• Resolved fpadia

    (@fpadia)


    Recently I’ve started getting lots of spam ‘draft’ orders in my shop. Reading the order status documentation https://woocommerce.com/document/managing-orders/order-statuses/ I understand that orders are created in draft when “a customer arrives on the checkout page using WooCommerce Blocks.” I don’t understand what this means, can anyone help?

    If I manually go to my shop and reach the checkout page I do not see a draft order automatically created, so I’m assuming the difference is that the bot that is spamming my shop is doing so via ‘WooCommerce Blocks’. What does this actually mean?

    I have already enabled reCaptcha on the checkout, which I guess is what is preventing these orders from actually being placed, but I’d like to know what I can do to prevent them being created in draft. The bit I’m missing is how a customer arrives on the checkout page using WooCommerce Blocks, as this doesn’t seem to be the case if you just go to the checkout via the normal route.

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Support shahzeen(woo-hc)

    (@shahzeenfarooq)

    Hi there!

    I understand your concern. Since you have already added reCAPTCHA, this will definitely help prevent spam orders. You can also add additional protection by following the instructions in this guide on how to control spam and card testing attempts:
    Preventing Card Testing

    Could you please also share a screenshot of the order notes you are seeing as draft orders? You can use this tool to capture and share screenshots: https://snipboard.io

    Regarding draft orders, here are the details about how they are created and why they appear:
    Draft Order Status

    I hope this helps!

    Thread Starter fpadia

    (@fpadia)

    Thanks for getting back. There are no notes in any of the spam orders. Example of one from 40 minutes ago below.

    I had already read the page about how draft orders are created but, as I said, it’s not clear to me what it means when it says “Creation: Initiated when a customer arrives on the checkout page using WooCommerce Blocks.” If I start making an order myself and go through to the checkout page I don’t get a draft order created, so why are these spam orders creating drafts?


    Hi @fpadia,

    Thank you for getting back to me and for the clarification. From the screenshot you shared, I can see that the draft includes billing and shipping details as well as an email and phone number. This suggests it may have been created by a spam bot rather than by the block itself, since those fields were already filled in.

    Before we conclude that it’s spam-related, could you confirm how many successful orders you typically receive each day compared to the number of draft orders? If you run sales, promotions, or similar campaigns that drive a lot of traffic, the drafts might simply be abandoned checkouts. I’ll wait for your clarification.

    Thread Starter fpadia

    (@fpadia)

    Hi @mosesmedh. It’s only a small shop, we might get 1 or 2 actual orders per day on average whereas we’ve been seeing 30 or 40 drafts per day recently. They are definitely spam orders because they all have the same features; just 1 item in the basket, nonsense addresses, fake phone numbers and suspicious looking email addresses.

    Thank you for the clarification @fpadia,

    These are indeed spam orders generated by bots, not necessarily related to the block checkout. Adding a CAPTCHA to checkout, which you’ve already done, is a solid step. You may also want to consider the other suggestions shared by my colleagues, as they can be helpful as well.

    If you have any further questions, please don’t hesitate to reach out or open a new topic. And if you found the support here quick and helpful, we’d truly appreciate it if you could leave a review: https://ww.wp.xz.cn/support/plugin/woocommerce/reviews/#new-post

    Thread Starter fpadia

    (@fpadia)

    Hi @mosesmedh, thanks for confirming. But I was hoping to understand how the bot is able to create draft orders. When a human uses the site and goes through to the checkout this doesn’t seem to create a draft order, so how is it that the bot’s orders are creating drafts? If I can understand the mechanism behind this perhaps I can take steps to prevent it beyond the reCaptcha that seems to work in preventing these drafts from becoming failed orders.

    Hi @fpadia,

    Great question! The key thing to understand is that the Block Checkout creates draft orders for everyone — both humans and bots.

    You usually don’t notice the human drafts because once a customer completes payment, the draft instantly converts into a real order. If a customer abandons checkout, the draft stays behind, but it often blends in with the rest of your orders.

    Bots, on the other hand, also trigger drafts when they load the checkout and auto-fill fields. Since they never pass reCAPTCHA or complete payment, those drafts remain visible as spam.

    You can even test this yourself: open checkout in a private window, fill in some details, and then close the tab without placing the order. When you check your admin, you’ll see a new draft order with the information you entered.

    So the difference isn’t that drafts are only for bots — it’s that legit orders convert, while abandoned or blocked ones stay as drafts.

    To reduce spam, the best approach is to stop bots from reaching checkout in the first place. You can do this with rate limiting, bot detection tools, or requiring a valid cart before checkout loads. Another option is switching back to Classic Checkout, which doesn’t auto-create drafts on page load.
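
The rate-limiting suggestion in the reply above can be prototyped offline against web-server access logs before any limit is enforced. The following is an added example, not part of the thread or of WooCommerce: it counts checkout requests per client IP in a sliding window and reports the IPs that exceed a limit. The `/checkout` path prefix, the thresholds, the helper names and the log lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _line(ip, hhmmss, path):
    # Builds one constructed line in combined log format.
    return f'{ip} - - [12/Mar/2025:{hhmmss} +0000] "GET {path} HTTP/1.1" 200 512 "-" "-"'

# Constructed sample: one client hammering checkout, one ordinary shopper,
# and one line that does not parse. IPs are documentation-range addresses.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"10:00:{s:02d}", "/checkout/") for s in (1, 9, 17, 25, 33)]
    + [_line("198.51.100.20", "10:02:00", "/shop/"),
       _line("198.51.100.20", "10:03:00", "/checkout/"),
       _line("198.51.100.20", "10:15:00", "/checkout/"),
       "garbled line that does not parse"]
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}')

def parse(line):
    """Return (ip, timestamp, path) or None when the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, path = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path

def flag_checkout_bursts(log_text, prefixes=("/checkout",), limit=3,
                         window=timedelta(minutes=1)):
    """Map each IP that exceeds `limit` checkout hits per `window` to its peak count.

    Assumes log lines are in chronological order, as a server writes them.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not rec[2].startswith(prefixes):
            continue              # skip malformed lines and non-checkout paths
        ip, when, _path = rec
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()        # drop hits that fell out of the window
        if len(hits) > limit:
            peaks[ip] = max(peaks.get(ip, 0), len(hits))
    return peaks

if __name__ == "__main__":
    print(flag_checkout_bursts(SAMPLE_LOG))
```

Running it over real logs first shows which `limit` and `window` values separate the burst traffic from genuine shoppers before the same numbers are applied in a firewall or rate-limiting rule.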

    Thread Starter fpadia

    (@fpadia)

    @mosesmedh thanks for the explanation. I have tried several times to create a draft order by going through to checkout and filling fields before closing the tab but I don’t see any draft orders being created when I do it. This is why I thought the bot must be doing something different. I’ve tried from different devices and different browsers but I just don’t get a draft when I try it.

    I will look into bot detection tools as you suggest.

    Thanks

    Plugin Support LovingBro (woo-hc)

    (@lovingbro)

    Hi @fpadia,

    Thanks for following up and for testing this on your side. You’re right that it can feel confusing when you don’t see a draft order created during your own tests. Draft creation with the block checkout can be a bit inconsistent depending on how far into the checkout flow you go and whether certain triggers (like field input or cart updates) fire. Bots often “force” those triggers quickly by auto-filling data, which is why you see drafts left behind for them but not in your own browsing.

    It sounds like you’ve already taken some great steps by enabling reCAPTCHA, and looking into additional bot detection tools is definitely a good way forward. Please feel free to reach out again if you notice any new patterns with these drafts or want to explore other options—we’re always happy to dig in further.


The topic ‘Prevent spam draft orders’ is closed to new replies.