WP Simple Pay Blog

Stripe Tutorials, Tips, and Resources for WordPress to Accept Payments

How to Protect Your WordPress Site From Card Testing (7 Ways)




Do you want to prevent card testing fraud on your WordPress site?

Card testing is one of the most common fraudulent activities experienced by websites that accept online payments. Card testing often results in chargebacks, which puts you at risk of financial consequences from various chargeback monitoring programs.

In this article, we’ll show you how to protect your WordPress site from card testing.

What Is Card Testing?

Card testing, also called card cracking or card checking, is a fraudulent activity where someone with stolen card information makes a small purchase to validate the card numbers, so they can use them to make big purchases. This usually happens when a fraudster purchases a bunch of stolen credit card information and then tries to work out which of those cards are still valid.

Even worse, fraudsters also test large batches of credit card numbers using automated software designed for card checking.

As someone who accepts online payments, you’ll need to ensure your website is safe from all sorts of card testing. Some of the consequences of card checking are:

  • Chargebacks: Successful tests will incur chargebacks. With automated card testing, the odds are high of getting hit with lots of chargebacks all at once, which increases your chargeback ratio.
  • High decline rates: A large number of declines caused by unsuccessful tests can damage the reputation of your business with card issuers. It makes all your transactions look riskier, so even legitimate payments may be declined.
  • Network overload: Automated card testing generates numerous network requests and operations, which can overload your site and lead to even legitimate transactions being declined.

7 Ways to Protect Yourself From Card Testing

If you suspect card testing on your site, it’s recommended that you take immediate measures as follows:

#1. Determine if the Declines are Due to Card Testing

If you see a significant increase in transaction declines, then card testing could be an issue. In your Stripe dashboard, you can also see why the payment was blocked and whether it is due to card testing.


#2. Refund Fraudulent Payments and Avoid Disputes

If you suspect a card test succeeded on your website, you might want to refund the payment to avoid disputes. Remember: disputes and chargebacks aren’t possible on credit card charges that are fully refunded.

When a credit card owner disputes a charge with their bank, the disputed amount and a dispute fee will be debited from your Stripe account until the dispute is resolved.

And if your disputes/chargebacks exceed the thresholds dictated by major card networks, like Visa or Mastercard, they’ll place you into their dispute monitoring programs. This will incur monthly fines and additional fees until you reduce your dispute or fraud levels in a sustained way.

#3. Stop Card Testing With CAPTCHA

One of the most efficient ways to combat fraudulent payment activity on your site is with reCAPTCHA. WP Simple Pay supports 2 different CAPTCHA options: reCAPTCHA and hCaptcha.

reCAPTCHA v3 works invisibly in the background. That way, you can combat spam bots without worrying about turning away your legitimate users because they’ll never see the reCAPTCHA on your WordPress payment forms.

hCaptcha, on the other hand, requires users to complete simple challenges to proceed.

With WP Simple Pay, enabling either of these CAPTCHA options is easy. After installing the plugin, navigate to WP Simple Pay » Settings » General » Anti-Spam and you’ll find those 2 CAPTCHA options.


Select the CAPTCHA you prefer and proceed with its configuration.

For more details, check out how to enable reCAPTCHA on WordPress payment forms.

Aside from protecting your site from card fraudsters, WP Simple Pay also makes it easy to accept Stripe payments with different payment modes like Google Pay / Apple Pay, Buy Now Pay Later, and more.

#4. Enable Email Verification

Another way to combat spam payments is to enable email verification on the payment forms. Now, asking all payers to verify their email addresses before making payments might negatively impact your conversions. This is why WP Simple Pay only requires email verification after a set number of declines have occurred in a given timeframe. That way, you can provide a simpler payment process until fraudulent activity is determined.

After installing the plugin, navigate to WP Simple Pay » Settings » General » Anti-Spam and enable Email Verification.


Once the threshold has been reached, users will need to retrieve a one-time code from their email and enter it in the payment form to complete the payment.


Once the number of declines drops back below the set threshold, the email verification step is automatically removed.
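The decline-threshold behavior described in #1 and #4, sketched as an added example (this is not WP Simple Pay's code): a sliding-window gate that turns email verification on while recent declines meet a threshold and turns it off again once they age out. The threshold, window length, class and function names are assumptions, and the events are constructed samples carrying only the `id`, `type` and `created` fields of a Stripe event.

```python
import bisect

# Assumed values: the article does not state the plugin's actual threshold or window.
DECLINE_THRESHOLD = 5
WINDOW_SECONDS = 600


class DeclineGate:
    """Turn on email verification while recent declines meet the threshold."""

    def __init__(self, threshold=DECLINE_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold, self.window = threshold, window
        self._declines = []     # decline timestamps, kept sorted
        self._seen_ids = set()  # webhook deliveries can repeat; count each event once

    def ingest(self, event):
        """Record one event dict; ignore non-declines and duplicate deliveries."""
        if event.get("type") != "charge.failed" or event["id"] in self._seen_ids:
            return False
        self._seen_ids.add(event["id"])
        bisect.insort(self._declines, event["created"])  # tolerates out-of-order arrival
        return True

    def recent_declines(self, now):
        """Drop declines that have aged out of the window and count the rest."""
        cutoff = now - self.window
        del self._declines[:bisect.bisect_right(self._declines, cutoff)]
        return len(self._declines)

    def verification_required(self, now):
        return self.recent_declines(now) >= self.threshold


def replay(events, checkpoints, t0=0):
    """Feed events in time order and report gate state at each checkpoint."""
    gate, pending, out = DeclineGate(), sorted(events, key=lambda e: e["created"]), []
    for now in sorted(checkpoints):
        while pending and pending[0]["created"] <= now:
            gate.ingest(pending.pop(0))
        out.append((now - t0, gate.recent_declines(now), gate.verification_required(now)))
    return out


# Constructed sample: six declines 20 s apart, one duplicate delivery, one success.
T0 = 1_700_000_000
SAMPLE_EVENTS = [{"id": f"evt_{i}", "type": "charge.failed", "created": T0 + 20 * i}
                 for i in range(6)]
SAMPLE_EVENTS += [{"id": "evt_3", "type": "charge.failed", "created": T0 + 60},
                  {"id": "evt_ok", "type": "charge.succeeded", "created": T0 + 70}]

if __name__ == "__main__":
    for offset, count, required in replay(SAMPLE_EVENTS, [T0 + 60, T0 + 100, T0 + 650], T0):
        print(f"t+{offset:>3}s  declines_in_window={count}  email_verification={required}")
```

The duplicate delivery of `evt_3` and the successful charge do not count toward the threshold, so the gate only trips once distinct declines reach five inside the window.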

#5. Require User Authentication

Requiring users to be logged in to submit on-site payments is a common strategy, especially among eCommerce merchants. With a single click, you can stop processing guest payments with WP Simple Pay.

When enabled, payment forms will not be hidden from guests, but they won’t be able to submit the form.

#6. Configure Your Site to Accept Stripe Webhooks

Webhooks allow Stripe to send messages back to your WordPress site. Webhooks need to be set up so that charge declines due to fraud are properly detected.


WP Simple Pay attempts to create webhook endpoints automatically, so you don’t have to worry about manually configuring your site to accept Stripe webhooks. However, we recommend reviewing your webhook endpoints to confirm they are configured as described in our webhook documentation.

#7. Enable Stripe Radar Rules

Stripe Radar is Stripe’s advanced fraud protection network that detects and blocks fraud using machine learning that trains on data across millions of global companies.

Stripe’s built-in Radar rules will automatically block payments that do not meet the set criteria of the enabled rules.

Enable all of Stripe’s built-in rules for the best protection.


That’s it!

We hope this article helped you learn how to protect your WordPress site from fraudulent payment activities.

You might also want to check out the differences between setting up on-site vs. off-site Stripe checkout.

What are you waiting for? Get started with WP Simple Pay today to accept legitimate payments.

To read more articles like this, follow us on Facebook and Twitter.
