now is over 100,000. It is coming through your plugin, even though I took the shortcode away from the page. They cannot give, but they are still trying through AJAX.
I have been on the phone for almost 4 hours with Cloudflare, with Stripe, with my host, and it all points back to your plugin.
That’s certainly not what we want! I want to be as helpful as I can, to get this resolved for you.
Don’t just remove the shortcode from the site: completely remove the donation form by making it a draft:
That should stop it as far as is possible from our side. Beyond that, either your host or Cloudflare will need to be the ones to turn off the flood.
You mention DDOS, so is the site completely down? Cloudflare should definitely be able to stop a DDOS attack: that’s what they do.
Once you get the site back operational, we can definitely work with you to get your donations back up and running, but the step before the first step is to stop the DDOS attack. That’s not something that we can help with, and it’s directly in Cloudflare’s wheelhouse.
Cloudflare said it was injecting through your plugin, Stripe also said that, and the report from the team at my host also has logs showing your plugin is affected. Maybe reCAPTCHA will help your plugin.
I’m happy to help in any way I can, but I am not clear yet as to whether you took my advice to completely remove the form from the site.
If you did, and the attack is still ongoing, here are two ways you can potentially fend this off from the WordPress side of things:
1) The Zero Spam Plugin. This is not a plugin that we developed, but the developers there have been excellent at providing support: https://wordpress.org/plugins/zero-spam/
It claims to support GiveWP right out of the box. There’s a chance that it will help, but given that you say the attack is happening via admin-ajax at this point, I am not sure that will help.
2) Implementing a reCAPTCHA. We don’t generally recommend the reCAPTCHA option because it slows down the donation experience and looks unsightly. It can harm your donations sometimes more than benefit them. But sometimes it’s really your last line of defense. So if you really want to implement it, here’s how:
If you need assistance implementing custom code on your website we have this guide.
We want to help, but the distributed nature of WordPress itself means that we can only really provide pointers and we rely on you to give us as clear a picture as possible of exactly how GiveWP is being exploited. If there is sensitive data that you’d rather not post on this public forum, you can reach out to us at https://givewp.com/contact-us and mention this forum post.