• Resolved energenetics

    (@energenetics)


    I started getting hundreds of spam orders that failed so I assumed it was a robot. I installed Google Advanced reCaptcha but nothing changed. I now have thousands of failed orders to delete. How do I get them to stop?

    The page I need help with: [log in to see the link]

Viewing 15 replies - 1 through 15 (of 16 total)
  • Hi @energenetics,

    WooCommerce creates an “order” as soon as checkout is attempted, so bots hitting the checkout page can generate many failed orders even if payment never succeeds.

    Please try these steps to reduce or stop the failed orders:

    1. Enable Rate limit Checkout: Go to WooCommerce → Settings → Advanced → Features → Rate limit Checkout. This helps slow or block automated requests to the checkout endpoint.
    2. Use a checkout anti-spam plugin or honeypot: Install a lightweight plugin that adds a honeypot field or JavaScript validation to the checkout. These plugins catch bots that bypass reCAPTCHA and stop many automated checkout attempts before they create orders.
    3. Add a firewall / bot protection layer: Use a WAF (Cloudflare, hosting firewall, etc.) to block malicious traffic before it reaches your site.
    4. Clean up existing failed orders: Go to WooCommerce → Orders → Filter → Status: Failed → Bulk Actions → Move to Trash. Increase Screen Options rows if you have many orders to remove.
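Step 4 above works for a few dozen orders but is tedious for thousands. As an added example (not code from the thread, WooCommerce or Wordfence), the script below removes stale failed orders through the standard WooCommerce REST API v3 instead of the admin screen. It assumes the store exposes the REST API over HTTPS and that you have created a read/write consumer key and secret under WooCommerce → Settings → Advanced → REST API; the base URL, the one-day cutoff and the sample order records in the test are my own constructed values. The cutoff keeps very recent failures, so a real customer whose card was declined a minute ago can still retry.

```python
"""Bulk-remove stale failed WooCommerce orders via the REST API (added example).

Assumes WooCommerce REST API v3 with a read/write consumer key/secret sent as
HTTP Basic auth over HTTPS. Runs as a dry run unless dry_run=False is passed.
"""
import base64
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

BATCH_LIMIT = 100  # WooCommerce's default per-request limit for /orders/batch
WC_DATE = "%Y-%m-%dT%H:%M:%S"  # format of date_created_gmt in API responses


def parse_wc_date(value: str) -> datetime:
    """WooCommerce returns *_gmt dates without a zone; treat them as UTC."""
    return datetime.strptime(value, WC_DATE).replace(tzinfo=timezone.utc)


def list_params(cutoff: datetime, page: int) -> dict:
    """Query string for GET /orders: failed orders created before `cutoff`."""
    return {
        "status": "failed",
        "before": cutoff.astimezone(timezone.utc).strftime(WC_DATE),
        "per_page": BATCH_LIMIT,
        "page": page,
        "_fields": "id,status,date_created_gmt",  # keep responses small
    }


def stale_failed_ids(orders: list, cutoff: datetime) -> list:
    """Client-side re-check of the server filter: only 'failed' and older than cutoff."""
    return [
        o["id"]
        for o in orders
        if o.get("status") == "failed" and parse_wc_date(o["date_created_gmt"]) < cutoff
    ]


def chunk(ids: list, size: int = BATCH_LIMIT) -> list:
    """Split IDs into batches the batch endpoint will accept."""
    return [ids[i:i + size] for i in range(0, len(ids), size)]


def batch_delete_payload(ids) -> dict:
    """Body for POST /orders/batch; the delete list bypasses the trash."""
    return {"delete": list(ids)}


class WooClient:
    def __init__(self, base_url: str, consumer_key: str, consumer_secret: str):
        self.base = base_url.rstrip("/") + "/wp-json/wc/v3"
        token = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}

    def request(self, method: str, path: str, params: dict = None, body: dict = None):
        url = self.base + path + ("?" + urllib.parse.urlencode(params) if params else "")
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.loads(resp.read().decode())

    def failed_orders_before(self, cutoff: datetime) -> list:
        """Page through every failed order older than cutoff before deleting anything,
        so deletions do not shift the pagination underneath us."""
        found, page = [], 1
        while True:
            orders = self.request("GET", "/orders", params=list_params(cutoff, page))
            if not orders:
                return found
            found.extend(orders)
            page += 1


def purge_failed_orders(client: WooClient, older_than_days: int = 1, dry_run: bool = True) -> list:
    """Return the IDs that would be (or were) deleted."""
    cutoff = datetime.now(timezone.utc) - timedelta(days=older_than_days)
    ids = stale_failed_ids(client.failed_orders_before(cutoff), cutoff)
    if not dry_run:
        for batch in chunk(ids):
            client.request("POST", "/orders/batch", body=batch_delete_payload(batch))
    return ids


if __name__ == "__main__":
    # Hypothetical store and credentials; run with dry_run=False once the list looks right.
    client = WooClient("https://shop.example", "ck_replace_me", "cs_replace_me")
    print("would delete:", len(purge_failed_orders(client, older_than_days=1, dry_run=True)))
```

Run it once as a dry run and compare the count with what WooCommerce → Orders shows for the Failed filter before switching `dry_run` off. Deleting does not stop new spam orders; it only clears the backlog, so pair it with the rate limiting and bot filtering discussed in the rest of this thread.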
    Thread Starter energenetics

    (@energenetics)

    Thank you very much for your detailed reply. I do already have a firewall, wordfence. Is that acceptable? I did also just install a honeypot, so hopefully that will help.

    Hi @energenetics,

Wordfence is absolutely acceptable; it’s a solid firewall and should help block many automated checkout attempts once its rules learn the pattern. Just make sure:

    • Wordfence → Firewall → Manage Firewall → Firewall Mode is set to “Enabled and Protecting.”
    • And under Rate Limiting, you set limits for excessive hits from the same IP.

    Combined with the honeypot you installed, this should significantly reduce or completely stop the failed spam orders.

    If the failed orders continue:

    • Try enabling WooCommerce → Settings → Advanced → Features → Rate limit Checkout (if not already enabled).
    • And check Wordfence’s Live Traffic to see if certain IPs or countries are repeatedly hitting the checkout page; you can block them directly.

    Feel free to update the thread if the spam attempts continue, and we can troubleshoot further.

    Thread Starter energenetics

    (@energenetics)

    The firewall is active and all of the values on the rate limiting section are set to unlimited. What is a better setting? I don’t see Live Traffic as a section.

    Rate Limiting Checkout is already enabled.

    The honeypot appears to be doing nothing, as I am still getting spam orders.

    Hi @energenetics,

    Thanks for the update.

    If Wordfence rate limiting is set to Unlimited, then bots can make unlimited requests to your checkout. Setting some limits usually helps reduce these failed orders.

    You can try values like:

    How should Wordfence handle crawlers: Throttle it
    If anyone’s requests exceed 60 per minute: Throttle it
    If a human’s page views exceed 30 per minute: Throttle it
    If a bot’s page views exceed 20 per minute: Throttle it
    Block excessively slow access to pages: Enabled

    These settings help slow down automated traffic.

    The “Live Traffic” section is definitely available in Wordfence. To see all incoming requests (including bots hitting the checkout page), please try this:

    1. Go to Wordfence → Tools → Live Traffic
    2. Change Traffic logging mode to All Traffic
    3. Save the settings
    4. Wait a few minutes and refresh the page — you should start seeing the IPs and URLs being accessed

    This will help you identify whether specific IPs or bots are repeatedly targeting the checkout page.

    If the spam still continues after adjusting rate limiting and the honeypot, consider adding Cloudflare on the free plan with Bot Fight Mode turned on. It blocks many automated scripts before they reach your server.

    Feel free to share the results, and we can help you further.

    Thread Starter energenetics

    (@energenetics)

    Ok, I cleared all of the allowlists and set all of the values to 30 per minute. Block excessively slow is not an option. The first one about crawlers, specifies, verified google crawlers will not be limited.

I’m seeing many rows of the same traffic, mainly Brazil and Dominican Republic. It’s a bit confusing though because the spam orders just keep continuing but the countries change.

    • This reply was modified 4 months, 1 week ago by energenetics.
    Plugin Support Frank Remmy (woo-hc)

    (@frankremmy)

    Hi @energenetics,

    Thanks for the update and for adjusting the Wordfence rate limiting values. That’s a solid step forward. Seeing repeated traffic from specific regions like Brazil and the Dominican Republic suggests that automated bots are still targeting your checkout page.

    Here are a few next steps you can try:

    • Since you’ve identified repeated traffic from certain countries, you can use Wordfence’s blocking tools to restrict or throttle requests from those regions.
    • Double‑check that Wordfence → Tools → Live Traffic is set to “All Traffic.” This will help you confirm which IPs are repeatedly hitting the checkout endpoint. You can then block those IPs directly.
    • As previously suggested, adding Cloudflare’s free plan with Bot Fight Mode enabled can provide an additional protection layer at the DNS and CDN level to block many automated scripts before they reach your site.

    The combination of Wordfence rate limiting, IP/country blocking, and Cloudflare’s bot protection usually reduces or eliminates these failed spam orders.

    I hope that helps. Let us know if you need anything else.

    Thread Starter energenetics

    (@energenetics)

    Thank you for checking in. I don’t necessarily want to block whole countries because I do get real orders from all over the world. I started blocking specific ip addresses to curb those. Do I have to just keep going through the list and block each one individually that hits the checkout?

    Hi @energenetics,

    You don’t need to block entire countries, and you also shouldn’t have to manually block every single IP, which can turn into an endless cycle because bots constantly rotate IP addresses.

    A more effective approach is to block them by behavior, not by geography or single IP.

    Here are a few things you can do:

    1. Use Wordfence’s “Block IPs that hit this URL” rule: Since all spam activity is targeting the checkout, you can block any IP that tries to access it too aggressively. 

    Go to Wordfence → Firewall → Blocking → “Block IPs that access these URLs”
    Add:
    /checkout/
    and optionally
    /checkout/*

    This will automatically block any IP that repeatedly hits the checkout in a short time, without you needing to block manually.

    2. Raise the rate-limit sensitivity slightly: Bots typically load the checkout page far faster than real customers. If you lower the limits a bit more for “human” and “bot” page views (for example, 10–15 per minute), Wordfence will throttle them automatically.
    3. Enable Wordfence “Failed Login / Invalid Access” blocks: Even if they aren’t logging in, bots often trigger other rules. Make sure Wordfence → Firewall → Brute Force Protection is enabled and blocking after a small number of failures.
    4. Cloudflare Bot Fight Mode (even on the free plan): This helps a lot because it blocks aggressive bots before they reach your site. No changes to countries or IPs required.
    5. If your honeypot plugin isn’t working, try a different one. Some bots ignore honeypots; others trigger them instantly. Switching to a plugin like Zero Spam for WordPress or Antispam Bee sometimes helps.

    You definitely don’t have to keep blocking every IP manually; let automated rules do the heavy lifting. 
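The rate-limit values suggested earlier in this thread and the “Block IPs that access these URLs” rule above behave very differently against a bot that rotates IPs after two hits, and the later replies show the URL rule locking out the store owner and the support agent as well. The simulation below is an added example, not code from the thread, Wordfence or WooCommerce: it replays a constructed request log (one customer plus 40 rotating bot addresses, all values mine) through three policies. The URL rule is modelled as blocking on the first access to a listed path, which is the behaviour the rest of this thread observes; the (user-agent, /24) grouping in the third policy is my own assumption about what “blocking by behaviour” can key on, not a Wordfence setting.

```python
"""Which blocking policy catches a rotating checkout bot? (added example)

Constructed log and thresholds; models the *logic* of the rules, not Wordfence's
actual counters or UI.
"""
from collections import defaultdict, deque
from ipaddress import ip_network
from typing import Callable, Iterable, NamedTuple


class Req(NamedTuple):
    t: float      # seconds since start of the log
    ip: str
    country: str
    ua: str
    path: str


def sliding_window_block(reqs: Iterable[Req], key: Callable[[Req], str],
                         limit: int, window: float) -> tuple:
    """Block a key once it makes more than `limit` checkout hits in any `window` seconds.
    Returns (blocked_keys, ips_that_were_denied)."""
    hits = defaultdict(deque)
    blocked, denied = set(), set()
    for r in sorted(reqs, key=lambda r: r.t):
        if "checkout" not in r.path:      # only checkout traffic counts
            continue
        k = key(r)
        if k in blocked:
            denied.add(r.ip)
            continue
        q = hits[k]
        q.append(r.t)
        while q and q[0] <= r.t - window:  # drop hits outside the window
            q.popleft()
        if len(q) > limit:
            blocked.add(k)
            denied.add(r.ip)
    return blocked, denied


def url_block(reqs: Iterable[Req], urls=("/checkout/",)) -> tuple:
    """Model of 'block IPs that access these URLs': the *first* access blocks the IP."""
    blocked, denied = set(), set()
    for r in sorted(reqs, key=lambda r: r.t):
        if r.ip in blocked:
            denied.add(r.ip)
        elif r.path in urls:
            blocked.add(r.ip)
            denied.add(r.ip)
    return blocked, denied


def by_ip(r: Req) -> str:
    return r.ip


def by_ua_and_subnet(r: Req) -> str:
    # Assumption: a rotating bot keeps its user agent and often stays inside one netblock.
    return f"{r.ua}|{ip_network(r.ip + '/24', strict=False)}"


CUSTOMER_IP = "203.0.113.5"
CUSTOMER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
BOT_UA = "Mozilla/5.0 (X11; Linux x86_64) python-requests/2.31"


def sample_log() -> list:
    """Constructed traffic: one slow human, then 40 bot IPs with two checkout hits each."""
    log = [
        Req(0, CUSTOMER_IP, "DE", CUSTOMER_UA, "/cart/"),
        Req(5, CUSTOMER_IP, "DE", CUSTOMER_UA, "/checkout/"),
        Req(40, CUSTOMER_IP, "DE", CUSTOMER_UA, "/checkout/"),   # reload to fix a typo
        Req(70, CUSTOMER_IP, "DE", CUSTOMER_UA, "/?wc-ajax=checkout"),
    ]
    for i in range(40):  # two /24 netblocks, 20 addresses each, countries differ per block
        ip = f"198.51.100.{10 + i}" if i < 20 else f"192.0.2.{10 + i - 20}"
        country = "BR" if i < 20 else "DO"
        log.append(Req(i, ip, country, BOT_UA, "/checkout/"))
        log.append(Req(i + 0.5, ip, country, BOT_UA, "/?wc-ajax=checkout"))
    return log


def evaluate(log: list) -> dict:
    """policy -> (keys blocked, IPs denied, was the real customer denied?)"""
    runs = {
        "per_ip_30_per_min": sliding_window_block(log, by_ip, 30, 60),
        "per_ip_2_hits_in_5s": sliding_window_block(log, by_ip, 1, 5),
        "ua_subnet_30_per_min": sliding_window_block(log, by_ua_and_subnet, 30, 60),
        "block_checkout_url": url_block(log),
    }
    return {name: (len(b), len(d), CUSTOMER_IP in d) for name, (b, d) in runs.items()}


if __name__ == "__main__":
    for name, result in evaluate(sample_log()).items():
        print(f"{name:24s} blocked={result[0]:3d} denied_ips={result[1]:3d} customer_denied={result[2]}")
```

On this log the per-IP limit of 30 per minute blocks nothing, because each bot address stops after two hits; the URL rule blocks every bot address but also the customer on her first checkout load, which is the lockout reported further down; grouping by user agent and netblock catches the bot group without touching the customer, though only after the group has crossed the threshold; and a very tight per-IP threshold (more than one checkout hit in five seconds) catches every bot address here but would also catch a customer who double-clicks, so any such change must be tested from an allowlisted address first.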

    Thread Starter energenetics

    (@energenetics)

    Ok, I blocked IPs for certain URLs but won’t that block anyone who goes to the checkout page? The bots are only hitting the checkout twice and then it switches to a different IP address.

    So WP Armour is no good?

    • This reply was modified 4 months, 1 week ago by energenetics.
    Plugin Support shahzeen (woo-hc)

    (@shahzeenfarooq)

    Hi there!

    Great question and no worries, blocking the checkout URL with Wordfence won’t block legitimate customers. It only blocks IPs that hit the checkout too frequently within a short timeframe, which is behavior normal visitors don’t trigger. A genuine customer loads the checkout once or twice, slowly, while bots load it in rapid bursts — that’s what Wordfence detects and blocks.

    Even if the bot switches IPs after two hits, Wordfence’s rate-limiting and firewall rules still help because each new IP gets flagged quickly before it can hit the page too many times.

    Regarding WP Armour: It isn’t necessarily “no good,” but it’s designed mainly for form spam. Checkout-page bot traffic often behaves differently and can bypass honeypot-style plugins. That’s why combining:

    • Wordfence rate limiting
    • Firewall rules
    • Cloudflare bot filtering (if enabled)

    is more effective than relying on a honeypot alone.

    If you notice bots still getting through, you can also slightly tighten Wordfence’s rate-limit thresholds so that even 2 hits in a few seconds triggers a block.

    Let me know if you’d like help adjusting the exact settings!

    Thread Starter energenetics

    (@energenetics)

    Ok, see what I get for listening to advice. Now I am locked out of my own website with no way to access it.

    Hi @energenetics,

    I understand how frustrating it can be to get logged out of your own website and then be unable to access it again. It can feel overwhelming.

    To help figure out what’s happening, could you let me know what specific action you took on your site before you got locked out? Also, when you try to log in now, what exactly occurs? Do you see an error message or a security warning?

    If you can, please share screenshots using snipboard.io. In case you already know which plugin is blocking your access, for example Wordfence or another security plugin, you can disable it by going to your website’s root directory, navigating to wp-content > plugins, and renaming the folder of the plugin (e.g., rename wordfence to rename-wordfence). After renaming it, try accessing your website again.

    I’ll be waiting for your feedback on what action caused the lockout and what you see when you attempt to log in so we can provide a more accurate solution.

    Thread Starter energenetics

    (@energenetics)

    I was trying to block bots with Wordfence like Sai suggested and put in a few different URLs thinking it would only work on bots, but that was obviously wrong. When I tested it to see if customers could still get through, it locked me out and I can no longer log back in. I contacted my host to see if they can help. This has been a complete nightmare from the start.

    • This reply was modified 4 months, 1 week ago by energenetics.
    Plugin Support shahzeen (woo-hc)

    (@shahzeenfarooq)

    Hi there!

    Thank you for the update. I’m really sorry to hear about the trouble you’ve run into; that sounds very frustrating.

    I have checked this, and it seems I’m also being blocked on the checkout page. This indicates that the settings are not configured properly, which is why everyone is being blocked from the checkout.

    To assist you further, here is a helpful article on how to prevent spam orders and card-testing attacks:
    https://woocommerce.com/document/how-do-i-prevent-and-respond-to-card-testing-attacks/#how-to-respond

    I hope this helps. If you still want to use Wordfence, I would suggest that once you regain access, you contact the Wordfence Security plugin support team and ask them to help you properly configure the plugin to stop spam orders without blocking legitimate users.
