WooCommerce hammered by fake orders
### A bot testing credit cards

I’ve got a client with a small, niche e-commerce store running on WooCommerce. It’s a self-hosted WordPress setup with just enough customizations to meet some very specific needs. Recently, we’ve been seeing a constant trickle of failed orders, about one every 10 minutes, all with the same pattern. It doesn’t take a genius to suspect bot-driven credit card testing.

We tried reCAPTCHA v3. It was clunky, but it worked for a while. Then the attackers changed tactics, slipping right past it. Apparently, we’d been ignoring a major side door.

### Multiple APIs, who knew?

I’m used to the junk that floats around the WordPress ecosystem, but here’s a twist: WooCommerce introduced another API, the Store API, mainly to support their block-based cart and checkout features. It’s documented on their developer resources, but there’s no high-profile “acknowledgment” on their main blog, and quite frankly I'm not following these developments closely because WordPress is definitely not my thing.

Anyway, the Store API is designed for a headless experience and modern front-ends. It allows guest-level interactions. This isn’t necessarily a “vulnerability” in the classic sense, but it's a design choice that’s ripe for abuse by bots, and some of the obvious safeguards (e.g. the ability to disable the API, or parts of it, if you're not using the block system) have not been introduced. So I find it quite problematic.

### Shutting out the bot

My first attempt was a quick fix: using `woocommerce_checkout_process` to filter out suspicious emails. But guess what? The Store API doesn’t play by the same rules as the traditional checkout flow. We weren’t even using this new API, but it existed, ready for exploitation. So I went scorched earth:

```php
add_action( 'rest_api_init', function () {
    // Any REST request whose path contains the Store API namespace is refused outright.
    if ( strpos( $_SERVER['REQUEST_URI'], '/wc/store' ) !== false ) {
        wp_die(
            json_encode( [ 'error' => 'Store API is disabled on this site.' ] ),
            'Store API Disabled',
            [ 'response' => 403, 'content-type' => 'application/json' ]
        );
    }
});
```

Bye-bye, Store API. Not a graceful solution, but we're going to migrate anyway.

### Root causes

This project has almost no maintenance budget. Keeping WooCommerce, the theme, and plugins up-to-date was already a stretch. We once considered Shopify, but it needed custom features that just weren’t doable at the time without spending more than we had. Now the situation is different. We’re looking at moving to a hosted platform that limits our flexibility but offers better security out of the box.

Ironically, the Store API probably came about to make life easier for complex headless setups, the kind of big-budget builds that can afford to harden their pipelines. For a tiny store on a shoestring budget, this kind of "progress" isn’t helpful.
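For stores that do need the Store API (or want a less blunt instrument than the `wp_die` above), here is an added example, not code from the post or from WooCommerce, that throttles only the Store API checkout route per client IP using WordPress core's `rest_pre_dispatch` filter and transients. The route prefix `/wc/store`, the `5` attempts per `600` seconds ceiling, and the `store_checkout_rl_` transient prefix are assumptions chosen for illustration; a card-testing bot that rotates through many IPs will need an additional control (such as a per-card or per-email counter, or the gateway's own velocity checks), which this snippet does not provide.

```php
<?php
// Added example (not the post's or WooCommerce's code): fixed-window rate limit on
// Store API checkout submissions, keyed on client IP. Reads (cart, products) are untouched.

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Only POSTs to a Store API checkout route are counted.
    $route = $request->get_route();
    if ( 'POST' !== $request->get_method()
        || 0 !== strpos( $route, '/wc/store' )        // assumed namespace prefix
        || false === strpos( $route, '/checkout' ) ) {
        return $result;
    }

    // Behind a reverse proxy, replace REMOTE_ADDR with the proxy's trusted
    // client-IP header (deployment-specific, not shown here).
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $key    = 'store_checkout_rl_' . md5( $ip );     // assumed transient prefix
    $limit  = 5;    // assumed: attempts allowed per window
    $window = 600;  // assumed: window length in seconds

    // Fixed window starting at the first attempt; a new window begins once it expires.
    $state = get_transient( $key );
    if ( ! is_array( $state ) || ( time() - $state['start'] ) > $window ) {
        $state = [ 'count' => 0, 'start' => time() ];
    }
    $state['count']++;
    set_transient( $key, $state, $window );

    if ( $state['count'] > $limit ) {
        // Log for detection: a steady stream of these lines is the "trickle" the post describes.
        error_log( sprintf(
            'Store API checkout throttled: ip=%s attempts=%d window=%ds',
            $ip, $state['count'], $window
        ) );
        // Returning a WP_Error short-circuits dispatch; the REST server turns it into a JSON 429.
        return new WP_Error(
            'store_checkout_rate_limited',
            'Too many checkout attempts. Please try again later.',
            [ 'status' => 429 ]
        );
    }

    return $result;
}, 10, 3 );
```

Drop this into a small must-use plugin (`wp-content/mu-plugins/`) so it survives theme changes. Because it hooks the REST dispatcher rather than the classic checkout, it covers the side door the post describes while leaving the block-based cart usable; the classic `woocommerce_checkout_process` check still has to exist separately for the traditional form.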