Combating Spam Order Bots

tl;dr

Stores without any anti-spam or anti-fraud measures in place may see an increase in spam orders due to a renewed attack from a bot probing sites for vulnerabilities.

The Details

In November of 2020, we shared an advisory for developers encouraging them to update to the latest version of WooCommerce due to a vulnerability we had recently addressed in the account creation flow. The WooCommerce core team discovered this vulnerability as a result of an attack from a bot that was creating spam orders and, by way of the aforementioned vulnerability, WordPress user accounts that it could use for probing a site for further vulnerabilities.

We have had an increase in reports about this bot from folks in the WooCommerce community over the past few weeks, which leads us to believe that there may be a new (or renewed) attack happening. While we have not been able to confirm whether or not any of the recent reports stem from unaddressed vulnerabilities in WooCommerce’s account creation flow, our internal audit so far has not revealed any.

We are still investigating this issue, but we wanted to share a few reminders about best practices for navigating things should your store experience an attack from this bot. Below you’ll find criteria to help you identify whether or not you might be affected by this bot attack, as well as steps you can take if you are.

How can I tell if I am affected?

As we mentioned in the original developer advisory, this bot probes WooCommerce stores for vulnerabilities by creating a spam order, which it then uses to create a spam user account. If it succeeds in creating a user account, it then uses the account to probe the site for further vulnerabilities by sending requests that require an authenticated WordPress user.

The details on spam orders are a quick way to know if you’ve experienced the attack. They tend to follow a consistent format:

Order info:
bbbbb bbbbb
bbbbb
74 xxxxxxx Rd
xxxxxxx
EX14 5HN
United Kingdom (UK)
xxx xxxx xxxx
xxxxx@abbuzz.com

WordPress and WooCommerce both have settings that allow an administrator to disable new user registration and customer account creation, respectively. If your store is running WooCommerce 4.6.1 or earlier, there is a bug that allows a customer account to be created even if the behavior has been disabled in your store’s admin settings. This vulnerability also affects stores running the feature plugin version of WooCommerce Blocks 3.7.0.
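
The spam order format shown above can be checked across an order export to list suspect orders and any customer account tied to them. This is an added example, not code from WooCommerce; the CSV column names, the reading of the second "bbbbb" line as the company field, and the two-indicator threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Indicators taken from the sample spam order on this page.
SPAM_EMAIL_DOMAIN = "abbuzz.com"
SPAM_POSTCODE = "EX14 5HN"

def normalize_postcode(value):
    """Compare postcodes without regard to case or spacing."""
    return "".join(value.split()).upper()

def spam_indicators(order):
    """Return the list of page-derived indicators an order row matches."""
    hits = []
    email = order.get("billing_email", "").strip().lower()
    if email.rpartition("@")[2] == SPAM_EMAIL_DOMAIN:
        hits.append("email_domain")
    if normalize_postcode(order.get("billing_postcode", "")) == normalize_postcode(SPAM_POSTCODE):
        hits.append("postcode")
    first = order.get("billing_first_name", "").strip().lower()
    last = order.get("billing_last_name", "").strip().lower()
    company = order.get("billing_company", "").strip().lower()
    # Assumption: "bbbbb bbbbb / bbbbb" means one token reused for all three fields.
    if first and first == last == company:
        hits.append("repeated_name")
    return hits

def triage(csv_text, min_hits=2):
    """Return flagged orders together with any customer account tied to them."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        hits = spam_indicators(row)
        if len(hits) >= min_hits:
            customer_id = int(row.get("customer_id") or 0)  # 0 means guest order
            flagged.append({"order_id": row["order_id"], "hits": hits,
                            "account_created": customer_id > 0,
                            "customer_id": customer_id})
    return flagged

# Constructed sample export (column names are assumptions, not a WooCommerce format).
SAMPLE = """order_id,customer_id,billing_first_name,billing_last_name,billing_company,billing_postcode,billing_email
1001,0,Ana,Ruiz,,28013,ana@example.org
1002,57,qwzrk,qwzrk,qwzrk,EX14 5HN,lmnop@abbuzz.com
1003,0,hjkdt,hjkdt,hjkdt,ex145hn,vbnmq@abbuzz.com
1004,12,Sam,Lee,Lee Ltd,EX14 5HN,sam@example.org
"""

if __name__ == "__main__":
    for item in triage(SAMPLE):
        print(item)
```

A flagged order with `account_created` set on a store where customer account creation is disabled points to the account creation bug described above, and the listed `customer_id` is the account to review for deletion.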

What action can I take?

If you are running a version of WooCommerce or WooCommerce Blocks that is affected, we recommend that you update to the latest release. These releases both contain a fix for the aforementioned bug, but it’s important to note that the fix does not prevent spam orders or accounts from being created. It only ensures that the user account creation flow in a store adheres to the settings the store administrator has configured. You can read more about managing customer account creation in the WooCommerce docs.

If you discover that your store has been attacked by this bot, we recommend you delete any accounts and orders the bot has created. There are instructions for deleting user accounts in this article. For guidance on bulk deleting spam orders, follow the instructions in the WooCommerce docs.

If you are concerned about preventing spam orders and accounts in your store, there are a number of solutions available. Because all stores have unique needs, we can’t recommend any specific solution over another, but here are a few options you may want to consider:


As we learn more about this vulnerability and related effects, we will be sure to keep you updated. If you have questions or additional information, please don’t hesitate to share them with us in the comments below or in the #developers channel of the WooCommerce Community Slack.

