For the past few weeks, members of the Advanced WordPress (AWP) Facebook group have been discussing methods of combatting Stripe card testing fraud. WordPress developer Jon Brown opened the topic after seeing fraudulent charges on five different websites, four using WooCommerce and one using the Leaky Paywall platform.

“All five were on Cloudflare with bot fight mode on when it first happened,” Brown said. “I’ve added CAPTCHA to all 5, I’ve enabled CloudFlare’s ‘Under Attack’ mode on the cart/checkout page.”

The WooCommerce sites didn’t have a recurrence, but the Leaky Paywall site did. Brown said the client didn’t notice it, as he had Stripe emails going to his spam folder.

“It went on for two weeks until the load spike took the site offline and I noticed it,” he said. “About 1,200 successful transactions for $2.99, with 100,000 blocked.”

Brown said he doesn’t understand why Stripe doesn’t recognize and block the fraudulent charges, since they all follow a similar pattern using a randomized Gmail address. His client had to dispute approximately 100 of these transactions.

“Each dispute costs $15 to resolve,” Brown said. “Each non-disputed refund costs $0.40 since Stripe (like PayPal now) keeps the fee.

“So 100 * $15 + 1100 * $0.40 = $1940 in lost revenue to fees and that’s obviously AFTER also refunding the $2.99 per fraudulent transaction. That means $3,600 in fraud ($2.99 * 1200) just resulted in a net loss of $1940 – that’s insane.”

Many other developers in the conversation have been hit with similar attacks, some with honeypots in place that didn’t prevent anything. One recommended using the WooCommerce Fraud Prevention plugin, which allows store owners to block orders from specific IP addresses, emails, addresses, states, and zip codes. This might help once an attack has started but doesn’t fully prevent one.
Some developers had success stopping attacks using reCaptcha for WooCommerce, a commercial plugin that implements Google’s reCaptcha V2 (checkbox) and reCaptcha V3 to stop things like unauthorized login attempts, fake registrations, fake guest orders, and other automated attacks.

“We ran into this about a year ago,” WordPress developer John Montgomery said. “It’s a way for hackers/thieves to check a list of card numbers for ones that are valid. Once they confirm the card works on a site, they can use it to purchase products for real. In the end, a big annoyance but honestly not a huge deal for us in the end because we have digital products and they weren’t really interested in those.”

Montgomery installed a plugin called Limit Orders for WooCommerce, developed by Nexcess, that disallows orders after a certain threshold is met.

“I set it up to x orders per hour (above any historical numbers)… so if we get say 100 orders in an hour it will shut off orders,” he said. “It’s a bit of a sledgehammer, but it did help us once already.”

Although many store owners are hesitant to add any friction to the checkout process, technology consultant Jordan Trask recommends requiring customers to create accounts and verify their emails before continuing. He wrote a guide on dealing with card testing attacks.

“The gist of the rules is blocking all countries except those you serve,” Trask said. “However, for WooCommerce, I would put in a JS Managed Challenge for the cart and checkout.

“There is rate limiting built into Cloudflare that might help, but it’s more request based versus per order which is what you need based on IP potentially. If the requests come from the same IP address, you can look at limiting orders per IP since the email differs each time.”

The Checkout Rate Limiter plugin, available on GitHub, rate-limits WooCommerce checkout attempts based on IP address.
Trask’s guide also recommends checking payment processor logs when investigating fraudulent charges:

Always check your payment processor logs to verify where the charges are being created. A staging site may exist with production API keys, or your site was hacked, and the API keys were stolen. Most payment processors will have further details in their logs with additional information.

WordPress developer Rahul Nagare recommends checking out Stripe’s Radar fraud protection, which uses machine learning to provide advanced protection and identify fraudsters.

“This will let you set up custom rules on Stripe to reject suspicious transactions,” Nagare said. “This used to be a free service with Stripe, but they changed it last year. I’d look into blocking all transactions with risk score higher than the average, and maybe the region of the card testers.”

WooCommerce’s documentation has a section on responding to card testing attacks, which has many of the same recommendations discussed in the recent AWP thread. A CAPTCHA plugin is the first line of defense. It also recommends avoiding pay-what-you-want or donation products with no minimum, as these products are often targeted for card tests with small transactions that cardholders might miss. Swiftly refunding any successful fraudulent orders will decrease the possibility of disputes.
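The rules the thread converges on (Montgomery’s orders-per-hour ceiling, Trask’s per-IP order limit, and the pattern Brown saw of many $2.99 charges from randomized Gmail addresses) can be checked against payment or order logs. The following is an added example, not code from the article or from any of the plugins it names; the order records are constructed, and the thresholds and the Gmail regex are assumptions a store would tune to its own traffic.

```python
"""Card-testing detector over a constructed order log (added example).
Applies three heuristics from the AWP thread: a per-IP order limit, an
overall orders-per-hour ceiling, and small charges from throwaway Gmail
addresses. A sliding one-hour window is kept per IP and overall."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log: (ISO timestamp, client IP, email, amount in USD)
SAMPLE_ORDERS = [
    ("2021-08-01T10:00:00", "203.0.113.7", "alice@example.org", 49.00),
    ("2021-08-01T10:01:05", "198.51.100.9", "qz8k3m1p@gmail.com", 2.99),
    ("2021-08-01T10:01:09", "198.51.100.9", "r7ttx0aa@gmail.com", 2.99),
    ("2021-08-01T10:01:14", "198.51.100.9", "b92ml0kq@gmail.com", 2.99),
    ("2021-08-01T10:01:20", "198.51.100.9", "x1s0pqvv@gmail.com", 2.99),
    ("2021-08-01T11:30:00", "203.0.113.8", "bob@example.org", 19.00),
]

# Assumed heuristic: 8+ lowercase alphanumerics mixing letters and digits.
RANDOM_GMAIL = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}@gmail\.com$")
WINDOW = timedelta(hours=1)


def flag_card_testing(orders, per_ip_limit=3, hourly_limit=100,
                      small_amount=5.00):
    """Return {email: [reasons]} for orders that trip a rule.
    Orders are processed in timestamp order, so the same logic works on
    a live stream of checkouts as well as on a historical log."""
    per_ip = defaultdict(deque)   # ip -> timestamps within the window
    all_recent = deque()          # all timestamps within the window
    flagged = {}
    for ts, ip, email, amount in sorted(orders, key=lambda o: o[0]):
        now = datetime.fromisoformat(ts)
        # Evict entries older than one hour from both windows.
        for window in (per_ip[ip], all_recent):
            while window and now - window[0] > WINDOW:
                window.popleft()
        per_ip[ip].append(now)
        all_recent.append(now)
        reasons = []
        if len(per_ip[ip]) > per_ip_limit:
            reasons.append("per-ip limit")
        if len(all_recent) > hourly_limit:
            reasons.append("hourly order ceiling")
        if amount <= small_amount and RANDOM_GMAIL.match(email):
            reasons.append("small charge from throwaway gmail")
        if reasons:
            flagged[email] = reasons
    return flagged
```

In a store this would run as a checkout-time check (rejecting the order) or as a report over exported processor logs; the per-IP rule is the one Trask describes, since the email changes on every attempt while the source address often does not.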
Original Dark Mode Developer Relaunches Plugin After the Apparent ‘Cash Grab’ of the New Owners – WordPress Tavern
WordPress dashboard screen with Dark Mode 2.

Daniel James, the original Dark Mode WordPress plugin creator, is stepping back into WordPress development after a two-year pursuit of other projects. His new plugin: Dark Mode 2. It is a response to the recent change to the original Dark Mode plugin for WordPress.

Last month, I reported that WPPool repurposed the plugin to include the commercial Iceberg editor, a feature entirely unrelated to providing a dark viewing mode for the WordPress admin. It is now called WP Markdown Editor. After the change, several plugin users left one-star ratings. However, its user base was small compared to that of ProfilePress (formerly WP User Avatar), which continues getting drenched in low ratings. Still, the change did not sit well with James.

“After finding out that Dark Mode had been passed on to multiple people, I was disappointed to see so many people say they’d take it on without actually bothering to do anything with it,” said James. “It became even more disappointing when I learned the latest developers to have hold of it had ripped out the original functionality in favor of something completely different as a means of selling a product.”

The Dark Mode plugin was once a feature proposal for WordPress. James began the process in 2018, but it never moved much beyond the initial stage. In 2019, he put the plugin up for adoption. It changed hands a couple more times before WPPool became the owner.

In hindsight, James said he should have just abandoned the plugin. At the time, he was stepping away from WordPress entirely to pursue other projects, including building applications with the Laravel PHP framework. However, he never stopped using WordPress completely and has kept an eye on the community.

“I think there are more things that WordPress.org maintainers could do, specifically the Plugin Review Team,” he said. “I think more checks need to be done when plugins change ownership and/or are updated.
As someone who used to put a lot of time into WordPress, I know how demanding it can be, so having volunteers tasked with more work is always a tricky thing to handle.”

However, he said he did not have the solution to the problem. “When you take Dark Mode and, more recently, WP User Avatar having their code changed for what appears to be a cash grab, all it does is hurt developers, agencies, and site admins.”

The repurposing of his former work was the catalyst that he needed to rebuild a solution from scratch. Now, Dark Mode 2 is on the scene.

A New Plugin and a Fresh Take

Manage posts screen with Dark Mode enabled.

James says Dark Mode 2 is still early in its development lifecycle. However, he does not think it is far off from where the original plugin would be if he had continued it. Maybe just shy an extra setting or two.

“I’ve finally got it to a point where it’s ready to be used and replace the classic Dark Mode plugin,” he said. “The great thing about starting again is that it’s easier to style the WordPress dashboard. There is so much going on in the various wp-admin stylesheets that starting over was the only way. It means it supports the latest version of WordPress and cuts out any outdated styling that was previously there.”

The plugin currently has only one setting, which individual users can set via their profile page. It is an option between “Light” and “Dark” viewing modes.

Configuring Dark Mode from the user profile screen.

There are several features James is eager to work on going forward. One of the most requested from the “classic” Dark Mode days is styling the WordPress editor. At the moment, the plugin steers clear of it. “I’ve always been hesitant to do that because of theme editor styles,” he said.
“However, lots of themes tend to style the editors in a very basic fashion, so I’ll be looking at adding in ‘support’ styles for those that want a fully dark dashboard.”

One of the other features he is working on is scheduling when Dark Mode is active or inactive. This would primarily work based on a user’s system preferences if they have their OS set up for light or dark mode at different times of the day.

“For something that appears to be quite a basic plugin, there’s so much you can do with it,” said James.

This time around, the plugin developer is making Dark Mode 2 a commercial-only plugin. He is pricing it at £25 (~$35.28 at today’s exchange rate). This includes lifetime updates with no installation limits. James said he wanted to keep the price low and not have people worry about another renewal fee every year, while still being supported for his effort.

“I’m not going to make millions from this plugin, and that’s okay,” he said. “That’s not my goal. My goal is to make a plugin that helps people and makes it easier for them to manage their website. Plus, it’s about time WordPress got a proper Dark Mode!”