Additional menu

Get MemberPress today! Start getting paid for the content you create! Get MemberPress Now
  1. Home
  2. Knowledge Base
  3. FAQs
  4. How To
  5. How to Prevent Card Testing and Fraudulent Sign Ups with Stripe

How to Prevent Card Testing and Fraudulent Sign Ups with Stripe

You have noticed an increase in payments, either failed or successful over a short period of time, and upon investigation, realize that your site is being used for card testing – what do you do now?

Use Stripe Checkout

First of all, if you are using Stripe Elements, go into MemberPress->Settings->Payments and change to Stripe Checkout. We have noticed issues with the Stripe Elements process and are working with the Stripe team to release a more secure integration – which will be available at the end of May 2023.

Turn on Card Testing Protection

Go to MemberPress->Settings->General and ensure that “Enable Card Testing Protection” is checked.

It is enabled by default, but it is good to check. If it is enabled, you can change the method of getting the user's IP Address.

If your site uses a Front-End Proxy:

  • Enable Use the X-Forwarded-For HTTP header OR Use the X-Real-IP HTTP header

If your site uses CloudFlare:

  • Enable Use the CF-Connecting-IP HTTP header

If your site DOES NOT use CloudFlare or a Front-End Proxy:

  • Enable Use PHP's built-in REMOTE_ADDR

Enable Radar Settings in Stripe

Stripe has settings that can help detect and block fraudulent activity. Learn more about these settings on Stripe's Risk Settings page.

Refresh Your API Keys

Refer to Stripe's API Keys documentation to learn how to Revoke an API key's access and Create a new API Key.

Then go to [yourdomain]/wp-admin/admin.php?page=memberpress-options&display-keys#mepr-integration and enter the new API keys in the boxes provided.

Install and Activate MemberPress Math Captcha

Go to MemberPress->Add-Ons and install and activate our Math Captcha add-on. This will add a simple math captcha to the registration and login page to help prevent spam sign-ups.

You can also use another captcha plugin if you would prefer or Simple Cloudflare Turnstile – CAPTCHA Alternative.

You can use one of them and math Captcha at the same time as well.

Refund and Cancel any Fraudulent Payments

If any payments were successfully created during the card testing, refund and cancel these subscriptions. You can do this either from MemberPress on your site – or through Stripe. If you do it through Stripe, you can mark the refund reason as “Fraud.”

There is no way to do a bulk cancel and refund in MemberPress. So, these will need to be done one at a time.

We also recommend recording the email addresses and any other information about the charge and card that were used so that if customers email in complaining, you can assure them that you have already refunded the fraudulent charge. And if you have the ability to – contact the customer directly to let them know what has happened.

Why Did This Happen?

Hackers can sometimes get a hold of the API secret and use it to spoof calls to Stripe for card testing purposes.

Will It Be Fixed?

Stripe and MemberPress are both aware of this vulnerability and are working together to release a new, more secure solution.

Was this article helpful?

Related Articles

computer girl

Get MemberPress today!

Start getting paid for the content you create.