Hi there. This is a quick post that I hope will show up in search engines to spare others the suffering I’ve had to deal with recently. You need a captcha plugin or something like it on your WooCommerce sites. If you don’t have some barriers, a bot will take advantage of your site and use it for carding attacks.

What is a carding attack? That is when a hacker or other nefarious type person buys a list of credit cards on the Dark Web (or whatever) and uses a website like yours to test those cards to see which ones are still compromised. They like websites with small purchases that are likely to go unnoticed- so RPG publishers selling $1 PDFs are a popular target, I have learned.

A carding attack will take this list and generate hundreds or thousands of fraudulent orders on your store. Most will fail, but some will succeed and need to be canceled and refunded or you risk your merchant account.

So why a captcha? Captchas typically stop these bots pretty well – we use Cloudflare TurnStile to decent effect. We require human confirmation at checkout, and this saves us a lot of trouble.

I don’t really like blogging about my day job – I have huge imposter syndrome about what I do and I am terrified that someone more knowledgeable than me will come along and call me a fraud. But it’s a huge part of my life so I need to start blogging about it more often. We’ll see if I can get over this hangup.