Title: Multiple orders attack Last modified: September 11, 2022 --- # Multiple orders attack * Resolved [kimaldis](https://wordpress.org/support/users/kimaldis/) * (@kimaldis) * [3 years, 6 months ago](https://wordpress.org/support/topic/multiple-orders-attack/) * I’ve just discovered thousands of failed WooCommerce orders on this site along with nearly 4000 new registered customers. I’ve updated all WordPress and all plugins on the site and blocked the IP address from where this attack is coming but I’m concerned that this could resume from a different IP. Is there a way to prevent this? The WooCommerce versiion was 4.5.5, quite old. Could this issue have been picked up in recent versions? * And finally, is there a quick way of deleting several thousand customers and failed orders, without deleting the legitimate ones * The page I need help with: _[[log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Fmultiple-orders-attack%2F%3Foutput_format%3Dmd&locale=en_US) to see the link]_ Viewing 15 replies - 1 through 15 (of 15 total) * [Rafy](https://wordpress.org/support/users/nawaz0705/) * (@nawaz0705) * [3 years, 6 months ago](https://wordpress.org/support/topic/multiple-orders-attack/#post-15998685) * Hi [@kimaldis](https://wordpress.org/support/users/kimaldis/) * Thank you for reaching out! * I can only imagine how frustrating this is to get all these spam orders! * In general, sites and stores can indeed trigger scammers and spammers, and that is especially true when your site starts to grow. If you want extra security for your store, I would suggest a few things you can start with to prevent spammy orders: - Update your WooCommerce to the latest version for better security - You could add a Terms and Conditions checkbox. It depends on if the thing doing the spam is checking for that field, but similar to ReCaptcha, it needs to be manually clicked before trying to process: [https://woocommerce.com/document/configuring-woocommerce-settings/#terms-and-conditions](https://woocommerce.com/document/configuring-woocommerce-settings/#terms-and-conditions) - You can also use our [WooCommerce Anti-Fraud](https://woocommerce.com/products/woocommerce-anti-fraud/?aff=10486&cid=1131038) extension, which will help you pick up fraudulent transactions and catch them as they happen. - [reCaptcha for WooCommerce](https://woocommerce.com/products/recaptcha-for-woocommerce/?aff=10486&cid=1131038) is another extension that will help prevent spammy orders. * I also recommend the best practices mentioned in the below articles: - [How to prevent spam and fake orders in WooCommerce](https://quadlayers.com/how-to-prevent-spam-in-woocommerce/) - [Managing Fraud Orders in WooCommerce](https://devpress.com/managing-fraud-orders-in-woocommerce/) * > And finally, is there a quick way of deleting several thousand customers and > failed orders, without deleting the legitimate ones * You can use the `Bulk actions` option to delete failed orders and users. * For the failed orders, you can navigate to `WooCommerce > Orders > Failed` and select the orders you want to delete and then select `Move to Trash > Apply`. * For the customers, you can delete them from `WooCommerce > Users > All Users` page. * I hope this helps. * Thread Starter [kimaldis](https://wordpress.org/support/users/kimaldis/) * (@kimaldis) * [3 years, 6 months ago](https://wordpress.org/support/topic/multiple-orders-attack/#post-15998706) * Brilliant answer. Thanks very much. * [Rafy](https://wordpress.org/support/users/nawaz0705/) * (@nawaz0705) * [3 years, 6 months ago](https://wordpress.org/support/topic/multiple-orders-attack/#post-15998802) * Hi [@kimaldis](https://wordpress.org/support/users/kimaldis/) * > Brilliant answer. Thanks very much. * You are welcome! 