Hi @techlynetta,
No — no such issue has been raised recently, nor in the past, that allows bots to bypass reCAPTCHA v2 on the WooCommerce checkout page.
Do the access logs show bot submissions for the checkout page? Please cross-check once.
Are the requests coming from the same IP address or country?
Bots are submitting fake orders and not actual humans. You should also check the Turnstile CAPTCHA option to see if it resolves the issue.
Regards
Thread Starter
techlyn
(@techlynetta)
Thank you for your reply… a couple questions:
- You ask “Do the access logs show bot submissions for the checkout page? Please cross-check once.” How do I know if they are bots? What do I look for?
- You ask “Are the requests coming from the same IP address or country?” In the visitor logs, I see different IP addresses. It doesn’t show country.
I have installed the All in One Security Premium to try to block by country, but I cannot get that set up until a bug with AIOSEO is fixed.
I also tried to follow the Cloudflare Turnstile instructions, but they want access to DNS and I don’t feel comfortable with this. I created an account and they are requiring me to add a widget which requires access to your DNS.
Please let me know how I can find out if these submissions are done by bots or by people. Only 1-2 orders are coming in each hour, and I have Google reCAPTCHA v2 on where they have to check a box, so it’s possible they’re human.
Hi @techlynetta,
If they are bots with a specific user agent, you may be able to identify them as particular bots in server access logs.
However, from your final comment, it appears they are human spammers placing fake orders every 1–2 hours. If they are human, it would explain how they are able to bypass the reCAPTCHA v2 check each time. If it were a bot, it might attempt multiple times and only succeed occasionally.
If it is indeed a human spammer, then using Turnstile will not make a difference, as they are placing orders in the same way as genuine site users.
Regarding the country blocking feature issue, unfortunately, WordPress.org rules do not allow us to use their forums for support related to paid software. You will, however, find more details on the website, or you can raise a support ticket there.
Regards
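
The access-log check discussed in this thread (user agent, repeated attempts from one client) can be scripted. The following is an added example, not part of any post above and not the plugin's own code. It assumes Combined Log Format, that checkout submissions are POSTs to WooCommerce's `wc-ajax=checkout` endpoint, the default `/checkout` page slug, and an arbitrary threshold; the "POST without loading the checkout page" signal is an extra heuristic not mentioned in the thread.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size "referer" "user-agent"
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
# Assumption: checkout submissions arrive as POSTs to WooCommerce's wc-ajax=checkout endpoint.
CHECKOUT_POST = "wc-ajax=checkout"
CHECKOUT_PAGE = "/checkout"          # assumption: default checkout page slug
SCRIPTED_UA = ("curl", "python-requests", "wget", "go-http-client", "headless")
MAX_POSTS = 5                        # assumed threshold for "many attempts" from one IP

def classify(log_lines):
    """Return {ip: [reasons]} for clients whose checkout traffic looks automated."""
    posts, loaded_page, agents = defaultdict(int), set(), {}
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue                 # skip lines that are not in the expected format
        ip, _ts, method, path, _status, ua = m.groups()
        if method == "GET" and path.startswith(CHECKOUT_PAGE):
            loaded_page.add(ip)
        elif method == "POST" and CHECKOUT_POST in path:
            posts[ip] += 1
            agents[ip] = ua
    flagged = {}
    for ip, count in posts.items():
        reasons = []
        ua = agents[ip].lower()
        if ua in ("", "-") or any(tok in ua for tok in SCRIPTED_UA):
            reasons.append("scripted or empty user agent")
        if count > MAX_POSTS:
            reasons.append(f"{count} checkout POSTs")
        if ip not in loaded_page:    # added heuristic: a browser loads the form before submitting
            reasons.append("POST without loading checkout page")
        if reasons:
            flagged[ip] = reasons
    return flagged

# Constructed sample lines (documentation IP ranges), not taken from any real site.
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
SAMPLE = [
    f'203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /checkout/ HTTP/1.1" 200 5120 "-" "{BROWSER}"',
    f'203.0.113.7 - - [10/Jan/2025:10:02:30 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 310 "-" "{BROWSER}"',
] + [
    f'198.51.100.9 - - [10/Jan/2025:10:05:{s:02d} +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 98 "-" "python-requests/2.31"'
    for s in range(8)
]

if __name__ == "__main__":
    for ip, reasons in classify(SAMPLE).items():
        print(ip, "->", "; ".join(reasons))
```

A client that loads the checkout page in a normal browser and submits once is not flagged, which matches the human-spammer case described above: access logs alone cannot separate that traffic from genuine customers.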