Title: Card testing attacks
Last modified: October 21, 2025

---

# Card testing attacks

 *  Resolved [stepfaul](https://wordpress.org/support/users/stepfaul/)
 * (@stepfaul)
 * [5 months, 3 weeks ago](https://wordpress.org/support/topic/card-testing-attacks/)
 * Over the past two weeks we have started to see many failed orders which have 
   been declined by PayPal and marked as failed by WooCommerce for low order amounts.
   I ended up disabling PayPal payments for a week which obviously solved the issue.
   A week later I re-enabled PayPal payments again and to my surprise the card testing
   attacks started almost straight away again.
   PayPal is now disabled again as I
   don’t want to face any issues with PayPal themselves or any chargebacks for orders
   that may be successful. Is there any way to stop this as we have been accepting
   PayPal payments for the past 13 years and have only started to see this behaviour
   in the last 2 weeks.
 * Thanks

Viewing 7 replies - 1 through 7 (of 7 total)

 *  Thread Starter [stepfaul](https://wordpress.org/support/users/stepfaul/)
 * (@stepfaul)
 * [5 months, 3 weeks ago](https://wordpress.org/support/topic/card-testing-attacks/#post-18690161)
 * I appreciate there have already been a number of posts on this and I have read
   your responses – I just wanted to raise one for our site for awareness. It looks
   like you are working on an update to the plug-in.
 *  Plugin Support [Syde Jamie](https://wordpress.org/support/users/jamieong/)
 * (@jamieong)
 * [5 months, 3 weeks ago](https://wordpress.org/support/topic/card-testing-attacks/#post-18690356)
 * Hi [@stepfaul](https://wordpress.org/support/users/stepfaul/) ,
 * Thank you for reaching out to us, we are here to help.
 * We have been monitoring closely and sharing the helper package to affected merchants:
   Download helper package.
 * This package provides the following protections:
    - **Detects and removes fraudulent orders** to keep your WooCommerce backend
      clean and reduce noise from failed payment attempts.
    - **Blocks the specific endpoint** that bots have been using to initiate fake
      card payments via direct API access.
    - **Marks bots by IP** using a 1-hour transient to prevent repeated attempts.
      If the IP cannot be retrieved due to server configuration, it falls back to
      PHP sessions.
 * It is important to understand that carding attacks are not completely preventable
   – there will always be new ways of running these attacks. As plugin developers,
   we work closely with PayPal to find the best ways to mitigate these attacks.
 * PayPal is also one of the biggest payment gateways globally, making it a target
   as well since many merchants are using it. We understand that this is not the
   merchant’s problem, but it is something that we have to solve every now and then
   when these attackers come up with more sophisticated ways to launch an attack.
 * Let us know if you have further questions, we would be glad to help.
 * Best Regards,
   Jamie
    -  This reply was modified 5 months, 3 weeks ago by [Yui](https://wordpress.org/support/users/fierevere/).
      Reason: link removed
 *  Plugin Support [Syde Jamie](https://wordpress.org/support/users/jamieong/)
 * (@jamieong)
 * [5 months, 3 weeks ago](https://wordpress.org/support/topic/card-testing-attacks/#post-18690395)
 * Hi [@stepfaul](https://wordpress.org/support/users/stepfaul/) ,
 * We would like to ask you to reach out to us directly. Here is how to do it: [Request Support](https://paypal.inpsyde.com/docs/request-support/)
   Please include the URL of this thread in your ticket so we can keep everything
   connected.
 * Best Regards,
   Jamie
 *  Thread Starter [stepfaul](https://wordpress.org/support/users/stepfaul/)
 * (@stepfaul)
 * [5 months, 3 weeks ago](https://wordpress.org/support/topic/card-testing-attacks/#post-18693247)
 * Thanks for looking into this [@jamieong](https://wordpress.org/support/users/jamieong/),
   I have reached out to you directly via a support ticket as requested. I have 
   also installed the helper package and re-enabled PayPal (WooCommerce Official)
   again.
 * Just one last thing… Can I disable the Payment Provider **PayPal & PayPal Later(Legacy)**
   as this is currently active along with the official WooCommerce one?
    -  This reply was modified 5 months, 3 weeks ago by [stepfaul](https://wordpress.org/support/users/stepfaul/).
 *  Thread Starter [stepfaul](https://wordpress.org/support/users/stepfaul/)
 * (@stepfaul)
 * [5 months, 3 weeks ago](https://wordpress.org/support/topic/card-testing-attacks/#post-18693275)
 * After enabling PayPal again and installing the helper plug-in I can see that 
   the attacks have re-started again (this is obviously expected). I can also see
   the helper plug-in moving orders to the Bin but I have since disabled PayPal 
   payments again as although the plug-in is performing some tasks I don’t like 
   the fact that orders are still being placed.
 *  Plugin Support [Krystian Syde](https://wordpress.org/support/users/inpsydekrystian/)
 * (@inpsydekrystian)
 * [5 months, 3 weeks ago](https://wordpress.org/support/topic/card-testing-attacks/#post-18693502)
 * Hello [@stepfaul](https://wordpress.org/support/users/stepfaul/)
 * That’s exactly why we suggested reaching out to us directly. The helper plugin
   is just a minor component of what we can provide. There are additional mitigation
   layers we can share, including filters to block unauthorized card attempts, rules
   to detect velocity-based attacks, and endpoint recaptcha.
 * Kind Regards,
   Krystian
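
The IP marking described earlier in the thread (a one-hour mark, with a session fallback when the IP is unavailable) and the velocity rules mentioned in the reply above, sketched in Python as an added example. This is not the plugin's or the helper package's code; the thresholds, the `VelocityGuard` and `run_sample` names and the sample attempts are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BLOCK_TTL = timedelta(hours=1)    # from the thread: clients are marked for one hour
WINDOW = timedelta(minutes=10)    # assumption: look-back window for the rule
MAX_FAILED = 3                    # assumption: low-value failures allowed per window
LOW_AMOUNT = 5.00                 # assumption: what counts as a "low" order amount

class VelocityGuard:
    def __init__(self):
        self.failures = defaultdict(deque)  # client key -> recent failure times
        self.blocked_until = {}             # client key -> expiry of the mark

    @staticmethod
    def client_key(ip, session_id):
        # Fall back to the session when the IP cannot be determined.
        return f"ip:{ip}" if ip else f"session:{session_id}"

    def observe(self, now, ip, session_id, amount, status):
        # Classify one payment attempt as 'ok', 'flagged' or 'blocked'.
        key = self.client_key(ip, session_id)
        expiry = self.blocked_until.get(key)
        if expiry and now < expiry:
            return "blocked"                # still inside the one-hour mark
        self.blocked_until.pop(key, None)   # mark expired (or was never set)
        if status != "failed" or amount > LOW_AMOUNT:
            return "ok"                     # only low-value failures are counted
        recent = self.failures[key]
        recent.append(now)
        while now - recent[0] > WINDOW:     # drop failures outside the window
            recent.popleft()
        if len(recent) >= MAX_FAILED:
            self.blocked_until[key] = now + BLOCK_TTL
            recent.clear()
            return "flagged"
        return "ok"

def run_sample():
    t0 = datetime(2025, 1, 1, 12, 0)        # constructed sample data below
    rows = [  # (minutes after t0, ip, session, amount, status)
        (0, "203.0.113.7", "s1", 1.00, "failed"),
        (1, "203.0.113.7", "s1", 1.00, "failed"),
        (1, "198.51.100.20", "s2", 49.90, "failed"),  # normal-value decline
        (2, "203.0.113.7", "s1", 0.50, "failed"),     # third failure: flagged
        (5, "203.0.113.7", "s1", 1.00, "failed"),     # inside the mark: blocked
        (6, None, "s3", 1.00, "failed"),              # no IP: keyed by session
        (70, "203.0.113.7", "s1", 1.00, "failed"),    # mark has expired
    ]
    guard = VelocityGuard()
    return [guard.observe(t0 + timedelta(minutes=m), ip, s, a, st)
            for m, ip, s, a, st in rows]
```
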
 *  Plugin Support [Krystian Syde](https://wordpress.org/support/users/inpsydekrystian/)
 * (@inpsydekrystian)
 * [4 months, 1 week ago](https://wordpress.org/support/topic/card-testing-attacks/#post-18743211)
 * Hello [@stepfaul](https://wordpress.org/support/users/stepfaul/)
 * The latest version of the plugin introduces a native reCAPTCHA integration specifically
   designed to block automated abuse and card-testing activity at the PayPal payment
   endpoints. If you don’t have it yet, download it from here: [https://github.com/woocommerce/woocommerce-paypal-payments/releases/tag/3.3.0](https://github.com/woocommerce/woocommerce-paypal-payments/releases/tag/3.3.0)
 * Alternatively, the update can be installed directly from your WordPress dashboard.
 * This version combines **invisible** reCAPTCHA v3/v2 captcha for potential bots
   or automated requests to protect the PayPal payment endpoints. The protection
   is active on both the classic and block-based checkout and helps prevent automated
   card testing and other forms of malicious activity that can result in random 
   declines or failed transactions. Unlike general CAPTCHA plugins, this implementation
   specifically protects the PayPal endpoints, so we recommend using it instead 
   of third-party CAPTCHA solutions.
 * After installing the update, go to: **WooCommerce → Settings → Integration → WooCommerce PayPal Payments CAPTCHA**
   Or open directly: `/wp-admin/admin.php?page=wc-settings&tab=integration&section=wppc`
 * From there, generate your Site Key and Secret Key using the [Google reCAPTCHA admin console](https://www.google.com/recaptcha/admin)
   and paste them into the corresponding fields. Once saved, the CAPTCHA will silently
   protect the checkout process without disrupting legitimate users.
 * Documentation is also available here: [https://woocommerce.com/document/woocommerce-paypal-payments/fraud-and-disputes/](https://woocommerce.com/document/woocommerce-paypal-payments/fraud-and-disputes/)
 * If you need any help during setup feel free to reach out.
 * Kind Regards,
   Krystian


 * 7 replies
 * 3 participants
 * Last reply from: [Krystian Syde](https://wordpress.org/support/users/inpsydekrystian/)
 * Last activity: [4 months, 1 week ago](https://wordpress.org/support/topic/card-testing-attacks/#post-18743211)
 * Status: resolved