Paypal Failed Payments
Since last weekend, I’ve been hit with over 3000 failed payment orders for a single ebook in my store. I have the WooCommerce PayPal Payments plugin. I’ve installed the CleanTalk plugin and that’s screening most of them out, with around five per day inexplicably getting through. Of course this is a sticking plaster and I’d rather this weren’t happening at all, as even that low number is a pain. I realise that my payment information is protected – this is more a nuisance.
I’ve read a couple of other posts about dealing with this issue, but there seem to be some differences, so I hope you don’t mind me requesting advice specific to my site.
TIA for your help!
Hi there!
I completely understand how frustrating it is to deal with a high volume of failed payment attempts like this. Since the issue started recently and is focused on a single product, it’s very likely caused by bot activity targeting your checkout rather than anything being wrong with your WooCommerce setup or PayPal Payments. CleanTalk reducing most of it confirms that it’s automated traffic.
Here are some additional things you can do to protect your store from card testing attacks or bot attack.
- Implement a CAPTCHA, extensions such as reCaptcha for WooCommerce or Google reCaptcha for WooCommerce are quick and easy ways to achieve this. Either of these plugins will insert a mandatory bot detection mechanism into your checkout process, which can help prevent automated fraud. A free plugin that only supports Google’s v2 (Checkbox) reCaptcha is available on ww.wp.xz.cn
- Cloudflare Turnstile is a newer alternative to CAPTCHA plugins that provides a lightweight, privacy-focused solution for bot detection. By integrating Turnstile into your checkout process, you can add an extra layer of security without compromising user experience, helping to safeguard your store against automated fraud attempts. Turnstile is free to use with the Simple Cloudflare Turnstile plugin from ww.wp.xz.cn. A paid option is also available on the WooCommerce.com marketplace.
- WooCommerce Anti-Fraud is an extension that allows you to set up complex rules that, when triggered, will block the offending transactions. This extension offers even more power and flexibility than the rules built into WooPayments.
- Anti-Fraud Shield for WooCommerce offers highly customizable fraud detection and prevention techniques. It helps you reduce card testing activities and block fraud orders manually or automatically.
If you install one of the above plugins, be sure to read the documentation thoroughly. If the plugins are not configured correctly, they will offer little or no protection!
Here are a couple more miscellaneous tips that may help:
- Avoid pay-what-you-want or donation products with no minimum. Fraudsters often use these to make small transactions that may not be noticed by the cardholder.
- If your site is under attack but you don’t see a large number of Failed orders, it may help to disable the Enable payments via saved cards setting for your payment methods (if supported). This is sometimes effective if fraudsters are trying to validate cards by adding them to an account on your site.
By carefully monitoring transactions, implementing appropriate security measures, and responding quickly to suspicious activity, you can help protect your store from card testing attacks and maintain your customers’ trust and confidence.
Thank you for that information. Are all of these effective against bots? Is there one that stands out for my situation as owner of a tiny store? I realise it’s hard for you to recommend one, and you may not be allowed to, but I’m a bit wary of getting too plug-in heavy.
Hi @janecl,
Thank you for getting back to me, and I completely understand your position on this. If you’re looking for an effective all-in-one plugin solution, I’d recommend starting with this: https://woocommerce.com/it/products/woocommerce-anti-fraud/
However, if your budget doesn’t allow for that, you can begin with a free integration using Cloudflare and Turnstile.
Hi @janecl,
Since we haven’t heard back in a bit, I’ll close this out for now. If you need help later, feel free to reach back out again.
And if you found our support helpful, or would like to rate the plugin, we’d appreciate a review here:
https://ww.wp.xz.cn/support/plugin/woocommerce/reviews/#new-post
Thank you. I apologise for the non-response – I’ve had a very busy week. I will look at the Cloudflare Turnstile options.
Presently, the order notifications have started showing up as Pending Payment instead of Failed Payment, and CleanTalk doesn’t appear to have caught up yet. It’s mind boggling and hard to see what the point is.
Hi @janecl,
Thank you for the update and for following up. You can certainly try using Cloudflare Turnstile to see if it helps mitigate the issue. Attacks like this tend to increase around the festive season, often in the form of stolen card test attempts, which I understand can be a very frustrating situation.
If you have any further questions, feel free to reply here or open a new topic, and we’ll be happy to assist you further.
Hello @janecl
This is CleanTalk Support. We noticed your issue related to how our service works and would be happy to help.
We’ve reviewed your Anti-Spam logs and adjusted some filters to block spam order requests that were previously not blocked.
We also recommend enabling the “Check anonymous users when they add new items to the cart” option in the Anti-Spam by CleanTalk plugin settings. This should help prevent pending orders created by bots.
If you need any further assistance, please feel free to contact us. You can open a topic on our forum
(https://ww.wp.xz.cn/support/plugin/cleantalk-spam-protect/)
or create a ticket in our private support system:
https://cleantalk.org/my/support/open.
Hi @katereji
Thanks, I appreciate the assistance. I tried to adjust settings but obviously not adequately. I’ve enabled “Check anonymous users when they add new items to the cart” and hope that helps, assuming that means lack of email address.
I’ll post further topics to your support, but to wind up this request: are there any recommendations on how to quickly delete 2000+ pending payments under Orders in WooCommerce – faster than 20 at a time?
Hello @janecl
Thank you for the question. This is a WooCommerce-related task and is not handled by CleanTalk directly. However, for deleting a large number of pending orders faster than 20 at a time, WooCommerce usually recommends one of the following approaches:
1. Using a dedicated WooCommerce bulk management plugin that allows mass deletion of orders.
This is the safest and fastest method for non-developers. You can use a free plugin like “Advanced Bulk Edit” or “WP Bulk Delete”. They allow you to filter orders by status (e.g., “pending”) and delete hundreds or thousands at once with a few clicks.
2. Using a database tool (such as phpMyAdmin) to bulk-delete orders with the pending status.
Only attempt this if you have a full backup of your database. You can run a single SQL command to delete all pending orders. However, this method requires caution, as it will also remove associated data (like order items) and is irreversible.
3. Running a custom WP-CLI command.
If you have server command-line access, this is the most efficient method.
If you are not comfortable working with the database or WP-CLI, our strong recommendation is Option 1 (using a plugin). It’s controlled, safe, and does not require technical expertise.
If you need any further assistance with CleanTalk, please don’t hesitate to contact us.
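One way to do the WP-CLI route from option 3 above, as an added example that is not part of the original thread and not CleanTalk's or WooCommerce's own code. It assumes WP-CLI is installed, WooCommerce's `wp wc` commands are available, the script is run from the WordPress root, and that user ID 1 (a placeholder) is an administrator.

```shell
#!/usr/bin/env bash
# Added example: move WooCommerce orders stuck in "pending" to the trash in batches.
# Assumptions: WP-CLI plus WooCommerce's "wp wc" commands; ADMIN_USER is a placeholder.
# Note: this matches ALL pending orders, including genuine ones still awaiting payment.
ADMIN_USER="${ADMIN_USER:-1}"   # ID of an administrator account (placeholder default)
BATCH="${BATCH:-100}"           # orders fetched per request

# Print the IDs of up to $BATCH pending orders, one per line.
list_pending_ids() {
  wp wc shop_order list --status=pending --per_page="$BATCH" \
     --format=ids --user="$ADMIN_USER" | tr ' ' '\n' | grep -E '^[0-9]+$'
}

# purge_pending [--apply]
# Without --apply: dry run, counts the first batch and changes nothing.
# With --apply: trashes every pending order (no --force, so the trash keeps
# them recoverable) and repeats until none are left. Prints the count handled.
purge_pending() {
  local apply="${1:-}" total=0 ids id
  while ids="$(list_pending_ids)" && [ -n "$ids" ]; do
    for id in $ids; do
      if [ "$apply" = "--apply" ]; then
        # Stop on the first failure so the loop cannot spin on an undeletable order.
        wp wc shop_order delete "$id" --user="$ADMIN_USER" >/dev/null || return 1
      fi
      total=$((total + 1))
    done
    # In a dry run the list never shrinks, so stop after one batch.
    [ "$apply" = "--apply" ] || break
  done
  echo "$total"
}

# Only act when explicitly asked, e.g.: PURGE_NOW=1 ./purge-pending.sh --apply
if [ "${PURGE_NOW:-0}" = "1" ]; then
  purge_pending "$@"
fi
```

Run it once without `--apply` to see how many orders the first batch would touch, and take a database backup before the real run.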
Hello again @janecl
We’ve improved integration with WooCommerce. You can install the special version now or wait for the next release.
Download link: https://github.com/CleanTalk/wordpress-antispam/releases/download/dev-version/cleantalk-spam-protect.zip
Here’s a step-by-step guide:
- Go to your WordPress Administrator Dashboard and navigate to Plugins.
- Locate the “Anti-Spam by CleanTalk” plugin and click Deactivate.
- After the page automatically refreshes, find the “Anti-Spam by CleanTalk” plugin again and click Delete. Confirm the deletion by clicking “Yes, delete these files”.
- Download the plugin archive from the provided link above.
- Navigate to Plugins → Add New → Upload Plugin.
- Choose the downloaded archive file and click Install Now.
Please don’t hesitate to contact us if you have any questions or encounter any issues during this process.
Hi @janecl,
I appreciate you sharing the update and it is good to see the interaction with the CleanTalk team and the steps they have taken to improve the filtering on their side. Trying their latest recommendations and updates sounds like a solid next step to further reduce the noise from these orders.
If after applying those changes you notice anything that still needs attention from the WooCommerce side, feel free to let us know here and we will be glad to take a closer look and assist further.
Thank you both – I truly value the high level of support you’re providing. Thank you for ‘crossing the streams’ with your replies, it is very refreshing!
To update:
I have reinstalled and activated the updated CleanTalk – thank you.
The bulk delete plugins are helpful to know about but a bit disappointing in one respect: the WooCommerce features are only at PRO level in both cases. However, WP Bulk Delete offers a US$29 single site subscription, whereas Smart Manager PRO (name changed from Advanced Bulk Edit) starts at US$149. I may just start nibbling away at the bulk spam orders with 30-50 a day and see how I go. I will keep WP Bulk Delete in the plugins list for future reference, just in case!
Again, thanks for helping a self-taught store owner get by under a bot attack.
Hi @janecl,
Thank you for the update, and I really appreciate the effort you’ve put into tackling this bot attack. I know it’s a lot to manage alongside running your store. It’s great to hear you’ve reinstalled and activated the updated CleanTalk plugin, and that you’re already seeing improvements from their side.
You’re absolutely right that many plugins reserve advanced Woo features for their PRO versions. It looks like WP Bulk Delete does offer a more affordable single-site subscription compared to Smart Manager PRO, so keeping it in your toolkit for future use makes sense. In the meantime, nibbling away at 30–50 orders a day is a perfectly valid approach if you’d prefer not to invest further right now.
The important thing is that your checkout is now better protected against these automated spam orders, and you’ve got options for managing the backlog at your own pace. If you need any further assistance, we’ll be glad to take another look from our side.
Do take care!