If you’re a WooCommerce store owner, you may have noticed an increase in the number of failed order emails you’re receiving. While it’s normal to get some failed orders, an overwhelming amount of them could indicate a problem.
In this blog post, we’ll explore what getting too many failed order emails means and how it could be a sign of a WooCommerce checkout attack.
First, let’s define what a failed order is.
A failed order occurs when a customer attempts to make a purchase but the transaction is not completed. This can happen for various reasons, such as an incorrect billing address, insufficient funds, or an expired credit card. As a store owner, you’ll receive an email notification for each failed order.
Now, if you’re getting a large number of failed order emails, it could be a sign of a problem. One possible explanation is that your checkout process is too complicated or confusing, causing customers to abandon their carts. However, if you’ve ruled out any issues with your checkout process, it’s possible that your store is being targeted by a WooCommerce checkout attack.
What is a WooCommerce checkout attack?
A WooCommerce checkout attack is when malicious actors set up scripts to perform hundreds, if not thousands, of requests against a specific WooCommerce store.
The goal is to validate a large amount of 💳 credit cards 💳 to find which ones work and which ones do not.
⚠️ These attacks are becoming increasingly common as more and more people shop online. ⚠️
During a WooCommerce checkout attack, the malicious actors will use bots to simulate the checkout process and attempt to make a purchase using stolen credit card information. When the credit card is declined, a failed order email is sent to the store owner. If the attack is successful, the malicious actors will have validated a large number of credit cards and can then use them for fraudulent purchases elsewhere.
So, what can you do if you suspect that your store is being targeted by a WooCommerce checkout attack?
The first step is to review your failed order emails and see if there is a pattern. If you notice a sudden increase in failed orders within a short amount of time, it could be a sign of an attack.
Checking your access logs
The first thing to do is open your access log, filter for HTTP POST requests, and then narrow those down to the requests that hit your checkout endpoints. By default, WooCommerce uses either /checkout or /?wc-ajax=checkout.
If you have SSH access, you can easily run this command to get a list of all related requests:
grep POST access.log | grep -i checkout
The first part of the command filters all the HTTP POST requests from your access.log, so we can drill down and avoid unnecessary entries. The second part, after the pipe, filters case-insensitively for all requests that contain the checkout keyword. This way we only see the requests your site has received that relate to the checkout process.
An example from Kinsta’s access.log is below:
redacted.com 123.123.123.123 [19/Apr/2023:14:20:38 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1862 31.861 31.861
redacted.com 123.123.123.123 [19/Apr/2023:14:20:39 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1871 31.285 31.285
redacted.com 123.123.123.123 [19/Apr/2023:14:20:40 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1862 31.071 31.072
redacted.com 123.123.123.123 [19/Apr/2023:14:21:38 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1862 31.861 31.861
redacted.com 123.123.123.123 [19/Apr/2023:14:21:39 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1871 31.285 31.285
redacted.com 123.123.123.123 [19/Apr/2023:14:21:40 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1862 31.071 31.072
redacted.com 123.123.123.123 [19/Apr/2023:14:22:38 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1862 31.861 31.861
redacted.com 123.123.123.123 [19/Apr/2023:14:22:39 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1871 31.285 31.285
redacted.com 123.123.123.123 [19/Apr/2023:14:22:40 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1862 31.071 31.072
redacted.com 123.123.123.123 [19/Apr/2023:14:23:38 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1862 31.861 31.861
redacted.com 123.123.123.123 [19/Apr/2023:14:23:39 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1871 31.285 31.285
redacted.com 123.123.123.123 [19/Apr/2023:14:23:40 +0000] POST "/?wc-ajax=checkout&elementor_page_id=40" HTTP/1.1 200 "https://redacted.com/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 123.123.123.123 "/index.php" - 0.82 1862 31.071 31.072
From this example log, we can see the IP 123.123.123.123 is making 3 checkout requests per minute, which is quite excessive and is a good indicator of an automated WooCommerce checkout attack. In this case the malicious actor set up the script to hit the checkout via the WooCommerce Ajax query string /?wc-ajax=checkout&elementor_page_id=40.
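As an added example (not part of the original post): the grep above only lists the checkout requests, while the functions below group them per IP and per minute so that bursts like the one in the sample log stand out, and then reduce the result to a list of IPs to review for blocking. The script assumes the log layout of the sample lines above; the names checkout_bursts, offending_ips and sample_log are hypothetical, and the embedded log lines are constructed.

```bash
#!/usr/bin/env bash
# Added example. Assumes the log layout of the sample lines above:
#   host ip [dd/Mon/yyyy:HH:MM:SS +0000] METHOD "uri" HTTP/1.1 status ...
# so $2 = client IP, $3 = "[timestamp", $5 = method, $6 = quoted URI.

# checkout_bursts [THRESHOLD] < access.log
# Prints "ip minute count" for each (IP, minute) bucket that holds at
# least THRESHOLD checkout POSTs (default 3, the rate in the sample log).
checkout_bursts() {
  awk -v t="${1:-3}" '
    $5 == "POST" && tolower($6) ~ /^"\/(checkout|\?wc-ajax=checkout)/ {
      minute = substr($3, 2, 17)   # "[19/Apr/2023:14:20:38" -> "19/Apr/2023:14:20"
      hits[$2 " " minute]++
    }
    END { for (k in hits) if (hits[k] >= t) print k, hits[k] }
  ' | sort
}

# offending_ips [THRESHOLD] < access.log
# Distinct IPs that crossed the threshold, ready to review for blocking.
offending_ips() {
  checkout_bursts "${1:-3}" | cut -d" " -f1 | sort -u
}

# Constructed sample lines (documentation IP ranges, shortened tail fields).
sample_log() {
  cat <<'EOF'
shop.example 203.0.113.7 [19/Apr/2023:14:20:10 +0000] GET "/checkout/" HTTP/1.1 200 "-" "Mozilla/5.0"
shop.example 203.0.113.7 [19/Apr/2023:14:20:38 +0000] POST "/?wc-ajax=checkout" HTTP/1.1 200 "-" "Mozilla/5.0"
shop.example 203.0.113.7 [19/Apr/2023:14:20:39 +0000] POST "/?wc-ajax=checkout" HTTP/1.1 200 "-" "Mozilla/5.0"
shop.example 203.0.113.7 [19/Apr/2023:14:20:40 +0000] POST "/?wc-ajax=checkout" HTTP/1.1 200 "-" "Mozilla/5.0"
shop.example 198.51.100.9 [19/Apr/2023:14:20:41 +0000] POST "/checkout/" HTTP/1.1 200 "-" "Mozilla/5.0"
shop.example 198.51.100.9 [19/Apr/2023:14:20:55 +0000] POST "/wp-login.php" HTTP/1.1 200 "-" "Mozilla/5.0"
shop.example 203.0.113.7 [19/Apr/2023:14:21:38 +0000] POST "/?wc-ajax=checkout" HTTP/1.1 200 "-" "Mozilla/5.0"
shop.example 203.0.113.7 [19/Apr/2023:14:21:39 +0000] POST "/?wc-ajax=checkout" HTTP/1.1 200 "-" "Mozilla/5.0"
shop.example 203.0.113.7 [19/Apr/2023:14:21:40 +0000] POST "/?wc-ajax=checkout" HTTP/1.1 200 "-" "Mozilla/5.0"
EOF
}

# Demo on the constructed sample; on a real server: checkout_bursts 3 < access.log
sample_log | checkout_bursts 3
```

A single real customer retrying a declined card can also produce a few POSTs in a minute, so compare flagged IPs against the failed orders they created before blocking them.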
🚨 To stop this attack you can do any of the following actions 🚨:
- Block the IP via nginx’s configuration file nginx.conf or Apache’s .htaccess file.
- Block the IP via your server firewall, such as iptables, CSF, etc.
- If you’re using a plugin-based WAF such as WordFence, iThemes Security or All-in-One Security Firewall, you can review your plugin documentation and block all the offending IPs via your security plugin settings.
- If you’re using a WAF such as Sucuri or CloudFlare, you can also block the IP from their settings.
Checking your email logs
Another quick way to find further clues about what is happening is to check your server email logs or your SMTP provider logs.
Most hosting providers do not offer the ability to check how many emails your website has sent, so it’s best to use a 3rd party SMTP service, both for reliability and for visibility/logging. Providers such as MailGun, SendGrid, AWS SES or MailChannels will allow you to access their console and review all emails sent by your website.
Below is an example of the default WooCommerce Failed Order notification email, retrieved from the postfix queue of a Linux server:
2 Subject: [your woocommerce store]: Order #xxxxx has failed
2 Subject: [your woocommerce store]: Order #xxxxx has failed
2 Subject: [your woocommerce store]: Order #xxxxx has failed
2 Subject: [your woocommerce store]: Order #xxxxx has failed
2 Subject: [your woocommerce store]: Order #xxxxx has failed
2 Subject: [your woocommerce store]: Order #xxxxx has failed
2 Subject: [your woocommerce store]: Order #xxxxx has failed
2 Subject: [your woocommerce store]: Order #xxxxx has failed
2 Subject: [your woocommerce store]: Order #xxxxx has failed
2 Subject: [your woocommerce store]: Order #xxxxx has failed
2 Subject: [your woocommerce store]: Order #xxxxx has failed
2 Subject: [your woocommerce store]: Order #xxxxx has failed
2 Subject: [your woocommerce store]: Order #xxxxx has failed
2 Subject: [your woocommerce store]: Order #xxxxx has failed
2 Subject: [your woocommerce store]: Order #xxxxx has failed
2 Subject: [your woocommerce store]: Order #xxxxx has failed
Receiving several emails like this with consecutive orders over a short period of time is a huge indicator that your store might be subject to the WooCommerce checkout attack. Be sure to review the previous section and block all offending IPs, or contact your hosting provider for further assistance. We at WP Mechanics can also assist you in stopping and preventing these issues; feel free to contact us.
What are the next steps?
Next, you should implement measures to prevent these attacks from happening in the first place. One solution is to use a plugin or service that can detect and block suspicious activity.
For example, the Jetpack Security plugin for WooCommerce includes a feature called “Brute Force Attack Protection” that can help prevent checkout attacks.
Implementing a CAPTCHA solution
Google reCAPTCHA
Another option is to implement an invisible reCAPTCHA (also known as reCAPTCHA v3) field in the checkout workflow.
The plugin Advanced Google Recaptcha is FREE and provides an easy way to implement this feature on your website.
CloudFlare Turnstile
It is also worth noting that Cloudflare has recently launched a FREE CAPTCHA replacement named CloudFlare Turnstile.
You can use the plugin Simple CloudFlare Turnstile to integrate this CAPTCHA into your WooCommerce checkout page.
I know some readers, marketers or store owners will complain about CAPTCHA fields and state that this negatively impacts both conversions and the user experience, but it is a valid technical option. The simplest way to prevent this is to disable guest checkout and require user registration for each purchase.
In addition, you should ensure that your store is using secure payment gateways that comply with PCI DSS standards. This includes using SSL encryption, requiring strong passwords, and regularly updating your plugins and software.
In conclusion, if you’re receiving too many failed order emails, it could be a sign of a WooCommerce checkout attack. These attacks can be devastating for your store and your customers, so it’s important to take proactive measures to prevent them.
By staying vigilant and implementing security measures, you can protect your store and your customers from these types of attacks. And if you’d like further assistance, contact WP Mechanics for a FREE consultation.