Additional SPAM Donation protection.
under review
Ben Meredith
Some users are reporting SPAM donations even with all of our recommended methods of SPAM prevention.
One suggestion is an encoded timestamp on the form which GiveWP would check for validity when the form is submitted, to prevent donations that are happening as a result of pinging a URL without visiting a form.
Either way, we need to more aggressively combat donor spam.
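The encoded-timestamp idea from the post above, sketched as an added example (not part of the original post and not GiveWP code). The form page embeds an HMAC-signed timestamp and nonce, and the submit handler rejects requests where the token is missing, altered, too fresh, expired or reused. All function names, thresholds and the secret are assumptions.

```php
<?php
// Added example: signed, time-limited form token. All names are hypothetical.

// Called when the form page is rendered; the result goes in a hidden field.
function issue_form_token(string $secret, int $now): string {
    $payload = $now . '.' . bin2hex(random_bytes(8));   // timestamp + nonce
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Called on submission. Returns 'ok' or the reason for rejecting.
// $seen stands in for a shared store (database or cache) of used nonces.
function check_form_token(string $token, string $secret, int $now, array &$seen,
                          int $minAge = 3, int $maxAge = 1800): string {
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return 'malformed';            // field missing: URL was hit without a form
    }
    [$ts, $nonce, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', "$ts.$nonce", $secret), $mac)) {
        return 'bad-signature';
    }
    $age = $now - (int) $ts;
    if ($age < $minAge) { return 'too-fast'; }
    if ($age > $maxAge) { return 'expired'; }
    if (isset($seen[$nonce])) { return 'replayed'; }
    $seen[$nonce] = (int) $ts + $maxAge;   // may be purged after this time
    return 'ok';
}

// Constructed demonstration values.
$secret = 'constructed-demo-secret';
$seen   = [];
$t0     = 1700000000;
$token  = issue_form_token($secret, $t0);
$forged = ($t0 + 100) . substr($token, strpos($token, '.'));  // timestamp altered

$cases = [
    'no token'         => ['',      $t0 + 20],
    'edited time'      => [$forged, $t0 + 120],
    'instant submit'   => [$token,  $t0 + 1],
    'normal submit'    => [$token,  $t0 + 20],
    'same token again' => [$token,  $t0 + 25],
    'stale token'      => [issue_form_token($secret, $t0), $t0 + 4000],
];
foreach ($cases as $label => [$tok, $at]) {
    echo str_pad($label, 18), check_form_token($tok, $secret, $at, $seen), "\n";
}
```

A token only proves that a form page was fetched recently, so a script that loads the form first still passes. It complements CAPTCHA and rate limits rather than replacing them.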
Angelina charo
Help
Angela Blake
under review
IBA RadioPharma Solutions
Indeed it's a mess with the carding attacks, it should be stopped by GiveWP directly. Same with all anti-spam plugins and protections, we still get attacks and the strangest thing is that the attacks are not visible in the WP back-end (no donation, no visit). Additional security in the plugin is needed. As the ticket has been "under review" for more than 3 years, can we expect a solution in the next months or should we go to another plugin? Thanks
Rudolf Wagner
My observations to prevent loads of donor spam mainly from Russian (mail.ru) domain:
Although most spam donors are very easy for a human to identify (the last name is most of the time a slight variation of the first name), they are not detected by the recommended anti-spam plugins and even register as WordPress users.
What doesn't work:
- Akismet Integration (does nothing)
- Setting the minimum donation amount higher (not working)
- Cloudflare as DNS (did not help)
- Zero Spam plugin (did not help and even caused other problems)
What worked (kind of):
- The Stop Donor Spam plugin (kept spammers from showing up as donors and prevented spam donations but not registering as WordPress users)
- reCAPTCHA (Some spammers still came through)
I now use both the Stop Donor Spam plugin and the Google reCAPTCHA and for now it works pretty well. I can only hope it doesn't prevent some real donors from donating.
What I do not understand is why the only solutions that work are not really supported by Give WP. The Stop Donor Spam plugin for some reason has been removed as a recommendation from the page https://givewp.com/documentation/core/frequent-troubleshooting-issues/donor-spam-troubleshooting/ and the reCAPTCHA is apparently treated as an afterthought where you have to tweak code and add it to your functions.php file instead of a proper integration in the form builder.
The biggest problem I see is that Give WP creates WordPress users regardless if the donation went through or not.
Why?
I really can't see any possible reason to do that. With the Stop Donor Spam plugin I managed to not fill the database with fake donors and donations but still lots of fake WordPress users got created. That causes a lot of trouble because they all get transferred to my CRM where they have to be removed manually.
Mark Root-Wiley
In my experience, our credit card testing "attacks" almost always use the same low amount and come in gigantic waves that far exceed what's normal for a site. I wonder if Give could develop some calculations for baseline expected giving amount variation and rate and then temporarily halt donations when those limits are exceeded. 10 consecutive $10 donations is weird. 20 donations on a single day when an org gets 5 a month is also weird. This could potentially be an opt-in feature if folks knew they'd be running unusual campaigns.
Lisa Spangler
We just started getting hit with some donor spam, so just installed Zero Spam -- we were already doing the other recommended security measures -- we have WordFence, SiteGround security, Cloudflare, Akismet. I think having a reCaptcha on the donor form could be a possible solution. Thanks!
Emily Perrier
Commenting to say that this ticket is almost three years old and I'm still having the same problem, even after all security measures recommended are employed.
We have thousands of 'pending' transactions that I keep having to delete manually from the database; they (because Stripe is doing their job and blocking them) never resolve as failed, and crash the site constantly.
Emily Perrier
Adding that this is happening with all of these set up/installed: Akismet (professional license for NonProfits given for free with contact), Wordfence, ZeroSpam and Wordfence, setting minimum amounts, blocking IPs, updating webhooks and APIs etc. etc. etc. We don't want to force our donors to register but it's looking like that might be the only solution until we switch plugins.
While it's a great plugin with a lot of features, it isn't worth it for us the way it's currently handling security issues.
Ben Meredith
Merged in a post:
Dealing w/ Spam Donations
Ed W
Hi - We're trying to block spam donations (and user creations) that are coming in through GiveWP and we're pretty unhappy that we've had to spend quite a number of hours already to do such. One of your recommendations is to use "the free version of Akismet" but that's available only for non-commercial use. Otherwise, it costs at least $100/yr. We've tried the Zero Spam plugin and found that it blocked real customers (false positives). We've tried the CleanTalk plugin, which seemed to accurately flag spam but pending Donation entries (and users) were still created by GiveWP, not really solving the problem. We find this to be very frustrating!
Options to limit when Donation entries and users are created might be helpful. Or offering built-in support for free or low-cost services like StopForumSpam.com (rather than having to pay $$$ for Akismet). Or... a setting where Pending donations made through non-offline gateways (and associated users) would automatically be deleted after 24 hours or some such.
In general, we're pretty unhappy with how GiveWP has handled this. It's largely a great plugin but the handling of this issue we find quite unsatisfactory.
Thank you.
Jeffrey Maher
I would like to add that GiveWP should be able to block donations when 10+ come in the same minute from the same IP Address. There are few circumstances where an organization is getting 10+ donations at the exact same minute.
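The velocity limits suggested in this comment and in Mark Root-Wiley's comment earlier in the thread (10+ attempts from one IP within a minute, 10 consecutive identical amounts, 20 donations in a day), as an added example that is not GiveWP code. The function name, the record fields and the sample wave are constructed for illustration.

```php
<?php
// Added example: velocity rules over donation attempts. Names are hypothetical.
// Each attempt: ['time' => unix seconds, 'ip' => string, 'amount' => int cents].

function velocity_flags(array $history, array $attempt, array $limits): array {
    $flags = [];

    // Rule 1: attempts from the same IP in the trailing 60 seconds.
    $sameIp = 1;
    foreach ($history as $h) {
        if ($h['ip'] === $attempt['ip'] && $attempt['time'] - $h['time'] < 60) {
            $sameIp++;
        }
    }
    if ($sameIp >= $limits['per_ip_per_minute']) { $flags[] = 'ip-burst'; }

    // Rule 2: unbroken run of identical amounts ending with this attempt.
    $run = 1;
    for ($i = count($history) - 1;
         $i >= 0 && $history[$i]['amount'] === $attempt['amount']; $i--) {
        $run++;
    }
    if ($run >= $limits['same_amount_run']) { $flags[] = 'amount-run'; }

    // Rule 3: total attempts in the trailing 24 hours against a site baseline.
    $day = 1;
    foreach ($history as $h) {
        if ($attempt['time'] - $h['time'] < 86400) { $day++; }
    }
    if ($day >= $limits['per_day']) { $flags[] = 'daily-volume'; }

    return $flags;
}

// Thresholds taken from the numbers mentioned in the thread.
$limits = ['per_ip_per_minute' => 10, 'same_amount_run' => 10, 'per_day' => 20];

// Constructed wave: 22 attempts of 10.00, three seconds apart, from one address
// in the 203.0.113.0/24 documentation range.
$history = [];
for ($n = 1; $n <= 22; $n++) {
    $attempt = ['time' => 1700000000 + 3 * $n, 'ip' => '203.0.113.7', 'amount' => 1000];
    $flags = velocity_flags($history, $attempt, $limits);
    if ($flags) {
        echo "attempt $n: ", implode(', ', $flags), "\n";
    }
    $history[] = $attempt;   // blocked attempts still count toward later checks
}
```

The history has to include attempts that never became completed donations, since the declined and pending ones are the signal.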
Kyle Johnson
under review