• Resolved signherea

    (@signherea)


    Over the past week or two, I’ve had someone place hundreds of orders all for the same item,
    all with different names, addresses and emails, all failed with PayPal payment, but I get the email confirmation.

    IP addresses were also different.
    How can I address solving this?
    Getting a new “Order #2885 has failed” every few minutes for the past few days, but this started at order 2400 or so.

    Any ideas?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Support LovingBro (woo-hc)

    (@lovingbro)

    Hi @signherea

    I understand how frustrating it is to keep getting these failed order emails — it definitely looks like your checkout is being spammed by bots rather than genuine customers. While disruptive, this usually isn’t a site compromise, but automated abuse of your WooCommerce checkout.

    Here are a few practical ways to address it, with links you can use to get started:

    1. Protect the Checkout Form

    2. Reduce Email Spam

    3. Block or Filter Requests

    4. Anti-Spam / Fraud Prevention Plugins

    5. Monitor & Confirm
    Check WooCommerce → Orders and verify that all these spam attempts remain in Failed status. If no payments are being processed, you’re not losing money — it’s mainly an annoyance.

    Once you’ve added protection, place a test order yourself to confirm checkout still works smoothly for legitimate customers.

    vistagrande

    (@vistagrande)

    I started seeing similar frequent failed logins yesterday morning. Over 60 by today. Added the Google reCAPTCHA and that appears to have stopped the ordering.

    Some details. Obviously a distributed bot. Assorted IPs, none of those I checked were North American. The buyers were all supposed to be US addresses. Of course, they didn’t exist, nor do the email addresses that were used.

    Each of these entered the site with a request that is not a normal entry:

    GET /wp-json/wc/store/products?stock_status=instock&order=asc&orderby=price&min_price=100&max_price=5000&type=simple&page=1&per_page=100

    They then picked the least expensive item, added to cart and proceeded to checkout which they try using PayPal.

    Ideally, this sort of entry into the site should not be allowed. Is there some way to do that?
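The entry pattern described in the post above can be searched for in web server access logs. The following is an added example, not part of the original thread or WooCommerce's own code: it flags clients whose first logged request is a price-ascending Store API product listing and who later request a checkout URL. The combined log format, the "checkout" substring match and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-json/wc/store/products?stock_status=instock&order=asc&orderby=price&min_price=100&max_price=5000&type=simple&page=1&per_page=100 HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "POST /?wc-ajax=add_to_cart HTTP/1.1" 200 310 "-" "-"
203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 120 "-" "-"
198.51.100.20 - - [01/Jan/2025:10:01:00 +0000] "GET /shop/ HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2025:10:01:09 +0000] "GET /wp-json/wc/store/products?per_page=12&orderby=price&order=asc HTTP/1.1" 200 4096 "https://shop.example/shop/" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2025:10:02:30 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 120 "https://shop.example/checkout/" "Mozilla/5.0"
"""

# client IP, method, request target from a combined-format log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3}')
# Store API product listing, with or without a version segment
ENUM_PATH_RE = re.compile(r"^/wp-json/wc/store/(v\d+/)?products/?$")


def is_price_enumeration(target):
    """True for a Store API product listing sorted by ascending price."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    return (ENUM_PATH_RE.match(parts.path) is not None
            and query.get("orderby") == ["price"]
            and query.get("order") == ["asc"])


def flag_clients(log_text):
    """Return IPs whose first request was the enumeration and that reached checkout."""
    first_request, reached_checkout = {}, set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, _method, target = m.groups()
        first_request.setdefault(ip, target)
        if "checkout" in target:  # assumption: checkout URLs contain this substring
            reached_checkout.add(ip)
    return sorted(ip for ip, target in first_request.items()
                  if is_price_enumeration(target) and ip in reached_checkout)


if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))
```

The second sample client issues the same price-sorted query but only after loading a shop page, so it is not flagged; the signal is the API call as the entry point, not the query itself.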

    Plugin Support shahzeen(woo-hc)

    (@shahzeenfarooq)

    Hi there!

    WooCommerce core itself doesn’t currently provide settings to block this kind of request, but adding extra security/firewall measures will help prevent such automated bot traffic.

    In the meantime, here’s a helpful guide that explains how you can prevent spam orders:
    https://woocommerce.com/document/how-do-i-prevent-and-respond-to-card-testing-attacks/#how-to-respond

    If you still have any questions, I understand that you have a somewhat similar problem.

    However, per forum best practices shown here, it is advised that you create a new thread so that we can address your issue(s) separately. You can create a new thread here: https://wordpress.org/support/plugin/woocommerce/#new-topic-0

    Thread Starter signherea

    (@signherea)

    Installed the Google reCAPTCHA for WooCommerce and applied to checkout and haven’t had another one since.

    Plugin Support shahzeen(woo-hc)

    (@shahzeenfarooq)

    Hi there!

    Thanks for the update! I’m glad to hear that installing Google reCAPTCHA for WooCommerce resolved the issue — that’s a great step to prevent spam or bot-related activity during checkout.

    If you found WooCommerce helpful in building your store, we’d really appreciate it if you could take a moment to leave us a ⭐⭐⭐⭐⭐ review — it helps us continue improving the plugin!

    👉 Leave a review on WooCommerce

    vistagrande

    (@vistagrande)

    I can confirm that on my site, the reCAPTCHA addition has stopped the orders from being submitted to PayPal. However, they still come and end up with a 500 error code instead when they try to finalize the order.

    It would be better to have them forbidden to use this sort of access to the site. Right now, it is just a nuisance. But I am concerned that it might eventually turn into a security issue. This seems like a bug.

    Plugin Support shahzeen(woo-hc)

    (@shahzeenfarooq)

    Hi @vistagrande

    Thank you for sharing the update — I completely understand your concern regarding the 500 error and the potential security risks.

    To investigate this further, please create a new ticket and include as much detail as possible about the 500 error. It would also be helpful if you could share a screenshot of the error message or any related logs from WooCommerce → Status → Logs.

    This will allow us to take a closer look and help identify what’s causing the issue.

    You can create a new thread here: https://wordpress.org/support/plugin/woocommerce/#new-topic-0 and make sure to include as much information as you can.

    Thanks for understanding!


The topic ‘I assume a phishing scam with woo orders?’ is closed to new replies.