How Freshy stopped a credit card attack with reCAPTCHA and gateway security rules

A client’s eCommerce platform was targeted by a large-scale credit card “carding” attack — an automated attempt to test stolen card credentials by submitting thousands of small transactions. The attack caused abnormally high decline rates and triggered a fraud alert from the payment processor. Freshy’s development team quickly implemented a multi-layered defense, combining Google reCAPTCHA, gateway-level reject rules, and WordPress security hardening to stop the fraudulent activity within 24 hours.

Issue background

The payment processor notified the client that their account had been flagged for a card verification attack. In this type of fraud, bots exploit unsecured payment forms or account management pages to test stolen credit cards.

In this case, the fraudulent activity was traced not to the main checkout page, but to the “add payment method” section of the user account area — a common vulnerability in subscription-based WooCommerce setups.

The processor reported:

  • Over 17,000 declined attempts in one month
  • Repeat billing postal codes (e.g., 10001, 11201)
  • Reused customer IDs and fake email addresses
  • Obvious spam names and duplicate data

Because these verification attempts bypassed typical checkout processes, they went unnoticed until the gateway triggered fraud protection alerts.

Diagnosis

The Freshy team reviewed logs from the client’s payment gateway and website to identify where the attack originated.

Key findings included:

  • Fraud attempts were targeting the payment method management page, which lacked CAPTCHA protection.
  • Attackers were exploiting the Braintree vault verification endpoint through automated scripts.
  • Gateway-level rate limiting had already slowed the attacks but could not fully stop them.

The development team determined that implementing a CAPTCHA and tightening API-level rules would be the most immediate and effective mitigation strategy.

Resolution steps

  1. Implemented Google reCAPTCHA v3
    Added reCAPTCHA to the “add payment method” and “update card” forms in the WooCommerce account area. Ensured compatibility with Braintree and AJAX form submissions. Tested with legitimate user accounts to confirm smooth functionality.
  2. Enhanced Braintree gateway security
    Confirmed the following risk rules were activated:

    • Block requests with more than 5 verifications from the same postal code within 45 minutes.
    • Block requests with 3 or more verifications from the same email or customer ID within 30 minutes.

    Recommended rotating API keys and enabling two-factor authentication on gateway access.

  3. Audited user accounts
    Identified tens of thousands of user accounts, including fake or suspicious profiles created during the attack. Recommended removing fraudulent accounts and strengthening new user registration processes.
  4. Hardened WordPress environment
    Secured REST API endpoints used by WooCommerce Subscriptions. Implemented rate limiting and login attempt throttling via security plugins. Reviewed logs to confirm that no customer payment data was exposed or compromised.
  5. Testing and verification
    After deployment, the reCAPTCHA effectively blocked automated submissions. The payment gateway confirmed that all fraudulent verification attempts ceased within hours.
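The two gateway velocity rules from step 2, replayed over a constructed verification log so the blocking thresholds can be checked against real log data before relying on them. This is an added Python example, not Freshy's or Braintree's code; the thresholds are the ones stated above, but treating a blocked attempt as still counting toward the window is an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds copied from the gateway rules listed in the resolution steps.
POSTAL_MAX_ALLOWED, POSTAL_WINDOW = 5, timedelta(minutes=45)   # block when MORE than 5
IDENTITY_BLOCK_AT, IDENTITY_WINDOW = 3, timedelta(minutes=30)  # block at 3 OR MORE

class VelocityRules:
    """Sliding-window attempt counters keyed by postal code, email and customer ID."""
    def __init__(self):
        self._seen = defaultdict(deque)  # key -> timestamps of earlier attempts

    def _recent(self, key, now, window):
        q = self._seen[key]
        while q and now - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        return len(q)

    def evaluate(self, event):
        """Return the names of the rules this attempt trips (empty list = allow)."""
        ts = datetime.fromisoformat(event["ts"])
        postal_key = ("postal_code", event["postal_code"])
        identity_keys = [(f, event[f]) for f in ("email", "customer_id")]
        tripped = []
        if self._recent(postal_key, ts, POSTAL_WINDOW) >= POSTAL_MAX_ALLOWED:
            tripped.append("postal_code")
        for field, value in identity_keys:
            if self._recent((field, value), ts, IDENTITY_WINDOW) + 1 >= IDENTITY_BLOCK_AT:  # +1 = this attempt
                tripped.append(field)
        for key in [postal_key, *identity_keys]:  # assumption: blocked attempts still count
            self._seen[key].append(ts)
        return tripped

def replay(events):  # {event index: tripped rules} for every attempt the rules would block
    rules, blocked = VelocityRules(), {}
    for i, event in enumerate(events):
        if tripped := rules.evaluate(event):
            blocked[i] = tripped
    return blocked

# Constructed sample log: seven cards tested from one postal code five minutes apart,
# then one email address trying three cards from three different postal codes.
SAMPLE_EVENTS = [
    {"ts": f"2024-05-01T10:{m:02d}:00", "postal_code": "10001",
     "email": f"user{m}@example.com", "customer_id": f"cust-{m}"} for m in range(0, 35, 5)
] + [
    {"ts": f"2024-05-01T11:{m:02d}:00", "postal_code": z, "email": "bot@example.com",
     "customer_id": f"cust-x{m}"} for m, z in ((0, "90210"), (4, "60601"), (8, "33101"))
]
```

Running `replay(SAMPLE_EVENTS)` flags the sixth and seventh attempts from postal code 10001 and the third attempt from bot@example.com, which is the pattern (repeat postal codes, reused identities) the processor reported.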

Final outcome

Following Freshy’s intervention, the payment processor reported that the credit card attacks had stopped completely.

  • The layered security response prevented further fraudulent charges.
  • Decline rates returned to normal levels.
  • The site’s overall security posture improved significantly.
  • The client’s payment processor relationship was fully restored.

Freshy’s rapid response and methodical troubleshooting prevented financial loss and preserved the site’s reputation with its payment gateway partner.

Key takeaways

  • Always secure account-related payment forms (not just checkout pages) with reCAPTCHA or similar anti-bot tools.
  • Enable and regularly review fraud prevention rules within your payment gateway (e.g., Braintree, Stripe, Authorize.net).
  • Use two-factor authentication and rotate API keys to protect against automated exploitation.
  • Regularly audit user accounts to identify suspicious registrations that could be part of automated attacks.
  • Partnering with an experienced WordPress team ensures fast, coordinated mitigation when fraud or security issues arise.

Need help securing your WooCommerce site from credit card or bot attacks?
Contact Freshy’s WordPress security experts for fast, professional help keeping your payment processes secure.