WP Simple Pay Blog

Stripe Tutorials, Tips, and Resources for WordPress to Accept Payments

How to Prevent Fraudulent Payments in WordPress (6 Easy Ways)

Last updated on

Written By: author image Shahzad Saeed

Do you want to prevent spam and fraudulent payment attempts?

As a business that accepts online transactions (where you can’t guarantee the person making the transaction is the cardholder), you must take steps to protect yourself from fraud. If you fail to detect and prevent fraud, you could pay unnecessary fees, lose time dealing with disputes, and suffer reputation damage with payment processors and card-issuing banks.

In this article, we’d like to cover some essential steps you can take to prevent spam and fraud attempts. These simple actions will go a long way toward protecting your business.

1: Set Up reCAPTCHA

reCAPTCHA is an invaluable tool to protect your website from abuse and fraud. It prevents non-humans (bots and scripts) from interacting with your pages. This means that an automated system set up by a malicious party won’t be able to use your payment forms.

How does it work?

Basically, it understands how people behave differently than bots. If it identifies a bot, reCAPTCHA blocks its access. We strongly recommend it.

wp simple pay homepage

WP Simply Pay, the #1 Stripe payment plugin for WordPress, supports 3 different captchas as follows:

  1. Google reCAPTCHA: It works invisibly on your website to combat spam bots without bothering your customers.
  2. hCaptcha: One of the best choices for you if you prefer an anti-bot solution that protects user privacy.
  3. Cloudflare Turnstile: Another reCAPTCHA alternative that focuses on user privacy. Turnstile offers multiple CAPTCHA types: Managed, Non-interactive, and Invisible.

To enable reCAPTCHA, install WP Simple Pay, connect Stripe with your site, and enable one of the CAPTCHA options on your site.

2: Understand Card Testing

Card testing (also called “carding,” “account testing,” and “card checking”) is a type of fraudulent activity when someone tries to determine if a stolen card’s information is valid to make purchases.

Fraudsters might use your website to determine if a card is valid before using it on another website. They prefer to use authorizations because they don’t show on the cardholder’s statement. In other cases, they might try to make a small payment by making a small value purchase that’s less likely to be noticed by the cardholder.

This creates several negative effects for you.

  • A high number of declines damages the reputation of your business with card issues and networks, which makes all of your transactions seem risker.
  • Additional fees, such as authorization fees for custom pricing plans, and dispute fees.
  • Numerous network requests could put unnecessary strain on your website.
  • If testing succeeds, you’ll end up with payments that eventually get disputed as fraudulent. This results in disputes that cost money.

Stripe and other payment processors have tools and systems in place to detect and reduce this kind of fraud. This includes rate limiters, alerts, ongoing reviews, and more. These measures can’t prevent all card testing, however, so it’s important that you remain vigilant on your end.


You can identify card testing by keeping an eye on your declines, especially if they happen in a short period of time. In Stripe, you’ll see this in the Developers section of the Dashboard and in your failed request logs as 402 errors. Here are some ways to prevent card testing:

  1. Set up reCAPTCHA as we mentioned earlier. This will prevent automated card testing.
  2. Add rate limits. These are tailored responses to the specific type of card testing you’re seeing. For instance, if card testers try to validate cards using new customer accounts, you could limit the number of new accounts per IP address. WP Simple Pay provides built in IP-based rate limiting for requests.
  3. Use custom rules in Stripe Radar to mitigate fraudulent activity once you identify some kind of pattern you can fight back against.

In fact, it’s best to employ all of the methods we listed above so you don’t become a haven of card testers who use your site to check their stolen goods.

3: Set Up Stripe Radar

Radar is a powerful machine learning detection algorithm from Stripe that identifies fraudulent activity on their platform. It quietly reviews every transaction for signs of fraud and scores each payment based on thousands of signals. So far, Radar has blocked billions of dollars in fraud across the Stripe network for companies of all sizes.

What’s unique about Radar is that it’s not a static piece of software. It learns over time based on new data and improved models, learning from the millions of payments that happen on Stripe’s network. This trove of behavioral data makes it accurate at predicting patterns of fraud.

It’s true that other payment processors have systems to recognize fraud and block transactions. Radar, however, goes the extra mile by informing you why transactions are blocked. As a business owner, you need information when payments fail to go through so you can make smart decisions.

Furthermore, Radar also gives you control over what gets refused. For instance, instead of blocking a transaction completely, you may want to reach out to the customer for additional information to see if you can process the sale. You can also create your own custom rules to refuse transactions that Radar’s default rules don’t already block.

Fraud attempts

All in all, Radar is a powerful tool to have in your toolbox. It’s automated enough to protect you at scale, but it also gives you plenty of control to prevent fraud. Learn more in our deeper dive into Stripe Radar.

4: Email Verification

Enabling email verification is another effective strategy to stop spam payment attempts. Instead of asking all payers to verify their email addresses, which could potentially backfire, you can require email verification after a set number of declines.

WP Simple Pay makes it easy to enable email verification and set a threshold limit for fraud declines.

After installing the plugin, navigate to WP Simple Pay » Settings » General » Anti-Spam and click enable Email Verification.


Once the threshold has been reached, users will need to retrieve a one time code from their email address to enter in the payment form to complete the payment.

email-verification stripe

After the number of declines has reduced outside of the set threshold, the email verification step will automatically be removed.

5: Disable Guest Checkout

Disabling guest checkout is a common strategy among eCommerce merchants. With a single click, you can stop processing guest payments with WP Simple Pay.

require user authentication

When enabled, payment forms will not be hidden from guests, but they won’t be able to submit the form.

guest checkout preview

Here’s a step-by-step guide on disabling guest checkout with WP Simple Pay.

6: Run Address Verification

An Address Verification Service (AVS) is a fraud prevention system that verifies that the address entered by the customer matches the address on the cardholder’s account. This process happens in seconds. The customer has no idea. This simple check can spot fraud attempts and ultimately limit chargebacks.

Why does it work? The cardholder’s address is a collection of data points the cardholder would know, but aren’t available on the card. If the card were stolen, the thief would also need to acquire the address in some other way to complete the transaction.

Obviously, AVS isn’t perfect. If someone steals their friend’s card, there’s a chance they would know the address off hand. You should use AVS in conjunction with other fraud detection mechanisms, such as IP address verification, 3D Secure, device authentication, CVV, and even biometric analysis. But AVS greatly reduces the number of fraud attempts that complete a transaction. This is why most major credit card companies and payment processors use this service.

Where do you get AVS? The mainstream payment processors (such as Stripe) and gateways offer this service. If you have your own merchant account, you have access to AVS as well. If your processor or gateway doesn’t offer this service, you should consider paying a third-party service provider.

Stay Vigilant

When it comes to preventing spam and fraud, vigilance is key. Keep a watchful eye on the reports and metrics provided by your payment processor, especially in regard to blocked or declined transactions.

As our tools evolve, so will the fraudsters. With WP Simple Pay, we are committed to providing a product as secure as possible, and we continuously enhance our anti-spam and anti-fraud functionality. If you use WP Simple Pay, make sure to keep it updated to gain access to these additional layers of protection.

What are you waiting for? Get started with WP Simple Pay today!

To read more articles like this, follow us on Facebook and Twitter.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. We only recommend products that we believe will add value to our readers.

Start Accepting Payments Today

Start accepting one-time and recurring payments or donations on your WordPress website.