
Prevent card-attack fraud on WooCommerce stores by rate-limiting the "place order" button

Checkout Rate Limiter

Rate limit "Place Order" on WooCommerce checkout.

Rate limits /?wc-ajax=checkout by IP.


Download the latest version from releases and configure inside WooCommerce settings:

Then when the "Place Order" button on checkout is pressed too frequently, the customer will be blocked:

Three rates can be set, progressively punishing problematic people.


Your website can be attacked by running 100s of fake credit card numbers through your gateway. Your gateway will often charge per transaction, even if they are declined. You also likely have a daily limit of transactions and of total number of transactions. When this is reached, you can no longer take legitimate orders. Some examples:

This solution uses rate limiting per IP address to stop how often one IP can send a request to /?wc-ajax=checkout

The WooCommerce code to handle /?wc-ajax=checkout can be found at:

Then, the simplified version of what this plugin does is:

add_action( 'wc_ajax_checkout', 'rate_limit_checkout', 0 );

function rate_limit_checkout() {
    $rate_limiter = new WordPress_RateLimiter();
    $ip_address = WC_Geolocation::get_ip_address();
    try {
        $rate_limiter->limit( $ip_address, Rate::perMinute( 5 ) );
    } catch ( LimitExceeded $exception ) {
       wp_send_json_error( null, 429 );


Rather than write my own rate limiting code, I used nikolaposa/rate-limit, then added a PSR-16 wrapper for it (PSR-16), and used a PSR-16 implementation of WordPress transients as the cache. All that code should be external to this plugin.

The niceties of the plugin are:

  • Logs
  • Settings link on plugins.php
  • Settings link as admin notice until configured (or one week)


The correct way to address this problem for most people is with a captcha. We were not using captcha because when we enabled a captcha, customers could not checkout. Ultimately, this was a problem with WooCommerce Anti-Fraud, a plugin with a litany of issues.

Additionally, if you use Cloudflare, the logical thing seems to be to use Cloudflare's rate limiting, but:

Cloudflare's rate limiting could still be used on /checkout/. In the case I encountered, this would have helped because the bot was reloading /checkout/ each time, but I think a better designed bot could submit the AJAX checkout repeatedly without reloading the whole page.

For whole-site rate-limiting, I wish there were a tool to take recent Apache access logs and determine a 75% percentile customer access/minute, then rate limit everyone else. (where '75' can be learned).

Transients / Cache

Although this plugin is using transients, WordPress's implementation of transients (option.php:791's get_transient()) defers their storage to any available object cache. Using the object cache directly presumably affords benefits.

function get_transient( $transient ) {
    if ( wp_using_ext_object_cache() ) {
	    $value = wp_cache_get( $transient, 'transient' );


WordFence has rate limiting but it did not offer the option to be specific to /?wc-ajax=checkout. When I looked at its general rate limiting, and at Cloudflare's rate limiting, it is very hard to determine the correct numbers to use.

Cooling off

When a limit is reached, an additional punishment seems reasonable. This could be achieved easily with another transient.

Empty cart

The author of one of the Reddit posts quoted above replied to my query (after I had written most of this!), and the interesting difference of approach was that he emptied the "customer"'s cart every time they exceeded the rate limit. Clever! The only reason I haven't done it here is because the time taken so far. I like it, but I'm not sure I need it.


Having already written the crux of this, while I was searching my project, I found the class WC_Rate_Limiter. It doesn't seem to be an appropriate replacement, but it's always enlightening to see another corner of the WooCommerce code I haven't encountered.


A rate limiter for the WP REST API: WP REST Cop. I looked at this initially and hoped I could fork it or use it as a library, but as I read more I opted, after some hops, for the other approach. I'm a fan of the author, whose SatisPress plugin is essential.


Judging from the logs I've seen, the attack I've seen was probably via Selenium.

I saw that based on the User-Agent and the cadence of requests. Interesting articles:

See Also

In an unrelated project I needed to block ranges of IPs which I was able to do with WooCommerce Conditional Shipping and Payments by writing a plugin: IP Address Condition for WooCommerce Conditional Shipping and Payments.


More Information

