Hi @suitsjen,
I understand how disruptive and exhausting it must be to deal with hundreds of failed orders piling up from card-testing bots, especially after you’ve already tried multiple layers of protection. You’ve clearly taken a thorough approach — honeypots, reCAPTCHA, Wordfence, PayPal filters, and even WP Engine’s UAM — so it’s understandable that this still feels overwhelming when the requests are hitting wc-ajax=checkout directly.
The WooCommerce team is aware of this type of attack pattern, and improvements are being explored to reduce the chance of order records being created before the gateway completes authorization. In the meantime, one of the most effective mitigations is to add a bot challenge directly at checkout. I recommend setting up Cloudflare Turnstile and making sure it applies to the checkout page specifically: https://wordpress.org/plugins/simple-cloudflare-turnstile/. This lightweight challenge tends to stop automated POSTs even when they bypass the visible form.
Also, I suggest reviewing this thread where other users experiencing the same card-testing issue have shared what worked for them: https://wordpress.org/support/topic/bots-using-my-store-to-test-credit-cards/. Several store owners were able to block the attacks after implementing the steps there.
Feel free to let us know how it goes, and we’ll continue to share updates as improvements are rolled out on our side.
Hi @suitsjen
I’m following up on the card testing attack on your site, thedottingcenter.com. Are you still experiencing a lot of failed orders after implementing what @lovingbro mentioned?
I have installed Cloudflare Turnstile. It seems to be working, but then I only just turned on Advanced Card Processing last night. I’ll give it another few days before celebrating.
Hi there,
Thank you for the update! That sounds good — let’s give it a few days to see if everything continues working smoothly. Please feel free to check back in and let us know if you experience any issues during this time.
Well, there aren’t any new failed transactions, but my site is not processing credit card transactions at all. It is throwing error messages when someone tries to check out. In checking the log, this is included in one of the errors:
“Declined by fraud tool (Fraud Protection / Chargeback Protection) due to potential fraud risk. Please review your fraud settings.”
PayPal’s response to my support ticket is to inform me that these fraud protections are in place for our protection. They then closed the support ticket. So, I guess they are okay with my not being able to process any transactions? This is frustrating, as it seems to be beyond my control and we are losing money every day that we can’t process payments on our website.
Hi @suitsjen,
Thank you for getting back to us. I completely understand how frustrating this must be, especially since it directly impacts your customers’ ability to place orders.
From what you shared, it sounds like the suggestions my colleague provided earlier did help, as you mentioned there haven’t been any new failed transactions.
However, you also noted that your site isn’t processing credit card payments at all. Could you clarify how you confirmed this? For example, did a customer report the issue, or did you test it yourself? Also, when you say credit card, do you mean specifically credit cards, or both credit and debit cards?
The reason I ask is that if PayPal is rejecting certain transactions with that error — and given that you previously experienced carding attacks — it’s possible that additional security measures were put in place to block similar activity.
I’ll be awaiting your clarification so we can better understand the situation
We had a customer report it to us and send us a screenshot of the error message. I don’t know if she used a debit or credit card. I then tried to check out a $25 product and I got the error. I was using a credit card. This is the error that we received when we tried to check out:
Failed to process the payment. Please try again or contact the shop admin. [UNPROCESSABLE_ENTITY] The requested action could not be performed, semantically incorrect, or failed business validation. https://developer.paypal.com/api/rest/reference/orders/v2/errors/#PAYEE_BLOCKED_TRANSACTION
Note: Two of the hundreds of failed transactions were actually processed, and we have a request for a refund on one of them. That could be a problem, but why prevent all credit card transactions?
Hi there,
Thank you for sharing the details and the error message. The error [UNPROCESSABLE_ENTITY] PAYEE_BLOCKED_TRANSACTION is coming directly from PayPal and typically indicates that PayPal has blocked the transaction due to a policy or business validation issue on the receiving account.
Since this issue is happening across multiple cards and customers, it’s likely not related to WooCommerce itself but rather to PayPal’s restrictions on your account.
I recommend:
- Logging into your PayPal account to check for any notifications, limitations, or compliance requests.
- Contacting PayPal Support directly with the error code and examples of failed transactions, as they’ll be able to clarify why these payments are being blocked.
Please let us know what PayPal says, or if you notice any changes after addressing this with them.
Also, could you please try installing another payment gateway such as Stripe Gateway for WooCommerce, enable Test Mode, and place a few test orders to see if the same error occurs? This will help determine whether the problem is specific to PayPal or affects other gateways as well.
Please let us know the results so we can assist you further.
I did reach out to PayPal and provided them with the error code and some additional information. They basically responded with something along the lines of this is our policy and it won’t change and they closed the conversation. I don’t think they are right. I think there is some setting in the fraud filters or chargeback area that isn’t visible to me in my account. I am having our treasurer increase my permissions so that I can see all that is there.
This is the response from PayPal to my reaching out to tech support:
Once PayPal’s automated fraud filters identified the payments as potentially unsafe and, for security reasons, prevents them from being completed.
It’s important to know that these risk checks are part of our fraud-prevention systems. They are automated, cannot be overridden, and are not something that the potential recipient of the payment (your charity) can change or influence. These filters are in place to protect both donors and charities by reducing the risk of fraudulent or unauthorized activity.
I realize this can be frustrating, but please know that these measures are designed to safeguard your account and your donors.
This conversation has been closed.
Hi there,
Thank you for sharing the update and the response from PayPal. Please note that we can only provide support for WooCommerce core features. Issues related to third-party services, such as PayPal’s automated fraud filters, are unfortunately outside the scope of our support.
As a next step, we recommend trying an alternative payment gateway, such as Stripe Gateway for WooCommerce. You can enable Test Mode and place a few test orders to confirm whether the issue is specific to PayPal or if it affects other gateways as well.
Here’s a link to the Stripe Gateway plugin:
Stripe Payment Gateway for WooCommerce
Thank you for your cooperation and understanding.
I will change payment gateways. That is the only viable option, since the problem lies with PayPal, and it is not responsive.
Hi @suitsjen,
Thank you for the update and for keeping us informed. If you run into any further questions or concerns after switching your payment gateway, please don’t hesitate to reach out — we’ll be glad to help.
In the meantime, if you’ve found the support here helpful, we’d really appreciate it if you could take a moment to leave us a review: https://wordpress.org/support/plugin/woocommerce/reviews/#new-post
