• opusuno

    (@opusuno)


    Card Testing Attacks galore using PayPal on 2 client sites. We added the disable_wc_endpoint snippets but didn’t work. Orders still coming thru. Disabling PayPal stops them.

    wc-ajax=ppc-create-order <-- This is in the logs for every bogus order

    Please fix.

    • This topic was modified 7 months ago by opusuno.
Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Support Syde Jamie

    (@jamieong)

    Hi @opusuno ,

    Thank you for reaching out to us, we are here to help.

    The wc-ajax=ppc-create-order in your logs indicates that attackers are specifically targeting the PayPal Payments plugin’s order creation endpoint, not the standard WooCommerce endpoints. This is why disabling general WC endpoints didn’t work – the attacks are going through PayPal’s dedicated AJAX handlers.

    Regarding the possible card attacks, we also recommend reCaptcha for WooCommerce to prevent these card testing attacks from creating accounts and orders.

    The documentation can be found here: https://woocommerce.com/document/how-do-i-prevent-and-respond-to-card-testing-attacks/#preventing-card-testing

    Let us know how it goes.

    Best Regards,
    Jamie

    Thread Starter opusuno

    (@opusuno)

    Syde, respectfully, you admit there’s a problem. But then your solution is to tell me to use reCaptcha? We tried that before posting. ReCaptcha doesn’t fix it. Disabling PayPal, however, does.

    Please fix the plugin.

    Plugin Support Krystian Syde

    (@inpsydekrystian)

    Hello @opusuno

    You’re right, reCaptcha will not resolve this issue in this case, as the fraudulent orders are being created via the Orders API, not through the regular checkout flow. We’ve confirmed this internally and are actively working on a mitigation for the plugin.

    We’ll follow up once a fix is available. Thanks for your patience.

    Kind Regards,
    Krystian

    pancho12

    (@pancho12)

    In case it helps anyone, we have blocked access to /wp-json/wc/store/ in the .htaccess file as this is the prefix to the URLs being used to create orders. The code snippet we used is:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    # Match any request whose path starts with the WooCommerce Store API prefix
    RewriteCond %{REQUEST_URI} ^/wp-json/wc/store
    # Answer with 404 and stop processing further rules
    RewriteRule .* - [R=404,L]
    </IfModule>
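The two request shapes named so far in this thread, the `wc-ajax=ppc-create-order` handler from Jamie's reply and the `/wp-json/wc/store/` prefix from pancho12's rewrite rule, are easy to watch for in web-server access logs. The script below is an added example written for this page, not code from the plugin or from any poster. It assumes Apache/nginx "combined" log format, uses constructed sample lines with documentation-range IP addresses, and flags any client that hits an order-creation endpoint more than a threshold number of times inside a sliding window. That per-IP burst count is the signal you would feed to a firewall rule or rate limiter rather than blocking the endpoint outright.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format (assumption for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request shapes quoted in the thread: the PayPal plugin's wc-ajax handler
# and the WooCommerce Store API prefix.
TARGET_PATTERNS = (
    re.compile(r'[?&]wc-ajax=ppc-create-order\b'),
    re.compile(r'^/wp-json/wc/store/'),
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m.group('ip'), 'ts': ts, 'path': m.group('path'),
            'status': int(m.group('status')), 'ua': m.group('ua')}


def is_order_creation(path):
    """True if the request path targets one of the order-creation endpoints above."""
    return any(p.search(path) for p in TARGET_PATTERNS)


def find_bursts(lines, window_seconds=60, threshold=5):
    """Return {ip: peak_count} for IPs that issued more than `threshold`
    order-creation requests inside any `window_seconds` sliding window.
    Lines are expected in chronological order per IP, as a log file is."""
    hits = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_order_creation(rec['path']):
            continue
        q = hits[rec['ip']]
        q.append(rec['ts'])
        # Drop timestamps that fell out of the window for this IP.
        while q and rec['ts'] - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) > threshold:
            flagged[rec['ip']] = max(flagged.get(rec['ip'], 0), len(q))
    return flagged


def _constructed_line(ip, ts, path, ua):
    # Builds one combined-format line; used only to construct sample input here.
    return f'{ip} - - [{ts}] "POST {path} HTTP/1.1" 200 512 "-" "{ua}"'


# Constructed sample log: one legitimate shopper, one burst against the
# wc-ajax handler, one burst against the Store API checkout route.
SAMPLE_LOG = [
    _constructed_line('203.0.113.5', '10/Mar/2025:14:02:11 +0000',
                      '/?wc-ajax=ppc-create-order', 'Mozilla/5.0'),
    _constructed_line('203.0.113.5', '10/Mar/2025:14:02:30 +0000',
                      '/checkout/order-received/1234/', 'Mozilla/5.0'),
] + [
    _constructed_line('198.51.100.77', f'10/Mar/2025:14:02:{12 + i:02d} +0000',
                      '/?wc-ajax=ppc-create-order', 'python-requests/2.31')
    for i in range(8)
] + [
    _constructed_line('192.0.2.9', f'10/Mar/2025:14:03:{i * 3:02d} +0000',
                      '/wp-json/wc/store/v1/checkout', 'Mozilla/5.0')
    for i in range(6)
]

if __name__ == '__main__':
    for ip, peak in find_bursts(SAMPLE_LOG).items():
        print(f'{ip}: {peak} order-creation requests within 60s')
```

On the sample input this flags 198.51.100.77 (8 hits in 7 seconds) and 192.0.2.9 (6 hits in 15 seconds) and leaves the single-checkout shopper alone. One caveat on the rewrite rule above: `/wp-json/wc/store/` is the WooCommerce Store API, which the block-based cart and checkout use for normal purchases, so returning 404 for that prefix is only safe on a site that runs the classic shortcode checkout.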

    Thread Starter opusuno

    (@opusuno)

    Hi Krystian, I fully understand it’s the bad actors. And I agree. These actors stealing credit cards are scum. But I wanted you to know — using both Authorize and Square our many clients have experienced none of these attacks. Only PayPal is currently being targeted. I’m patient. My clients? haha.. No comment. Thanks for your attention to the matter.

    Plugin Support Krystian Syde

    (@inpsydekrystian)

    Hello @opusuno

    If the attackers are using tools like Selenium or Playwright, detection becomes especially challenging.

    In the meantime, we recommend enabling 3DS as mandatory for all card transactions. This ensures that no fraudulent orders can be completed. Everything beyond that ends up being just spam orders, which, while frustrating, can be safely trashed. We know this is not ideal, but it’s the best way to contain the issue until a more robust solution is deployed.

    Kind Regards,
    Krystian

    Moderator Support Moderator

    (@moderator)

    @inpsydekrystian Could you please direct people to create their own topics instead of encouraging pile on topics?

    If you need support and you are not the person who started this topic then per the forum guidelines please start your own topic.

    https://wordpress.org/support/forum-user-guide/faq/#i-have-the-same-problem-can-i-just-reply-to-someone-elses-post-with-me-too

    You can do so here.

    https://wordpress.org/support/plugin/woocommerce-paypal-payments/

    The many “I have this problem too” replies have been archived.

    @inpsydekrystian please advise status on a possible fix.

    Plugin Support Krystian Syde

    (@inpsydekrystian)

    Hello @opusuno

    Some time ago, you reported incidents of fraudulent orders impacting your site. We’re pleased to share that a comprehensive prevention mechanism is now available, thoroughly validated across a wide user base during the release candidate phase.

    The latest version of the plugin introduces a native reCAPTCHA integration specifically designed to block automated abuse and card-testing activity at the PayPal payment endpoints. You can download the release here: https://github.com/woocommerce/woocommerce-paypal-payments/releases/tag/3.3.0
    Alternatively, the update can be installed directly from your WordPress dashboard.

    This version combines invisible reCAPTCHA v3/v2 captcha for potential bots or automated requests to protect the PayPal payment endpoints. The protection is active on both the classic and block-based checkout and helps prevent automated card testing and other forms of malicious activity that can result in random declines or failed transactions. Unlike general CAPTCHA plugins, this implementation specifically protects the PayPal endpoints, so we recommend using it instead of third-party CAPTCHA solutions.

    After installing the update, go to: WooCommerce → Settings → Integration → WooCommerce PayPal Payments CAPTCHA
    Or open directly: /wp-admin/admin.php?page=wc-settings&tab=integration&section=wppc

    From there, generate your Site Key and Secret Key using the Google reCAPTCHA admin console and paste them into the corresponding fields. Once saved, the CAPTCHA will silently protect the checkout process without disrupting legitimate users.

    Documentation is also available here: https://woocommerce.com/document/woocommerce-paypal-payments/fraud-and-disputes/

    If you need any help during setup feel free to reach out.

    Kind Regards,
    Krystian
