How to prevent spam and fake orders in WooCommerce in 2022 (2023)

November 30, 2019

|In WooCommerce

|By irene

(Video) This is How Bots Spam WordPress (and how to stop them)

Spam can do a lot of damage to your website, especially to e-commerces. Regardless of the security mechanisms you use (software, scripts, tools), fake orders can cost a lot of money to your business and also affect your SEO ranking and credibility. That’s why today, we’ll show you how to prevent spam and fake orders in WooCommerce and we’ll have a look at the best security tools you should be using.

Interesting facts about spam in eCommerce

Fraud and spam in eCommerce are getting more and more common. But when looking at some statistics, the impact to the businesses is shocking:

  • Frauds in eCommerce increased by 45% in 2017 and 8 big industries reported nearly 58 billion USD in losses
  • Online shopping frauds grew by 30% in 2017
  • 92% of fraudulent online transactions in 2017 were made by credit card. And 38.6% of reported cases occurred in the US
  • The rate of credit card chargebacks is rising by 20% each year
  • People between 25 and 34 years old are the most likely to be affected by online fraud

Why do you receive fake orders in WooCommerce?

Spam and fake orders are one of the worst nightmares for every WooCommerce store owner. These fraudulent orders are placed by bots and scripts place and they usually involve big amounts. Additionally, they normally target stores with the Cash on Delivery option enabled because they need to provide less information.

Some other times, the goal of fake orders in WooCommerce is to deceive store owners. For example, they may place an order for a product that needs to be shipped but when the product reaches the destination, the address doesn’t exist.

On the other hand, hackers also use spam orders to try to find vulnerabilities in plugins. This is exactly what hackers did with a vulnerability found in WooCommmerce not long ago. WooCommerce 4.6.1 and previous versions were vulnerable to an exploit that allowed guest users to create accounts during the checkout even when the option Allow customers to create an account during checkout was disabled. This way, bots created accounts and placed fake orders to discover vulnerabilities in other plugins on the site. For more information about this and how to solve it, check out this post that explains everything about the WooCommerce 4.6.2 vulnerability.

That’s why you must put some security measures in place and authenticate the orders to prevent spam and fake orders in your WooCommerce store.

How to prevent spam in WooCommerce

There are several ways in which you can prevent fake orders in your WooCommerce store. Let’s have a look at the most effective ones to keep your store safe.

1) Set basic anti-spam settings

The first thing you can do to prevent spam in your store is to set up some basic anti-spam settings in WooCommerce. Let’s have a quick look at some of the things you can enable:

  • In your WordPress admin, switch off the Anyone can register option from the Settings > Generalsection. Please note that this only affects the admin side, not the WooCommerce registration forms.
  • In the Discussion section, uncheck the option Allow link notifications from other blogs (pingbacks and trackbacks) on new articles.
  • Make sure you have to approve the comments before they’re published. You can use plugins like Disqus or enable the Comment author must have a previously approved comment option to avoid spammy comments.
  • In the WooCommerce panel, you can disable the Allow customers to place orders without an account option to make sure that every order has at least a valid email address.

After you make sure you have those basic anti-spam settings in place, you can set other security measures.

2) Additional measures to prevent fake orders and registrations

Apart from the basic anti-spam settings, you can put in place additional measures to minimize spam orders and registrations in your WooCommerce store.

(Video) WooCommerce Anti-Fraud Plugin Review 2020 - Online Fraud Protection for Sellers

2.1) Create a custom registration page that spam can’t recognize

The common target for spammers is the “” page. So, by customizing the registration page, it will be harder for spammers to find it. To do this, you can use free plugins like WPS Hide Login or LoginPress.

2.2) Admin new user approval

With a plugin like Profile Press, you can manually approve new users from the dashboard or directly from your mail. Even though this adds another task to your process, if you have a small business and you want to have more control over your users, it may make sense to do it.