🙂 * I am marking this thread as resolved, but please let us know if any additional issues arise! * Thank you! * Thread Starter [kimaldis](https://wordpress.org/support/users/kimaldis/) * (@kimaldis) * [3 years, 6 months ago](https://wordpress.org/support/topic/multiple-orders-attack/#post-16000783) * There doesn’t seem to be a way to delete users in the Woocommerce user page? * [Rafy](https://wordpress.org/support/users/nawaz0705/) * (@nawaz0705) * [3 years, 6 months ago](https://wordpress.org/support/topic/multiple-orders-attack/#post-16000871) * Hi [@kimaldis](https://wordpress.org/support/users/kimaldis/) * Please navigate to **WP Admin > Users > All Users > Customer** and then select` Delete` and click on `Apply` button as shown in this screenshot: [https://d.pr/i/TZYxGz](https://d.pr/i/TZYxGz) * Let us know how this goes. * Thread Starter [kimaldis](https://wordpress.org/support/users/kimaldis/) * (@kimaldis) * [3 years, 6 months ago](https://wordpress.org/support/topic/multiple-orders-attack/#post-16001062) * I’m talking about WooCommerce customers here. I have 153 rows of customers under WooCommerce->customers but only 13 WordPress users. There’s nothing in the Customer page that lets me to delete customers. * Thread Starter [kimaldis](https://wordpress.org/support/users/kimaldis/) * (@kimaldis) * [3 years, 6 months ago](https://wordpress.org/support/topic/multiple-orders-attack/#post-16001080) * Looking through the timeline of this event, it looks as though a very large number of purchases was made in only a few minutes. I have 3,747 new orders accepted in less than 2 minutes. Doesn’t WooCommerce check for this kind of thing when orders are created? * [xue28 (woo-hc)](https://wordpress.org/support/users/xue28/) * (@xue28) * [3 years, 6 months ago](https://wordpress.org/support/topic/multiple-orders-attack/#post-16004008) * Hi [@kimaldis](https://wordpress.org/support/users/kimaldis/) * > I’m talking about WooCommerce customers here. I have 153 rows of customers > under WooCommerce->customers but only 13 WordPress users. There’s nothing in > the Customer page that lets me to delete customers. * Can you please share with us a clear screenshot of what you see on your end so that we could address you more effectively? * If you don’t already have a screenshot service installed, you can try [https://snipboard.io](https://snipboard.io) or [http://skitch.com/](http://skitch.com/). You can share the direct link to the image as a response to this topic. * Here’s how it shows on my end: * ![](https://i0.wp.com/snipboard.io/QIaRtH.jpg?ssl=1) * Image Link: [https://snipboard.io/QIaRtH.jpg](https://snipboard.io/QIaRtH.jpg) * > Looking through the timeline of this event, it looks as though a very large > number of purchases were made in only a few minutes. I have 3,747 new orders > accepted in less than 2 minutes. Doesn’t WooCommerce check for this kind of > thing when orders are created? * Orders are created when a customer completes the checkout process. As mentioned by Rafy, you could follow the best practices above in order to prevent spam and fake orders on your site. * Thread Starter [kimaldis](https://wordpress.org/support/users/kimaldis/) * (@kimaldis) * [3 years, 6 months ago](https://wordpress.org/support/topic/multiple-orders-attack/#post-16004338) * Again, you’re showing me the WordPress _Users_ page, where I have 10 users. I’m concerned about the page shown at WooCommerce->Customers which shows over 3000 _users_ * first image shows my User page, second two show top and tail of WooCommerce-> Customers page: * [https://www.dropbox.com/sh/vcwt1o6ohblex4l/AAAsueB531SRLiQwz-ZNm_cUa?dl=0](https://www.dropbox.com/sh/vcwt1o6ohblex4l/AAAsueB531SRLiQwz-ZNm_cUa?dl=0) * Thread Starter [kimaldis](https://wordpress.org/support/users/kimaldis/) * (@kimaldis) * [3 years, 6 months ago](https://wordpress.org/support/topic/multiple-orders-attack/#post-16007758) * sorry, “WooCommerce->Customers which shows over 3000 _**customers**_“ * [xue28 (woo-hc)](https://wordpress.org/support/users/xue28/) * (@xue28) * [3 years, 6 months ago](https://wordpress.org/support/topic/multiple-orders-attack/#post-16011607) * Hi [@kimaldis](https://wordpress.org/support/users/kimaldis/) * Thank you for providing the screenshots, these are really helpful! 