How to Prevent Card Testing and Fraudulent Sign-Ups with Stripe

You have noticed a sudden increase in payments, failed or successful, over a short period of time, and upon investigation you realize that your site is being used for card testing. What do you do now?

Switching to Stripe Checkout

First, if you use Stripe Elements, you could try switching to Stripe Checkout:

  1. Navigate to Dashboard > MemberPress > Settings > Payments tab.
  2. Find the Stripe payment gateway.
  3. Here, click the checkbox next to the Stripe Checkout option.

Switching to Stripe Checkout won't prevent card testing by itself. The purpose of this switch is to interrupt the card testers attacking your website: it shuts down the endpoints testers may be using to run attacks through Stripe Elements. Once you have applied all the other security measures described in this document and the attack is over, you can re-enable Stripe Elements.

Turn on Card Testing Protection

Go to Dashboard > MemberPress > Settings > General and ensure that Enable Card Testing Protection is checked.

It is enabled by default, but it is good to check. With it enabled, you can choose the method used to determine the user's IP address.

If your site uses a Front-End Proxy:

  • Enable Use the X-Forwarded-For HTTP header OR Use the X-Real-IP HTTP header

If your site uses CloudFlare:

  • Enable Use the CF-Connecting-IP HTTP header

If your site DOES NOT use CloudFlare or a Front-End Proxy:

  • Enable Use PHP's built-in REMOTE_ADDR

Only trust a forwarded header when a proxy you control sets it. Without such a proxy, the header value is whatever the client sent, so the protection would count attempts against an address of the client's choosing.
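As an added illustration (not MemberPress code), the following Python resolves the address that the protection counts attempts against under each method, and runs constructed requests through it to show what a mismatched setting does; the method names and the request shape are assumptions.

```python
from collections import Counter


def client_ip(method, remote_addr, headers):
    """Address the card-testing protection keys its attempt count on.

    remote_addr is the TCP peer PHP sees ($_SERVER['REMOTE_ADDR']); headers
    is a dict of request headers with lower-cased names. A forwarded header
    is only trustworthy when a proxy you control sets it, which is why the
    chosen method has to match the real deployment. Method names assumed.
    """
    if method == "x_forwarded_for":
        # Proxies append to this list; the left-most entry is the client
        first = headers.get("x-forwarded-for", "").split(",")[0].strip()
        return first or remote_addr
    if method == "x_real_ip":
        return headers.get("x-real-ip", "").strip() or remote_addr
    if method == "cf_connecting_ip":
        return headers.get("cf-connecting-ip", "").strip() or remote_addr
    return remote_addr  # "remote_addr": PHP's built-in REMOTE_ADDR


def attempts_per_ip(method, requests):
    """Registration attempts grouped by the address the method resolves."""
    return Counter(client_ip(method, r["remote_addr"], r["headers"]) for r in requests)


# Constructed sample: site behind Cloudflare. PHP always sees a Cloudflare edge
# address as the peer; the visitor's own address arrives in CF-Connecting-IP.
BEHIND_CLOUDFLARE = [
    {"remote_addr": "203.0.113.10", "headers": {"cf-connecting-ip": "192.0.2.50"}},
    {"remote_addr": "203.0.113.11", "headers": {"cf-connecting-ip": "192.0.2.50"}},
    {"remote_addr": "203.0.113.10", "headers": {"cf-connecting-ip": "192.0.2.51"}},
]

# Constructed sample: no proxy at all. The peer address is the visitor, and any
# X-Forwarded-For value present was written by the visitor's own client.
NO_PROXY = [
    {"remote_addr": "192.0.2.50", "headers": {"x-forwarded-for": "10.0.0.1"}},
    {"remote_addr": "192.0.2.50", "headers": {"x-forwarded-for": "10.0.0.2"}},
    {"remote_addr": "192.0.2.50", "headers": {}},
]

if __name__ == "__main__":
    # The matching method groups one visitor's attempts together; a mismatched
    # one either counts the proxy's addresses or scatters the attempts.
    for method, sample in (("cf_connecting_ip", BEHIND_CLOUDFLARE),
                           ("remote_addr", BEHIND_CLOUDFLARE),
                           ("remote_addr", NO_PROXY),
                           ("x_forwarded_for", NO_PROXY)):
        print(method, dict(attempts_per_ip(method, sample)))
```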

Enable Radar Settings in Stripe

Stripe has the Stripe Radar feature to help detect and block fraudulent activity. Learn more about these settings on Stripe's Risk Settings page.

Stripe Radar offers several card verification checks:

  • Card verification code check (CVC): this check blocks any charge that fails CVC verification. The CVC is the verification code printed directly on the user's card. Users must enter the correct CVC on the MemberPress registration form for Stripe to process the payment.
  • Address verification (AVS): this check blocks charges when the postal address check fails. When registering, users must enter their postal code and street address on the MemberPress registration form. If this data doesn't match the billing address on file with the card issuer (e.g., the bank), the payment will fail.

Install and Activate the Captcha Add-On

Card testing relies on (usually automated) bots that repeatedly submit the membership registration form (spam sign-ups). Each time the bot submits the form, it uses different, typically stolen, payment data to check whether that data is valid. Adding a captcha to your registration forms should help prevent these spam sign-ups.

Go to Dashboard > MemberPress > Add-Ons and install and activate our Math Captcha add-on. This will add a simple math captcha to the registration and login page.

You can also use the Simple Cloudflare Turnstile – CAPTCHA Alternative or another captcha plugin.

Furthermore, you can use the MemberPress Math Captcha add-on with Cloudflare Turnstile (or another captcha plugin) at the same time.

Simple Cloudflare Turnstile Add-On

Cloudflare Turnstile should also help in case your website gets compromised (hacked). If your website is hacked, it's possible for attackers to get hold of your Stripe API client secret. That key can then be used for card testing from locations entirely unrelated to your website.

As mentioned, you should use the Simple Cloudflare Turnstile – CAPTCHA Alternative plugin to add the Cloudflare Turnstile on your site. The built-in MemberPress integration allows you to enable Cloudflare Turnstile on MemberPress login and registration forms.

To set up the plugin, navigate to Dashboard > Settings > Cloudflare Turnstile and follow the plugin guide.

Note: When Turnstile is enabled for WordPress Login, the Only enable on default wp-login.php page sub-option will become available. Please be sure to uncheck this sub-option to apply Turnstile on the MemberPress login and keep it secure.

In addition, you can add MemberPress membership IDs to the dedicated field to apply Turnstile only on specific registration forms.

Refresh Your API Keys

If you applied all the above-mentioned suggestions and card testing is still ongoing, please try refreshing your Stripe API credentials. To do this, please follow these steps:

  1. Log in to your website as an administrator. After logging in, the URL in your browser's address bar should be like this: https://yourdomain.com/wp-admin/.
  2. Add the following to the end of your current URL: admin.php?page=memberpress-options&display-keys (e.g. https://yourdomain.com/wp-admin/admin.php?page=memberpress-options&display-keys). While still in the address bar, press the enter key on your keyboard.
  3. This will take you to the MemberPress Settings page (Dashboard > MemberPress > Settings). Click the Payments tab.
  4. Under the Stripe payment gateway settings, you should see a new Refresh Stripe Credentials button. Click this button to refresh your Stripe credentials.

Refund and Cancel any Fraudulent Payments

If any payments were successfully created during the card testing, refund them and cancel the corresponding subscriptions. You can do this either from MemberPress on your site or through Stripe. If you do it through Stripe, you can mark the refund reason as “Fraud.”

There is no way to cancel and refund in bulk in MemberPress. So, these will need to be done one at a time.

We also recommend recording the email addresses and any other information about the charge and the card that was used, so that if customers email in to complain, you can assure them that you have already refunded the fraudulent charge. If you have the ability to contact the customer directly, let them know what has happened.
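As an added example rather than anything from MemberPress or Stripe, this Python script triages a constructed transaction export the way the introduction and this section describe: it finds the short burst of attempts and lists the successful charges within it that need refunding, cancelling and recording. The export format (timestamp, email, card last four digits, outcome) is an assumption.

```python
from datetime import datetime, timedelta

# Constructed transaction export: (timestamp, customer email, card last4, outcome).
# The 10:00 cluster is a card-testing run; the other two rows are real customers.
TXNS = [
    ("2024-05-01T09:15:00", "alice@example.com", "1111", "succeeded"),
    ("2024-05-01T10:00:01", "x1@example.net", "2222", "failed"),
    ("2024-05-01T10:00:03", "x2@example.net", "3333", "failed"),
    ("2024-05-01T10:00:04", "x3@example.net", "4444", "succeeded"),
    ("2024-05-01T10:00:06", "x4@example.net", "5555", "failed"),
    ("2024-05-01T10:00:09", "x5@example.net", "6666", "succeeded"),
    ("2024-05-01T14:30:00", "bob@example.com", "7777", "succeeded"),
]


def _ts(value):
    return datetime.fromisoformat(value)


def burst_window(txns, max_gap_seconds=30, min_attempts=4):
    """First run of attempts spaced at most max_gap_seconds apart with at
    least min_attempts entries, as (start, end) ISO timestamps, else None.
    Failed and successful attempts both count: testers keep submitting
    regardless of outcome, and the tight spacing is the signature."""
    times = sorted(_ts(t[0]) for t in txns)
    gap = timedelta(seconds=max_gap_seconds)
    start = 0
    for i in range(1, len(times) + 1):
        if i == len(times) or times[i] - times[i - 1] > gap:
            if i - start >= min_attempts:
                return times[start].isoformat(), times[i - 1].isoformat()
            start = i
    return None


def refund_worklist(txns, start, end):
    """Successful charges inside the burst: each needs a refund and a
    subscription cancellation (one at a time in MemberPress), and the
    email and card details are what to keep on record for follow-up."""
    lo, hi = _ts(start), _ts(end)
    return [
        {"charged_at": when, "email": email, "card_last4": last4}
        for when, email, last4, outcome in txns
        if outcome == "succeeded" and lo <= _ts(when) <= hi
    ]


if __name__ == "__main__":
    window = burst_window(TXNS)
    print("burst:", window)
    for item in refund_worklist(TXNS, *window):
        print("refund + cancel:", item)
```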
