Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter danoewo

    (@danoewo)

    So we did finally end up having success with the following code snippet:

    add_filter('woocommerce_rest_authentication_disabled', '__return_true');

    /** disable wc_endpoint to stop carding attacks **/
    function disable_wc_endpoint() {
        $current_url = $_SERVER['REQUEST_URI'];
        // Redirect any request whose URI contains the Store API checkout path.
        if (strpos($current_url, '/wp-json/wc/store/checkout') !== false) {
            wp_redirect(home_url('/404.php'));
            exit;
        }
    }
    add_action('rest_api_init', 'disable_wc_endpoint');

    This stopped it immediately for a couple weeks now, but then a couple days ago we were hit with more invalid orders, all with Origin Unknown, but from a different criminal group (orders didn’t have the same fingerprint as the previous group of orders). Fortunately blocking their IP addresses stopped those. Not sure how they got through at this point.

    I agree, WooCommerce needs to find a way to secure the API. All fake orders show “Origin Unknown” – so if we could block that it sure would help.

    Thread Starter danoewo

    (@danoewo)

    Changed the system to not allow guest checkout and these spam orders continue to come in. Didn’t want to implement email verification but I guess that is the next step. Any other thoughts? Especially with the “Origin Unknown” – seems like that is an indicator of something we should be able to block.

    Thread Starter danoewo

    (@danoewo)

    We’re not ready to require users to register yet – many want to use the Guest checkout without creating an account. We are aware that they are using fake names, addresses, and emails. There has to be another way to block these. Can they be putting orders in programmatically via an API that I’m not aware of?
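
Added example, not part of the thread: one way to check the web server access log for orders submitted programmatically through the Store API checkout endpoint discussed above, counting POSTs per client IP. It assumes combined log format; the sample lines, the function names and the threshold are constructed for illustration, and the pattern also covers the versioned route and the `?rest_route=` form of the same endpoint.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "POST /wp-json/wc/store/checkout HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "POST /?rest_route=%2Fwc%2Fstore%2Fv1%2Fcheckout HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [01/Jan/2025:10:01:00 +0000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 200 498 "https://shop.example/checkout/" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2025:10:01:10 +0000] "GET /wp-json/wc/store/v1/cart HTTP/1.1" 200 900 "https://shop.example/cart/" "Mozilla/5.0"
192.0.2.9 - - [01/Jan/2025:10:02:00 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 300 "https://shop.example/checkout/" "Mozilla/5.0"
"""

# Client IP, HTTP method and request target from one combined-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} ')

# Store API checkout route: pretty-permalink or ?rest_route= form,
# with or without a version segment such as v1.
CHECKOUT_RE = re.compile(
    r'(?:/wp-json|[?&]rest_route=)/wc/store/(?:v\d+/)?checkout(?:[/?&]|$)'
)


def store_checkout_posts(log_text):
    """Count POST requests to the Store API checkout route per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        ip, method, target = match.groups()
        # Decode %2F etc. so an encoded rest_route value is matched too.
        if method == "POST" and CHECKOUT_RE.search(unquote(target)):
            counts[ip] += 1
    return counts


def suspects(log_text, threshold=3):
    """IPs with at least `threshold` checkout POSTs (threshold is an assumption)."""
    counts = store_checkout_posts(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in store_checkout_posts(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} checkout POSTs")
    print("over threshold:", suspects(SAMPLE_LOG))
```

Comparing the timestamps of these requests with the creation times of the fake orders shows whether the orders arrived through this endpoint or through some other path.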
