Hi Thomas,
I’m really sorry you’re dealing with this. Card testing is frustrating, especially when you’ve already taken sensible preventative steps.
You’re correct: disabling Guest Checkout (WooCommerce → Settings → Accounts & Privacy) and enabling CAPTCHA may stop fraudsters slightly, but it’s rarely a complete solution on its own.
Here are the measures that you can implement:
- Add bot protection at checkout
Even if it’s not fully automated, reCAPTCHA or Cloudflare Turnstile at checkout adds friction and blocks scripted attacks.
- Raise the minimum order amount
If possible, set a minimum cart total. Card testers typically try small-value transactions. Increasing the threshold could keep them away.
- Enable gateway-level fraud tools
Most gateways (Stripe, WooPayments, PayPal, etc.) have built-in fraud scoring, velocity limits, and decline thresholds. I’d strongly recommend reviewing those settings first.
- Disable saved cards (if enabled)
If your gateway supports “saved cards”, temporarily disable that option. Fraudsters sometimes validate cards by attempting to store them.
Also, make sure to urgently refund any successful fraudulent transactions to avoid disputes.
More information on Card Testing is documented in this guide: https://woocommerce.com/document/how-do-i-prevent-and-respond-to-card-testing-attacks/
Happy to help you lock this down properly.
Cheers,
Jim
Hi Thomas,
In addition to that, I checked your site and see you’re using Stripe as a payment provider.
You have access to Stripe Radar, their built-in fraud protection system that can be very effective against card testing attacks. Here’s what I recommend:
- Log into your Stripe Dashboard and review your Radar settings
- Enable rules to block transactions from high-risk countries, repeated failed attempts from the same IP, or suspicious velocity patterns
- You can learn more about configuring Stripe Radar here
Additional Stripe-specific steps:
- Consider temporarily disabling the “Enable payments via saved cards” setting in your Stripe configuration if fraudsters are trying to save cards to accounts
- Review your Stripe transaction logs to identify patterns (IP addresses, countries, card types)
Most importantly, review all recent transactions and refund any you believe are fraudulent – this prevents disputes and should be done urgently.
So the combination of disabled guest checkout, your email verification plugin, Stripe Radar, and potentially adding reCAPTCHA should significantly reduce these attacks. Many card testing operations rely on automation and will move on when they encounter multiple barriers.
I hope that helps. Let us know if you need anything else.
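The log review suggested above (repeated failed attempts from the same IP, velocity patterns) can be scripted against an exported list of payment attempts. This is an added example, not part of the original replies and not Stripe or WooCommerce code; the tuple layout, thresholds and sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real transactions). The layout
# (timestamp, ip, card id, status) is an assumed export format,
# not a Stripe or WooCommerce schema.
SAMPLE_ATTEMPTS = [
    ("2024-05-01T10:00:05", "203.0.113.7", "card_a", "declined"),
    ("2024-05-01T10:00:40", "203.0.113.7", "card_b", "declined"),
    ("2024-05-01T10:01:10", "203.0.113.7", "card_c", "declined"),
    ("2024-05-01T10:01:55", "203.0.113.7", "card_d", "succeeded"),
    ("2024-05-01T10:02:00", "198.51.100.4", "card_x", "declined"),
    ("2024-05-01T10:03:30", "198.51.100.4", "card_x", "succeeded"),
    ("2024-05-01T09:00:00", "192.0.2.9", "card_p", "declined"),
    ("2024-05-01T11:00:00", "192.0.2.9", "card_q", "declined"),
    ("2024-05-01T13:00:00", "192.0.2.9", "card_r", "declined"),
]

def flag_card_testing(attempts, window=timedelta(minutes=10),
                      min_declines=3, min_cards=3):
    """Flag IPs with many declines over many distinct cards in one window."""
    by_ip = defaultdict(list)
    for ts, ip, card, status in attempts:
        by_ip[ip].append((datetime.fromisoformat(ts), card, status))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = rows[start:end + 1]
            declines = sum(1 for _, _, s in in_window if s == "declined")
            cards = {c for _, c, _ in in_window}
            if declines >= min_declines and len(cards) >= min_cards:
                # Successes inside a flagged window are the charges to
                # review and refund first.
                flagged[ip] = {
                    "declines": declines,
                    "cards": len(cards),
                    "succeeded": [c for _, c, s in in_window if s == "succeeded"],
                }
    return flagged

if __name__ == "__main__":
    for ip, summary in flag_card_testing(SAMPLE_ATTEMPTS).items():
        print(ip, summary)
```

A customer who retries one card after a decline and an IP with declines spread over several hours are both left unflagged; only the burst of distinct cards from one address is reported.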
@jamesgreat @frankremmy
Many thanks for the useful advice – this is very helpful.
Death to scammers ;0
You’re very welcome @bidoowee! I’m really glad we could get everything sorted out for you.
Since things are now running as expected, I’ll go ahead and mark this thread as resolved on our end. Of course, if anything else pops up later on, don’t hesitate to open a new thread. We’re always here to help.
If you’ve been happy with the support you received, it would mean a lot to us if you could take a moment to leave a quick review for WooCommerce. It helps other store owners know what to expect and supports the team: https://wordpress.org/support/plugin/woocommerce/reviews/
Thanks again for working through this with us, and wishing you smooth sailing with your store moving forward!
Hi @bidoowee, glad we were of help. Have an awesome time.
Cheers,
Jim
Thank you too @jamesgreat for your valuable contributions to this discussion!
Keep up the good work.
You’re welcome @frankremmy. I love WooCommerce and am glad to help. Much appreciated.