When your WooCommerce site is used by bot scammers
Typically WordPress and WooCommerce work well together, and like all websites they have vulnerabilities. Security plugins can help you watch for these, but plugins themselves are a common source of vulnerabilities, so being cautious about which plugins you install is wise! Let's assume you have been wise and cautious. You have applied due diligence and installed only safe, tested plugins. And then, from nowhere, you receive 800+ orders, all failed!
How is this possible, you wonder. You trace back events over the last few weeks. What has changed that could have caused this? You pause and consider the damage and what you have to do to fix the problem (it's not currently a shitshow, but it has the potential to be one; you have to keep your cool). Keeping cool when Zapier had been sending your orders to your accounting software and has now burst its limit of zaps, so real orders are no longer being sent and you're going to have to manually delete the 800 orders created by the scamming bot.
At this stage you still don't know how the bot did this, or even that it was a bot.
You recall a while back that Google was putting through test orders, and that blocking the Google bot was not recommended because Google wants to know your site is functioning and that products are what they say they are, 'digitally speaking' (price, description and shipping). Its
Before the 800+ failed orders there were other issues related to a newly installed CRM (FluentCRM). FluentCRM had been endorsed by many YouTubers (do not trust everything a YouTuber tells you!). Due diligence for installing a plugin can always be a little hit and miss, and all good hosting companies will pull out their joker when something goes wrong!
Yes, I installed Wordfence and, as I could have predicted, it has had zero effect. Maybe it is a shock to you guys that this is not preventing the bot's failed payments, the attempted fraudulent transactions.
I know and fully understand that you are providing support for the server, and that what is running on the server is not your responsibility. In fact, we're entering the stage where monitoring what is being run on servers will be governed and controlled by the authorities!
WooCommerce being audited by the government! The sheer hypocrisy of governments is staggering, and we've all fallen in line! GDPR was always a scam, a wolf in sheep's clothing: protecting the poor innocent individual, or fining large corporates or anyone the government can take down, everyone other than the 'hacker'! How many scammers, fraudsters and crackers have been caught because of GDPR, and yet we're all ensuring the internet is safe!!! Mugs!!!!

This rant can go on and solve nothing, and for this situation... you must have known that the failed payments caused by the scam bot are not from a human! You must have known that reCAPTCHA is not related to the API call they are using? I did reference this several times over the last few weeks. Maybe an AI support bot would have picked this up and provided a better solution than the Wordfence / Cloudflare suggestions. The custom code I applied worked! But it also prevented real users from completing checkout, hence the references to this being a shitshow. WooCommerce: 30,000 plugins to enhance your website!! OrderEndpoint.php:239

This all started when I installed FluentCRM, but as you know the main ticket for Fluent was the CRON shitshow that managed to send 200k emails through Mailgun whilst running silently in the background. It was the barrage of customer complaints that brought my attention to this. I am now going to have to factor in a complete clean-up, with the consideration of moving back to AWS. Process for this and time allocated: at least 40 hours. Possibly cheaper to pay for a migration to Shopify. I feel incredibly stupid to have trusted the install of FluentCRM and maybe a couple of other plugins. It just confirms the amount of time I have wasted advancing my knowledge of hosting websites over the last 20 years. The support tickets from FluentCRM confirm that no one gives a shit! Sell as many units as you can, and if anyone finds a problem, refund them and tell them to go away quietly!
The letter was about to stop at this point, as it was clear I was rambling to myself. I had to recognise where the buck stops. It's with me! It's with you! We are responsible for our own setups. This, after all, is the joker the hosting company pulls out! They provide the hosting; we can install whatever we like and run whatever code we like (as long as we're not carrying out malicious behaviour, such as running a bot to test stolen credit cards through a WooCommerce site!).
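The letter above makes two points a practitioner should take seriously: a card-testing bot drives the checkout through an API call, so a reCAPTCHA rendered on the checkout form never sees it, and a blunt block on the checkout breaks real shoppers too. The snippet below is an added example, not the custom code from the post and not WooCommerce's own, showing a narrower approach: count orders that transition to "failed" per client IP and, once an IP passes a threshold, refuse further checkout attempts from it for a limited window with a 429 and a visible message. The post does not say which endpoint the bot used (OrderEndpoint.php:239 is not identified), so the REST gate assumes the WooCommerce Store API checkout route; the failed-order counter fires on the order status change and does not depend on that assumption. The threshold, window, and `ct_` names are assumptions, and it relies on `REMOTE_ADDR` being the real client address (behind Cloudflare that means your proxy or the Cloudflare plugin must already restore it).

```php
<?php
/**
 * Plugin Name: Card-testing throttle (illustrative example, not from the post)
 * Description: Counts failed WooCommerce orders per client IP and temporarily
 * refuses further checkout attempts from that IP. Place in wp-content/mu-plugins/.
 */

// Assumed tunables; tune for your own traffic. Too low a limit reproduces the
// "real users blocked" problem from the post, especially behind shared NAT.
define( 'CT_FAILED_LIMIT', 5 );                         // failed orders per IP before blocking
define( 'CT_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS );  // counter and block lifetime

/**
 * Client IP as PHP sees it. REMOTE_ADDR is only correct when the proxy layer
 * rewrites it; never trust X-Forwarded-For directly, the bot controls that header.
 */
function ct_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '0.0.0.0';
}

function ct_transient_key( $ip ) {
    return 'ct_failed_' . md5( $ip );
}

/** True when this IP has reached the failed-payment limit inside the window. */
function ct_is_blocked( $ip ) {
    return (int) get_transient( ct_transient_key( $ip ) ) >= CT_FAILED_LIMIT;
}

/**
 * Whenever an order becomes "failed" (the gateway declined the card), bump a
 * per-IP counter in a transient that expires with the window. This runs for
 * every checkout path, classic or API, because it keys off the order itself.
 */
add_action( 'woocommerce_order_status_failed', function ( $order_id, $order ) {
    if ( ! $order instanceof WC_Order ) {
        $order = wc_get_order( $order_id );
    }
    $ip = $order ? $order->get_customer_ip_address() : '';
    if ( '' === $ip ) {
        return;
    }
    $key   = ct_transient_key( $ip );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, CT_WINDOW_SECONDS );
}, 10, 2 );

/**
 * Gate 1: the Store API checkout route (assumed bot entry point). A headless
 * client never renders the checkout form, so form-level reCAPTCHA is irrelevant
 * here. Only POSTs to the checkout route from over-limit IPs are refused; GETs
 * and every other REST route pass through untouched.
 */
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( 'POST' !== $request->get_method() ) {
        return $result;
    }
    // Matches /wc/store/v1/checkout and the unversioned /wc/store/checkout alias.
    if ( ! preg_match( '#^/wc/store(/v\d+)?/checkout#', $request->get_route() ) ) {
        return $result;
    }
    if ( ! ct_is_blocked( ct_client_ip() ) ) {
        return $result;
    }
    return new WP_Error(
        'ct_too_many_failed_payments',
        __( 'Too many failed payment attempts from your network. Please try again later.', 'ct' ),
        array( 'status' => 429 )
    );
}, 10, 3 );

/**
 * Gate 2: the classic (shortcode) checkout, so the same limit applies if the
 * bot switches to posting the form instead of the API. Adding an error here
 * stops order creation and shows the message on the checkout page.
 */
add_action( 'woocommerce_after_checkout_validation', function ( $data, $errors ) {
    if ( ct_is_blocked( ct_client_ip() ) ) {
        $errors->add(
            'ct_too_many_failed_payments',
            __( 'Too many failed payment attempts from your network. Please try again later.', 'ct' )
        );
    }
}, 10, 2 );
```

Two practical notes. First, a legitimate customer who trips the limit is told why and can retry after the window, which is far better than the silent checkout failures described above; if you see complaints, raise `CT_FAILED_LIMIT` or shorten the window before reaching for a blanket block. Second, this only slows a bot that reuses an IP; a distributed card-testing run needs the gateway-side controls (velocity checks, 3-D Secure, AVS/CVC rules) that no WordPress plugin can substitute for.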