Preventing spam and fraudulent orders in WooCommerce
Practical measures for reducing fake orders in WooCommerce — tightening account settings, adding CAPTCHA, enabling payment verification and reviewing orders for fraud.
Fake orders are a common problem for WooCommerce stores. They waste time, tie up stock, skew your analytics and can lead to costly chargebacks from payment providers.
Most spam orders come from bots — automated scripts that submit checkout forms in bulk, often to test stolen credit card numbers. Others are manual fraud attempts where someone uses stolen card details to place real-looking orders. The measures below address both types.
Tighten account and checkout settings
Under WooCommerce → Settings → Accounts & Privacy, consider disabling guest checkout so that only registered users can place orders. Requiring account creation adds friction for bots and makes it easier to trace repeat offenders.
Enabling email verification during registration helps filter out throwaway addresses and automated sign-ups.
Bear in mind that requiring registration can reduce conversion rates for legitimate customers, so weigh this against the volume of spam you're dealing with. For some stores, keeping guest checkout but adding CAPTCHA (see below) is a better balance.
Add CAPTCHA to checkout and registration
CAPTCHA challenges distinguish human visitors from bots by requiring a simple interaction — like clicking a checkbox or solving a visual puzzle — before a form can be submitted. Adding CAPTCHA to your checkout, login and registration forms is one of the most effective ways to stop automated spam orders.
Look for a WooCommerce-compatible CAPTCHA solution that supports Cloudflare Turnstile or Google reCAPTCHA. You'll need to generate a site key and secret from the CAPTCHA provider's dashboard and configure it within the plugin's settings.
Test your checkout thoroughly after enabling CAPTCHA. Some implementations can interfere with the payment flow or cause issues with certain themes, so confirm that real customers can still complete an order without problems.
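The server-side half of the CAPTCHA check described above, as an added example that is not code from the original article, from WooCommerce, or from any particular CAPTCHA plugin. It assumes the classic shortcode checkout (the block-based checkout uses different hooks), that the Turnstile widget has already been rendered on the checkout form so the POST carries its cf-turnstile-response field, and that the secret key is defined in wp-config.php under the placeholder constant name EXAMPLE_TURNSTILE_SECRET. Hook names, the siteverify endpoint and its response shape are Cloudflare's and WooCommerce's documented ones; everything prefixed example_ is hypothetical.

```php
<?php
/**
 * Added example (not from the original article): verify a Cloudflare Turnstile
 * token on the server before WooCommerce accepts a checkout submission.
 *
 * Assumptions: classic shortcode checkout, widget already rendered on the form,
 * EXAMPLE_TURNSTILE_SECRET (placeholder name) defined in wp-config.php.
 */

/**
 * Runs after WooCommerce's own checkout validation. Adding to $errors
 * stops the order from being created and shows the message to the customer.
 */
function example_verify_turnstile_on_checkout( $data, $errors ) {
    // Token posted by the widget; empty when a bot submits the form without it.
    $token = isset( $_POST['cf-turnstile-response'] )
        ? sanitize_text_field( wp_unslash( $_POST['cf-turnstile-response'] ) )
        : '';

    if ( '' === $token ) {
        $errors->add( 'captcha', __( 'Please complete the anti-spam check before placing your order.', 'example' ) );
        return;
    }

    $response = wp_remote_post( 'https://challenges.cloudflare.com/turnstile/v0/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => EXAMPLE_TURNSTILE_SECRET,
            'response' => $token,
            'remoteip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        ),
    ) );

    // Fail closed: a network error to the verifier is treated like a failed check.
    if ( is_wp_error( $response ) ) {
        $errors->add( 'captcha', __( 'We could not verify the anti-spam check. Please try again.', 'example' ) );
        return;
    }

    // Turnstile answers with JSON containing a boolean "success" field.
    $result = json_decode( wp_remote_retrieve_body( $response ), true );

    if ( empty( $result['success'] ) ) {
        $errors->add( 'captcha', __( 'Anti-spam check failed. Please try again.', 'example' ) );
    }
}
add_action( 'woocommerce_after_checkout_validation', 'example_verify_turnstile_on_checkout', 10, 2 );
```

Failing closed means a verifier outage blocks checkout for everyone, which is exactly the kind of interaction the paragraph above says to test for; a store that would rather lose some spam filtering than any sales can log the error and return instead.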
Enable CVV and address verification
Most payment gateways support two important fraud prevention features that are worth enabling if they aren't already:
- Card Verification Value (CVV) — requires the customer to enter the three- or four-digit security code from their card, confirming they have the physical card and not just a stolen card number.
- Address Verification Service (AVS) — compares the billing address entered at checkout with the address the card issuer has on file. Mismatches are flagged or declined automatically.
Check your payment gateway's settings (usually found under WooCommerce → Settings → Payments) to make sure both are enabled. These won't stop every fraudulent order, but they significantly reduce card-not-present fraud.
Use an anti-fraud solution
For stores dealing with persistent fraud, consider adding a dedicated anti-fraud tool. Look for solutions that can score orders based on risk factors such as mismatched billing and shipping addresses, unusual order values, high-risk geolocations, rapid repeat attempts from the same IP and use of known disposable email providers.
Many anti-fraud tools can automatically hold or cancel orders that exceed a risk threshold, saving you from reviewing every order manually. When choosing a solution, look for one that lets you adjust the sensitivity so you can fine-tune it over time without blocking legitimate customers.
Review suspicious orders manually
Automated tools catch a lot, but it's worth knowing the common red flags so you can spot problems yourself:
- Unusually large quantities or order values from a first-time customer.
- Multiple failed payment attempts in a short window, which can indicate card testing.
- Billing and shipping addresses in different countries with no obvious reason.
- Free or disposable email addresses on high-value orders.
When in doubt, contact the customer to verify the order before dispatching. A quick email can save you a chargeback.
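The risk scoring that the anti-fraud section and the red-flag list above both describe, as an added example that is not code from the original article or from WooCommerce. It computes a score from the factors listed (country mismatch, disposable email domain, a large first order, repeated failed payments) and holds orders at or above a threshold for manual review instead of letting them go straight to processing. The weights, threshold, order-value cutoff and disposable-domain list are constructed placeholders to tune against your own order history; the hook, WC_Order methods and wc_get_orders arguments are WooCommerce's documented ones; names prefixed example_ are hypothetical. It assumes WooCommerce 3.0 or later and a payment gateway that calls payment_complete(), which card gateways do.

```php
<?php
/**
 * Added example (not from the original article or WooCommerce): score an order
 * for fraud risk when payment completes and put risky orders on hold for review.
 *
 * Weights, threshold and the domain list below are constructed placeholders.
 */

// Constructed sample list; replace with a maintained disposable-domain list.
const EXAMPLE_DISPOSABLE_DOMAINS = array( 'mailinator.com', 'guerrillamail.com', '10minutemail.com' );
const EXAMPLE_HOLD_THRESHOLD     = 50;   // Scores at or above this are held.
const EXAMPLE_LARGE_ORDER_TOTAL  = 500;  // "Unusually large" first order, in store currency.

/**
 * Scores an order from 0 upwards (higher is riskier) and returns
 * array( 'score' => int, 'reasons' => string[] ) so the reviewer can
 * see in the order notes why it was held.
 */
function example_score_order_risk( WC_Order $order ) {
    $score   = 0;
    $reasons = array();
    $email   = strtolower( $order->get_billing_email() );

    // Billing and shipping addresses in different countries.
    $billing  = $order->get_billing_country();
    $shipping = $order->get_shipping_country();
    if ( $shipping && $billing !== $shipping ) {
        $score    += 25;
        $reasons[] = "billing country {$billing} differs from shipping country {$shipping}";
    }

    // Free or disposable email provider.
    $domain = substr( strrchr( $email, '@' ), 1 );
    if ( in_array( $domain, EXAMPLE_DISPOSABLE_DOMAINS, true ) ) {
        $score    += 30;
        $reasons[] = "disposable email domain {$domain}";
    }

    // Large order from a customer with no previously paid order on this email.
    $prior_paid = wc_get_orders( array(
        'customer' => $email,
        'status'   => array( 'processing', 'completed' ),
        'exclude'  => array( $order->get_id() ),
        'limit'    => 1,
        'return'   => 'ids',
    ) );
    if ( empty( $prior_paid ) && (float) $order->get_total() >= EXAMPLE_LARGE_ORDER_TOTAL ) {
        $score    += 30;
        $reasons[] = 'large first order (' . $order->get_total() . ')';
    }

    // Several failed payments from the same email in the last hour: card testing.
    $recent_failed = wc_get_orders( array(
        'customer'     => $email,
        'status'       => 'failed',
        'date_created' => '>' . ( time() - HOUR_IN_SECONDS ),
        'limit'        => 5,
        'return'       => 'ids',
    ) );
    if ( count( $recent_failed ) >= 3 ) {
        $score    += 40;
        $reasons[] = count( $recent_failed ) . ' failed payment attempts in the last hour';
    }

    return array( 'score' => $score, 'reasons' => $reasons );
}

/**
 * Filters the status WooCommerce assigns when payment completes. Returning
 * 'on-hold' keeps the paid order from being fulfilled until someone reviews it.
 */
function example_hold_risky_orders( $status, $order_id, $order ) {
    $risk = example_score_order_risk( $order );
    if ( $risk['score'] >= EXAMPLE_HOLD_THRESHOLD ) {
        $order->add_order_note( sprintf(
            'Held for fraud review (risk score %d): %s',
            $risk['score'],
            implode( '; ', $risk['reasons'] )
        ) );
        return 'on-hold';
    }
    return $status;
}
add_filter( 'woocommerce_payment_complete_order_status', 'example_hold_risky_orders', 10, 3 );
```

The order note is the part a reviewer will thank you for: an order sitting in on-hold with no explanation gets released by whoever is in a hurry. Start with a high threshold and lower it gradually while watching how many held orders turn out to be legitimate, which is the sensitivity tuning the anti-fraud section recommends.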
Block repeat offenders
If you notice spam from specific IP addresses or ranges, you can block them at the server level through your hosting firewall or your site's security settings. Rate limiting on checkout endpoints is also worth considering — it slows down automated scripts that submit orders in rapid succession.
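A per-IP rate limit on checkout submissions of the kind mentioned above, as an added example that is not code from the original article or from WooCommerce. It counts attempts in a fixed ten-minute window using WordPress transients and refuses further submissions from that IP once the limit is exceeded, logging the event so the address can be considered for a firewall block. It assumes the classic shortcode checkout (which fires woocommerce_checkout_process) and that the web server sees the real client address in REMOTE_ADDR; behind Cloudflare or a load balancer the proxy's client-IP header must be used instead, after confirming the header can only come from that proxy. The limits are illustrative and the example_ names are hypothetical.

```php
<?php
/**
 * Added example (not from the original article or WooCommerce): limit how many
 * checkout submissions a single IP may make within a fixed window.
 *
 * Assumptions: classic shortcode checkout, no reverse proxy in front of PHP
 * (otherwise REMOTE_ADDR is the proxy, not the customer). Limits are illustrative.
 */

const EXAMPLE_CHECKOUT_MAX_ATTEMPTS = 5;                       // attempts allowed per window
const EXAMPLE_CHECKOUT_WINDOW       = 10 * MINUTE_IN_SECONDS;  // window length in seconds

function example_checkout_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '0.0.0.0';
}

/**
 * Records one checkout attempt for $ip and returns true once the IP has
 * exceeded the limit for the current window. The counter and the window's
 * end time are kept together in one transient so the window does not slide
 * forward on every attempt.
 */
function example_checkout_rate_limited( $ip ) {
    $key   = 'example_checkout_rl_' . md5( $ip );
    $state = get_transient( $key );
    $now   = time();

    // Start a fresh window when there is no state or the old window has ended.
    if ( ! is_array( $state ) || $state['reset'] <= $now ) {
        $state = array( 'count' => 0, 'reset' => $now + EXAMPLE_CHECKOUT_WINDOW );
    }

    $state['count']++;
    // Expire the transient when the window ends, not a full window from now.
    set_transient( $key, $state, max( 1, $state['reset'] - $now ) );

    return $state['count'] > EXAMPLE_CHECKOUT_MAX_ATTEMPTS;
}

/**
 * Runs at the start of checkout processing. An error notice here stops
 * WooCommerce from creating the order and shows the message to the visitor.
 */
function example_enforce_checkout_rate_limit() {
    $ip = example_checkout_client_ip();
    if ( example_checkout_rate_limited( $ip ) ) {
        // Log the hit so repeat offenders can be blocked at the firewall.
        error_log( 'Checkout rate limit exceeded for IP ' . $ip );
        wc_add_notice( __( 'Too many checkout attempts. Please wait a few minutes and try again.', 'example' ), 'error' );
    }
}
add_action( 'woocommerce_checkout_process', 'example_enforce_checkout_rate_limit' );
```

Five attempts in ten minutes is generous for a person and tight for a script; set it with shared addresses in mind, since an office or mobile carrier NAT can put many real customers behind one IP. Limiting at the web server or CDN layer, as the paragraph above suggests, is cheaper per request than doing it in PHP, but the PHP version has the advantage of seeing only genuine checkout submissions rather than every hit to the page.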
Keep your software updated
Outdated versions of WooCommerce, WordPress and payment gateway extensions can have known vulnerabilities that attackers exploit. Keeping everything updated is a basic but important layer of defence. Enable auto-updates for security releases where possible, and test major updates on a staging environment first.
Need help with WooCommerce fraud prevention?
If spam or fraudulent orders are a persistent problem and you'd like help configuring your store's defences, my emergency WordPress support service includes WooCommerce security and fraud prevention setup.