• kareem1991

    (@kareem1991)


    Hello WooCommerce Team,

    I want to report a security concern I discovered in the WooCommerce plugin. Over the past week, my website has been targeted by an automated attack attempting to add products directly to the cart using GET requests, bypassing the normal AJAX mechanism.

    The attack is crafted to appear like legitimate visitors—requests come from multiple countries worldwide, using real-looking browsers and user agents, often without a referer.

    To mitigate the issue on my site, I implemented a Cloudflare Firewall Rule that challenges all requests containing add-to-cart= in the query string. This successfully reduced the server load from 100% CPU usage to around 15%, protecting the site from this automated activity.

    I recommend reviewing this behavior and considering security improvements in future WooCommerce updates to prevent direct add-to-cart GET request exploits.

    Thank you for your attention to this matter.
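The pattern described above (bursts of GET requests carrying add-to-cart=, spread across many addresses, often with no referer) is visible in an ordinary web server access log before it shows up as CPU load. The following script is an added example, not code from the original post or from WooCommerce: it parses combined-format log lines (the Apache/Nginx "combined" layout is assumed), picks out add-to-cart GETs, and flags both a single address hammering the cart and the distributed variant where each address stays quiet but referer-less cart hits pile up across many of them. The log lines, addresses and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" log format is assumed; the constructed sample below follows it.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_add_to_cart_get(rec):
    """True for a GET whose query string carries WooCommerce's add-to-cart parameter."""
    if rec["method"] != "GET":
        return False
    return "add-to-cart" in parse_qs(urlsplit(rec["target"]).query)


def analyze(lines, window_s=60, per_ip_threshold=5, global_threshold=10):
    """Flag two patterns among add-to-cart GETs:
    - per_ip: any single address with >= per_ip_threshold cart hits inside a window_s-second window;
    - distributed: referer-less cart hits arriving from >= global_threshold distinct addresses,
      each of which may stay under the per-address limit.
    Thresholds are illustrative; tune them against the store's own baseline traffic.
    """
    events = [r for r in map(parse_line, lines) if r and is_add_to_cart_get(r)]
    events.sort(key=lambda r: r["ts"])

    by_ip = defaultdict(list)
    for r in events:
        by_ip[r["ip"]].append(r["ts"])

    per_ip = {}
    for ip, times in by_ip.items():
        # Sliding window: the largest number of hits that fit inside any window_s span.
        best, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= per_ip_threshold:
            per_ip[ip] = best

    no_referer = [r for r in events if r["referer"] in ("", "-")]
    no_referer_ips = {r["ip"] for r in no_referer}
    return {
        "cart_hits": len(events),
        "per_ip": per_ip,
        "no_referer_hits": len(no_referer),
        "no_referer_ips": len(no_referer_ips),
        "distributed": len(no_referer_ips) >= global_threshold,
    }


def make_sample_log():
    """Constructed sample log (not real traffic): one shopper plus two bot patterns."""
    base = datetime(2025, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
    lines = []

    def add(ip, offset, target, referer):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{ts}] "GET {target} HTTP/1.1" 302 0 "{referer}" "{ua}"')

    # A real shopper browses first, then adds two items; the referer is present.
    add("198.51.100.7", 0, "/shop/", "-")
    add("198.51.100.7", 20, "/?add-to-cart=101", "https://shop.example/shop/")
    add("198.51.100.7", 45, "/?add-to-cart=102", "https://shop.example/shop/")
    # Single-source bot: six cart hits in 30 seconds, no referer.
    for i in range(6):
        add("203.0.113.9", 100 + 5 * i, f"/?add-to-cart={200 + i}", "-")
    # Distributed bot: one referer-less cart hit from each of twelve addresses within two minutes.
    for i in range(12):
        add(f"192.0.2.{i + 1}", 300 + 10 * i, f"/product/item-{i}/?add-to-cart={300 + i}", "-")
    return lines


if __name__ == "__main__":
    for key, value in analyze(make_sample_log()).items():
        print(f"{key}: {value}")
```

Running it on the sample reports 203.0.113.9 as a per-address offender and raises the distributed flag because thirteen different addresses sent referer-less cart hits, while the shopper's two purchases stay under both limits. The same report, produced from a real log, is what a firewall rule or challenge (like the Cloudflare rule mentioned above) can then be tuned against.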

Viewing 7 replies - 16 through 22 (of 22 total)
    1. I’m going to need third-party confirmation before I add this to my site. Last time I tried something like this it disabled all the add-to-cart buttons, and locked me out of the site for an hour.
    2. WooCommerce’ Hand Picked products block doesn’t use AJAX. I had to add the following code to my site to compensate for this issue.
    3. I hate nested IF statements. Doesn’t anyone know how to use PHP’s Switch/Case Statement?

    add_action( 'wp_enqueue_scripts', 'hand_picked_block_ajax' );

    function hand_picked_block_ajax() {
        // Only load this on the homepage to keep the site fast.
        if ( ! is_front_page() ) {
            return;
        }

        // Force the core WooCommerce AJAX scripts to load.
        wp_enqueue_script( 'wc-add-to-cart' );
        wp_enqueue_script( 'wc-cart-fragments' ); // This fixes the "0 items" issue.

        // The custom JS logic. Inside this double-quoted PHP string every JS "$" is written
        // as "\$" so PHP does not try to interpolate it as a variable.
        $custom_js = "
        jQuery(document).on('click', '.wc-block-handpicked-products .add_to_cart_button', function(e) {
            e.preventDefault();
            var \$button   = jQuery(this);
            var product_id = \$button.data('product_id');

            if (!product_id) return;

            \$button.addClass('loading');

            jQuery.ajax({
                type: 'POST',
                // WooCommerce core serves add-to-cart from its WC-AJAX endpoint rather than as an
                // admin-ajax.php action, so build the URL the way core's add-to-cart.js does.
                url: wc_add_to_cart_params.wc_ajax_url.toString().replace('%%endpoint%%', 'add_to_cart'),
                data: {
                    product_id: product_id,
                    quantity: \$button.data('quantity') || 1
                },
                success: function(response) {
                    if (response.error && response.product_url) {
                        window.location = response.product_url;
                        return;
                    }
                    // Trigger the fragment refresh so the mini-cart updates.
                    jQuery(document.body).trigger('added_to_cart', [response.fragments, response.cart_hash, \$button]);
                    \$button.removeClass('loading').addClass('added');
                },
                error: function() {
                    \$button.removeClass('loading');
                }
            });
        });
        ";

        // Attach this script to the 'wc-add-to-cart' handle so it runs after that script and its params.
        wp_add_inline_script( 'wc-add-to-cart', $custom_js );
    }

    Plugin Support shahzeen(woo-hc)

    (@shahzeenfarooq)

    Hi @mesmer7

    I understand your concern; especially after experiencing issues previously, it’s completely reasonable to want confirmation before adding custom code to a live site.

    Since this involves custom code changes and implementation decisions outside WooCommerce core functionality, this would fall under customization support. In this case, we’d recommend working with a developer who can properly review, test, and adapt the solution to your specific setup to avoid unexpected side effects.

    Alternatively, you can also ask your development questions in the WooCommerce Community Slack as custom code falls outside our usual scope of support.

    Hi @shahzeenfarooq

    Given the scope of this forum, that’s perfectly understandable. But this is a serious security concern that affects ALL WooCommerce users. These bots are attacking every website they can find. We’d all appreciate it if Automattic would add cart security like this to WooCommerce core functionality.

    Plugin Support LovingBro (woo-hc)

    (@lovingbro)

    Hi @mesmer7,

    I understand your concern here, especially given your previous experience where a similar approach affected your add to cart functionality. It makes complete sense to be cautious before applying anything that could impact core store behavior.

    You’re right that this topic touches on a broader security discussion rather than a confirmed vulnerability within WooCommerce core. The add to cart via GET requests is actually part of WooCommerce’s default behavior, and while it can be leveraged by bots, it isn’t considered an exploit in itself. That said, what you are experiencing with automated traffic is valid, and many store owners mitigate it at the server or firewall level, just as mentioned earlier with Cloudflare.

    From a WooCommerce perspective, introducing restrictions at the application level can sometimes interfere with legitimate functionality, especially in cases like blocks or non AJAX flows, which you’ve already encountered. That is why these kinds of protections are typically better handled at the hosting or firewall level rather than modifying core behavior directly.

    For anything involving custom scripts or conditional logic like the one you shared, working with a developer is still the best route to ensure it aligns with your setup without breaking expected functionality. If you decide to test any approach, doing so on a staging environment first will help avoid downtime or unexpected issues on your live site.

    Hi @lovingbro

    As difficult as it may be for Automattic to handle these issues at the application level, think about how difficult it is for us ecommerce merchants. Remember, a lot of us are one-man operations.

    I’m a technical writer turned voice actor. I write, voice, and produce my audio recordings. I design my own cover art, I maintain my website and promote my products. In my list of skills, writing non-fiction is #1, coding is probably #10. I’m an amateur.

    I spent 3 months trying to find the code to block these bots. (three months NOT developing new products) And so far, I’m only 80% successful. My hosting service tech support was totally useless. I couldn’t find an answer on reddit or stackoverflow. And the AIs I asked for help made a ton of mistakes. People who have even less coding experience than me will go straight to an AI, ask for the code, and add it to their site, not realizing they could be adding additional problems.

    We need a better solution.

    • This reply was modified 1 week, 3 days ago by mesmer7.

    Alright, this is the 10th time I’ve asked an AI for a solution to this problem. And this is the 10th solution they’ve given me. This time, the AI told me to enable WooCommerce Order Attribution and check for the session cookie by adding this to the .htaccess file:

    # Needed if these lines sit outside the "# BEGIN WordPress" block, which turns the engine on itself.
    RewriteEngine On
    # Block add-to-cart if the source-tracking cookie is missing (this identifies users who didn't
    # 'land' on the site first). The cookie is set in the browser by the Order Attribution script,
    # so a visitor whose very first request already carries add-to-cart (a direct link) is refused too.
    RewriteCond %{QUERY_STRING} (^|&)add-to-cart=[0-9]+ [NC]
    RewriteCond %{HTTP_COOKIE} !sbjs_session [NC]
    RewriteRule .* - [F,L]
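To see what the two RewriteCond lines above actually decide, here is an added example (not from the post, not WooCommerce code) that replays the rule against short request sequences: a shopper who lands on a page first, a bot that goes straight for the cart, and a legitimate visitor following a direct buy link. The cookie test mirrors Apache's behaviour of running a regex over the raw Cookie header. It assumes, as the post describes, that the sbjs_session cookie is only created by the Order Attribution script once a normal page has rendered in the browser; the scenarios and cookie values are constructed.

```python
import re

# The two tests mirror the RewriteCond lines from the .htaccess snippet, including
# the [NC] (case-insensitive) flag. Apache applies a regex to the raw Cookie header,
# so the cookie check is a substring match, not a parsed-cookie lookup.
ADD_TO_CART_RE = re.compile(r"(^|&)add-to-cart=[0-9]+", re.IGNORECASE)
SESSION_COOKIE_RE = re.compile(r"sbjs_session", re.IGNORECASE)


def rule_blocks(query_string, cookie_header):
    """True when the rule would answer 403 Forbidden for this request."""
    if not ADD_TO_CART_RE.search(query_string):
        return False
    return SESSION_COOKIE_RE.search(cookie_header) is None


def walk_session(requests):
    """Replay an ordered list of (label, query_string) requests from one client.
    Assumption (constructed for this example): the sbjs_session cookie appears only
    after an allowed page load, because the tracking script that sets it runs in the
    browser on a rendered page, and a 403 response renders nothing.
    Returns a list of (label, decision) pairs, decision being "allowed" or "blocked".
    """
    cookie_header = ""
    decisions = []
    for label, query_string in requests:
        if rule_blocks(query_string, cookie_header):
            decisions.append((label, "blocked"))
            continue
        decisions.append((label, "allowed"))
        # An allowed page ran the tracking script, so the cookie is present from now on.
        cookie_header = "sbjs_session=pgs%3D1; woocommerce_items_in_cart=1"
    return decisions


# Constructed scenarios, not observed traffic.
SHOPPER = [
    ("landing page", ""),
    ("add from shop page", "add-to-cart=101"),
    ("second item with quantity", "quantity=2&add-to-cart=102"),
]
BOT = [
    ("direct cart hit", "add-to-cart=200"),
    ("another cart hit", "add-to-cart=201"),
]
DIRECT_LINK = [
    ("buy link from an email", "add-to-cart=101&quantity=1"),
    ("retry of the same link", "add-to-cart=101"),
]

if __name__ == "__main__":
    for name, scenario in (("shopper", SHOPPER), ("bot", BOT), ("direct link", DIRECT_LINK)):
        print(name, walk_session(scenario))
```

The replay makes the trade-off concrete: the rule stops the bot's cart hits cold, but a real customer arriving on a product link that already contains add-to-cart never gets a page to set the cookie and is locked out on every retry. Any deployment of this rule needs an allowed landing page before the cart URL (or an exception for such links), and a staging test as the support replies in this thread recommend.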

    Plugin Support shahzeen(woo-hc)

    (@shahzeenfarooq)

    Hi there!

    Thank you for the update. I understand your concern. In this case, I would suggest submitting a feature request here: WooCommerce Feature Requests.

    This helps our developers understand the issues users are facing so they can implement the proper fix. You can also submit an enhancement request here: WooCommerce GitHub Issues.

    Thank you for your cooperation and understanding.
