Spam Orders

It has come to our attention that a targeted attack has been executed against a subset of clients, resulting in the generation of numerous spam orders in a brief period. The attack vector used involves an automated program that generates orders for identical products, but with usernames that differ only by appended digits. The program is designed to generate hundreds of orders while cycling through multiple IP addresses, which can evade website firewalls and result in the successful execution of the spamming campaign.
Regrettably, there is no fail-safe solution that CRU can implement automatically to stop this kind of attack. However, there are actions that both CRU and affected clients can take to mitigate the impact of these spam orders.
As a short-term solution, clients can switch off the guest checkout option: this is the method the attackers use when creating orders, because they cannot create accounts at the same time. To do this, clients can head to their WordPress dashboard, scroll down to WooCommerce > Settings, select the ‘Accounts & Privacy’ tab, and then uncheck the box next to ‘Allow customers to place orders without an account’. This will stop any further spam orders from occurring.

To handle the spam orders that have already been generated, clients should simply delete any orders that have failed. Orders with the status ‘Processing’ have a successful payment. For these orders, it is suggested to refund directly from the payment processor, such as Stripe or Eway, as most platforms allow the refunded order or card to be marked as fraudulent. Then refund the order manually within WooCommerce > Orders.
After some time has passed, it is recommended to switch the guest checkout option back on, as leaving it off can be a barrier to eCommerce conversion. In CRU's experience so far, the temporary change means the attacker loses interest and moves on to another website. In a couple of cases the spam orders returned, the above settings change was applied again with success, and the attacker has not reattempted since.
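To pick the campaign's orders out of the order list for the clean-up described above, the pattern from the first paragraph (identical products, names differing only by appended digits, a short burst) can be checked in a script. This is an added example, not CRU's or WooCommerce's own code; the row layout, the 30-minute window, the three-order threshold and the sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders (not real data): id, checkout name, SKUs, created, status.
ORDERS = [
    (5001, "mark.t01", ["TSHIRT-BLK"], "2024-03-02 01:10:04", "failed"),
    (5002, "mark.t02", ["TSHIRT-BLK"], "2024-03-02 01:10:09", "failed"),
    (5003, "mark.t03", ["TSHIRT-BLK"], "2024-03-02 01:10:15", "processing"),
    (5004, "mark.t04", ["TSHIRT-BLK"], "2024-03-02 01:10:21", "failed"),
    (5005, "anna.lee", ["MUG-RED", "TSHIRT-BLK"], "2024-03-02 01:12:40", "processing"),
    (5006, "anna.lee", ["MUG-RED"], "2024-03-02 09:30:00", "processing"),
    (5007, "mark.t", ["TSHIRT-BLK"], "2024-02-20 14:00:00", "completed"),
]

def stem(name):
    """Normalise a name and drop appended digits: 'Mark.T042' -> 'mark.t'."""
    return re.sub(r"\d+$", "", name.strip().lower())

def find_spam_clusters(orders, window=timedelta(minutes=30), min_orders=3):
    """Flag bursts of same-product orders whose names differ only by digits."""
    groups = defaultdict(list)
    for oid, name, skus, created, status in orders:
        when = datetime.strptime(created, "%Y-%m-%d %H:%M:%S")
        groups[(stem(name), tuple(sorted(skus)))].append((when, oid, name.lower(), status))
    clusters = []
    for (name_stem, skus), rows in groups.items():
        rows.sort()
        best, start = [], 0
        for end in range(len(rows)):          # sliding window over creation time
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = rows[start:end + 1]
        # IP address is deliberately ignored: the attacker rotates it.
        if len(best) >= min_orders and len({r[2] for r in best}) >= min_orders:
            clusters.append({
                "stem": name_stem,
                "skus": skus,
                "delete": [r[1] for r in best if r[3] == "failed"],
                "refund_at_processor": [r[1] for r in best if r[3] == "processing"],
            })
    return clusters

if __name__ == "__main__":
    for c in find_spam_clusters(ORDERS):
        print(c)
```

The older order from the genuine `mark.t` customer and the repeat customer `anna.lee` are not flagged, because a cluster needs several distinct digit-suffixed names inside one time window.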