WooCommerce: Combating Spam Order Bots

In November of 2020, we shared an advisory for WooCommerce store owners encouraging them to update to the latest version of WooCommerce due to a vulnerability the WooCommerce team had recently addressed in the account creation flow. The WooCommerce core team discovered this vulnerability as a result of an attack from a bot that was creating spam orders and, by way of the aforementioned vulnerability, WordPress user accounts that it could use for probing a site for further vulnerabilities.

The WooCommerce team have had an increase in reports about this bot from users in the WooCommerce community over the past few weeks, which leads the WooCommerce team to believe that there may be a new (or renewed) attack happening. While the WooCommerce team have not been able to confirm whether or not any of the recent reports stem from unaddressed vulnerabilities in WooCommerce’s account creation flow, their internal audit so far has not revealed any.

The WooCommerce team are still investigating this issue, but we wanted to share a few reminders about best practices for navigating things should your store experience an attack from this bot. Below you’ll find criteria to help you identify whether or not you might be affected by this bot attack, as well as steps you can take if you are.

How can I tell if I am affected?

As mentioned in the original developer advisory, this bot probes WooCommerce stores for vulnerabilities by creating a spam order, which it then uses to create a spam user account. If it succeeds in creating a user account, it then uses the account to probe the site for further vulnerabilities by sending requests that require an authenticated WordPress user.

The details on spam orders are a quick way to know if you’ve experienced the attack. They tend to follow a consistent format:

Order info:
bbbbb bbbbb
bbbbb
74 xxxxxxx Rd
xxxxxxx
EX14 5HN
United Kingdom (UK)
xxx xxxx xxxx
[email protected]

WordPress and WooCommerce both have settings that allow an administrator to disable new user registration. If your store is running WooCommerce 4.6.1 or earlier, there is a bug that allows a customer account to be created even if the behavior has been disabled in your store’s admin settings. This vulnerability also affects stores running the feature plugin version of WooCommerce Blocks 3.7.0.

What action can I take?

If you are running a version of WooCommerce or WooCommerce Blocks that is affected, we recommend that you update to the latest release. These releases both contain a fix for the aforementioned bug, but it’s important to note that the fix does not prevent spam orders or accounts from being created. It only ensures that the user account creation flow in a store adheres to the settings the store administrator has configured

If you discover that your store has been attacked by this bot, we recommend you delete any accounts and orders the bot has created. There are instructions for deleting user accounts in this article.

If you are concerned about preventing spam orders and accounts in your store, there are a number of solutions available. Because all stores have unique needs, we can’t recommend any specific solution over another, but here are a few options you may want to consider:

• Search the WooCommerce MarketPlace for an anti-spam or antifraud There are a number of them available that all have certain functionality and certain limitations.
• For a quick and free solution, there is a WordPress plugin that combats this specific attack. Be aware that this plugin is hardcoded to block a very specific set of criteria, so it may fail to block attacks if this particular bot changes tack in the future.