Stopping WooCommerce Bot Attacks Exploiting PayPal & Local Pickup with Cloudflare
Sep202525

Stopping WooCommerce Bot Attacks Exploiting PayPal & Local Pickup

Over the past few weeks, we’ve had several people get in touch with us about a worrying WooCommerce issue. The problem? Fraudulent PayPal orders caused by bot attacks that target the WooCommerce products JSON endpoint.

These attacks typically use stolen or fake card details, automatically selecting Local Pickup at checkout to bypass shipping logic. As a result, site owners were seeing a growing number of failed PayPal orders in their dashboards.

This isn’t an isolated issue either – it’s been widely reported across Reddit and other forums by shop owners running WooCommerce.

What’s Going On Behind the Scenes?

The bots are:

  • Scraping the /wp-json/wc/store/products endpoint.
  • Making requests with rotating IP addresses.
  • Sending requests with no referrer header.

This combination makes them harder to block with traditional firewalls or blacklists.

How We Stopped the Attacks

After investigating, we successfully blocked the problem using a custom Cloudflare Firewall Rule. Here’s the exact rule that stopped the attacks:

(http.request.method eq "GET" and http.request.uri.path eq "/wp-json/wc/store/products" and http.request.uri.query contains "stock_status=" and not http.referer contains "ENTER-YOUR-DOMAIN")

What does this rule do?

  • Blocks GET requests targeting the WooCommerce products endpoint.
  • Filters requests specifically trying to query stock_status=.
  • Allows legitimate requests where the referrer is your own domain.

In short, it stops the automated bots dead in their tracks without affecting your real customers.

Tip: Replace ENTER-YOUR-DOMAIN with your actual site domain.
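To see what the rule would catch before it is switched on, the same conditions can be replayed over existing web server access logs. The script below is an added example, not part of the original post or of Cloudflare's tooling; it assumes combined-format (Apache/nginx) logs, uses shop.example as a stand-in for ENTER-YOUR-DOMAIN, and runs on constructed sample lines.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

SITE_DOMAIN = "shop.example"  # assumption: stands in for ENTER-YOUR-DOMAIN
ENDPOINT = "/wp-json/wc/store/products"

# Combined log format: ip - user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)

def rule_matches(method, target, referer, domain=SITE_DOMAIN):
    """Mirror the Cloudflare expression term by term (eq is exact, contains is substring)."""
    url = urlsplit(target)
    return (method == "GET"
            and url.path == ENDPOINT
            and "stock_status=" in url.query
            and domain not in referer)

def audit(lines, domain=SITE_DOMAIN):
    """Count would-be blocks per client IP; collect endpoint hits the rule lets through."""
    blocked, passed = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not urlsplit(m["target"]).path.startswith(ENDPOINT):
            continue  # unparseable line or unrelated request
        if rule_matches(m["method"], m["target"], m["referer"], domain):
            blocked[m["ip"]] += 1
        else:
            passed.append((m["ip"], m["method"], m["target"]))
    return blocked, passed

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [25/Sep/2025:10:00:01 +0000] "GET /wp-json/wc/store/products?stock_status=instock HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '198.51.100.9 - - [25/Sep/2025:10:00:02 +0000] "GET /wp-json/wc/store/products?stock_status=instock&page=2 HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '203.0.113.7 - - [25/Sep/2025:10:00:03 +0000] "GET /wp-json/wc/store/products?stock_status=instock&per_page=100 HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '192.0.2.44 - - [25/Sep/2025:10:00:05 +0000] "GET /wp-json/wc/store/products?stock_status=instock HTTP/1.1" 200 512 "https://shop.example/shop/" "Mozilla/5.0"',
    '192.0.2.44 - - [25/Sep/2025:10:00:09 +0000] "GET /wp-json/wc/store/products?per_page=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [25/Sep/2025:10:00:11 +0000] "GET /cart/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    blocked, passed = audit(SAMPLE)
    print("would block:", dict(blocked))
    print("endpoint hits not matched:", passed)
```

Run it over a day of real logs before setting the rule's action to Block: the would-block list should contain only automated clients. A real visitor can still appear there if their browser or a privacy tool strips the Referer header.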

Why This Matters

For small businesses, every fraudulent transaction attempt is more than just admin hassle – it can trigger PayPal disputes, freeze accounts, or raise fraud risk flags. By putting rules like this in place, you’re adding a much-needed layer of protection to your WooCommerce store.

Final Thoughts

If you’re running WooCommerce and PayPal, it’s worth reviewing your firewall setup. This bot attack is becoming more common, and prevention is always better than cure.

If you’re not sure how to configure Cloudflare rules or you’re worried about security on your online store, get in touch with us at NW Design – we’ve already helped clients stop these exact attacks and can help secure your website too.