Too many WooCommerce Failed Order emails?

May 5, 2023 | eCommerce, Fraud


If you’re a WooCommerce store owner, you may have noticed an increase in the number of failed order emails you’re receiving. While it’s normal to get some failed orders, an overwhelming amount of them could indicate a problem.

In this blog post, we’ll explore what getting too many failed order emails means and how it could be a sign of a WooCommerce checkout attack.

First, let’s define what a failed order is.

A failed order occurs when a customer attempts to make a purchase but the transaction is not completed. This can happen for various reasons, such as an incorrect billing address, insufficient funds, or an expired credit card. As a store owner, you’ll receive an email notification for each failed order.

Now, if you’re getting a large number of failed order emails, it could be a sign of a problem. One possible explanation is that your checkout process is too complicated or confusing, causing customers to abandon their carts. However, if you’ve ruled out any issues with your checkout process, it’s possible that your store is being targeted by a WooCommerce checkout attack.

What is a WooCommerce checkout attack?

A WooCommerce checkout attack is when malicious actors set up scripts to perform hundreds, if not thousands, of requests against a specific WooCommerce store.

The goal is to validate a large number of 💳 credit cards 💳 to find which ones work and which ones do not.

⚠️ These attacks are becoming increasingly common as more and more people shop online. ⚠️

Scripts can perform hundreds of checkout requests against WooCommerce

During a WooCommerce checkout attack, the malicious actors will use bots to simulate the checkout process and attempt to make a purchase using stolen credit card information. When the credit card is declined, a failed order email is sent to the store owner. If the attack is successful, the malicious actors will have validated a large number of credit cards and can then use them for fraudulent purchases elsewhere.

So, what can you do if you suspect that your store is being targeted by a WooCommerce checkout attack?

The first step is to review your failed order emails and see if there is a pattern. If you notice a sudden increase in failed orders within a short amount of time, it could be a sign of an attack.

Checking your access logs

First, open your access log and filter for the HTTP POST requests that go to your checkout endpoints. By default, WooCommerce uses either of the following:

  • /checkout
    or
  • /?wc-ajax=checkout

If you have SSH access, you can easily run this command to get a list of all related requests:

grep POST access.log | grep -i checkout

The first part of the command keeps only the HTTP POST requests from your access.log so we can drill down and avoid unnecessary entries. The second part, after the pipe, filters case-insensitively for requests that contain the checkout keyword. The result shows only the requests your site has received that relate to the checkout process.

An example from Kinsta’s access.log is below:

redacted.com 123.123.123.123 [19/Apr/2023:14:20:38 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1862 31.861 31.861
redacted.com 123.123.123.123 [19/Apr/2023:14:20:39 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1871 31.285 31.285
redacted.com 123.123.123.123 [19/Apr/2023:14:20:40 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1862 31.071 31.072
redacted.com 123.123.123.123 [19/Apr/2023:14:21:38 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1862 31.861 31.861
redacted.com 123.123.123.123 [19/Apr/2023:14:21:39 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1871 31.285 31.285
redacted.com 123.123.123.123 [19/Apr/2023:14:21:40 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1862 31.071 31.072
redacted.com 123.123.123.123 [19/Apr/2023:14:22:38 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1862 31.861 31.861
redacted.com 123.123.123.123 [19/Apr/2023:14:22:39 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1871 31.285 31.285
redacted.com 123.123.123.123 [19/Apr/2023:14:22:40 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1862 31.071 31.072
redacted.com 123.123.123.123 [19/Apr/2023:14:23:38 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1862 31.861 31.861
redacted.com 123.123.123.123 [19/Apr/2023:14:23:39 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1871 31.285 31.285
redacted.com 123.123.123.123 [19/Apr/2023:14:23:40 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1862 31.071 31.072

From this example log, we can see the IP 123.123.123.123 is doing 3 checkout requests per minute, which is quite excessive and is a good indicator of an automated WooCommerce Checkout Attack. In this case the malicious actor set up the script to hit the checkout via the WooCommerce Ajax query string /?wc-ajax=checkout&elementor_page_id=40.

🚨 To stop this attack you can do any of the following actions 🚨:

  • Block the IP via the nginx configuration file nginx.conf or Apache’s .htaccess file.
  • Block the IP via your server firewall, such as iptables, CSF, etc.
  • If you’re using a plugin-based WAF such as WordFence, iThemes Security, or All-in-One Security Firewall, you can review your plugin documentation and block all the offending IPs via your security plugin settings.
  • If you’re using a WAF such as Sucuri or CloudFlare, you can also block the IP from their settings.
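
The per-IP, per-minute check described above, written as an added example that is not part of the original post. It assumes the field layout of the log excerpt shown earlier, uses a constructed sample log with documentation IP addresses, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Field positions assume the log layout shown above:
# $2 = client IP, $3 = "[dd/Mon/yyyy:HH:MM:SS", $5 = method, $6 = quoted URI.

# Constructed sample traffic (documentation IP ranges, not real log data).
sample_log() {
cat <<'EOF'
shop.example 203.0.113.10 [19/Apr/2023:14:20:38 +0000] POST "/?wc-ajax=checkout" HTTP/1.1 200 "https://shop.example/checkout/" "Mozilla/5.0" 203.0.113.10 "/index.php" - 0.82 1862
shop.example 203.0.113.10 [19/Apr/2023:14:20:39 +0000] POST "/?wc-ajax=checkout" HTTP/1.1 200 "https://shop.example/checkout/" "Mozilla/5.0" 203.0.113.10 "/index.php" - 0.82 1871
shop.example 203.0.113.10 [19/Apr/2023:14:20:40 +0000] POST "/?wc-ajax=checkout" HTTP/1.1 200 "https://shop.example/checkout/" "Mozilla/5.0" 203.0.113.10 "/index.php" - 0.82 1862
shop.example 203.0.113.10 [19/Apr/2023:14:21:38 +0000] POST "/?wc-ajax=checkout" HTTP/1.1 200 "https://shop.example/checkout/" "Mozilla/5.0" 203.0.113.10 "/index.php" - 0.82 1862
shop.example 198.51.100.7 [19/Apr/2023:14:20:05 +0000] GET "/checkout/" HTTP/1.1 200 "https://shop.example/cart/" "Mozilla/5.0" 198.51.100.7 "/index.php" - 0.41 9120
shop.example 198.51.100.7 [19/Apr/2023:14:20:41 +0000] POST "/checkout" HTTP/1.1 200 "https://shop.example/checkout/" "Mozilla/5.0" 198.51.100.7 "/index.php" - 0.90 1790
shop.example 192.0.2.44 [19/Apr/2023:14:20:50 +0000] POST "/wp-login.php" HTTP/1.1 200 "https://shop.example/checkout/" "Mozilla/5.0" 192.0.2.44 "/index.php" - 0.30 512
EOF
}

# Print every IP whose busiest minute has at least $1 checkout POSTs
# (default 3, the rate seen in the example log above). Reads the log on stdin.
checkout_bursts() {
    awk -v t="${1:-3}" '
        # Match on the request URI only: a plain grep for "checkout" would also
        # hit lines whose Referer is the checkout page.
        $5 == "POST" && tolower($6) ~ /checkout/ {
            key = $2 SUBSEP substr($3, 2, 17)   # IP + timestamp cut to the minute
            per_min[key]++
            total[$2]++
            if (per_min[key] > peak[$2]) peak[$2] = per_min[key]
        }
        END {
            for (ip in peak)
                if (peak[ip] >= t)
                    printf "%s peak_per_min=%d total=%d\n", ip, peak[ip], total[ip]
        }' | sort
}

# Turn that report into nginx access-module "deny" lines for review.
nginx_deny_lines() {
    awk '{ print "deny " $1 ";" }'
}

sample_log | checkout_bursts 3 | nginx_deny_lines
```

On a real server, feed it the log with checkout_bursts 3 < access.log. Review the report before blocking, since an address shared by a proxy or office network can also carry legitimate shoppers.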

Checking your email logs

Another quick way to find further clues about what is happening is to check your server email logs or your SMTP provider logs.

Most hosting providers do not let you check how many emails your website has sent, so it’s best to use a third-party SMTP service, for both reliability and visibility/logging. Providers such as MailGun, SendGrid, AWS SES or MailChannels will allow you to access their console and review all emails sent by your website.

Below is an example of the default WooCommerce Failed Order notification email, retrieved from the postfix queue of a Linux server:

      2 Subject: [your woocommerce store]: Order #xxxxx has failed
      2 Subject: [your woocommerce store]: Order #xxxxx has failed
      2 Subject: [your woocommerce store]: Order #xxxxx has failed
      2 Subject: [your woocommerce store]: Order #xxxxx has failed
      2 Subject: [your woocommerce store]: Order #xxxxx has failed
      2 Subject: [your woocommerce store]: Order #xxxxx has failed
      2 Subject: [your woocommerce store]: Order #xxxxx has failed
      2 Subject: [your woocommerce store]: Order #xxxxx has failed
      2 Subject: [your woocommerce store]: Order #xxxxx has failed
      2 Subject: [your woocommerce store]: Order #xxxxx has failed
      2 Subject: [your woocommerce store]: Order #xxxxx has failed
      2 Subject: [your woocommerce store]: Order #xxxxx has failed
      2 Subject: [your woocommerce store]: Order #xxxxx has failed
      2 Subject: [your woocommerce store]: Order #xxxxx has failed
      2 Subject: [your woocommerce store]: Order #xxxxx has failed
      2 Subject: [your woocommerce store]: Order #xxxxx has failed

Receiving several emails like this with consecutive orders over a short period of time is a huge indicator that your store might be subject to the WooCommerce Checkout Attack. Be sure to review the previous section and block all offending IPs or contact your hosting provider for further assistance. We at WP Mechanics can also assist you in stopping and preventing these issues; feel free to contact us.

What are the next steps?

Next, you should implement measures to prevent these attacks from happening in the first place. One solution is to use a plugin or service that can detect and block suspicious activity.

For example, the Jetpack Security plugin for WooCommerce includes a feature called “Brute Force Attack Protection” that can help prevent checkout attacks.

Implementing a CAPTCHA solution

Google reCAPTCHA

Another option is to implement an invisible reCaptcha (also known as reCaptcha V3) field on the checkout workflow.

The plugin Advanced Google Recaptcha is FREE and provides an easy way to implement this feature on your website.

CloudFlare Turnstile

It is also worth noting that Cloudflare has recently launched a FREE CAPTCHA replacement named CloudFlare Turnstile.

You can use the plugin Simple CloudFlare Turnstile to integrate this CAPTCHA into your WooCommerce checkout page.

I know some readers, marketers or store owners will complain about CAPTCHA fields and state that this negatively impacts both conversions and the user experience, but it is a valid technical option. The simplest way to prevent this is to disable guest checkout and require user registration for each purchase.

In addition, you should ensure that your store is using secure payment gateways that comply with PCI DSS standards. This includes using SSL encryption, requiring strong passwords, and regularly updating your plugins and software.

In conclusion, if you’re receiving too many failed order emails, it could be a sign of a WooCommerce checkout attack. These attacks can be devastating for your store and your customers, so it’s important to take proactive measures to prevent them.

By staying vigilant and implementing security measures, you can protect your store and your customers from these types of attacks. And if you’d like further assistance, contact WP Mechanics for a FREE consultation.
