How to prevent spam and fake orders in WooCommerce
Spam can do a lot of damage to your website, especially to e-commerces. Regardless of the security mechanisms you use (software, scripts, tools), fake orders can cost a lot of money to your business and also affect your SEO ranking and credibility. That’s why today, we’ll show you how to prevent spam and fake orders in WooCommerce and we’ll have a look at the best security tools you should be using.
Interesting facts about spam in eCommerce
Fraud and spam in eCommerce are getting more and more common. But when looking at some statistics, the impact to the businesses is shocking:
- Frauds in eCommerce increased by 45% in 2017 and 8 big industries reported nearly 58 billion USD in losses
- Online shopping frauds grew by 30% in 2017
- 92% of fraudulent online transactions in 2017 were made by credit card. And 38.6% of reported cases occurred in the US
- The rate of credit card chargebacks is rising by 20% each year
- People between 25 and 34 years old are the most likely to be affected by online fraud
Why do you receive fake orders in WooCommerce?
Spam and fake orders are one of the worst nightmares for every WooCommerce store owner. These fraudulent orders are placed by bots and scripts place and they usually involve big amounts. Additionally, they normally target stores with the Cash on Delivery option enabled because they need to provide less information.
Some other times, the goal of fake orders in WooCommerce is to deceive store owners. For example, they may place an order for a product that needs to be shipped but when the product reaches the destination, the address doesn’t exist.
On the other hand, hackers also use spam orders to try to find vulnerabilities in plugins. This is exactly what hackers did with a vulnerability found in WooCommmerce not long ago. WooCommerce 4.6.1 and previous versions were vulnerable to an exploit that allowed guest users to create accounts during the checkout even when the option Allow customers to create an account during checkout was disabled. This way, bots created accounts and placed fake orders to discover vulnerabilities in other plugins on the site. For more information about this and how to solve it, check out this post that explains everything about the WooCommerce 4.6.2 vulnerability.
That’s why you must put some security measures in place and authenticate the orders to prevent spam and fake orders in your WooCommerce store.
How to prevent spam in WooCommerce
There are several ways in which you can prevent fake orders in your WooCommerce store. Let’s have a look at the most effective ones to keep your store safe.
1) Set basic anti-spam settings
The first thing you can do to prevent spam in your store is to set up some basic anti-spam settings in WooCommerce. Let’s have a quick look at some of the things you can enable:
- In your WordPress admin, switch off the Anyone can register option from the Settings > General section. Please note that this only affects the admin side, not the WooCommerce registration forms.
- In the Discussion section, uncheck the option Allow link notifications from other blogs (pingbacks and trackbacks) on new articles.
- Make sure you have to approve the comments before they’re published. You can use plugins like Disqus or enable the Comment author must have a previously approved comment option to avoid spammy comments.
- In the WooCommerce panel, you can disable the Allow customers to place orders without an account option to make sure that every order has at least a valid email address.
After you make sure you have those basic anti-spam settings in place, you can set other security measures.
2) Additional measures to prevent fake orders and registrations
Apart from the basic anti-spam settings, you can put in place additional measures to minimize spam orders and registrations in your WooCommerce store.
2.1) Create a custom registration page that spam can’t recognize
The common target for spammers is the “https://yoursite.com/wp-login.php?action=register” page. So, by customizing the registration page, it will be harder for spammers to find it. To do this, you can use free plugins like WPS Hide Login or LoginPress.
2.2) Admin new user approval
With a plugin like Profile Press, you can manually approve new users from the dashboard or directly from your mail. Even though this adds another task to your process, if you have a small business and you want to have more control over your users, it may make sense to do it.
2.3) Use CAPTCHA
Nowadays, many stores use CAPTCHA to prevent spam in WooCommerce. Completely Automated Public Turing test to tell Computers and Humans Apart, also known as CAPTCHA, is software that requires the user to take certain action to get to the next step. This way, it protects websites against bots and makes sure that the visitor is a human being.
The most common example of this is when you have to select images that have certain figures, type an alphanumerical code, or perform a mathematical operation. This makes the process slightly slower for the visitor but it’s a very good way to verify that there is a human behind the operation.
