Hi @sibelius123
I am very sorry to hear this is happening. Here’s some information that I hope helps.
To start with I would refer you to this documentation article which covers ways to remove pending donations and some steps to help secure your site.
In summary (from the guide):
- Install a free “Bulk Delete” plugin. This will allow you to select the “Donation” post type and “Pending” status to delete them in batches without crashing your site. If that doesn’t work, the guide includes a link to a specific code snippet (Plan B) that handles the deletion for you.
Note the clear warning at the top of the article to backup your site before attempting any plugin or coding solutions.
That same guide has listed steps for prevention including free methods you can use right now:
- Increase Minimum Donation: Edit your campaign and raise the minimum donation amount (e.g., to $5 or $10). Bots often target $1 amounts. (Note: Do not rely on this alone, as bots can adapt).
- Cloudflare: Using their free plan to block bots at the DNS level is often the most effective way to stop these massive attacks.
- Hosting: Ask your host to block the IPs generating this traffic.
WordPress security plugins can be of help. If you are able to identify the IP addresses or patterns, your host is your best friend here!
Let me know if this helps or if you have any questions.
Hi there,
This is currently happening to my site as well. I use Stripe and implemented their Radar option. It lets you create rules to block spam donations from going through and has an AI assistant that helps you create them correctly. The main thing I saw on mine was that the email domain used by the bots was, @example.com so I created a rule to block anyone using that email domain. It’s blocked hundreds of attempts. I believe PayPal has a similar setup.
That is an excellent tip thank you for sharing it @apeacewithin
Stripe Radar is incredibly powerful. I do believe the ability to create Custom Rules (like blocking @example.com specifically) and the AI Assistant you mentioned are features of the “Radar for Fraud Teams” plan. Standard Stripe accounts get the machine learning protection (which is still good) but the custom rules engine usually requires that upgrade.
PayPal has a similar feature called “Fraud Protection” (found I believe under Business Tools > Manage Risk). they have different levels (including free) and unique features as well.
Dear WP Charitable,
I’ve followed your online guidelines regarding fraud, and I’ve refunded 12 fraud donations directly in Stribe.
How do I get the ‘WP Charitable application fee’ back again?
It is clearly fraud attemps, and of course it can’t be meant that I have to pay for these fees.
@sibelius123 in cases like this our team usually attempts to locate the account involved using any business name and other info in Stripe to reach out directly. That might already have happened – I would check emails the website is associated with the Stripe Connect account. If you don’t spot any communication then the documentation above has been recently updated to answer further questions. I hope this helps. Let me know if you have any further questions.
Dear David,
I have checked my mail and my strippe account, but can’t see any messages etc from your team. Could you please forward this tread and my question regarding refund to your team?
best regards
Martin
@sibelius123 I’ve confirmed from the team that the only contact information they have would be through the contact email on the website you shared at the start of this thread. I would check that email first, make sure to check spam folder as well. If you still cannot locate that again I would consult the documentation link I provided as it was updated to cover misc topics and it might be fruitful for you in case. I hope this helps. Let me know if you have any further questions.
