Rate Limiting to stop Credit Card transaction bots

We have an eCommerce site. For the last couple of days we have been attacked by bots that go to the Checkout page and try to place an order for some random item, using thousands of Credit Card numbers. We are charged for each attempt.

To prevent this we were thinking that some rate limiting could defend against this. After they hit “Place Order” too many times in a short period of time they could be blocked . The rules would ideally shut down bots but not be too bothersome to customers who mis-enter their Credit Card information and need to try a again. Some customers may take 3 or 4 tries to get it right, but they are slower than bots usually.

Is there a tutorial that could help us learn how to do this best?
If not, are there any support facilities or freelancers with experience that could help with this?

Any suggestions or help is greatly appreciated.


It may be more effective to try a Firewall Rule to JS Challenge requests to that checkout page. That should stop all the bots, and won’t let slower bots through when they figure out your rate limiting. Hopefully your customers won’t mind the five-second browser check.

Thanks, I will look into that. It may be more effective, however it is more obtrusive.
Any slowdown to checking out is a disaster. It doubles the number of Abandoned Carts which equal lost sales. I would prefer to try solutions that bother the customer less (if they do exist?) first. The bots may just give up and bother someone else if I can block them for a while.

Although I am computer literate, I have no experience with Cloudflare and I am looking for someone who already has learned the ropes with this to help me implement the changes.

1 Like

The ideal solution would probaby be to use Cloudflares Bot Management solution which is part of the Enterprise program.

Depending on the sophistication of the bots targeting your store, you may be able to find more a more cost effective solution such as increasing the security level for certain paths, enabling bot fight mode or using the firewall to implement more targeted rules to block bad behaviour.

Its difficult to give you a good recommendation on which tools to use without any technical details about your traffic/store. I’ll be happy to take a look if you wish - you can contact me through the details on my profile page.

If your customers are from one country, or a small set of countries, you can adjust the firewall rule to only apply to NOT customer countries, and then to ASNs of cloud providers, which is the source of many bots.

Our customers are mainly from the USA, the bots were coming from the Philippines. However when I blocked their country they started coming in from the USA. I put a JS challenge on the checkout page now, however this is far from optimum.

I would prefer something that does not slow down legitimate traffic.

You can also try Bot Fight Mode in Firewall → Tools.

Easier said than done, which it’s so important to comb through logs and look for commonalities for which traffic to allow, and which to challenge.


I have Bot Fight Mode enabled, a challenge on the Checkout page and blocked Philippines.

For now this has stopped them from flooding the site. I am not thrilled with the challenge on checkout. If things remain quiet I may try disabling that.

Again, thanks for all the sage advice.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.