Protecting WP Full Pay Forms from Card Testing Attacks

This article explains how to recognize card testing activity on your WP Full Pay forms and what steps you can take to prevent it.

How to Recognize a Card Testing Attempt

Card testing (also called carding) is a type of fraud where automated bots submit a high volume of payment attempts to discover valid card details. Look for these signs in your Stripe Dashboard:

  • A sudden spike in payment_intent.created events, even though few or no payments are completing
  • Multiple failed payment attempts with small fixed amounts (for example, $1.00 or $0.01)
  • A high volume of declined transactions from many different card numbers in a short period

The most effective step you can take is to use a WP Full Pay donation form with the Checkout layout. The Checkout layout includes built-in rate limiting and bot detection managed by Stripe, reducing automated abuse without requiring additional configuration.

📝 Note: With the Checkout layout, visitors are redirected to a Stripe-hosted page to complete their payment and then returned to your site. See The difference between inline and checkout form layouts for a full comparison of the two layouts.

How to create a Checkout donation form

The form layout is selected when a new form is created. To replace an existing donation form with a Checkout version:

  1. In your WordPress admin, navigate to Full Pay > Payment Forms.
  2. Click Add form to create a new donation form.
  3. Enter a display name for the form.
  4. Under Form layout, select Checkout (not Inline).
  5. Click Create & edit form.
  6. On the Payment tab, configure your donation settings (currency, suggested amounts, donation frequency).
  7. Optionally configure a Thank you page on the General tab.
  8. Save the form and copy the new shortcode.
  9. Replace the old form shortcode on your donation page with the new Checkout form shortcode.

[Screenshot: WP Full Pay form creation screen showing the "Form layout" option with Checkout selected]

💡 Tip: After switching to the Checkout layout, check your Stripe Dashboard after a few days. You should see a significant reduction in payment_intent.created events and failed payment attempts.

Additional Mitigations

Consider applying these additional protections alongside the Checkout layout.

Enable Google reCAPTCHA

WP Full Pay supports Google reCAPTCHA v2 on both inline and Checkout forms. Enabling reCAPTCHA adds a challenge step that makes it harder for bots to submit your forms.

To enable reCAPTCHA:

  1. Navigate to Full Pay > Settings > Security.
  2. Check the box next to Inline forms and/or Checkout forms to enable reCAPTCHA on those form types.
  3. Paste your Google reCAPTCHA Site Key and Secret Key into the fields provided.
  4. Click Save settings.

📝 Note: You need to register your site with Google to obtain reCAPTCHA API keys. See Register your website for Google reCAPTCHA for step-by-step instructions.

Use Stripe Radar Rules

Stripe Radar is Stripe's built-in fraud detection system. You can add custom rules in your Stripe Dashboard to automatically block suspicious payment patterns, such as:

  • Multiple payment attempts from the same IP address in a short period
  • Payments below a minimum amount threshold (to catch $0.01 or $1.00 test attempts)
  • Cards issued in countries outside your normal customer base

To configure Stripe Radar rules, go to your Stripe Dashboard and navigate to Radar > Rules. Refer to Stripe's Radar documentation for guidance on writing effective rules.

Verifying the Improvement

After switching to the Checkout layout and enabling reCAPTCHA, verify the changes are working:

  1. In your Stripe Dashboard, open Payments > All transactions and filter by payment_intent.created events or failed payments.
  2. Over the next 24–48 hours, the volume of incomplete payment intents and declined attempts should drop significantly.
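
The signs listed under "How to Recognize a Card Testing Attempt", and the drop you should see when verifying the improvement, can also be checked with a script over event records you have already pulled from your Stripe account. The following is an added example, not code from WP Full Pay or Stripe: the event dicts are a simplified, constructed shape (with `card` standing for any stable per-card identifier such as a card fingerprint), and every threshold is an assumption to tune.

```python
from collections import defaultdict
# Thresholds are assumptions for illustration; tune them to your own traffic.
WINDOW = 600          # bucket size in seconds (10 minutes)
MIN_CREATED = 20      # ignore buckets quieter than this
MAX_COMPLETION = 0.1  # succeeded/created at or below this is suspicious
SMALL_CENTS = 100     # $1.00 or less counts as a small test amount
MIN_REPEATS = 10      # same small amount declined this many times
MIN_CARDS = 10        # distinct cards declined in one bucket

def card_testing_signals(events):
    """Map bucket start -> matched signs. Events are simplified dicts (not
    Stripe's full JSON): type, created (epoch s), amount (cents), card."""
    buckets = defaultdict(lambda: {"created": 0, "succeeded": 0,
                                   "small": defaultdict(int), "cards": set()})
    for ev in events:
        b = buckets[ev["created"] - ev["created"] % WINDOW]
        if ev["type"] == "payment_intent.created":
            b["created"] += 1
        elif ev["type"] == "payment_intent.succeeded":
            b["succeeded"] += 1
        elif ev["type"] == "payment_intent.payment_failed":
            if ev["amount"] <= SMALL_CENTS:
                b["small"][ev["amount"]] += 1
            b["cards"].add(ev.get("card"))
    flagged = {}
    for start, b in sorted(buckets.items()):
        reasons = []
        if b["created"] >= MIN_CREATED and b["succeeded"] / b["created"] <= MAX_COMPLETION:
            reasons.append("created_spike_low_completion")
        if any(n >= MIN_REPEATS for n in b["small"].values()):
            reasons.append("repeated_small_amount_failures")
        if len(b["cards"] - {None}) >= MIN_CARDS:
            reasons.append("many_distinct_cards_declined")
        if reasons:
            flagged[start] = reasons
    return flagged

def sample_events(base=1_700_000_400):
    """Constructed data: a quiet bucket, then a burst of $1.00 declines."""
    ev = lambda t, at, amt, card=None: dict(type=t, created=at, amount=amt, card=card)
    out = []
    for i in range(3):   # normal donations, all completed
        out += [ev("payment_intent.created", base + i, 2500),
                ev("payment_intent.succeeded", base + i + 5, 2500)]
    for i in range(30):  # burst in the next bucket, a different card each time
        at = base + WINDOW + i * 10
        out += [ev("payment_intent.created", at, 100),
                ev("payment_intent.payment_failed", at + 1, 100, f"fp_constructed_{i}")]
    return out
```

Running `card_testing_signals` on records from before and after the switch to the Checkout layout gives a like-for-like comparison: flagged buckets should become rare or disappear.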