Hi @custardapple,
Thanks for reaching out. I’d love to help get this sorted.
To better understand what’s happening, could you share a bit more detail about where you’re seeing these customer entries? For example, are they appearing under WooCommerce → Customers, or somewhere else in the dashboard?
If possible, please also include a screenshot of what the customer list looks like on your end. That will help us see exactly what you’re seeing and guide you toward the right next steps.
Looking forward to your update so we can assist you more effectively.
Thread Starter
Andy
(@custardapple)
They are appearing in the WooCommerce customer list, where there is no way of deleting them. They do not appear as WP users.
https://u.pcloud.link/publink/show?code=XZcFLx5ZnBojhCEOil7iouIwCMD90fwQghTk
Hi @custardapple ,
Thanks for providing a screenshot. As customers appear in WooCommerce but not in WordPress Users, they’re likely guest customers (checkout without account) or orphaned customer records.
If you have some advanced knowledge about databases, you can delete from the database. To do, go to the wc_customer_lookup table and delete the orphan records.
Quick tips for preventing future spam signups.
- You can implement recaptach in the registration page
- Disable guest checkout: WooCommerce > Settings > Accounts & Privacy > Uncheck “Allow customers to place orders without an account”
if you don’t want to get spam or sign up without account registration.
Thanks for the update @custardapple. That helps a lot.
I tested this on my side and I can see exactly what you mean. Those customer entries aren’t clickable on my end either, and it looks like this happens when the customer doesn’t have a WordPress.com/Gravatar account associated with their email.
When I searched for the same emails in the Orders page, I noticed they actually have placed an order: https://share.zight.com/8LuzDJxm. Could you double‑check this on your end as well? It’s possible these are guest purchasers, which is completely normal, as guests don’t need an account to complete a checkout, so they won’t appear as WP users.
When you have a moment, could you also:
- Check a few other similar customers to see if there’s a pattern (guest purchasers vs. spam).
- Open one of their orders and look at the Order Notes section, then share a screenshot so we can see what WooCommerce recorded.
- Share a screenshot of WooCommerce → Settings → Accounts & Privacy, just so we can confirm how guest accounts and account creation are currently configured.
This will help us narrow down whether these are legitimate guest orders or something spam‑related.
Looking forward to your findings so we can get this fully sorted.
Just saw @shsajalchowdhury’s message which is also a good one.
Be sure to do that as well and see.
Thread Starter
Andy
(@custardapple)
There are no orders for these customers, and $0 registered in the Woo Customers page. I’m 100% certain they are bots registering an account via the /my-account page.
So yes, CAPTCHA is required – I have that working for contact forms but it seems a different setup is required for Woo, perhaps you can let me know your recommendation here.
A bit frustrating I can’t delete these customers via the Woo GUI, thanks for pointing out wc_customer_lookup table, I’ll look into that.
Hi @custardapple,
Thanks for confirming. That clears things up.
If there are no orders, $0 spent, and these entries are coming from the /my-account page, then you’re absolutely right, these are bot-created WooCommerce customer records, not legitimate guest purchases.
WooCommerce can create customer records even when no WordPress user is created, and no order is placed. Unfortunately, the WooCommerce → Customers screen does not currently provide a way to delete these orphaned records. That’s a limitation of the current UI.
To remove the existing spam customers, the only option at the moment is to delete them directly from the database. You can do this from the wp_wc_customer_lookup table. Typically, these records will have user_id = 0, total_spent = 0, and order_count = 0. Please make sure to take a full database backup before making any changes.
To prevent this from happening again, you’ll need to add protection specifically to WooCommerce forms, as standard contact form CAPTCHA does not apply to /my-account or checkout by default.
Recommended options:
- Add a WooCommerce-compatible CAPTCHA plugin (for example, reCAPTCHA for WooCommerce or Advanced noCaptcha & Invisible CAPTCHA).
- If it fits your store’s flow, disable account creation from the My Account page under WooCommerce → Settings → Accounts & Privacy.
- Optionally add rate limiting or WAF rules (such as Cloudflare) to reduce bot traffic to /my-account.
I understand this is frustrating, but you’re correct in your assessment, and your approach is the right one. If you need help choosing or configuring a CAPTCHA plugin for WooCommerce, feel free to let us know.
Hi @custardapple,
Since we have not heard back, I will go ahead and close this out for now. No worries at all, just reach out again if you need help in the future.
If the plugin or our support has been helpful, we would appreciate a quick review here:
https://ww.wp.xz.cn/support/plugin/woocommerce/reviews/#new-post
