Coming Soon mode does not block API

Resolved mandy@nepeta
(@mandynepeta)

3 months, 3 weeks ago

We have a site that has been targeted by card stuffing attacks as described in the support topic https://wordpress.org/support/topic/attacked-by-card-testing-origin-unknown/

While working on the issue, I put the site into Coming Soon mode (store only) as I thought this would close the store but the attacks continued.

If the store is in coming soon mode, I would expect that it should make the content inaccessible to the outside world, but this is not the case if the store API is still active. This is pertinent in this case but also if you are setting up products for a launch and do not want the information to come out prematurely.

Can I request that you update the Coming Soom option to disable the API as well? You could make it an checkbox option to cover those cases where the API is used in other contexts.

I hope you will consider this for a future version.

Viewing 2 replies - 1 through 2 (of 2 total)

Plugin Support shahzeen(woo-hc)
(@shahzeenfarooq)

3 months, 3 weeks ago

Hi there,

Thank you for sharing your feedback and for explaining your use case in detail. I completely understand your concern having the WooCommerce REST API remain accessible while the store is in Coming Soon mode can indeed allow attacks like card stuffing to continue or expose store data before a planned launch.

At the moment, the Coming Soon / Store Visibility feature only controls the frontend display of the store, and does not disable the REST API. Authenticated API requests will continue to work even when the store is in Coming Soon mode, which is why you observed that the attacks continued.

I suggest submitting this as a feature request here so the WooCommerce team can review and consider it for a future release:
https://woocommerce.com/feature-requests/woocommerce/

Also, here are some helpful guide on how to stop card testing.
https://woocommerce.com/document/how-do-i-prevent-and-respond-to-card-testing-attacks/#preventing-card-testing

Also, if you are using the WooCommerce PayPal Payments plugin, you can enable the PayPal CAPTCHA feature for additional protection. For more details, please refer to this guide:
WooCommerce PayPal Payments – Fraud and Disputes

I hope this helps.

Plugin Support Feten L. a11n
(@fetenlakhal)

3 months, 1 week ago

Hi there,

We haven’t heard back in a bit, so I’ll go ahead and mark this as resolved for now. If you’d like to pick things back up later, we’re just a message away!

Apart from this, if you have a moment, we’d really appreciate a review: https://wordpress.org/support/plugin/woocommerce/reviews/#new-post

Viewing 2 replies - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.

Tags