The easiest way to add CAPTCHA to your site is by using tools such as Advanced noCaptcha & invisible Captcha or Passster.
2.4) Block IP addresses
If most of the spam orders and registrations come from the same IP addresses, you can block those addresses from reaching your site. If you’re not sure how to do this, check your cPanel as most hosts offer the possibility to block IP addresses.
3) Install an anti-spam plugin
We also recommend using an anti-spam plugin to improve your store’s security. Some of the best plugins to prevent spam in WooCommerce are:
- Akismet
- Blocker
- Titan anti-spam
- No CAPTCHA reCAPTCHA
- NS8
- Limit Attempts
- Fake Customer Blocker
- Honeypot Contact Form 7
Let’s have a look at what each of them has to offer.
3.1) Akismet
With more than 5 million active installations, Akismet is one of the best plugins to prevent spam in WooCommerce. This tool promises to block 99.9% of spam from getting to your store. It automatically filters the spam comments and checks it against a global database, protecting your website from malicious content. Additionally, it automatically checks all the comments and discards the ones that seem to be spam.
Akismet is a freemium plugin. Once you activate it, you’ll have to get an Akismet.com API key to use. There are free keys for personal blogs and paid subscriptions that start at just 5 USD per month.
3.2) Blocker
This tool helps you prevent fake orders and keep fraudulent customers out of your shop. Blocker allows you to refuse orders from a specific IP address, state, and zip code, and add them to a blacklist. When this happens, it will interrupt the checkout or account and the user will get a notification explaining why the operation was blocked.
3.3) Titan Anti-Spam
Titan Anti-Spam is another popular plugin to avoid fake orders. This tool includes everything from anti-spam, firewall, malware scanner, site accessibility checking, and threat audits. It automatically blocks spam in the comments section and needs no CAPTCHA. You can also convert spam comments into regular comments. Additionally, it’s GDPR compliant so it doesn’t store unnecessary information about the visitors.
Titan Anti-Spam is a blocking algorithm that’s based on the ‘invisible js-captcha’ and ‘invisible input trap’ (aka honeypot technique) methods.
Please note that this plugin isn’t compatible with Disqus, Jetpack Comments, AJAX Comment Form, or bbPress.
3.4) No CAPTCHA reCAPTCHA
With No CAPTCHA reCAPTCHA, visitors will only need to click the checkbox in the reCAPTCHA tool that Google creates to make sure they’re not robots. The main difference with a CAPTCHA is that it doesn’t require typing numbers, answering questions, or solving math problems.
Update: The CAPTCHA reCAPTCHA plugin has been permanently closed as of March 2023 and is not available for download anymore.
3.5) NS8
NS8 protects WooCommerce sites from advertising fraud, order fraud, and performance issues. It scores every user, traffic, and order, detects patterns, and identifies the potential risk of fraud and spam.
It also monitors if:
- SSL certificate is set to expire
- Domain has been added to a spam list
- Website is flagged for malware concerns
- The site fails to load or your load performance drops against the global average.
NS8 has a very basic free version and premium plans that start at 29.95 USD per month.
3.6) Limit attempts
This IP Address blocker is very effective to prevent spam in WooCommerce. It helps you avoid brute force attacks, which are repeated attempts of access directed by some software that can damage your website. You can add and block IP addresses; hide login, register lost password forms for blocked or blacklisted IPs, and customize the error messages.
It’s compatible with Gravity Forms, ReCaptcha, Captcha Pro, and Captcha Plus.
This is a freemium tool. It has a free version that works very well but if you want more advanced functionalities, you can go for the premium plans that start at 23.90 USD per year.
3.7) CleanTalk
CleanTalk is an excellent tool to stop spam in WooCommerce. This tool helps you stop spam comments and registrations, fake contact emails, spam orders, bookings, and subscriptions. Additionally, it can check and remove existing spam comments and users and validates emails in real-time.
On top of that, CleanTalk also stops spam reviews in WooCommerce and spam emails via forms to make sure that your store is fully protected.