2.3) Use CAPTCHA

Nowadays, many stores use CAPTCHA to prevent spam in WooCommerce. Completely Automated Public Turing test to tell Computers and Humans Apart, also known as CAPTCHA, is software that requires the user to take certain action to get to the next step. This way, it protects websites against bots and makes sure that the visitor is a human being.

The most common example of this is when you have to select images that have certain figures, type an alphanumerical code, or perform a mathematical operation. This makes the process slightly slower for the visitor but it’s a very good way to verify that there is a human behind the operation.

The easiest way to add CAPTCHA to your site is by using tools such as Advanced noCaptcha & invisible Captcha or Passster.

2.4) Block IP addresses

If most of the spam orders and registrations come from the same IP addresses, you can block those addresses from reaching your site. If you’re not sure how to do this, check your cPanel as most hosts offer the possibility to block IP addresses.

3) Install an anti-spam plugin

We also recommend using an anti-spam plugin to improve your store’s security. Some of the best plugins to prevent spam in WooCommerce are:

  1. Akismet
  2. Blocker
  3. Titan anti-spam
  5. NS8
  6. Limit Attempts
  7. Fake Customer Blocker
  8. Honeypot Contact Form 7

Let’s have a look at what each of them has to offer.

3.1) Akismet

With more than 5 million active installations, Akismet is one of the best plugins to prevent spam in WooCommerce. This tool promises to block 99.9% of spam from getting to your store. It automatically filters the spam comments and checks it against a global database, protecting your website from malicious content. Additionally, it automatically checks all the comments and discards the ones that seem to be spam.

Akismet is a freemium plugin. Once you activate it, you’ll have to get an API key to use. There are free keys for personal blogs and paid subscriptionsthat start at just 5 USD per month.

3.2) Blocker

This tool helps you prevent fake orders and keep fraudulent customers out of your shop. Blocker allows you to refuse orders from a specific IP address, state, and zip code, and add them to a blacklist. When this happens, it will interrupt the checkout or account and the user will get a notification explaining why the operation was blocked.

3.3) Titan Anti-Spam

Titan Anti-Spam is another popular plugin to avoid fake orders. This tool includes everything from anti-spam, firewall, malware scanner, site accessibility checking, and threat audits. It automatically blocks spam in the comments section and needs no CAPTCHA. You can also convert spam comments into regular comments. Additionally, it’s GDPR compliant so it doesn’t store unnecessary information about the visitors.

(Video) Speed Run #2 :: Send SMS verification codes to WooCommerce orders with to FraudLabs Pro

Titan Anti-Spam a blocking algorithm that’s based on the ‘invisible js-captcha’ and ‘invisible input trap’ (aka honeypot technique) methods.

Please note that this plugin isn’t compatible with Disqus, Jetpack Comments, AJAX Comment Form, nor bbPress.


With No CAPTCHA reCAPTCHA, visitors will only need to click the checkbox in the reCAPTCHA tool that Google creates to make sure they’re not robots. The main difference with a CAPTCHA is that it doesn’t require typing numbers, answering questions, or solving math problems.

3.5) NS8

NS8 protects WooCommerce sites from advertising fraud, order fraud, and performance issues. It scores every user, traffic, and order, detects patterns, and identifies the potential risk of fraud and spam.

It also monitors if:

  • SSL certificate is set to expire
  • Domain has been added to a spam list
  • Website is flagged for malware concerns
  • The site fails to load or your load performance drops against the global average.

NS8 has a very basic free version and premium plans that start at 29.95 USD per month.

3.6) Limit attempts

This IP Address blocker is very effective to prevent spam in WooCommerce. It helps you avoid brute force attacks, which are repeated attempts of access directed by some software that can damage your website. You can add and block IP addresses; hide login, register lost password forms for blocked or blacklisted IPs, and customize the error messages.

It’s compatible with Gravity Forms, ReCaptcha, Captcha Pro, and Captcha Plus.

This is a freemium tool. It has a free version that works very well but if you want more advanced functionalities, you can go for the premium plans that start at 23.90 USD per year.

