spam draft orders
-
I’m getting lots of orders from an unknown source. They are in Draft status and therefore using up order numbers. The payment method is Stripe but there is nothing getting through to Stripe. Each order is for the cheapest item on my website. I have OopSpam installed and am using the checkout shortcode, not the block. Initially I was getting lots of failed orders (also from an unknown source) but after trying to stop them by installing Simple CAPTCHA Alternative with Cloudflare Turnstile and OopSpam they have now changed to Draft rather than Failed.
How can I stop this?
-
This is still happening
Before paying for yet another plugin (invisible reCAPTCHA) I checked and there is a honeypot feature in OopSpam which is enabled. So I’m not sure what that plugin is giving me if I already have Simple CAPTCHA Alternative with Cloudflare Turnstile.
Going back to basics – how can I be getting draft orders if I use the old checkout shortcode not the block checkout?
These orders are all from different IP addresses with clearly fake Australian emails and addresses. The addresses are from Australia but the IP addresses are from everywhere: Turkey, Afghanistan, the Philippines, etc.
Can someone please help me get to the bottom of this
Hi @karenkir,
Thank you for the update. I completely understand how frustrating and exhausting this situation can be, especially when it happens repeatedly.
To add to what my colleagues have already shared, issues like this are quite common on eCommerce sites during peak seasons such as November through February, with December and January being the height of activity. During these periods, scammers often test stolen cards on online stores, knowing many sites are running Black Friday or holiday sales.
Your CAPTCHA tools are working. They are successfully preventing bots from completing orders. However, bots can still trigger draft orders simply by loading the checkout page and auto-filling fields. Since they fail the CAPTCHA or payment step, those drafts remain stored as spam.
Good news: Your security setup is blocking them from placing real orders.
Bad news: Bots are still reaching the checkout and generating draft orders before being stopped.
The most effective fix is implementing server-level bot protection. This includes enabling Cloudflare Bot Fight Mode or WAF rules, adding rate limiting to block repeated checkout attempts from the same IP, and setting firewall rules to challenge suspicious behavior. For the best results, you may need Cloudflare support to help configure the rules correctly.
As a quick workaround, you can also disable guest checkout and apply geographical restrictions. If you only sell to specific countries, go to WooCommerce → Settings → Selling/Shipping Locations to limit access and prevent unwanted traffic from reaching checkout.
The suggestions above work if you don’t want to purchase more plugins; however, if you prefer to use plugins, then WooCommerce Anti-Fraud or Fraud Prevention for WooCommerce is highly recommended.
Thank you
Can you please clarify how these draft orders are being created. I was led to believe only the checkout block creates draft orders. I’m still using the old checkout shortcode.
Hi @karenkir,
Great question. Draft orders can also be created when using the classic checkout shortcode. The block checkout creates them more intentionally, but the classic checkout can still generate draft orders under certain conditions, especially when automated bots hit the checkout endpoint.
Here is how it happens on the classic shortcode checkout:
- When a bot or user loads the checkout page, and WooCommerce begins preparing session data, a draft order can be created in the background to store temporary checkout progress.
- When bots auto-fill the form fields and attempt to submit the checkout without passing Turnstile or without valid payment details, WooCommerce does not complete the order, so the temporary order remains in “Draft” status.
- These drafts are never completed because the CAPTCHA, payment gateway, or anti-spam plugin blocks them at the payment step, but the draft order itself has already been generated once the checkout process starts.
The classic checkout can create draft orders, but usually only when bots interact with the form.
These drafts do not indicate a failure of your security plugins. They simply show that the bots reached the checkout page before being blocked from completing payment.
If you want to reduce or stop these drafts entirely, the only reliable method is to prevent bots from reaching /checkout at all, using Cloudflare rate limiting, a firewall rule, or your hosting provider’s server-level bot protection.
Thank you for your detailed response. If the orders aren’t reaching checkout what are they achieving. I thought they were card testing?
These orders are coming in from different IP addresses at decent intervals so rate limiting doesn’t seem to be of any use.
Hi @karenkir,
I understand why you are asking for more clarity, and it makes sense to want to know what these bots are actually achieving when the checkout is not being completed. I am glad to help clear this up in a simpler way.
When any visitor or bot loads your checkout page, WooCommerce starts creating a temporary order in the background. This is part of how WooCommerce tracks what is happening during checkout, even before payment begins. If the visitor completes checkout, that temporary order becomes a real order. If the visitor fails any checks such as CAPTCHA, Turnstile, payment validation, or leaves the page, WooCommerce cannot finish the process so the order remains in Draft.
So even though these bots are trying card testing, they are not reaching the payment step because your protections are blocking them. Since they cannot complete payment, the temporary order never gets confirmed, and it stays as Draft.
This is why you are seeing these entries. They are not successful card tests and they are not completing checkout. They are simply hitting the checkout page, WooCommerce starts the order session, and then the bot gets blocked before payment.
If you want to reduce the drafts themselves, the only way is to stop bots before they ever reach the checkout page, using Cloudflare WAF rules, Bot Fight Mode, or country restrictions if suitable for your store.
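As an added example (not code from this thread, from WooCommerce, or from any of the plugins named above): a small must-use plugin that complements the selling-location restriction in WooCommerce → Settings and the "stop them before /checkout" advice by rejecting classic-checkout submissions whose billing country differs from the country WooCommerce geolocates the client IP to. That is exactly the pattern reported earlier in the thread (Australian addresses submitted from Turkish, Afghan and Philippine IPs), and unlike per-IP rate limiting it does not care that every order comes from a different address. It assumes the classic [woocommerce_checkout] shortcode and that WooCommerce's geolocation source (the MaxMind integration or its remote fallback) is configured; the function name, prefix and text domain are hypothetical, while the hook, class and method calls are WooCommerce's own.

```php
<?php
/**
 * Plugin Name: Checkout country/IP mismatch guard (added example, not WooCommerce code)
 * Description: Rejects classic-checkout submissions whose billing country does not
 *              match the country WooCommerce geolocates the client IP to.
 *
 * Drop this file into wp-content/mu-plugins/. The "cig_" prefix and text
 * domain are hypothetical; WC_Geolocation and the hook are WooCommerce's own.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Runs after WooCommerce has validated the posted checkout fields and before
 * the order is processed or the payment gateway is called. Adding any entry
 * to $errors aborts the checkout and shows the message to the visitor.
 *
 * @param array    $data   Sanitized checkout fields posted by the customer.
 * @param WP_Error $errors Validation errors collected by WooCommerce.
 */
function cig_validate_billing_country_against_ip( $data, $errors ) {
	$billing_country = isset( $data['billing_country'] ) ? strtoupper( $data['billing_country'] ) : '';
	if ( '' === $billing_country ) {
		return; // WooCommerce itself reports a missing or invalid billing country.
	}

	// Client IP as WooCommerce sees it (honours X-Forwarded-For behind a proxy or CDN).
	$ip = WC_Geolocation::get_ip_address();

	// $fallback = false so a failed lookup yields an empty country instead of
	// silently substituting the store's base country, which would hide mismatches.
	$geo        = WC_Geolocation::geolocate_ip( $ip, false );
	$ip_country = isset( $geo['country'] ) ? strtoupper( (string) $geo['country'] ) : '';

	if ( '' === $ip_country ) {
		// Fail open: do not block paying customers during a geolocation outage, but log it.
		error_log( sprintf( 'cig: no geolocation result for %s', $ip ) );
		return;
	}

	if ( $ip_country !== $billing_country ) {
		error_log( sprintf(
			'cig: blocked checkout, billing country %s but IP %s resolves to %s',
			$billing_country,
			$ip,
			$ip_country
		) );
		$errors->add(
			'billing_country',
			__( 'Your billing country does not match the location you are ordering from. Please contact us to complete this order.', 'cig' )
		);
	}
}
add_action( 'woocommerce_after_checkout_validation', 'cig_validate_billing_country_against_ip', 10, 2 );
```

Two caveats before relying on it. First, it fires on form submission, so it stops the payment attempt and the order from progressing, but it does nothing about a draft that WooCommerce may already have created when the page loaded; pairing it with an edge rule (for example a Cloudflare WAF rule that challenges requests to the checkout path from countries you do not sell to) is what actually keeps the bots off /checkout. Second, genuine customers travelling abroad or on a VPN will hit the same block, which is why the message asks them to contact the store rather than silently failing; the error_log lines give you a record to review either way.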
It’s been a while since we heard back from you for this reason we are closing this thread.
If WooCommerce has been useful for your store and you appreciate the support you’ve received, we’d truly appreciate it if you could leave us a quick review here:
https://ww.wp.xz.cn/support/plugin/woocommerce/reviews/#new-post
Feel free to open a new forum topic if you run into any other problem.
The topic ‘spam draft orders’ is closed to new replies.