And the best part is that this plugin has a 7-day free trial and several premium plans that start at just 8 USD per year.
3.8) Fake customer blocker
This is a security add-on for WooCommerce that helps you block emails, domains, new orders with errors or notices, and fake orders. It also lets you inform the users why they can’t continue with their orders and customize every message.
This is a premium plugin that costs 14 USD.
3.9) Honeypot Contact Form 7
With this addition to Contact Form 7, users won’t have to put a CAPTCHA but it still maintains the anti-spam functions against bots in forms and shopping carts. This way, it avoids false orders in your store. And the best part is that it’s a free tool.
Gravity Forms Users
If you’re a user of Gravity Forms, we recommend you go to the Options section and activate Enable anti-spam honeypot because it’s disabled by default.
Call the customer
It may sound a bit invasive but if your products are services like assessments, ebooks, or online courses, for example, calling the customer and talking to them before the purchase can be a smart option. This way, you’ll get to know their expectations and even give them tips or extra information about the product or service they’re interested in.
Some e-learnings like Open English use this method. Platforms like UpWork also call their candidates and interview them before accepting their profiles to prevent spam.
Verify the CVV code of the credit card
The CVV code is the 3-number code at the back of the credit card and it must match the registered card. If it doesn’t, it can be a fraud. This is a very extended verification method because it’s simple and effective.
User email confirmation
Another way to prevent spam in WooCommerce is to use some plugins so that the user must confirm their registration by clicking on a link sent to their email. Users who haven’t activated their accounts are pending and you can manually review and approve them. This is one of the safest methods because spammers don’t always get to that point.
Confirm before shipping
You can confirm all the order details via mail, text message, or phone call with the client. This will help you prevent fake orders in WooCommerce and you can use it as a gesture of responsibility to your customers.
Verify the address
You can also hire an Address Verification System (AVS). An AVS compares the billing address the user registered in the transaction with the address provided to the bank from the cardholder. Even though this isn’t a bulletproof measure, it helps a lot to collate the data and avoid losses.
Conclusion: Prevent spam and fake orders in WooCommerce
All in all, fake orders are becoming more and more common in eCommerce and can be quite costly for your business. That’s why you must put some security measures in place and prevent spam in your WooCommerce store.
If you can authenticate the orders, you’ll have a great chance of stopping spam on your site. Apart from saving you some money, it will also help you keep your store clean of irrelevant or potentially harmful content for both you and your users. Besides, if you avoid fake orders, emails, and registrations you can concentrate on what matters the most: growing your business. Need some help with that? Here you can have a look at some tips to optimize your online store!
About starting my online store and this was really helpful thanks
Thanks for your article. I also recommend using a password protection plugin to prevent spam in WooCommerce stores. This add an extra level of security to your site. Users firstly have to login, then enter the correct passwords to access and purchases the protected product.
great, thanks for sharing
It is not completely correct about turning off “anyone can register” in the admin panel. This can affect the account area in a standard Woocommerce installation depending on the theme. I have seen often that account icons then disappear.
Thank you
does anyone know of a plugin that stops multiple cvv guesses with the same card.
i.e. each card is only allowed 3 cvv guesses. Otherwise spammers have 20 cards but try 999 cvv guesses which flags on the payment processor end.
Your Merchant card processor should have spam settings and will hold an order if they have too many attempts
I don’t know why we can’t simply add a honeypot to woocommerce checkout page to get this crap over with. So stupid that WooCommerce hasn’t added this to it’s framework.
Good Article as we recently had 2500 fake orders created by a bot over a weekend. We had previously installed WP-Cerber plugin but we were still seeing brute force attacks. Decided to install Google re-CAPTCHA, its a setting within WP-Cerber, and then shot ourselves by not paying attention to a few particular RECAPTCH settings. So that this does not happen to you… make sure to DISABLE the option that removes re-CAPTCHA for logged in users and whitelisted i/p address. This is how we were burned, bot creates registration and hammers fake orders through.
The plugin “no-captcha-recaptcha-for-woocommerce” is permanently closed since 18 March 2023.
Thanks Edith, we’ll update the post