• Resolved techlyn

    (@techlynetta)


    I have a problem that started yesterday. There is a spammer who is using my website to send orders through my WooCommerce store, which then get sent to PayPal, which then fail in PayPal’s system, which then sends them back to my store as failed orders.

    The issue I am having is the spammer, or bot, is able to get around the reCAPTCHA settings I have set up with AIOS. I am using Google reCAPTCHA V2 dropdown option in the AIOS > Brute Force > CAPTCHA settings. I have enabled the CAPTCHA on ALL WordPress and WooCommerce forms, checkout process, etc…

    Has anyone else had this issue and what did you do to resolve it? Any help is greatly appreciated!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @techlynetta,

    No — no such issue has been raised recently, nor in the past, that allows bots to bypass reCAPTCHA v2 on the WooCommerce checkout page.

    Do the access logs show bot submissions for the checkout page? Please cross-check once.

    Are the requests coming from the same IP address or country?

    Bots are submitting fake orders and not actual humans. You should also check the Turnstile CAPTCHA option to see if it resolves the issue.

    Regards

    Thread Starter techlyn

    (@techlynetta)

    Thank you for your reply… a couple questions:

    1. You ask “Do the access logs show bot submissions for the checkout page? Please cross-check once.” How do I know if they are bots? What do I look for?
    2. You ask “Are the requests coming from the same IP address or country?” In the visitor logs, I see different IP addresses. It doesn’t show country.

    I have installed the All in One Security Premium to try to block by country, but I cannot get that set up until a bug with AIOSEO is fixed.

    I also tried to follow the Cloudflare Turnstile instructions, but they want access to DNS and I don’t feel comfortable with this. I created an account and they are requiring me to add a widget which requires access to your DNS.

    Please let me know how I can find out if these submissions are done by bots or by people. Only 1-2 orders are coming in each hour, and I have Google reCAPTCHA V2 on where they have to check a box, so it’s possible they’re human.

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @techlynetta,

    If they are bots with a specific user agent, you may be able to identify them as particular bots in server access logs.

    However, from your final comment, it appears they are human spammers placing fake orders every 1–2 hours. If they are human, it would explain how they are able to bypass the reCAPTCHA v2 check each time. If it were a bot, it might attempt multiple times and only succeed occasionally.

    If it is indeed a human spammer, then using Turnstile will not make a difference, as they are placing orders in the same way as genuine site users.

    Regarding the country blocking feature issue, unfortunately, WordPress.org rules do not allow us to use their forums for support related to paid software. You will, however, find more details on the website, or you can raise a support ticket there.

    Regards
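
Added example (not part of the thread, and not AIOS or WooCommerce code): one way to answer "What do I look for?" in the access log is to check each checkout POST for signs that no browser was involved. It assumes combined-format logs and the default WooCommerce paths `/checkout/`, `?wc-ajax=checkout` and `/wp-json/wc/store/v1/checkout`; the function name, the 5-second threshold and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime

# Combined log format: IP - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
SCRIPT_UA = re.compile(r'^$|^-$|curl|wget|python|go-http|libwww|scrapy', re.I)
# Assumed WooCommerce defaults; adjust to the site's own checkout slug.
CHECKOUT_PAGE = "/checkout/"
CHECKOUT_POST = ("wc-ajax=checkout", "/wp-json/wc/store/v1/checkout")
MIN_FILL_SECONDS = 5  # assumed threshold: a person needs longer to fill the form

def classify_checkout_posts(lines):
    """Return one record per checkout POST with the bot-like signals it shows."""
    page_seen = {}      # ip -> time of its last GET of the checkout page
    asset_seen = set()  # ips that fetched any CSS/JS (real browsers do)
    results = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status, ua = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "GET" and path.split("?")[0].endswith((".css", ".js")):
            asset_seen.add(ip)
        elif method == "GET" and path.startswith(CHECKOUT_PAGE):
            page_seen[ip] = when
        elif method == "POST" and any(p in path for p in CHECKOUT_POST):
            signals = []
            if SCRIPT_UA.search(ua):
                signals.append("script-or-empty-user-agent")
            if ip not in page_seen:
                signals.append("no-checkout-page-load")
            elif (when - page_seen[ip]).total_seconds() < MIN_FILL_SECONDS:
                signals.append("form-filled-too-fast")
            if ip not in asset_seen:
                signals.append("no-css-js-fetched")
            results.append({"ip": ip, "time": ts, "ua": ua, "signals": signals})
    return results

# Constructed sample log lines (documentation IP ranges, placeholder domain).
SAMPLE = [
    '203.0.113.10 - - [12/Mar/2025:10:00:01 +0000] "GET /checkout/ HTTP/1.1" 200 5120 "https://shop.example/cart/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.10 - - [12/Mar/2025:10:00:02 +0000] "GET /wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js?ver=9 HTTP/1.1" 200 9000 "https://shop.example/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.10 - - [12/Mar/2025:10:01:30 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 300 "https://shop.example/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '198.51.100.7 - - [12/Mar/2025:11:00:00 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 300 "-" "python-requests/2.31.0"',
]

if __name__ == "__main__":
    for rec in classify_checkout_posts(SAMPLE):
        print(rec["ip"], rec["time"], rec["signals"] or "browser-like")
```

An empty signal list does not prove a human placed the order, and a site behind a CDN or reverse proxy must log the real client IP for the per-IP checks to mean anything.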


The topic ‘Spammer getting around recaptcha settings’ is closed to new replies.