3.7) CleanTalk

CleanTalk is an excellent tool to stop spam in WooCommerce. This tool helps you stop spam comments and registrations, fake contact emails, spam orders, bookings, and subscriptions. Additionally, it can check and remove existing spam comments and users, and validates emails in real-time.

On top of that, CleanTalk also stops spam reviews in WooCommerce and spam emails via forms to make sure that your store is fully protected.

And the best part is that this plugin has a 7-day free trial and several premium plans that start at just 8 USD per year.

(Video) How to Add Custom Order Status in WooCommerce in 2022 FOR FREE | Woocommerce Tutorials

3.8) Fake customer blocker

This is a security add-on for WooCommerce that helps you block emails, domains, new orders with errors or notices, and fake orders. It also lets you inform the users why they can’t continue with their orders and customize every message.

This is a premium plugin that costs 14 USD.

3.9) Honeypot Contact Form 7

With this addition to Contact Form 7, users won’t have to put a CAPTCHA but it still maintains the anti-spam functions against bots in forms and shopping carts. This way, it avoids false orders in your store. And the best part is that it’s a free tool.

Gravity Forms Users

If you’re a user of Gravity Forms, we recommend you go to the Options section and activate Enable anti-spam honeypotbecause it’s disabled by default.

Call the customer

It may sound a bit invasive but if your products are services like assessments, ebooks, or online courses, for example, calling the customer and talking to them before the purchase can be a smart option. This way, you’ll get to know their expectations and even give them tips or extra information about the product or service they’re interested in.

Some e-learnings like Open English use this method. Platforms like UpWork also call their candidates and interview them before accepting their profiles to prevent spam.

Verify the CVV code of the credit card

The CVV code is the 3 number code at the back of the credit card and it must match with the registered card. If it doesn’t, it can be a fraud. This is a very extended verification method because it’s simple and effective.

User email confirmation

Another way to prevent spam in WooCommerce is to use some plugins so that the user must confirm their registration by clicking on a link sent to their email. Users who haven’t activated their accounts are pending and you can manually review and approve them. This is one of the safest methods because spammers don’t always get to that point.

Confirm before shipping

You can confirm all the order details via mail, text message, or phone call with the client. This will help you prevent fake orders in WooCommerce and you can use it as a gesture of responsibility to your customers.

Verify the address

You can also hire an Address Verification System (AVS). An AVS compares the billing address the user registered in the transaction with the address provided to the bank from the cardholder. Even though this isn’t a bulletproof measure, it helps a lot to collate the data and avoid losses.

Conclusion: Prevent spam and fake orders in WooCommerce

All in all, fake orders are becoming more and more common in eCommerce and can be quite costly for your business. That’s why you must put some security measures in place and prevent spam in your WooCommerce store.

If you can authenticate the orders, you’ll have great chances of stopping spam on your site. Apart from saving you some money, it will also help you keep your store clean of irrelevant or potentially harmful content for both you and your users. Besides, if you avoid fake orders, emails, and registrations you can concentrate on what matters the most: growing your business. Need some help with that? Here you can have a look at some tips to optimize your online store!

(Video) How to Stop Unwanted and Spam Registration | Full Control on User Registration of WordPress Website


How do I add a reCaptcha to WooCommerce? ›

reCaptcha for WooCommerce
  1. Download the . zip file from your WooCommerce account.
  2. Go to: WordPress Admin > Plugins > Add New and Upload Plugin with the file you downloaded with Choose File.
  3. Install Now and Activate the extension.

How do I speed up WooCommerce checkout? ›

5 ways to speed up a WooCommerce website
  1. Increase the WordPress Memory Limit.
  2. Optimize the WooCommerce Website Images.
  3. Use a high-quality hosting service.
  4. Disable AJAX Cart Fragments in WooCommerce.
  5. Use a cache plugin.
25 Jun 2020

How do I stop spam orders in WooCommerce? ›

Configure user registration

Disable WordPress registration if you don't need it. Disabling it will NOT affect your WooCommerce account registration. In your WordPress dashboard visit Settings -> General -> Membership and uncheck Anyone can register. This will effectively prevent spam WP user registration.