🙂 * In order to delete Customers on your site, please go to **WooCommerce > All Users > Customers**. * ![](https://i0.wp.com/snipboard.io/7ympqr.jpg?ssl=1) * Image Link: [https://snipboard.io/7ympqr.jpg](https://snipboard.io/7ympqr.jpg) * Based on the screenshots you provided here, these newly registered spam customers have the same name but different email addresses. In addition, they do not have any orders on your site. * ![](https://i0.wp.com/snipboard.io/AgSnfM.jpg?ssl=1) * Image Link: [https://snipboard.io/AgSnfM.jpg](https://snipboard.io/AgSnfM.jpg) * Aside from the helpful tips mentioned above, you could check these blogs for helpful tips to avoid spam registrations on your site: * – [5 ways to stop spam orders and registrations in WooCommerce](https://www.oopspam.com/blog/spam-protection-for-woocommerce) – [How To Stop Spam On Your WooCommerce Store](https://wholesalesuiteplugin.com/stop-spam-woocommerce-store/) * Thread Starter [kimaldis](https://wordpress.org/support/users/kimaldis/) * (@kimaldis) * [3 years, 6 months ago](https://wordpress.org/support/topic/multiple-orders-attack/#post-16011749) * All 10 of the customers listed in the WP Users->customers page are legitimate customers that were added long before this attack took place. I should not delete these. * None of the customers “asdas asdas” listed in the WooCommerce customers page have equivalent users in the WP Users page. * the reason none of the customers listed in the WooCommerce->Customers page have orders is that I’ve delted all all suspicious orders. * [Igor H](https://wordpress.org/support/users/ihereira/) * (@ihereira) * [3 years, 6 months ago](https://wordpress.org/support/topic/multiple-orders-attack/#post-16016423) * Hello, * I understand your point, if you would like to delete customers in bulk, you can check this thread below, it includes a way to delete the customers with no orders from the database: * [How do I delete customers with no orders?](https://wordpress.org/support/topic/how-do-i-delete-customers-with-no-orders/) * Please note before running this workaround, please create a **backup** of your data. * Also, you can check this: [How to Bulk Delete all WooCommerce Customer Accounts](https://jamesc.id.au/2015/02/bulk-delete-woocommerce-customer-accounts/) * I hope this helps. * Thread Starter [kimaldis](https://wordpress.org/support/users/kimaldis/) * (@kimaldis) * [3 years, 6 months ago](https://wordpress.org/support/topic/multiple-orders-attack/#post-16016456) * Thanks. I’d pretty much worked that out but I’d hoped I wouldn’t have to use it. * Since it seems orphaned customers can appear, not being able to remove them seems like an odd omission? * [anastas10s](https://wordpress.org/support/users/anastas10s/) * (@anastas10s) * [3 years, 6 months ago](https://wordpress.org/support/topic/multiple-orders-attack/#post-16019355) * Hi there [@kimaldis](https://wordpress.org/support/users/kimaldis/) 👋 * > Thanks. I’d pretty much worked that out but I’d hoped I wouldn’t have to use > it. > Since it seems orphaned customers can appear, not being able to remove them > seems like an odd omission? * Feel free to navigate to `WooCommerce > Customers` and use the advanced filters, targeting the specific date, for filtering them out, and subsequently deleting them from the system. * Here is a screenshot of what looks like: [https://snipboard.io/1jLMQp.jpg](https://snipboard.io/1jLMQp.jpg) * With kind regards Viewing 15 replies - 1 through 15 (of 15 total) The topic ‘Multiple orders attack’ is closed to new replies. * ![](https://ps.w.org/woocommerce/assets/icon.svg?rev=3234504) * [WooCommerce](https://wordpress.org/plugins/woocommerce/) * [Frequently Asked Questions](https://wordpress.org/plugins/woocommerce/#faq) * [Support Threads](https://wordpress.org/support/plugin/woocommerce/) * [Active Topics](https://wordpress.org/support/plugin/woocommerce/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/woocommerce/unresolved/) * [Reviews](https://wordpress.org/support/plugin/woocommerce/reviews/) * 15 replies * 5 participants * Last reply from: [anastas10s](https://wordpress.org/support/users/anastas10s/) * Last activity: [3 years, 6 months ago](https://wordpress.org/support/topic/multiple-orders-attack/#post-16019355) * Status: resolved