spam draft orders

Hi @karenkir,

Thanks for the clarification. Since you’re using the classic checkout shortcode and still seeing spam draft orders, this could indicate automated bots interacting with your checkout page directly. The most effective way to mitigate this is by adding Cloudflare Turnstile, which offers a lightweight and privacy-friendly method to verify real users and block spam bots. You can follow the setup guide here: https://ww.wp.xz.cn/plugins/simple-cloudflare-turnstile/.

Also, as a quick reminder, please avoid sharing email addresses in public forums to help protect privacy and prevent further spam issues.

Once you’ve enabled Cloudflare Turnstile, let’s monitor your site to see if the spam orders stop. If they persist, please share your System Status Report through https://pastebin.com so we can look into it further. Let’s see how it goes!

Hi @karenkir,

Thanks for your update and I appreciate you confirming that the Simple CAPTCHA Alternative with Cloudflare Turnstile is installed. Can you verify that the plugin is configured to show a CAPTCHA on your checkout page? According to the plugin documentation, Turnstile supports WooCommerce checkout forms (Simple CAPTCHA Alternative with Cloudflare Turnstile – WordPress plugin | ww.wp.xz.cn), so if it’s installed and set up correctly the previously shared email addresses are likely not from spam orders. Please check the settings for Simple Cloudflare Turnstile to ensure the Turnstile field is visible on the checkout form, then monitor your orders for a few days and let us know if the issue persists.

I also noticed that you mentioned putting your status report on Pastebin but there was no link included. Could you provide the Pastebin link so we can review it? If you need any guidance on configuring the Turnstile settings, you can check the plugin’s setup guide (Simple CAPTCHA Alternative with Cloudflare Turnstile – WordPress plugin | ww.wp.xz.cn).

Hi @karenkir,

Thanks so much for sharing your System Status Report, that’s very helpful! From reviewing it, everything looks up to date and configured correctly, which helps narrow down what’s happening here.

Since you’re using the classic checkout shortcode and have both OOPSpam and the Simple CAPTCHA Alternative with Cloudflare Turnstile active, these “Draft” orders are almost certainly being created by automated bots submitting the checkout form directly, bypassing the visible checkout page.

Here’s what we recommend next:

1. Add a Cloudflare Firewall Rule: Because you’re already using Turnstile, the easiest next step is to add a Cloudflare firewall rule that challenges automated requests targeting your checkout page.
   • Go to your Cloudflare dashboard → Security → WAF → Firewall Rules → Create Rule
   • Set the condition to:(http.request.uri.path contains "/checkout")Action: Managed Challenge
     This helps prevent bots from even reaching your checkout endpoint.
2. Verify the Turnstile Field Renders Properly
   Open your checkout page in a private/incognito window — do you see the CAPTCHA box appear before placing an order?
   If not, the CAPTCHA isn’t being injected correctly, and bots can still bypass it.
3. Check for a Theme Override: Since your site uses the Botacora theme, please check if this file exists:
    /wp-content/themes/botacora/woocommerce/checkout/form-checkout.php
   If it does, it may be overriding the default checkout template and missing the Turnstile display hook.
   
   (Look for this line inside the file:
   <?php do_action( 'woocommerce_checkout_after_customer_details' ); ?>
   — if missing, the CAPTCHA won’t appear.)
4. Automatic Cleanup: WooCommerce automatically deletes old draft orders via the woocommerce_cleanup_draft_orders daily cron job, so those entries will be removed periodically.

If spam orders still appear after these steps, please let us know whether they arrive in bursts (many per hour) or randomly throughout the day. That will help determine if it’s a targeted bot pattern.

You’re doing everything right so far; these last few checks should help stop the drafts completely.

Hi @karenkir,

Thanks for clarifying, that’s very helpful! Since you’re on a Cloudflare plan without WAF access, here are some alternative ways to block these automated checkout submissions:

1. Use a free Cloudflare “Rate Limiting Rule” (available under Security → Bots → Rate Limiting):
   • Add a rule targeting /checkout* with an action like Managed Challenge or Block if there are more than a few requests per minute.
   • This works similarly to WAF but is available on free plans.
2. Add an extra field validation at checkout:
   A lightweight plugin like Checkout Honeypot for WooCommerce or a simple anti-spam field (invisible to humans, but bots fill it) can stop automated submissions even before a CAPTCHA.
3. Turnstile verification:
   Since you’ve confirmed it’s showing on the checkout page, please also check that it appears before the “Place Order” button; if it’s rendered too early in the form, some bots can still bypass it.
4. Automatic cleanup:
   WooCommerce will automatically clear old draft orders daily, so these spam drafts shouldn’t accumulate permanently.

The fact that the orders arrive in bursts confirms they’re from automated bots running scripts; adding the rate-limiting rule or honeypot will usually stop them completely.

Please try these and let us know if the bursts reduce after implementing them.

Hi @karenkir,

Thanks for the update, and no worries about the delay. Since the spam draft orders have returned, I’d like to clarify one quick detail that will help narrow down what’s happening:

In these draft orders, are the checkout fields (name, address, phone, etc.) being filled in, or is it mostly just the product + a random email?

This helps determine whether bots are interacting with the visible checkout form or if they’re hitting the checkout endpoint directly.

Regarding logs: WooCommerce itself does not log draft-order creation events or bot submissions, so there isn’t a WooCommerce log that would show the source. These requests typically come from external automated traffic, and identifying them usually requires server-level or CDN-level logs.

Let me know what you find in the draft-order fields, that will help us confirm the next step.

Hi @karenkir,

Thanks for the updates and examples. Since the draft orders are filled, it looks like automated bots are submitting the checkout form directly.

The most effective next steps are:

• Turnstile Placement: Confirm the CAPTCHA appears immediately before the “Place Order” button. Check in a private/incognito window to ensure it displays correctly; if it renders too early or elsewhere, some bots may bypass it.
• Add a Honeypot: A lightweight invisible field can block bots before they reach payment. While OOPSpam and your current Turnstile plugin do not include a honeypot, you can use a plugin like Invisible reCAPTCHA for WooCommerce, which includes a honeypot feature and logs blocked attempts.

After implementing these changes, monitor your draft orders for a few days. The bursts you’ve seen are typical of automated bot activity, and these measures usually stop them.