What is the difference between reCAPTCHA v2 and v3? ›

What is the difference between reCAPTCHA v2 and v3? ReCAPTCHA v2 requires the user to click the “I'm not a robot” checkbox and can serve the user an image recognition challenge. ReCAPTCHA v3 runs in the background and generates a score based on a user's behavior. The higher the score, the more likely the user is human.

How do I optimize my WooCommerce store? ›

How to Speed Up WooCommerce
  1. Optimize WooCommerce Settings for Performance. ...
  2. Get a Fast WooCommerce Theme. ...
  3. Go Easy on Plugins and WooCommerce Extensions. ...
  4. Increase WordPress Memory Limit. ...
  5. Compress Images and Optimize Delivery. ...
  6. Deliver Static Resources via CDN. ...
  7. Strip Unused Scripts and Stylesheets. ...
  8. HTTP/2 is Extremely Essential.

How do I optimize my WordPress ecommerce site? ›

Here is a quick overview of the topics we'll cover in this guide.
  1. Choose a Better Ecommerce Hosting Provider.
  2. Install a WordPress Caching Plugin.
  3. Use Latest PHP Version.
  4. Latest Version of WordPress & WooCommerce.
  5. Optimize Product Images for Performance.
  6. Use a DNS Level Website Firewall.
  7. Choose a Better WordPress Theme.
4 May 2021

Why is WooCommerce so slow? ›

Summary: WooCommerce speed almost always comes down to your infrastructure (hosting, CDN, theme, plugins, and cache plugin). There's a lot of misinformation out there on which one is best, so make sure you check specs and feedback in Facebook Groups like WP Speed Matters.

Is reCAPTCHA v3 free? ›

reCAPTCHA is a free service that protects your website from spam and abuse. reCAPTCHA uses an advanced risk analysis engine and adaptive challenges to keep automated software from engaging in abusive activities on your site.

What is the best CAPTCHA to use? ›

Google reCAPTCHA

Google reCAPTCHA is an excellent captcha tool that protects your website from bots, fraud, and abuse. Built by Google, it uses advanced technology to keep malicious threats away and makes sure that legitimate users can easily pass security checks.

Does reCAPTCHA v3 stop bots? ›

Like other CAPTCHA systems, reCAPTCHA v3 is designed to prevent bots, attackers, or other types of abusive traffic from interacting with a protected site.

How do I use Google reCAPTCHA in WordPress? ›

Adding CAPTCHA protection
  1. Log in to WordPress as the administrator.
  2. Under Dashboard, click Plugins, and then click Add New.
  3. In the Search text box, type google captcha.
  4. Click Search Plugins.
  5. Locate the Google Captcha (reCAPTCHA) plugin, and then click Install Now.

How do I add a Captcha to my custom form in WordPress without Plugin? ›

Add Google reCAPTCHAv2 to WordPress comments without plugin
  1. Go to and register your website.
  2. View the “Site key” and “Secret key” which will be used later in the code.
20 Nov 2017

How do I add reCAPTCHA v3 to WordPress? ›

In WordPress, open the dashboard for your website and click Contact Form > Settings. Click the Spam Control tab. Select "Version 3." In the Google reCAPTCHA section, paste the Site Key and Secret Key into their fields.

What is invisible reCAPTCHA badge? ›

The invisible reCAPTCHA badge does not require the user to click on a checkbox, instead it is invoked directly when the user clicks on an existing button on your site or can be invoked via a JavaScript API call. The integration requires a JavaScript callback when reCAPTCHA verification is complete.

Is Google reCAPTCHA free? ›

reCAPTCHA is a free service that protects your website from spam and abuse. reCAPTCHA uses an advanced risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activities on your site. It does this while letting your valid users pass through with ease.

What is the best CAPTCHA to use? ›

Google reCAPTCHA

Google reCAPTCHA is an excellent captcha tool that protects your website from bots, fraud, and abuse. Built by Google, it uses advanced technology to keep malicious threats away and makes sure that legitimate users can easily pass security checks.

