Two clients recently faced a malicious bot attacking their WooCommerce stores. The first sign of trouble was Google Analytics (GA4) showing hundreds of fake active visitors. The second was the monthly bill from the managed WordPress host: one of them showed hundreds of dollars in overage fees for a single month.
DDoS attacks are nothing new. However, the signature of this bot is new:
- Many different source IP addresses, geolocated to China, Hong Kong, and Singapore
- User-Agent strings claiming to be real browsers, such as Chrome on Windows 10 or Safari on macOS
- Hits the Shop page of the Woo store repeatedly
- Appends query-string arguments, mostly product filters on Brand, so that every request busts the page cache and forces a full PHP/MySQL render (which is what drives the hosting overage)
- Targets medium-sized stores carrying brands that may have some connection to China
In the past I’ve seen DDoS attacks roll contact forms and password reset forms. These are usually remedied by adding a CAPTCHA to those forms. I’ve also observed plenty of brute-force login attempts and checkout card-guessing attacks, both of which can also normally be fixed with a CAPTCHA, the exception being PayPal Payments.
To remedy this new bot attack, each client must decide whether to block whole countries or to target the bot's behavior and block it more precisely. Blocking by country is quick, but it also turns away legitimate customers in those countries and the bot can simply move to addresses elsewhere; a behavioral rule (Shop page plus a filter query string, at a rate no human shopper reaches) is narrower but needs tuning and maintenance. They must also decide where to enforce the rule: in a firewall they control themselves (e.g. their own Cloudflare account), in the host's internal firewall by asking the host to set the rule (usually a Cloudflare account the host controls), or, as a third option, in code on the site that returns 403 when the detected behavior pattern(s) match. These are business decisions that each client has to make.
In any case, continued monitoring is critical to detect these bots early, before they pollute the analytics and run up the hosting overage fees described above.
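As an added example (not code from the original post), the following Python script implements the behavioral half of the options above: a per-request predicate that recognizes the cache-busting Shop-page signature, and a log scanner that applies it to access-log lines and reports IPs that exceed a rate no shopper reaches. It assumes the shop archive lives at /shop/ and that product filters arrive as WooCommerce-style `filter_<attribute>` query parameters (`filter_brand` is an assumption; the actual parameter depends on the site's brand plugin). The log lines are constructed here and use documentation IP ranges, not real attacker addresses. `is_cache_busting_shop_request` is the piece you would port into a must-use plugin for the "return 403" option; `find_offenders` is the monitoring piece and deliberately ignores country, so legitimate customers in the listed countries are not caught by it.

```python
"""Behavior-based detection of a cache-busting shop-page bot from access logs.

Added example, not code from the original post. Parses combined-format access
log lines, flags IPs that hammer the WooCommerce shop page with ever-changing
filter query strings, and exposes the per-request predicate a 403 rule would use.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumptions (adjust per site): the shop archive is /shop/, and layered-navigation
# filters arrive as filter_<attribute> query keys (filter_brand is assumed).
SHOP_PATH_RE = re.compile(r"^/shop/?$")
FILTER_PREFIX = "filter_"


def is_cache_busting_shop_request(target: str) -> bool:
    """True for a shop-page hit whose query string carries a product filter.

    Such a request bypasses the page cache and costs a full PHP/MySQL render,
    which is the expensive behavior the bot exploits. This is the predicate a
    WordPress must-use plugin would port to decide on a 403.
    """
    parts = urlsplit(target)
    if not SHOP_PATH_RE.match(parts.path):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return any(key.startswith(FILTER_PREFIX) for key in params)


def parse_line(line: str):
    """Parse one combined-format log line into a dict, or None if malformed."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def find_offenders(log_text: str, window_s: int = 60, min_hits: int = 20, min_distinct: int = 10):
    """Return {ip: (hits, distinct_queries)} for IPs exceeding both thresholds.

    A shopper using the brand filter produces a handful of distinct filtered
    requests per minute; dozens of distinct query strings in a minute is a bot
    busting the cache. Thresholds are conservative starting points to tune.
    """
    per_ip = defaultdict(list)  # ip -> [(time, query_string)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_cache_busting_shop_request(rec["target"]):
            continue
        per_ip[rec["ip"]].append((rec["time"], urlsplit(rec["target"]).query))

    offenders = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over this IP's filtered hits
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            distinct = len({query for _, query in window})
            if len(window) >= min_hits and distinct >= min_distinct:
                offenders[ip] = (len(window), distinct)
                break
    return offenders


CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")


def _line(ip: str, secs: int, target: str, ua: str = CHROME_UA) -> str:
    return f'{ip} - - [12/May/2024:10:00:{secs:02d} +0000] "GET {target} HTTP/1.1" 200 51234 "-" "{ua}"'


def build_sample_log() -> str:
    """Constructed sample traffic using documentation IP ranges (not real addresses)."""
    lines = []
    # Bot: 25 shop hits in 25 seconds, each with a new brand value to bust the cache.
    lines += [_line("203.0.113.10", i, f"/shop/?filter_brand=brand{i}&orderby=price") for i in range(25)]
    # Shopper: a couple of filtered views mixed with product pages and assets.
    lines += [
        _line("198.51.100.7", 3, "/shop/?filter_brand=acme"),
        _line("198.51.100.7", 4, "/wp-content/themes/store/style.css"),
        _line("198.51.100.7", 9, "/product/acme-widget/"),
        _line("198.51.100.7", 40, "/shop/?filter_brand=acme&filter_color=blue"),
    ]
    # Crawler hitting the unfiltered shop page: served from cache, cheap, not this bot.
    lines += [_line("198.51.100.20", i * 2, "/shop/") for i in range(25)]
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, (hits, distinct) in find_offenders(build_sample_log()).items():
        print(f"block {ip}: {hits} filtered shop hits, {distinct} distinct query strings within 60s")
```

Run it from cron over the last few minutes of the access log and feed the reported IPs to whichever firewall the client chose; tune `min_hits` and `min_distinct` against a day of known-good traffic first, since a store with many filterable attributes sees more legitimate filtered requests than one with a single brand filter. If the 403 route is taken, the predicate alone is not enough (a single filtered request is legitimate); combine it with a per-IP counter such as a transient keyed on the address, or let the firewall do the rate limiting and keep only the predicate in code.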
