Hello @mmazziotti
The recent update was a critical hotfix, and there is another one expected today, but neither of them includes prevention against fraud attempts. This is an area where we are moving more carefully, especially since we already developed temporary measures that can be applied.
I can share this patch on our private board. To access them, please open a ticket with our service desk here: Request Support. Make sure to include the URL of this thread in your ticket for reference.
To answer your question, we are planning further updates with improved fraud prevention to be included in an upcoming official release.
Kind Regards,
Krystian
Now we’re getting attacked. I hope a fix gets expedited before this grows to an intolerable level. Security of any plugin MUST always be a top priority, and I’d like to see WC treat it as such.
We have also been getting these attacks. They have only stopped when we switched the PayPal plugin off. This of course means customers cannot use PayPal to pay now.
Does anyone know if the problem goes away after a few days (i.e. the bots get bored and leave your site alone?)
Hello @themetalhouse
It will not go away on its own. These attacks are automated scripts that continuously run through lists of URLs collected by bots. Once a site is indexed in their list, they continue to retry it automatically, so switching the plugin off only hides the target temporarily.
Also, please avoid posting under another user’s thread, as it goes against wp.org forum rules. Instead, contact us directly and we’ll provide you with the correct mitigation steps. We already have a few external security layers and helper packages that effectively stop these bot attempts without disabling PayPal.
Kind Regards,
Krystian
Hello @mmazziotti
Some time ago, you reported incidents of fraudulent orders impacting your site. We’re pleased to share that a comprehensive prevention mechanism is now available, thoroughly validated across a wide user base during the release candidate phase.
The latest version of the plugin introduces a native reCAPTCHA integration specifically designed to block automated abuse and card-testing activity at the PayPal payment endpoints. You can download the release here: https://github.com/woocommerce/woocommerce-paypal-payments/releases/tag/3.3.0
Alternatively, the update can be installed directly from your WordPress dashboard.
This version combines invisible reCAPTCHA v3 with a visible v2 captcha for potential bots or automated requests to protect the PayPal payment endpoints. The protection is active on both the classic and block-based checkout and helps prevent automated card testing and other forms of malicious activity that can result in random declines or failed transactions. Unlike general CAPTCHA plugins, this implementation specifically protects the PayPal endpoints, so we recommend using it instead of third-party CAPTCHA solutions.
After installing the update, go to: WooCommerce → Settings → Integration → WooCommerce PayPal Payments CAPTCHA
Or open directly: /wp-admin/admin.php?page=wc-settings&tab=integration&section=wppc
From there, generate your Site Key and Secret Key using the Google reCAPTCHA admin console and paste them into the corresponding fields. Once saved, the CAPTCHA will silently protect the checkout process without disrupting legitimate users.
Documentation is also available here: https://woocommerce.com/document/woocommerce-paypal-payments/fraud-and-disputes/
If you need any help during setup, feel free to reach out.
Kind Regards,
Krystian
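The last post describes a two-tier gate: an invisible reCAPTCHA v3 token is checked on every request to the PayPal endpoints, and a visible v2 challenge is shown only when the v3 result looks automated. The block below is an added example of that server-side decision logic, written here for illustration; it is not code from the WooCommerce PayPal Payments plugin (which is PHP) and is in Python so it runs offline. It assumes a hypothetical `verify_fn` standing in for the HTTPS POST to Google's `siteverify` endpoint, whose JSON reply carries the documented `success`, `score`, `action`, `hostname` and `error-codes` fields; the replies, hostname and action name used here are constructed sample values. The example also shows two checks a practitioner would want beyond the score itself: that the token was minted for the payment action (not replayed from another form) and for the expected hostname, and that a request with no token at all is rejected rather than let through.

```python
"""Added example (not the plugin's code): server-side decision logic for a
two-tier reCAPTCHA gate in front of a payment endpoint. The checkout sends a
v3 token with every request; the server verifies it and, when the score is
low or the token is unusable, answers "challenge" so the client shows a
visible v2 checkbox and retries with a v2 token.

Assumptions (not from the original thread): verify_fn is a hypothetical
stand-in for an HTTPS POST to https://www.google.com/recaptcha/api/siteverify.
All sample replies, the hostname and the action name are constructed.
"""
from dataclasses import dataclass
from typing import Callable

SCORE_THRESHOLD = 0.5                    # v3 scores run 0.0 (bot) .. 1.0 (human)
EXPECTED_ACTION = "paypal_create_order"  # constructed: action the client tags v3 tokens with


@dataclass
class Decision:
    outcome: str   # "allow", "challenge" (show v2) or "reject"
    reason: str


def evaluate_v3(resp: dict, expected_hostname: str) -> Decision:
    """Decide on an invisible v3 token from the parsed siteverify reply."""
    if not resp.get("success"):
        # expired, duplicate or malformed token: do not fail open, ask for v2
        return Decision("challenge", "v3 token not accepted: %s" % resp.get("error-codes", []))
    if resp.get("action") != EXPECTED_ACTION:
        # token minted for another action, e.g. replayed from a login form
        return Decision("reject", "action mismatch: %r" % resp.get("action"))
    if resp.get("hostname") != expected_hostname:
        return Decision("reject", "hostname mismatch: %r" % resp.get("hostname"))
    score = float(resp.get("score", 0.0))
    if score < SCORE_THRESHOLD:
        return Decision("challenge", "low score %.2f" % score)
    return Decision("allow", "score %.2f" % score)


def evaluate_v2(resp: dict, expected_hostname: str) -> Decision:
    """Decide on a visible v2 token; v2 has no score, only success and hostname."""
    if not resp.get("success"):
        return Decision("reject", "v2 challenge failed: %s" % resp.get("error-codes", []))
    if resp.get("hostname") != expected_hostname:
        return Decision("reject", "hostname mismatch: %r" % resp.get("hostname"))
    return Decision("allow", "v2 challenge passed")


def gate_payment_request(form: dict, expected_hostname: str,
                         verify_fn: Callable[[str, str], dict]) -> Decision:
    """Entry point the payment endpoint calls before creating the PayPal order.

    form carries 'v3_token' on the first attempt or 'v2_token' on the retry
    after a challenge; verify_fn(kind, token) returns the parsed siteverify JSON.
    """
    if form.get("v2_token"):
        return evaluate_v2(verify_fn("v2", form["v2_token"]), expected_hostname)
    if form.get("v3_token"):
        return evaluate_v3(verify_fn("v3", form["v3_token"]), expected_hostname)
    # no token at all: a script posting straight to the endpoint, not a browser
    return Decision("reject", "missing captcha token")


# --- constructed siteverify replies so the example runs offline ---
FAKE_REPLIES = {
    ("v3", "good"):    {"success": True, "score": 0.9, "action": EXPECTED_ACTION, "hostname": "shop.example"},
    ("v3", "botlike"): {"success": True, "score": 0.1, "action": EXPECTED_ACTION, "hostname": "shop.example"},
    ("v3", "replay"):  {"success": True, "score": 0.9, "action": "login", "hostname": "shop.example"},
    ("v3", "expired"): {"success": False, "error-codes": ["timeout-or-duplicate"]},
    ("v2", "solved"):  {"success": True, "hostname": "shop.example"},
    ("v2", "failed"):  {"success": False, "error-codes": ["invalid-input-response"]},
}


def fake_verify(kind: str, token: str) -> dict:
    """Hypothetical stand-in for siteverify; real code POSTs secret+response over HTTPS."""
    return FAKE_REPLIES.get((kind, token), {"success": False, "error-codes": ["invalid-input-response"]})


if __name__ == "__main__":
    for form in ({"v3_token": "good"}, {"v3_token": "botlike"}, {"v3_token": "replay"},
                 {"v3_token": "expired"}, {"v2_token": "solved"}, {"v2_token": "failed"}, {}):
        d = gate_payment_request(form, "shop.example", fake_verify)
        print(form, "->", d.outcome, "(%s)" % d.reason)
```

The design choice worth noting is that an unusable v3 token leads to a visible challenge rather than an outright reject, so a legitimate shopper whose token expired while filling the form gets one more chance, whereas a token that verifies but carries the wrong action or hostname is rejected outright, since that pattern indicates a token obtained elsewhere rather than a browser timing problem.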