DEV Community

Kate

Stopping WooCommerce Card Testing Bots with Edge Cryptography

If you've ever built a WooCommerce site for a client, you know that the checkout endpoint is a massive target for automated botnets. The most common attack vector is card testing.

Bots scrape stolen credit cards, bypass your frontend UI entirely, and blast your /?wc-ajax=checkout endpoint with thousands of rapid POST requests to see which cards are active.

Not only does this inflate Stripe authorization fees (at $0.30 a pop), but a massive spike in your client's decline rate will trigger Stripe's automated fraud systems, suspending the merchant account.

In this post, I want to talk about why the default "slap reCAPTCHA on it" response is actually a terrible engineering decision for checkouts, and how to solve it natively using cryptographic Proof-of-Work (PoW).

The Problem with Behavioral Telemetry

Historically, developers use Google reCAPTCHA v2 or v3 to block these bots. Here is why that fails at the checkout level:

Conversion Friction: Forcing a paying customer to identify crosswalks right as they click "Place Order" destroys mobile conversion rates.
ePrivacy / GDPR Liabilities: reCAPTCHA v3 uses behavioral telemetry. It places cross-site tracking cookies and monitors background mouse movements. The CNIL has explicitly ruled this requires a cookie consent banner. If you force a user to accept cookies just to check out, you are violating the GDPR.

The Architecture: Edge Cryptography

Instead of relying on invasive telemetry or picture puzzles, we can solve this by making the computational cost of requesting a checkout higher than the value of the validated credit card.

Here is the flow:

The Micro-Interaction: The user engages in a frictionless 2-second HTML5 canvas interaction (e.g., catching a falling object). Headless bots cannot easily parallelize canvas rendering.
The Payload: Upon completion, the edge network generates a time-stamped, HMAC SHA-256 signed payload.
The Interception: The payload is sent with the checkout data. We use a PHP hook to verify the cryptographic signature natively before the payment gateway is ever pinged.

The Code: Hooking into WooCommerce

To implement this, you hook into the native woocommerce_checkout_process action. If the request lacks a valid cryptographic signature, you halt the process immediately.

```php
// Hook into the WooCommerce checkout validation process
add_action( 'woocommerce_checkout_process', 'validate_crypto_handshake' );

function validate_crypto_handshake() {
    // 1. Retrieve the token generated by your frontend canvas interaction
    $token = isset( $_POST['cb_captcha_token'] ) ? sanitize_text_field( wp_unslash( $_POST['cb_captcha_token'] ) ) : '';

    // 2. Headless bots usually bypass the frontend entirely, meaning the token is blank
    if ( empty( $token ) ) {
        wc_add_notice( __( 'Security validation missing. Request rejected.', 'text-domain' ), 'error' );
        return;
    }

    // 3. Validate the signature natively
    $secret_key = get_option( 'my_secure_hmac_key' );

    // Split your token into payload and signature, verify the HMAC
    // (verify_token_against_edge_network() is your own verification helper; it is not defined in this snippet)
    $is_valid = verify_token_against_edge_network( $token, $secret_key );

    // 4. Halt the checkout if cryptography fails
    if ( ! $is_valid ) {
        wc_add_notice( __( 'Automated bot behavior detected. Checkout halted.', 'text-domain' ), 'error' );
    }
}
```

By verifying the cryptographic signature natively in PHP, the server handles the rejection. Your payment gateway is never pinged, and your client pays $0 in authorization fees.
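As an added example (not code from the original post or from the plugin it links to), here is one way the `verify_token_against_edge_network()` helper that the hook calls could be implemented. The token format (base64 JSON carrying `ts` and `nonce`, a dot, then the hex HMAC-SHA256 over that base64 string), the `issue_edge_token()` issuer and the extra `$now`, `$seen_nonce` and `$max_age` parameters are all assumptions made for this example.

```php
<?php
// Added example (not from the original post): one possible implementation of the
// verify_token_against_edge_network() helper that the checkout hook above calls.
// ASSUMED token format: base64(JSON{"ts","nonce"}) . "." . hex(HMAC-SHA256 over that base64).

// Issued by the edge network once the canvas interaction completes; included here only
// so the verifier can be exercised locally (the real issuer lives on the edge, not in PHP).
function issue_edge_token( string $secret, int $issued_at ): string {
    $payload = base64_encode( json_encode( [ 'ts' => $issued_at, 'nonce' => bin2hex( random_bytes( 16 ) ) ] ) );
    return $payload . '.' . hash_hmac( 'sha256', $payload, $secret );
}

// True only for a token that is well-formed, correctly signed, fresh and not replayed.
// $seen_nonce( $nonce ) must record the nonce and return whether it was already known; in
// WordPress back it with get_transient()/set_transient() or the object cache. The default
// is a process-local array, fine for this demo but not for a real multi-request site.
function verify_token_against_edge_network( string $token, string $secret, ?int $now = null, ?callable $seen_nonce = null, int $max_age = 300 ): bool {
    static $local = [];
    $now        = $now ?? time();
    $seen_nonce = $seen_nonce ?? function ( string $n ) use ( &$local ) {
        $dup = isset( $local[ $n ] ); $local[ $n ] = true; return $dup;
    };
    [ $payload, $sig ] = array_pad( explode( '.', $token, 2 ), 2, '' );
    // Check the MAC before trusting anything in the payload; hash_equals is constant-time.
    if ( ! hash_equals( hash_hmac( 'sha256', $payload, $secret ), $sig ) ) {
        return false;
    }
    $json = base64_decode( $payload, true ); // strict mode: false on malformed input
    $data = ( $json === false ) ? null : json_decode( $json, true );
    if ( ! is_array( $data ) || ! isset( $data['ts'], $data['nonce'] ) || ! is_int( $data['ts'] ) ) {
        return false;
    }
    // Freshness window: reject stale tokens and tokens dated in the future.
    if ( $data['ts'] > $now || $now - $data['ts'] > $max_age ) {
        return false;
    }
    // One token, one checkout: a bot cannot mint one token and replay it thousands of times.
    return ! $seen_nonce( (string) $data['nonce'] );
}

// Local demo: a fresh token, the same token replayed, a tampered signature, a stale token.
$secret = 'demo-secret-do-not-use';
$token  = issue_edge_token( $secret, time() );
var_dump( verify_token_against_edge_network( $token, $secret ) );
var_dump( verify_token_against_edge_network( $token, $secret ) );
var_dump( verify_token_against_edge_network( $token . '0', $secret ) );
var_dump( verify_token_against_edge_network( issue_edge_token( $secret, time() - 3600 ), $secret ) );
```

The signature alone only proves the token came from the edge network; the timestamp window and the per-nonce record are what stop a bot from obtaining one valid token and reusing it across thousands of checkout POSTs.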

The Plug-and-Play Solution
Building a secure edge network to handle the HTML5 game generation and key exchange is a massive infrastructure project.

If you just want to implement this architecture on your client's WooCommerce site today, I built a zero-telemetry gamified CAPTCHA plugin that handles this out of the box.

It replaces annoying puzzles with delightful 3-second micro-games, generates the cryptographic handshakes, and completely stops card testing bots. It's 100% ADA compliant and completely GDPR friendly.

You can download it for free from the official WordPress repository: Conversion.Business Gamified CAPTCHA.

Let me know in the comments if you have any questions about handling WooCommerce security hooks or dealing with Stripe fraud rates!
