Title: Card testing attack
Last modified: September 23, 2021

---

# Card testing attack

 *  Resolved [tomc](https://wordpress.org/support/users/tomcannavan/)
 * (@tomcannavan)
 * [4 years, 6 months ago](https://wordpress.org/support/topic/card-testing-attack/)
 * I run the Stripe Payments plugin. Over the past 18 hours I have had 60,000 card
   testing attempts at making payments, around 300 of which have succeeded. Stripe
   support advised refunding these immediately, which I am doing.
 * But each attempt results in either a success email from WordPress, or an Error
   email from WordPress, so I have had 60,000 emails in the past 18 hours.
 * In the plugin settings I have reCaptcha enabled, and the box to have error emails
   sent to me is not checked. But all of these emails are still arriving.
 * All 60,000 attempts are for the same product, which does not exist, so this is
   clearly not going through the product form on my web site.
 * Can you advise urgently please?

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Thread Starter [tomc](https://wordpress.org/support/users/tomcannavan/)
 * (@tomcannavan)
 * [4 years, 6 months ago](https://wordpress.org/support/topic/card-testing-attack/#post-14901084)
 * I have resolved this
 *  [SpeedOfLike](https://wordpress.org/support/users/speedoflike/)
 * (@speedoflike)
 * [4 years, 6 months ago](https://wordpress.org/support/topic/card-testing-attack/#post-14944772)
 * [@tomcannavan](https://wordpress.org/support/users/tomcannavan/) Can you please
   share how you resolved this? We’ve been getting thousands of these attempts over
   the last 2 days. I’ve tried to ban IP addresses and they keep coming back from
   another address.
 * Mods/Devs – This is a serious issue for us. We’re running the latest version
   (updated today) and have had to turn off the plugin to stem the attacks, which
   is also costing us actual purchases as well.
 *  Thread Starter [tomc](https://wordpress.org/support/users/tomcannavan/)
 * (@tomcannavan)
 * [4 years, 6 months ago](https://wordpress.org/support/topic/card-testing-attack/#post-14944846)
 * I found an old test installation of the Stripe plugin, where I had set up one
   product to sell. It did not have the full range of ‘friction’ settings to stop
   such abuse: reCaptcha enabled, required fields for credit card CVV and postcode,
   etc. That was the product that the card testers were using but it took me a while
   to remember I had this test installation on another web site. Once I deleted 
   the product, the card testing stopped immediately. Hope this is of some help.
    -  This reply was modified 4 years, 6 months ago by [tomc](https://wordpress.org/support/users/tomcannavan/).
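
A log-review check for the pattern described in this thread, as an added example that is not part of the original posts or the plugin's code: it groups payment attempts by site and product rather than by IP address, and marks targets missing from the live catalogue. The record layout, host names, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (not from the thread): site, product, client IP, outcome.
SAMPLE_ATTEMPTS = (
    [("old-test.example", "Test item", f"198.51.100.{i % 200}", "declined") for i in range(597)]
    + [("old-test.example", "Test item", f"203.0.113.{i}", "succeeded") for i in range(3)]
    + [("shop.example", "T-shirt", f"192.0.2.{i}", "succeeded") for i in range(18)]
    + [("shop.example", "T-shirt", "192.0.2.77", "declined")] * 2
)
# Hypothetical inventory of products that are meant to be on sale.
KNOWN_PRODUCTS = {("shop.example", "T-shirt")}


def find_card_testing(attempts, known_products, min_attempts=100, max_success_rate=0.05):
    """Return payment targets whose traffic looks like card testing.

    Grouping is by (site, product) because blocking single IP addresses
    does not help when the attempts keep arriving from new ones.
    Thresholds are illustrative assumptions, not vendor guidance.
    """
    stats = defaultdict(lambda: {"total": 0, "ok": 0, "ips": set()})
    for site, product, ip, outcome in attempts:
        s = stats[(site, product)]
        s["total"] += 1
        s["ok"] += outcome == "succeeded"
        s["ips"].add(ip)

    flagged = []
    for target, s in stats.items():
        rate = s["ok"] / s["total"]
        if s["total"] >= min_attempts and rate <= max_success_rate:
            flagged.append({
                "target": target,
                "attempts": s["total"],
                "success_rate": round(rate, 4),
                "distinct_ips": len(s["ips"]),
                # False points at a forgotten install or stale product.
                "in_catalogue": target in known_products,
            })
    return sorted(flagged, key=lambda f: f["attempts"], reverse=True)


if __name__ == "__main__":
    for hit in find_card_testing(SAMPLE_ATTEMPTS, KNOWN_PRODUCTS):
        print(hit)
```

A flagged target with `in_catalogue` set to `False` is the case from this thread: a product on an installation nobody remembered, accepting payments without the friction settings used on the live site.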


The topic ‘Card testing attack’ is closed to new replies.


 * 3 replies
 * 2 participants
 * Last reply from: [tomc](https://wordpress.org/support/users/tomcannavan/)
 * Last activity: [4 years, 6 months ago](https://wordpress.org/support/topic/card-testing-attack/#post-14944846)
 * Status: resolved