• Hi,

    I’ve been looking all over and I can’t find a definitive answer, I hope it’s because this is a relatively new product.

    We are having an issue with bots trying to check out and failing causing orders to go from draft -> failed (From my research drafts only happen when using block checkout). This triggers an email being sent out for every failure. Sometimes hundreds at a time.

    In the past we solved this using the hook: woocommerce_checkout_process
    However, this hook is no longer available with WooCommerce Blocks

    1. We don’t have WooCommerce Blocks enabled. I just double checked in the checkout page, we are still using the shortcode checkout.
    2. When I try and checkout regularly the hook fires correctly.

    So, I have a few questions:

    1. Is there an equivalent hook to woocommerce_checkout_process for WooCommerce Blocks when I can manually check my honeypot var (We are using woocommerce_checkout_process & woocommerce_review_order_after_submit accordingly).
    2. How are these bots bypassing my regular checkout and checking out via blocks if I’m using the shortcode checkout?

    Thanks

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support Zubair Zahid (woo-hc)

    (@doublezed2)

    Hello binaryfabric,

    Thank you for contacting WooCommerce support.

    I understand you’re dealing with an issue where bots are triggering failed checkout orders and email notifications, and you’re unsure how they’re bypassing your regular shortcode-based checkout.

    WooCommerce Blocks handle checkout differently, relying on JavaScript and REST API for functionality, so traditional PHP hooks like woocommerce_checkout_process aren’t available.
    I suggest you consult a professional WooCommerce Developer who can assist you with achieving your goal.

    I also suggest reading this guide: How to Prevent and Respond to Card Testing Attacks, which may provide useful insights.

    If you’re using the shortcode checkout, WooCommerce Blocks shouldn’t be active.
    To assist you better, could you please share your site’s System Status Report?
    You can find it under WooCommerce > Status. Select Get system report and then Copy for support.

    If your site URL is redacted in the report, please share it separately.

    Looking forward to your response.

    Thread Starter binaryfabric

    (@binaryfabric)

    Hi,

    I don’t feel comfortable sharing that information publicly, is there a place where I can share it privately?

    Also, I am the dev. I built all the security measures that are currently in place and they have been working. As stated above, I was able to hook into woocommerce_checkout_process for verification purposes.

    However, now that blocks are enabled, I’m not even sure how, I need a new method. I’ve tried searching the docs for new hooks, but was unable to find any solutions which is why I came here.

    Thanks

    Plugin Support Mahfuzur Rahman(woo-hc)

    (@mahfuzurwp)

    Hello @binaryfabric,

    Thank you for reaching out with your questions.

    1. Equivalent Hook for woocommerce_checkout_process in WooCommerce Blocks:
      In WooCommerce Blocks, the equivalent hook to woocommerce_checkout_process is woocommerce_store_api_checkout_process_validation. This hook allows you to perform custom validation during the checkout process when using the Store API, which is utilized by WooCommerce Blocks.
    2. Bots Bypassing Shortcode Checkout and Using WooCommerce Blocks:
      If you’re not using WooCommerce Blocks for your checkout page, bots cannot directly bypass the shortcode-based checkout and use Blocks unless:
      • Exposed WooCommerce Blocks Endpoints: WooCommerce Blocks provides REST API endpoints for cart, checkout, and product functionalities. If these endpoints are exposed and accessible, bots might target them directly.
      • Draft Orders via REST API: Draft orders can also be created through the WooCommerce REST API. If these APIs are enabled, bots might exploit them.
      • Indirect Introduction of Blocks Functionality: Another plugin or custom code might be introducing Blocks functionality indirectly, allowing bots to exploit it.

    Recommendations:

    • Restrict Access to Store API Endpoints: Implement security measures to restrict access to the Store API endpoints. This can be done by requiring authentication for API requests or using security plugins to block unauthorized access.
    • Disable Unused REST API Endpoints: If certain REST API endpoints are not in use, consider disabling them to prevent unauthorized access. This can be achieved by removing their existence from the REST server using filters.
    • Review Plugins: Check for plugins that might introduce WooCommerce Blocks functionality unintentionally.

    For more detailed information, you can refer to the following resources:
    • WooCommerce Store API Documentation
    • How to Block All REST API Endpoints Except Custom Ones

    I hope this helps, thank you!
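
One way to apply the "Disable Unused REST API Endpoints" recommendation above on a site that uses only the shortcode checkout, as an added example that is not part of the thread or WooCommerce's own code. It assumes the Store API checkout routes are registered under `/wc/store/` or `/wc/store/v1/`; the function and constant names are hypothetical.

```php
<?php
/**
 * Added example: unregister the Store API checkout routes so requests sent
 * straight to them no longer reach order creation. Intended for sites whose
 * checkout page uses the [woocommerce_checkout] shortcode only.
 */

// Assumption: checkout routes are keyed as /wc/store/checkout or
// /wc/store/v1/checkout (optionally followed by a sub-path).
const EXAMPLE_BLOCKED_ROUTE_PATTERN = '#^/wc/store(/v\d+)?/checkout(/|$)#';

/**
 * Callback for the core 'rest_endpoints' filter.
 *
 * @param array $endpoints Route pattern => handler definitions.
 * @return array The same map without the Store API checkout routes.
 */
function example_remove_store_api_checkout_routes( array $endpoints ): array {
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( preg_match( EXAMPLE_BLOCKED_ROUTE_PATTERN, $route ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: run late so routes added by other plugins are seen.
    add_filter( 'rest_endpoints', 'example_remove_store_api_checkout_routes', 99 );
} else {
    // Outside WordPress: dry run on a constructed route map.
    $sample = array(
        '/wp/v2/posts'                         => array(),
        '/wc/store/v1/cart'                    => array(),
        '/wc/store/v1/checkout'                => array(),
        '/wc/store/v1/checkout/(?P<id>[\d]+)'  => array(),
        '/wc/store/checkout'                   => array(),
    );
    // Only /wp/v2/posts and /wc/store/v1/cart should remain.
    print_r( array_keys( example_remove_store_api_checkout_routes( $sample ) ) );
}
```

The cart and product routes are left registered because cart or mini-cart blocks may still call them; compare the pattern against the site's own route list before deploying.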

    Thread Starter binaryfabric

    (@binaryfabric)

    I will try and look into that. Thank you!
