How to Block 99% of Carding Attacks on WooCommerce (Without Blocking Real Customers)

Published by Bastion Prime | Edited by Heorhi Tratsiak, CEO

You wake up to dozens of failed orders. The names are gibberish. Each transaction is a measly $1.99. Your payment processor’s risk score is tanking, and you’re racking up fees for every declined attempt. This is the signature of a card testing attack (or “carding”). Fraudsters use bots to test stolen credit card numbers on your checkout page, looking for any that still work.

If you’re using a payment gateway like Stripe, you already have a strong baseline: Stripe Radar. But determined fraudsters know how to work around it. In 2026, a successful defense isn’t a single magic bullet; it’s a multi‑layer strategy.

This guide gives you nine production‑tested layers of defense built to stop automated carding. The best part? You can deploy most of them in under an hour without ever bothering a real customer.


Layer 0: How to Spot a Carding Attack

Before you can stop an attack, you need to know what one looks like. Watch for:

  • A sudden spike of failed or pending orders, often for low‑value items (less than $5).
  • Orders with suspicious email addresses and foreign IP addresses.
  • Dozens of transactions originating from the same IP within a short timeframe.
  • A flood of small, low‑value payments appearing in your Stripe or PayPal logs (a strong indicator of card testing).
  • Unexpected chargeback fees for orders you don’t even recognize in your system.

If you see any of these signs, act immediately. Every minute you wait allows the attackers to run more test transactions, incurring more processing fees and potentially triggering a review from your gateway. Pull the timestamps, client IPs, billing emails, and order totals of the failed orders before you start blocking: that evidence drives the rate limits and Radar rules in the layers below, and it is what your processor will ask for if it opens a review.
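The indicators above turned into a quick scan of recent orders, as an added example that is not part of the original article. It runs under WP-CLI inside your WordPress install (wp eval-file carding-scan.php) and uses only WooCommerce's own order API; the thresholds are assumptions to tune against your store's normal hourly order rate.

```php
<?php
// Added example: scan the last hour of failed/pending orders for card-testing clusters.
// Run from the WordPress root with:  wp eval-file carding-scan.php
// The three thresholds are assumptions; set them relative to your normal hourly order volume.
$window_seconds   = HOUR_IN_SECONDS;
$ip_threshold     = 10;   // failed/pending orders from one IP inside the window
$amount_threshold = 15;   // failed/pending orders sharing one identical small total
$small_amount     = 5.00; // "low-value" as used in the indicators above

$orders = wc_get_orders( array(
    'status'       => array( 'failed', 'pending' ),
    'date_created' => '>' . ( time() - $window_seconds ),
    'limit'        => -1,
) );

$by_ip         = array();
$by_amount     = array();
$emails_per_ip = array();
foreach ( $orders as $order ) {
    $ip  = $order->get_customer_ip_address() ?: 'unknown';
    $amt = (float) $order->get_total();
    $by_ip[ $ip ] = ( $by_ip[ $ip ] ?? 0 ) + 1;
    // Many distinct billing emails behind one IP is the classic bot signature.
    $emails_per_ip[ $ip ][ strtolower( (string) $order->get_billing_email() ) ] = true;
    if ( $amt <= $small_amount ) {
        $key = number_format( $amt, 2, '.', '' );
        $by_amount[ $key ] = ( $by_amount[ $key ] ?? 0 ) + 1;
    }
}
arsort( $by_ip );
arsort( $by_amount );

printf( "%d failed/pending orders in the last %d minutes\n", count( $orders ), $window_seconds / 60 );
foreach ( $by_ip as $ip => $n ) {
    if ( $n < $ip_threshold ) {
        break; // sorted descending, so nothing further crosses the threshold
    }
    printf( "SUSPECT IP %-15s %3d orders, %3d distinct billing emails\n", $ip, $n, count( $emails_per_ip[ $ip ] ) );
}
foreach ( $by_amount as $amt => $n ) {
    if ( $n < $amount_threshold ) {
        break;
    }
    printf( "SUSPECT AMOUNT $%s repeated %d times (card testing favours tiny identical totals)\n", $amt, $n );
}
```

The IP column is only meaningful if WooCommerce records the real client address, which is why proxy mode in Layer 1 matters; behind a CDN without it every order carries an edge IP and the per-IP count is noise.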


Layer 1: Harden Your WooCommerce Backend (Free)

Before adding any external tools, start with the foundational security built right into WooCommerce 9.6 and later. These native protections are disabled by default, so check them now:

  1. Enable built‑in rate limiting – Go to WooCommerce → Settings → Advanced → Features and enable “Rate limiting for checkout requests”. This throttles bots hammering the checkout endpoint. WooCommerce's own limiter covers the Store API routes (the block cart and checkout); the classic shortcode checkout posts elsewhere, so pair it with the edge and checkout limits in later layers.
  2. Enable fingerprinting (WooCommerce 9.8+) – Rather than relying on IP address alone, fingerprinting combines IP, user agent, and accept-language headers. This makes it far harder for attackers who rotate IPs to remain undetected.
  3. Turn on proxy mode – If your store sits behind Cloudflare or another CDN, enable proxy mode so WooCommerce reads the real visitor’s IP from the forwarded header instead of using the proxy’s. Without it the limiter counts every visitor against a handful of CDN addresses, which throttles real customers and never isolates the attacker. Only enable it when the origin accepts traffic from the CDN alone; otherwise a request sent straight to the origin can forge the header.
  4. Regenerate API keys – If you use the WooCommerce REST API, generate fresh consumer keys and rotate them monthly. Disable any keys you no longer need to reduce attack surface.
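The same Store API limiter enabled from code, as an added example that is not from the page. The filter name and option keys are WooCommerce's own (woocommerce_store_api_rate_limit_options); the numbers are assumed starting points. Drop it into a must-use plugin or your child theme's functions.php.

```php
<?php
// Added example: enable WooCommerce's built-in Store API rate limiter without the settings UI.
// Affects /wc/store/* routes only (block cart and checkout); excess requests get HTTP 429.
add_filter( 'woocommerce_store_api_rate_limit_options', function ( $options ) {
    $options['enabled'] = true;
    // Read the forwarded client IP instead of the CDN's address. Only safe when the origin
    // accepts traffic from the CDN alone; otherwise a direct request can forge the header.
    $options['proxy_support'] = true;
    $options['limit']   = 25; // requests allowed per window per client (assumed value)
    $options['seconds'] = 10; // window length in seconds (assumed value)
    return $options;
} );
```

Twenty-five requests in ten seconds is generous for a shopper but tight for a script looping on the checkout route; lower it gradually while watching the logs for 429s from real sessions.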

Layer 2: Stripe Radar – The AI-Powered Core

If you process payments through Stripe, you already have Radar—a machine‑learning fraud detection system trained on billions of transactions across millions of merchants. Radar flags high‑risk charges in real time and can automatically block them based on your risk threshold.

To maximize Radar’s effectiveness:

  • Enable 3D Secure 2 (3DS2) through Radar’s rules. Issuer authentication shifts fraud liability to the card issuer, and for card testing it means a stolen number cannot be confirmed as “live” without passing the issuer’s challenge, so each test attempt tells the fraudster nothing. In the Stripe dashboard, open the Radar rules page and enable the built‑in “Request 3D Secure” rules. 3DS runs after the shopper submits the form, so it complements rather than replaces the edge and checkout limits in the layers below.
  • Create custom Radar rules (requires the Radar for Fraud Teams plan at $0.02 per screened transaction). Rules can use IP geography, card attributes, and velocity counters such as the number of distinct cards seen from one IP; Radar counts over hourly, daily, and weekly windows, not arbitrary ones. A rule that blocks when more than a handful of different cards are attempted from the same IP within an hour targets card testing directly, because a real shopper rarely has more than one or two cards. Stripe’s risk settings page also lets you shift the block threshold without writing rules.
  • Monitor Radar’s risk scores. Radar blocks charges it scores 75 or higher by default; charges in the elevated band just below that threshold should be reviewed before fulfillment. You can automatically hold, cancel, or request additional verification for borderline charges.

Radar for Fraud Teams is cheap insurance against sophisticated attacks. If you’re processing more than $10,000 per month, the custom rule‑writing capability alone is worth every cent.


Layer 3: Cloudflare WAF & Rate Limiting

Card testing bots don’t just hit your checkout page; they also target your API endpoints directly. Cloudflare’s Web Application Firewall (WAF) and Rate Limiting rules stop them at the network edge—before they ever touch your server.

WAF Rules to Block Known Attack Patterns

In the Cloudflare dashboard, navigate to Security → WAF and create custom rules:

  1. Challenge or block user agents typical of scripted clients (e.g. curl, python-requests, HeadlessChrome) and empty user‑agent strings. Treat this as a speed bump only: any attacker can set a browser user agent.
  2. Rate limit the endpoints a checkout attempt must hit: /checkout/ (the classic form, which posts to /?wc-ajax=checkout), /wc/store/v1/checkout, and /wc/store/v1/cart. A limit of 5–10 requests per minute per IP is far above what one shopper generates on the checkout routes; start at the higher end for the cart route, which the block cart calls during ordinary browsing, and watch the analytics for blocked legitimate sessions.
  3. Enable Bot Fight Mode (available on the Free plan) or Super Bot Fight Mode (Pro and higher). These challenge or block traffic Cloudflare classifies as automated without showing puzzles to ordinary browsers. Test your incoming payment webhooks and any headless clients afterward, because they can be caught too.
  4. Optionally block entire countries if you only serve a specific region. This single step can eliminate a large share of attacks, though residential proxies let attackers borrow an IP inside your region, so it is a filter, not a wall.

Advanced Rate Limiting Example

One of the most effective edge‑level defenses is to rate limit reuse of a cf_clearance cookie. After a visitor passes a Managed Challenge, Cloudflare issues this cookie so later requests are not challenged again. Attackers solve one challenge (or buy a solved one) and replay the cookie from many machines. A rate limiting rule that matches the /checkout path, counts by the value of the cf_clearance cookie rather than by IP (a custom characteristic; confirm that your plan’s rate limiting supports it), and blocks above 100 requests per 10 minutes stops that replay. Legitimate customers will never notice.

For more precise protection, set up individual rate limiters: 10 requests per minute per IP for the checkout page, 5 requests per minute per IP for login attempts, and 3 requests per minute per IP for password reset requests.
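The three rules above written out as Cloudflare rule objects, as an added configuration example that is not from the article or from Cloudflare's documentation. Each inner object is in the shape the Rulesets API accepts for one rule (expression, action, and for rate limiting the ratelimit block); the outer keys are labels for this example only. Paths assume a default WooCommerce permalink layout and the numeric limits are assumptions to tune.

```json
{
  "waf_custom_rule": {
    "description": "Challenge scripted clients that post to checkout endpoints",
    "expression": "(http.request.method eq \"POST\" and (http.request.uri.path eq \"/checkout/\" or http.request.uri.path contains \"/wc/store/v1/checkout\") and (http.user_agent contains \"python-requests\" or http.user_agent contains \"curl\" or http.user_agent contains \"HeadlessChrome\" or http.user_agent eq \"\"))",
    "action": "managed_challenge"
  },
  "rate_limit_per_ip": {
    "description": "Per-IP limit on checkout submissions (classic wc-ajax and Store API)",
    "expression": "(http.request.method eq \"POST\" and (http.request.uri.path eq \"/checkout/\" or http.request.uri.path contains \"/wc/store/v1/checkout\" or http.request.uri.query contains \"wc-ajax=checkout\"))",
    "action": "block",
    "ratelimit": {
      "characteristics": ["cf.colo.id", "ip.src"],
      "period": 60,
      "requests_per_period": 10,
      "mitigation_timeout": 600
    }
  },
  "rate_limit_cf_clearance_replay": {
    "description": "Stop one solved challenge cookie from being replayed against checkout",
    "expression": "(http.request.uri.path eq \"/checkout/\" and len(http.request.cookies[\"cf_clearance\"]) > 0)",
    "action": "block",
    "ratelimit": {
      "characteristics": ["cf.colo.id", "http.request.cookies[\"cf_clearance\"]"],
      "period": 600,
      "requests_per_period": 100,
      "mitigation_timeout": 600
    }
  }
}
```

The first rule belongs in the custom WAF rules phase, the other two in the rate limiting phase. cf.colo.id is always part of a rate limiting characteristic set, so counting is per data center as well as per IP or cookie; a botnet spread across regions will see slightly more headroom than the nominal number, which is why the per-checkout limits in Layers 4 and 5 still matter.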


Layer 4: Velocity Guard – Free Plugin That Watches Checkout Speed

Velocity Guard for WooCommerce is a free, no‑account‑required plugin that automatically stops card‑testing attacks by tracking the speed of checkout attempts.

Here’s how it works: A real customer places one order at a time, while an attack tool fires dozens of attempts within minutes. Velocity Guard watches for that burst and quietly rejects excessive attempts before they hit your payment processor. The attacker gets nothing, you don’t get billed for failed transactions, and genuine shoppers never notice because the limits sit well above normal behavior. It reads the real client IP behind proxies and Cloudflare, so the counters are not skewed by CDN addresses.

Key features:

  • Sliding‑window velocity rules per IP, email, session, or IP+email combination.
  • Failed‑payment auto‑blocklist with configurable thresholds and lockout durations.
  • Protects the REST API endpoints that modern carding bots target directly (/wc/v3/orders and /wc/store/v1/checkout).
  • Proxy‑aware IP detection for Cloudflare and other CDNs.
  • A dashboard widget and event log showing every block decision.
  • Manual IP whitelist for test cards and staff workstations.

The Pro version adds behavioral device fingerprinting (catches attackers who rotate IPs but keep the same browser), real‑time alerts to Slack or email, and a pattern library that catches obvious bots on the first request.


Layer 5: WooCommerce Checkout Rate Limiter (Free Code Snippet)

For a lightweight, no‑plugin solution that blocks bots hitting the AJAX checkout endpoint, you can drop this code snippet into your child theme’s functions.php file or your site‑specific plugin:

```php
// Register on the legacy admin-ajax action and on the wc-ajax endpoint (?wc-ajax=checkout)
// that the classic checkout form actually posts to. The block checkout posts to the
// Store API (/wc/store/v1/checkout) instead and is not covered by this hook.
add_action( 'wp_ajax_nopriv_woocommerce_checkout', 'bh_checkout_rate_limit', 1 );
add_action( 'wp_ajax_woocommerce_checkout', 'bh_checkout_rate_limit', 1 );
add_action( 'wc_ajax_checkout', 'bh_checkout_rate_limit', 1 );

function bh_checkout_client_ip() {
    // Behind Cloudflare, REMOTE_ADDR is the edge, not the shopper. Trust CF-Connecting-IP only when
    // BH_BEHIND_CLOUDFLARE is defined as true in wp-config.php and the origin only accepts Cloudflare traffic.
    if ( defined( 'BH_BEHIND_CLOUDFLARE' ) && BH_BEHIND_CLOUDFLARE && ! empty( $_SERVER['HTTP_CF_CONNECTING_IP'] ) ) {
        return $_SERVER['HTTP_CF_CONNECTING_IP'];
    }
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function bh_checkout_rate_limit() {
    $limit     = 5;   // attempts per time window
    $timeframe = 300; // seconds (5 minutes)
    $key       = 'checkout_rate_limit_' . md5( bh_checkout_client_ip() );
    $attempts  = (int) get_transient( $key ); // false (no entry yet) becomes 0
    if ( $attempts >= $limit ) {
        // Reply in the JSON shape the checkout script expects, with HTTP 429 for logs and edge rules.
        wp_send_json(
            array(
                'result'   => 'failure',
                'messages' => '<div class="woocommerce-error">Too many checkout attempts. Please try again later.</div>',
            ),
            429
        );
    }
    // get/set on a transient is not atomic, so a tight burst can overshoot $limit by a few requests.
    set_transient( $key, $attempts + 1, $timeframe );
}
```

This code keeps a simple per‑IP counter in a transient and answers with HTTP 429 “Too Many Requests” once the limit is hit. The classic checkout script shows its generic checkout error for a non‑2xx reply, so return status 200 instead if you want shoppers to see the exact message. Customize the $limit and $timeframe variables to match your traffic volume. Because it hooks the wc‑ajax and admin‑ajax checkout actions, it does not see block‑checkout submissions; those go through the Store API and are covered by Layer 1 and Layer 8.


Layer 6: Protect the Checkout Form with Turnstile (Customer‑Friendly CAPTCHA)

Traditional CAPTCHAs (like reCAPTCHA) frustrate real customers, and any CAPTCHA only helps if the token it produces is verified on the server for the request that creates the order; a bot that posts straight to the checkout endpoint never renders the widget. Cloudflare Turnstile is a modern alternative that runs silently in the background, uses browser and behavioral signals to separate humans from automation, and rarely shows a puzzle.

To add Turnstile to your checkout, first obtain a free site key and secret key from the Turnstile section of the Cloudflare dashboard. Then install a WordPress plugin that integrates it, such as Simple Cloudflare Turnstile or Advanced noCaptcha & invisible Captcha, and enable protection for the WooCommerce checkout form. The plugin renders the widget in the form and, crucially, validates the token against Cloudflare’s siteverify endpoint when the order is submitted, so a submission without a valid token is rejected before your gateway is ever called. If you use the block checkout, confirm the plugin also validates the Store API checkout route; otherwise the widget protects a form the bot never uses.
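What such a plugin has to do, as an added example that is not from the page or from any plugin: render the widget on the classic checkout and verify the token server-side in woocommerce_checkout_process, before payment. The hook names, the siteverify URL and the cf-turnstile-response field are Cloudflare's and WooCommerce's; the BH_TURNSTILE_* constants are assumed to be defined in wp-config.php.

```php
<?php
// Added example: server-side Turnstile verification on the classic WooCommerce checkout.
// Assumes define( 'BH_TURNSTILE_SITE_KEY', '...' ) and define( 'BH_TURNSTILE_SECRET_KEY', '...' ) in wp-config.php.

// Load the Turnstile script only on the checkout page.
add_action( 'wp_enqueue_scripts', function () {
    if ( is_checkout() ) {
        wp_enqueue_script( 'cf-turnstile', 'https://challenges.cloudflare.com/turnstile/v0/api.js', array(), null, true );
    }
} );

// Render the widget just above the "Place order" button; it posts a cf-turnstile-response field.
add_action( 'woocommerce_review_order_before_submit', function () {
    echo '<div class="cf-turnstile" data-sitekey="' . esc_attr( BH_TURNSTILE_SITE_KEY ) . '"></div>';
} );

// Verify the token before WooCommerce touches the payment gateway.
add_action( 'woocommerce_checkout_process', function () {
    $token = isset( $_POST['cf-turnstile-response'] ) ? sanitize_text_field( wp_unslash( $_POST['cf-turnstile-response'] ) ) : '';
    if ( '' === $token ) {
        wc_add_notice( 'Please complete the security check before placing your order.', 'error' );
        return;
    }
    $response = wp_remote_post( 'https://challenges.cloudflare.com/turnstile/v0/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => BH_TURNSTILE_SECRET_KEY,
            'response' => $token,
            // Behind a CDN, substitute the forwarded client IP (see the proxy note in Layer 1).
            'remoteip' => $_SERVER['REMOTE_ADDR'] ?? '',
        ),
    ) );
    $body = is_wp_error( $response ) ? null : json_decode( wp_remote_retrieve_body( $response ), true );
    // Fail closed: a transport error and a non-success verdict both reject the submission.
    if ( empty( $body['success'] ) ) {
        wc_add_notice( 'Security check failed. Please reload the page and try again.', 'error' );
    }
} );
```

Because the check runs inside woocommerce_checkout_process, a bot that replays the form without a token is stopped before Stripe sees the card, which is the whole point: the processor never bills you for an attempt that was rejected here.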


Layer 7: Dedicated Anti‑Fraud Plugin (For Manual Review)

When you need more granular control, a dedicated WooCommerce anti‑fraud plugin provides a scoring engine that can automatically place suspicious orders on hold for manual review.

WooCommerce Anti‑Fraud (from WooCommerce.com) assigns each order a risk score from 0 to 100 based on:

  • Order amount
  • Customer account age
  • IP geolocation mismatch vs. billing address
  • Email domain reputation
  • Disposable email detection
  • High‑risk BINs (Bank Identification Numbers)
  • AVS/CVV mismatch results (when reported by your gateway)

You can set thresholds: orders under 50 auto‑accept, orders between 50 and 80 go to a review queue, and orders above 80 auto‑cancel. The plugin also includes a dedicated reviewer dashboard with inline notes and one‑click evidence exports for chargeback responses.

Other excellent plugins to consider: FraudLabs Pro (free tier available, includes email domain validation and geolocation checks) and Signifyd (enterprise‑grade AI with a chargeback guarantee).


Layer 8: Disable REST API Order Creation (High‑Security Tactic)

Modern card‑testing bots don’t bother loading your checkout page at all. They target the WooCommerce REST API and the Store API (/wc/store/v1/checkout) directly, bypassing your front‑end security measures and performing card tests without rendering a single page.

The two routes are not equal. Creating an order through /wp-json/wc/v3/orders already requires an authenticated user with the capability to manage orders, so unauthenticated POSTs there are rejected by WooCommerce itself; the route only matters if a leaked API key or a compromised account is in play, which is why Layer 1 tells you to rotate keys. The route an anonymous bot can actually use is the Store API checkout, which exists precisely so the block checkout can place orders without a login. If your store uses the classic shortcode checkout and has no headless frontend or external app that creates orders through the API, you can refuse order creation on these REST routes outright. This forces every checkout attempt through the standard checkout page, where your other defenses (rate limiting, Turnstile, etc.) are active. A small plugin or custom snippet can hook WordPress’s REST dispatch and reject POST requests to those routes; do not do this on a store that uses the block checkout, because it would break it.
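One way to implement that refusal, as an added example that is not from the page: a rest_pre_dispatch filter (a WordPress core hook) that short-circuits POSTs to the Store API checkout routes and to the wc/v1–v3 orders route. It assumes the classic checkout and no API integrations that create orders; the log source name is made up for this example.

```php
<?php
// Added example: refuse order creation through REST routes this store does not use.
// Assumes the classic (shortcode) checkout. The block checkout posts to /wc/store/v1/checkout
// and would stop working with this active.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( 'POST' !== $request->get_method() ) {
        return $result;
    }
    $route   = $request->get_route();
    $blocked = array(
        '#^/wc/store(/v1)?/checkout#', // Store API checkout: the route anonymous bots can reach
        '#^/wc/v[123]/orders$#',       // authenticated REST order creation; deny outright if no integration needs it
    );
    foreach ( $blocked as $pattern ) {
        if ( preg_match( $pattern, $route ) ) {
            // Record the attempt so Layer 9's weekly review can see who is probing the API.
            wc_get_logger()->warning(
                sprintf( 'Blocked REST order creation on %s from %s', $route, $_SERVER['REMOTE_ADDR'] ?? 'unknown' ),
                array( 'source' => 'bh-rest-order-guard' )
            );
            return new WP_Error(
                'rest_forbidden',
                'Order creation via the REST API is disabled on this store.',
                array( 'status' => 403 )
            );
        }
    }
    return $result;
}, 10, 3 );
```

Returning a WP_Error from rest_pre_dispatch answers the request before any route callback runs, so the card number in the bot's payload never reaches a gateway call. Check the WooCommerce → Status → Logs screen for the bh-rest-order-guard source after deploying; a burst of entries there is the same attack you saw in Layer 0, now stopped one step earlier.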


Layer 9: Monitor, Tune, and Stay Vigilant

A “set and forget” security strategy is a recipe for disaster. Attackers constantly evolve, and your defenses must evolve with them. Build a simple 10‑minute weekly routine:

  • Review Velocity Guard logs and Cloudflare analytics for blocked IPs, spikes in checkout attempts, and new attack patterns.
  • Adjust rate limits if legitimate customers are getting blocked (rare) or if an attack is slipping through. Start with the conservative defaults and tighten incrementally.
  • Update Radar rules as you see new fraud patterns emerge in your Stripe dashboard.
  • Stay on top of plugin updates, especially for your security and payment gateway plugins. Many critical patches are released to address newly discovered vulnerabilities.

If you ever feel overwhelmed, remember that you don’t need 100% perfection. Blocking 99% of automated carding attempts (while letting real customers through) is an achievable, measurable goal. The layered approach described here will get you there without requiring a security PhD or an enterprise budget.


Final Thoughts: Block the Bots, Welcome the Humans

Carding attacks are not going away, and your WooCommerce store is a prime target. But you don’t need to live in fear or accept those $15 chargeback fees as a “cost of doing business.” With a handful of free and low‑cost tools—Stripe Radar, Cloudflare WAF, Velocity Guard, and a few smart configuration tweaks—you can stop 99% of automated checkout fraud without ever frustrating a real customer.

The best time to implement these layers was yesterday. The second‑best time is right now. Pick one layer, get it done this hour, and move to the next. Your payment processor (and your bank account) will thank you.

