Stop Card Testing Bots from Spamming Your Store with Failed Orders
If you’re seeing hundreds of failed payment attempts with random names and email addresses, bots are testing stolen credit cards on your store. They hit your checkout over and over trying to see which cards work.
This happens because WooCommerce has a REST API endpoint at /wp-json/wc/store/v1/checkout that bots can access directly. It was built for headless stores and block-based checkouts, but most stores don’t use those features. Bots know this endpoint exists on every WooCommerce site, so they hammer it with stolen card numbers. No need to load your actual checkout page, no CAPTCHA to solve, just direct API calls.
Your payment processor sees all these failed transactions and might flag your account. Your server gets hammered with bot traffic. You get notification emails for every failed order. And if you’re on a payment plan with per-transaction fees, you’re paying for bot attacks.
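To tell this traffic apart from ordinary shoppers before and after applying any fix, here is an added example (not part of the original post or its plugin) that scans web-server access-log lines for bursts of POST requests to the Store API checkout endpoint from one IP. The log lines are constructed, and the "combined" log format and the 10-requests-in-5-minutes threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumes the common Apache/nginx "combined" log format (an assumption, not from the post).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
STORE_CHECKOUT = "/wp-json/wc/store/v1/checkout"

def parse_line(line):
    # Returns a dict with ip/ts/method/path/status/referer/ua, or None if unparseable.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_card_testing(lines, window=timedelta(minutes=5), threshold=10):
    """Return {ip: checkout POST count} for IPs sending `threshold` or more POSTs to the
    Store API checkout endpoint inside any `window`. Referer is client-supplied, so it
    is parsed but not trusted as proof; request rate is the signal here."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(STORE_CHECKOUT):
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample log: 12 direct bot POSTs within 12 seconds, plus one real shopper
# whose classic checkout posts to wc-ajax and never touches the Store API.
def _bot_line(sec):
    return (f'203.0.113.7 - - [10/Mar/2025:12:00:{sec:02d} +0000] '
            f'"POST {STORE_CHECKOUT} HTTP/1.1" 400 231 "-" "python-requests/2.31"')
SAMPLE_LOG = [_bot_line(s) for s in range(12)] + [
    '198.51.100.9 - - [10/Mar/2025:12:02:10 +0000] "POST /?wc-ajax=checkout HTTP/1.1" '
    '200 310 "https://shop.example/checkout/" "Mozilla/5.0"',
]
# find_card_testing(SAMPLE_LOG) -> {"203.0.113.7": 12}
```

Run it against your real access log (one line per list entry) and any IP it reports is a candidate for blocking at the web server or firewall, the layer the snippet below also relies on bots never getting past.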
Want the easiest fix? Our free Checkout Shield plugin handles this automatically. Works with Block Checkout, any caching setup, and requires zero configuration. Just activate and you’re protected. The snippet below is for those who prefer a code-only approach.
The code fix is simple: block the Store API endpoints. If you’re using the standard WooCommerce checkout (not headless, not block-based), you don’t need this API exposed. This snippet redirects any Store API access to a 404 page.
/**
 * Block Store API checkout endpoint to stop card testing attacks
 *
 * Problem: Bots hit WooCommerce Store API directly to test stolen credit cards
 * Solution: Block direct access to Store API checkout and cart endpoints
 *
 * This is the most widely recommended solution by WooCommerce security experts
 * Safe to use if you're NOT using headless WooCommerce or block-based checkout
 */

// Block Store API checkout endpoint
add_action( 'rest_api_init', function() {
    // REQUEST_URI can be unset outside a normal web request, so default to an empty string
    $current_url = $_SERVER['REQUEST_URI'] ?? '';

    // Check if someone is accessing the Store API checkout endpoint
    // (matches both the /v1 path and the path without the version segment)
    if ( strpos( $current_url, '/wp-json/wc/store/v1/checkout' ) !== false ||
         strpos( $current_url, '/wp-json/wc/store/checkout' ) !== false ) {
        // Redirect to the 404 page, bots can't proceed
        wp_redirect( home_url( '/404' ) );
        exit;
    }
} );

// Block cart API access from direct calls (no referrer)
add_action( 'rest_api_init', function() {
    $current_url = $_SERVER['REQUEST_URI'] ?? '';

    // Block direct Store API access without referrer
    if ( strpos( $current_url, '/wp-json/wc/store/' ) !== false ) {
        // The Referer header is sent by the client, so its absence is a signal rather than proof
        $referrer = $_SERVER['HTTP_REFERER'] ?? '';

        // If no referrer (direct API call), block it
        if ( empty( $referrer ) ) {
            wp_redirect( home_url( '/404' ) );
            exit;
        }
    }
} );
The first function checks whether someone is trying to access the checkout endpoint and redirects them to the 404 page. The second function blocks any Store API call that doesn’t carry a referrer header. Real customers will have a referrer (your site); bots hitting the API directly won’t.
Your regular checkout still works fine. Customers never use the Store API unless you’re running a headless setup, so they won’t notice anything different.
This works with any payment gateway you’re using: Stripe, PayPal, Authorize.net, whatever. The block happens before any payment processing starts.
Don’t use this snippet if you’re using Block Checkout or a headless setup. You need the Store API for those, and this code will break your checkout. For Block Checkout compatibility, use Checkout Shield instead; it validates requests rather than blocking the API entirely.
To verify it’s working, try visiting https://yoursite.com/wp-json/wc/store/v1/checkout in your browser. You should get a 404 instead of API data.
Need Help?
Learn how to add custom code to WordPress or reach out for custom development help.