How do I add a Captcha to WordPress free? ›

Install a CAPTCHA plugin in WordPress
  1. Log in to WordPress.
  2. Go to Plugins, then click Add New.
  3. Enter "CAPTCHA" in the 'Search Plugins' box.
  4. Click on the name of the plugin to learn more about it.
  5. After locating the plugin you prefer, click Install Now.

How can I add Captcha without plugin? ›

  1. If your not using captcha plugin then.
  2. Step 1: Register your blog to Google reCAPTCHA.
  3. Step 2: Add captcha in WordPress comment form.
  4. functions.php.
  5. /*Add Google captcha field to Comment form*/
  6. add_filter('comment_form','add_google_captcha');
  7. function add_google_captcha(){

How do I make a Captcha account? ›

Go to the Google reCAPTCHA website and then click on the Admin Console button at the top right corner. After that, Google will ask you to sign in to your account. Once done, you will see the 'Register a new site' page. Enter your website name and then select reCAPTCHA v3 from the reCAPTCHA type option.

Is reCAPTCHA a plugin? ›

reCaptcha plugin is an effective security solution that protects your WordPress website forms from spam entries while letting real people pass through with ease. It can be used for login, registration, password recovery, comments, popular contact forms, and other.

How do I change CAPTCHA settings? ›

Settings Navigate to the settings category. Security & Membership -> Protection Under , select a . CAPTCHA settings Control to use Save the settings. When you change the CAPTCHA type, all web parts and features that have CAPTCHA enabled use the new type.

How do I add I am not a robot in WordPress? ›

Installing WP-reCAPTCHA
  1. Log into your WordPress Dashboard.
  2. Roll your mouse over Plugins, then click Add New.
  3. In the search box type wp-recaptcha and hit enter. Click Install Now next to the WP-reCAPTCHA plugin.
  4. On the next screen click the Activate Plugin link, and the WP-reCAPTCHA plugin will be installed and enabled.
6 Aug 2021

What is the difference between CAPTCHA and reCAPTCHA? ›

reCAPTCHA is a free service from Google that helps protect websites from spam and abuse. A “CAPTCHA” is a turing test to tell human and bots apart. It is easy for humans to solve, but hard for “bots” and other malicious software to figure out.

Can bots beat CAPTCHA? ›

Some bots can get past the text CAPTCHAs on their own. Researchers have demonstrated ways to write a program that beats the image recognition CAPTCHAs as well. In addition, attackers can use click farms to beat the tests: thousands of low-paid workers solving CAPTCHAs on behalf of bots.

What triggers reCAPTCHA? ›

ReCaptcha is driven by an “advanced risk analysis system” that evaluates requests and selects the difficulty of the captcha that will be returned. Users may be required to click in a checkbox, or solve a challenge by identifying images with similar content.


1. How to secure WooCommerce Store (Full Guide) ✅
2. Ready Your Sites for Payments and Transactional Emails in WooCommerce
(GoDaddy Pro)
3. I Found a website that teaches Nigerian Scammers How to Scam 2022
4. Duplicate Orders - WooCommerce Smart Orders Page
(FEST Plugins)
5. Email Marketing Strategy and Tips for Successful Campaigns 2022
(Zari Tech Support)
6. How to Secure Your Website From Hackers in 1 MIN (WordPress Website Security)
(Create a Pro Website)
Top Articles
Latest Posts
Article information

Author: Frankie Dare

Last Updated: 27/09/2023

Views: 5371

Rating: 4.2 / 5 (73 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Frankie Dare

Birthday: 2000-01-27

Address: Suite 313 45115 Caridad Freeway, Port Barabaraville, MS 66713

Phone: +3769542039359

Job: Sales Manager

Hobby: Baton twirling, Stand-up comedy, Leather crafting, Rugby, tabletop games, Jigsaw puzzles, Air sports

Introduction: My name is Frankie Dare, I am a funny, beautiful, proud, fair, pleasant, cheerful, enthusiastic person who loves writing and wants to share my knowledge and understanding with you.