How To Stop Spam & Fake WooCommerce Orders

We’ve been seeing a rise in customers with spam WooCommerce orders coming through their site. These aren’t just a nuisance; they can be a huge issue, especially if you’re using a 3PL for order fulfilment, because if some portion of the fake orders get through they may actually be shipped. Ultimately this means you lose twice: once on the fraud order that gets shipped and then again on the chargeback.

In this post we’ll show you how to stop these spam WooCommerce orders permanently. The general approach and the same principles apply to other ecommerce platforms, so if you’re running Magento or OpenCart this will also solve your problem.

Looking for help implementing this? We can do it for you
If you’re looking for someone to help you implement this fix we can do it for you. If you don’t yet have a Cloudflare account, we can get you set up with one (the free plan can do this blocking), get the firewall rules set up to filter the order spam and deploy some additional rules and settings (like HSTS) to help further secure your site and speed it up.

To get started, head over to our QuickFix service, order 1 x QuickFix service and our team will get cracking. Generally we can get this implemented within 1 business day or less of getting the access we need. We’ll need admin access to your hosting account, or more specifically your DNS hosting, and an email address you want to use to set up the Cloudflare account under.

Spam, fraud and fake orders are typically for low dollar amounts. This is card testing: the attacker is running a list of stolen card numbers through your checkout to find out which ones are still live, and the small amounts keep the charges from being noticed by the cardholder or the bank.

Orders will typically come through something like the screenshot below, where there are several orders per hour all for the same product. Notice also that these orders more often than not have the customer details all in lowercase, as the orders typically originate from non-Western countries where the language doesn’t have uppercase characters.

Why Fake Orders Are a Serious Risk

Leaving fake orders unchecked can cause huge headaches for your business:

  • If you use a 3PL or fulfillment partner, fake orders might actually get shipped.
  • Your merchant account or payment processor could flag or suspend you due to suspicious activity.
  • It clutters your order system, wastes your time, and damages trust with legitimate customers.

5 Steps to Stop Fake WooCommerce Orders

Here are five steps to stop fake orders on your WooCommerce site (or any ecommerce site).

1. Enable Rate Limiting in WooCommerce

WooCommerce has an inbuilt rate limiter for the Store API, which is what the Cart and Checkout blocks use behind the scenes. Typically this feature won’t be enough to stop most fake and spam order attacks on its own because it is tuned for bursts (many requests in a few seconds) and the rate of fake orders is far lower than that, but it’s worth turning on anyway. Two caveats: it only covers Store API requests, so a site using the classic shortcode checkout gets no benefit from it, and if your site sits behind Cloudflare or another proxy the real visitor IP must be restored at the web server, otherwise the limiter sees Cloudflare’s edge addresses and counts your legitimate visitors together.

Do this in the WordPress backend under WooCommerce -> Settings -> Advanced -> Features by enabling “Rate limiting Checkout block and Store API”.

Learn more about this on the WooCommerce site here: https://developer.woocommerce.com/docs/apis/store-api/rate-limiting/

2. Use Cloudflare and Enable Country Filtering

Ideally you should be using Cloudflare for your WordPress site as even the free plan offers a whole bunch of features and benefits to improve site speed and your SEO.

With Cloudflare’s firewall rules (now called WAF custom rules) you can filter traffic from outside your target country, countries or continents.

This stops most of the automated tools that place these orders, because they usually run from hosting providers outside your target market rather than from a real customer’s browser.

Click here for a blog post on filtering traffic outside your target country using Cloudflare.

NOTE – you NEVER want to block countries outright, as it’s inevitable that real users will at some point be caught by the filter. Instead use the managed challenge or interactive challenge action, which lets genuine users get past the filter through a captcha style mechanism. Two refinements keep the rule from doing collateral damage: scope it to the cart, checkout and /wp-json/wc/store/ paths rather than the whole site, and exclude verified crawlers (Cloudflare’s cf.client.bot field) so search engines aren’t challenged and your SEO isn’t affected.

3. Install a WooCommerce Fraud Plugin

There are a number of these plugins and they all do similar things: they score or reject checkouts based on predetermined rules, IP blocklists and various other behaviours known to be fraudulent.

Here are two options for you to try:

Fraudlabs Pro which is free for up to 500 orders per month: https://wordpress.org/plugins/fraudlabs-pro-for-woocommerce/

WooCommerce Anti-Fraud, which is a paid plugin but has a whole range of settings you can use to dial in the filtering: https://woocommerce.com/products/woocommerce-anti-fraud/

4. For Stripe Users, Enable Stripe Radar

If you’re using Stripe, their Radar product will help identify and flag spam and fraud orders, and it is built specifically with card testing in mind. Radar’s machine learning screening is included in Stripe’s standard pricing; the rules-based tier (Radar for Fraud Teams) carries a per-transaction fee but is what lets you write your own rules, for example requiring 3D Secure on or blocking bursts of low-value orders. It’s well worth it.

Learn more at https://stripe.com/radar

5. Review the server log and block based on activity (advanced)

We published this post in September 2025 because we had a bunch of customers over a weekend report fake orders. Some of these customers are selling digital products internationally, so we can’t use the Cloudflare country filtering rules. Interestingly, because these were digital products, no shipping address was required, yet orders were showing up with shipping info. That is a strong hint that the orders weren’t being placed through the checkout page at all, since the checkout has no shipping fields to fill in.

We did some server log analysis: we took the IP addresses the orders came from (WooCommerce records the customer IP on each order, so it should show on the individual order screen), filtered the server access log down to those addresses and looked at what those clients actually requested. One pitfall here: if the site is behind Cloudflare or another proxy and the real visitor IP isn’t being restored, both the order and the access log will show the proxy’s address instead of the attacker’s, so fix that first or the filtering is meaningless.

What was happening in this particular case was that the malicious orders were being submitted directly to the WordPress REST API (in WooCommerce’s case the Store API under /wp-json/wc/store/, which the Cart and Checkout blocks use and which is public facing by design). Because the attacker was building the cart and customer record over the API rather than through the checkout page, they could set shipping details the page never offered, which is how orders were appearing with shipping info when there was no option to add this via the cart.

We traced the IP addresses back to a single hosting company too.

Using this info we were able to create a new rule in Cloudflare to block this activity. A screenshot of the rule is below. You’ll see we’re blocking two different API calls being used to add items to the cart and update the customer details. There’s another line in there to block a call that was being used to list all the products out, and then a fourth line to block the network these attacks were coming from. We used the Cloudflare event log to determine the ASN (Autonomous System Number), which identifies the network the attacks were coming from. One caveat before you copy this: if your storefront uses the WooCommerce Cart or Checkout blocks, real customers’ browsers call these same Store API endpoints, so blocking them outright will break your checkout. In that situation use a managed challenge on the API paths instead of a block, and reserve the outright block for the ASN line.

Your server log is accessible via your hosting control panel. It’ll be called “Apache Access Log”, “Nginx Access Log” or just “Access Log”. Typically there will be an access log and an error log; it’s the access log you want. You can usually filter it by IP in the web interface, but if not you’ll be able to download the log and search through it with Notepad or another basic text editor (or grep, if you have command line access).
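To make the log review in step 5 concrete, here is an added worked example (not code from this post or from WooCommerce) that does the analysis in Python rather than by hand. It parses combined-format Apache/Nginx access log lines, flags clients that POSTed to the Store API checkout without ever loading the checkout page, tallies which Store API endpoints those clients hit, and drafts the two Cloudflare rule expressions discussed in steps 2 and 5. The Store API paths are WooCommerce’s real routes and the field names (http.request.uri.path, ip.geoip.country, ip.geoip.asnum, cf.client.bot) are Cloudflare’s; the log lines, IP addresses and the ASN 64496 are constructed for the demo and stand in for whatever your own log and the Cloudflare event log show.

```python
"""Triage WooCommerce order spam from an access log and draft Cloudflare rules.

Added worked example, not code from the original article. Assumes combined
log format and WooCommerce's Store API paths (/wp-json/wc/store/v1/...).
The sample log, IPs and the ASN below are constructed for the demo.
"""
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one real shopper (203.0.113.7) and two card-testing
# clients (198.51.100.23/.24) driving the Store API from a script.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Sep/2025:10:01:02 +1000] "GET /shop/ HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0"
203.0.113.7 - - [20/Sep/2025:10:01:30 +1000] "GET /checkout/ HTTP/1.1" 200 9001 "https://shop.example/cart/" "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0"
203.0.113.7 - - [20/Sep/2025:10:02:00 +1000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 200 1800 "https://shop.example/checkout/" "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0"
198.51.100.23 - - [20/Sep/2025:10:05:00 +1000] "GET /wp-json/wc/store/v1/products HTTP/1.1" 200 42000 "-" "python-requests/2.32"
198.51.100.23 - - [20/Sep/2025:10:05:01 +1000] "POST /wp-json/wc/store/v1/cart/add-item HTTP/1.1" 201 1200 "-" "python-requests/2.32"
198.51.100.23 - - [20/Sep/2025:10:05:02 +1000] "POST /wp-json/wc/store/v1/cart/update-customer HTTP/1.1" 200 1300 "-" "python-requests/2.32"
198.51.100.23 - - [20/Sep/2025:10:05:03 +1000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 200 1800 "-" "python-requests/2.32"
198.51.100.24 - - [20/Sep/2025:10:20:03 +1000] "POST /wp-json/wc/store/v1/cart/add-item HTTP/1.1" 201 1200 "-" "python-requests/2.32"
198.51.100.24 - - [20/Sep/2025:10:20:04 +1000] "POST /wp-json/wc/store/v1/cart/update-customer HTTP/1.1" 200 1300 "-" "python-requests/2.32"
198.51.100.24 - - [20/Sep/2025:10:20:05 +1000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 400 900 "-" "python-requests/2.32"
"""

STORE_API = "/wp-json/wc/store/"


def parse_log(text):
    """Parse combined-format lines into dicts, skipping anything that doesn't match."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def headless_checkouts(entries):
    """IPs that POSTed to the Store API checkout without ever loading /checkout/.

    A browser running the Checkout block fetches the checkout page (HTML) before
    it calls the API; a script placing orders directly usually never does."""
    saw_page, posted = set(), set()
    for e in entries:
        if e["method"] == "GET" and e["path"].startswith("/checkout"):
            saw_page.add(e["ip"])
        if e["method"] == "POST" and e["path"].startswith(STORE_API + "v1/checkout"):
            posted.add(e["ip"])
    return sorted(posted - saw_page)


def requests_by_ip(entries, suspect_ips):
    """{ip: Counter of 'METHOD path'} for the IPs taken from the fake orders."""
    by_ip = defaultdict(Counter)
    for e in entries:
        if e["ip"] in suspect_ips:
            by_ip[e["ip"]][f'{e["method"]} {e["path"]}'] += 1
    return by_ip


def abused_store_api_paths(entries, suspect_ips):
    """Store API paths hit by the suspect IPs, most frequent first."""
    hits = Counter(e["path"] for e in entries
                   if e["ip"] in suspect_ips and e["path"].startswith(STORE_API))
    return [path for path, _ in hits.most_common()]


def cloudflare_expression(paths, asn):
    """Step 5's rule as a Cloudflare WAF custom-rule expression.

    Matches the abused Store API paths (unless the client is a verified bot) or
    the ASN the orders came from. Field names are Cloudflare's; the ASN is the
    demo placeholder. If your storefront uses the Cart/Checkout blocks, real
    browsers call these paths too, so pair the path clauses with a managed
    challenge rather than a block."""
    path_clauses = " or ".join(f'(http.request.uri.path eq "{p}")' for p in paths)
    return f"(({path_clauses}) and not cf.client.bot) or (ip.geoip.asnum eq {asn})"


def geo_challenge_expression(countries):
    """Step 2's rule: challenge (never block) cart/checkout traffic from outside
    the target countries, leaving verified crawlers alone."""
    country_set = " ".join(f'"{c}"' for c in countries)
    return (f"(not ip.geoip.country in {{{country_set}}}) and "
            f'(http.request.uri.path contains "/checkout" or http.request.uri.path contains "{STORE_API}") '
            f"and not cf.client.bot")


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    suspects = set(headless_checkouts(entries))
    for ip, reqs in requests_by_ip(entries, suspects).items():
        print(ip, dict(reqs))
    print(cloudflare_expression(abused_store_api_paths(entries, suspects), 64496))
    print(geo_challenge_expression(["AU", "NZ"]))
```

Paste the expressions into a Cloudflare WAF custom rule: the geo rule with the Managed Challenge action, and the step 5 rule with Block only if you have confirmed the site uses the classic shortcode checkout (otherwise keep Block for the ASN clause alone and challenge the path clauses). The IP addresses you feed in should come from the orders themselves, as described above; the sample here is constructed.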

What Doesn’t Work

Two common pieces of advice you’ll see around the web in relation to this problem are to “turn off guest checkouts” and “enable reCAPTCHA or Cloudflare Turnstile on the checkout”.

Don’t do this.

These are at best ineffective, and at worst they hurt your conversion rate.

Guest checkout is better for your conversion rate in 99.9% of cases, and forcing account creation won’t block the more sophisticated attacks, which will happily register an account or skip the checkout page entirely and go to the API as in step 5. All you’re doing is annoying real customers.

I’m sure you’ll agree that captchas are horrible, and with the advent of AI they are easily bypassed by malicious actors anyway. You’re better off using Cloudflare’s network level firewall rules as per above, which are massively more effective and won’t interfere with conversion rates or regular users in the same way a checkout captcha does. The difference is that the managed challenge in step 2 is only shown to traffic that already matches a suspicious rule (wrong country, API paths, a known bad network), not to every customer on every checkout.

Need More Help or Want It Done For You?

We’re specialists in WordPress and WooCommerce and can help you fix your spam and fraud order problem.

If you’re looking for help with your site, click here for a FREE Site Audit and one of the team will come back to you usually within a day or so and advise how we can help.