How to Stop Fake Orders WooCommerce & WordPress

We recently noticed several websites being bombarded with many failed new orders, resulting in downtime and slowdowns. Since the attack is carried out from various networks and countries, it’s very difficult to counter the malicious activity.

Try our free site check.

Stop fake orders

  • Review the traffic logs and get more information about the abusive IPs. IPinfo example: https://ipinfo.io/136.227.183.193
  • Block the IP range or the entire ASN.
  • A more strict approach would be to block all countries, allowing US and the country where your shop is serving.
  • Enable and configure the reCAPTCHA for WooCommerce plugin – not recommended for long-term use as it may affect conversion rate.

Delete spam orders

  • Run WP CLI to bulk delete orders, order status: wc-completed, wc-pending, wc-cancelled, wc-failed
  • wp post delete $(wp post list --post_type='shop_order' --post_status=wc-failed --format=ids) --force
    
  • Delete orders manually – to lower the server load, set the number of items per page.

Malicious POST requests:

136.227.160.207 - - [01/Dec/2024:09:38:56 -0500] "GET /wp-json/wc/store/products?stock_status=instock&order=asc&orderby=price&min_price=1&max_price=5000&type=simple&page=1&per_page=100 HTTP/1.1" 200
136.227.160.207 - - [01/Dec/2024:09:38:57 -0500] "GET /wp-json/wc/store/cart HTTP/1.1" 200 2290 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML like Gecko) Version/17.3.1 Safari/605.1.15" 
136.227.160.207 - - [01/Dec/2024:09:38:59 -0500] "POST /wp-json/wc/store/cart/add-item HTTP/1.1" 201 6967 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML like Gecko) Version/17.3.1 Safari/605.1.15" 
136.227.160.207 - - [01/Dec/2024:09:39:00 -0500] "POST /wp-json/wc/store/cart/update-customer HTTP/1.1" 200 7212 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML like Gecko) Version/17.3.1 Safari/605.1.15" 
136.227.160.207 - - [01/Dec/2024:09:39:01 -0500] "POST /wp-json/wc/store/cart/select-shipping-rate HTTP/1.1" 200 7212 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML like Gecko) Version/17.3.1 Safari/605.1.15" 
136.227.160.207 - - [01/Dec/2024:09:39:04 -0500] "GET /checkout/ HTTP/1.1" 200 169404 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML like Gecko) Version/17.3.1 Safari/605.1.15" 
136.227.160.207 - - [01/Dec/2024:09:39:07 -0500] "POST /?wc-ajax=ppc-data-client-id HTTP/1.1" 200 1282 "https://domain.com/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML like Gecko) Version/17.3.1 Safari/605.1.15" 
136.227.160.207 - - [01/Dec/2024:09:39:10 -0500] "POST /?wc-ajax=ppc-create-order HTTP/1.1" 200 862 "https://domain.com/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML like Gecko) Version/17.3.1 Safari/605.1.15" 
136.227.160.207 - - [01/Dec/2024:09:39:12 -0500] "POST /?wc-ajax=ppc-approve-order HTTP/1.1" 200 768 "https://domain.com/checkout/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML like Gecko) Version/17.3.1 Safari/605.1.15"
136.227.160.207 - - [01/Dec/2024:09:39:13 -0500] "POST /wp-json/wc/store/checkout HTTP/1.1" 400 2627 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML like Gecko) Version/17.3.1 Safari/605.1.15"

Bad networks & IPs:
AS20473 – The Constant Company, LLC
136.227.177.0/24
134.199.78.0/24
136.227.160.0/24
136.227.183.0/24

AS6939 – Hurricane Electric LLC
96.62.244.0/23
150.241.242.0/23
150.241.250.0/23

AS49544 – i3D.net B.V
162.245.204.0/22
31.204.128.0/19

AS9009 – M247 Europe SRL
38.132.118.0/24
37.120.213.0/24
146.70.28.0/24
152.89.162.0/24
192.145.127.0/24

AS22773 – Cox Communications Inc.
98.167.0.0/17

If you’ve recently noticed a high number of failed orders, we can help.

Our skilled malware analysts are available 24/7 to secure WordPress websites and clean up malware – reach out to us if you need help.

Hacked website? Try our free site check.

A security analyst will perform a free thorough external site check within the next minutes.