Charitable Documentation


Handling Donation Spam & Card Testing Attacks

If you are seeing thousands of “Pending” donations appear rapidly, you are likely the victim of a “Card Testing” attack. This is where bots use your donation form to test stolen credit card numbers to see which ones are valid.

This guide covers how to clean up the spam donations and general tips for both Lite and Pro users. For more information on how Charitable continues to work on anti-spam measures, feel free to visit our blog.

⚠️ Important: Backups & Responsibility

Before running any bulk deletion plugins or custom database scripts, you must create a full backup of your site. If a cleanup operation removes data unintentionally or if the suggestions above do not resolve the issue, your safety net is restoring your site to a version saved before the changes were made. Please be aware that running database queries and third-party scripts is done at your own risk; WP Charitable is not responsible for data loss resulting from these operations. If you are unsure about how to use these tools, we strongly recommend consulting with a web developer or contacting our support team for guidance before you proceed.


Removing Pending Donations

If you have a large number of spam donations, we do not recommend trying to delete them manually in the WordPress dashboard. This will likely crash your browser or time out your server.

If you are using Charitable Pro (or the Lite plugin with the Spam Blocker addon), there is a “Bulk Remove Donations” setting under Charitable -> Settings -> Advanced/Misc that can remove ALL failed and pending donations in your WordPress install. Note that this might remove legitimate donations, so it is best to do an audit prior to using this feature.

Warning: This permanently removes all donations from all campaigns.

The easiest way to remove these records without touching code is to use a free plugin designed for this purpose. We also recommend this option because some plugins offer more control over which items to bulk delete.

  1. Go to Plugins > Add New and search for “Bulk Delete” (one such plugin is WP Bulk Delete, but use what you think matches your needs).
  2. Install and Activate the plugin.
  3. Go to Bulk WP > Bulk Delete Posts.
  4. Select Post Type: Choose Donations.
  5. Select Post Status: Choose Pending (or charitable-pending).
  6. Choose Action: Select “Move to Trash” or “Delete Permanently”.
  7. Run the deletion. Note: You may need to run this in batches if your server is slow.

Method 3: Use a Custom Script (Advanced)

If the plugin is struggling with the volume or you prefer a code-based solution, you can use our cleanup script.

  1. Install the free WPCode plugin.
  2. Use the following snippet to safely delete the pending donations directly from the database:
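An added example of what such a cleanup can look like (not Charitable's own script): it assumes donations are stored as posts of type `donation` with status `charitable-pending`, and the function name, the `gr_cleanup` URL parameter and the date window are hypothetical placeholders. The first visit to `/wp-admin/?gr_cleanup=1` only reports how many donations match; deletion runs in small batches behind a nonce-protected link.

```php
// Added example, not Charitable's own cleanup script.
// Assumptions: donations are posts of type 'donation' with status
// 'charitable-pending'; the date window below is a placeholder.
add_action( 'admin_init', 'gr_cleanup_pending_donations' );

function gr_cleanup_pending_donations() {
	// Act only when an administrator opens /wp-admin/?gr_cleanup=1.
	if ( ! isset( $_GET['gr_cleanup'] ) || ! current_user_can( 'manage_options' ) ) {
		return;
	}

	$query = new WP_Query( array(
		'post_type'      => 'donation',           // assumed donation post type
		'post_status'    => 'charitable-pending', // status named in this guide
		'date_query'     => array( array(
			'after'     => '2000-01-01 00:00:00', // placeholder: attack start
			'before'    => '2000-01-02 00:00:00', // placeholder: attack end
			'inclusive' => true,
		) ),
		'posts_per_page' => 200,                  // one small batch per request
		'fields'         => 'ids',
		'orderby'        => 'ID',
		'order'          => 'ASC',
	) );
	$total = (int) $query->found_posts;

	// First visit is a dry run: report the count and offer a nonce-protected
	// link, so a forged request cannot trigger the deletion.
	$nonce = isset( $_GET['_wpnonce'] ) ? sanitize_key( $_GET['_wpnonce'] ) : '';
	if ( ! wp_verify_nonce( $nonce, 'gr_cleanup' ) ) {
		$url = wp_nonce_url( admin_url( '?gr_cleanup=1' ), 'gr_cleanup' );
		wp_die( sprintf(
			'Dry run: %d pending donations in the window. <a href="%s">Delete the next batch</a>',
			$total,
			$url
		) );
	}

	$deleted = 0;
	foreach ( $query->posts as $donation_id ) {
		// wp_delete_post() removes post meta and fires the delete hooks that
		// a raw SQL DELETE would skip; true bypasses the trash.
		if ( wp_delete_post( $donation_id, true ) ) {
			$deleted++;
		}
	}
	wp_die( sprintf( 'Deleted %d, %d remaining. Reload to continue.', $deleted, $total - $deleted ) );
}
```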

Important: Once the cleanup is done, remember to deactivate the snippet so it doesn’t continue running.

Steps To Take For Further Prevention

We recommend implementing measures in this order:

DNS & Server (The Best Defense)

The best place to stop a bot is before it even reaches your WordPress site.

  • Cloudflare: We highly recommend putting your site behind Cloudflare (their free plan is excellent). It includes “Bot Fight Mode” and rate limiting which can block these attacks at the DNS level.
  • Your Hosting Provider: Contact your host immediately. They can often see the attack patterns (e.g., traffic coming from a specific country) and block those IP addresses at the server level.

General WordPress Security

  • Security Plugins: Plugins like Wordfence or Solid Security have traffic monitoring tools that can detect aggressive bot behavior and block their IPs automatically.

Charitable Specific Settings

If you have a paid license and are using Charitable (not the Pro plugin), ensure you have the Spam Blocker extension installed.

  • Rate Limiting: Helps prevent rapid-fire submissions.
  • CAPTCHA: Adds Google reCAPTCHA or hCaptcha to your forms.
  • IP Logging: Tracks the IP addresses of donors, allowing you to block specific offenders.

If you are using the free (Charitable Lite) version, you can use these settings and code snippets to add barriers:

  • Increase Minimum Donation Amount: Bots often test with very small amounts (e.g., $1.00) to keep the transactions unnoticed.
    • Go to your Campaign editor.
    • Locate the Donation Options tab.
    • Increase the Suggested Minimum Donation amount (e.g., raise it from $1 to $5 or $10).
    • Note: While helpful, sophisticated bots can adapt to this, so do not rely on this as your only defense.
  • Block by Email Pattern: If the bots are using a specific email pattern (e.g., random letters or specific domains), you can use this snippet to block them:
  • Change URL: Temporarily changing the URL of your donation page can sometimes stop a bot that is targeting a specific link.

Note that Charitable Pro users have a “security” tab that includes many of the features mentioned above. For example, here is a guide on advanced email validation.

Payment Gateway Protection (Stripe & PayPal)

Your payment processor often has advanced tools that can block fraud before it even notifies your website. Note that the information below is accurate at the time of writing; for the most up-to-date information, please check your own gateway provider's site.

Stripe Users: Stripe Radar

Stripe has a built-in fraud detection tool called Radar.

  • Standard Radar (Free): Comes with all Stripe accounts. It uses machine learning to block payments that look suspicious. You can also manually add specific email addresses or cards to a “Block list” in your Stripe Dashboard under Fraud & Risk > Lists.
  • Radar for Fraud Teams (Paid Upgrade): This version allows you to write Custom Rules.
    • Tip: If you notice bots are all using the same email domain, you can create a rule to block that entire domain.
    • AI Assistant: The paid version includes an AI assistant that lets you type natural language requests like “Block all payments where the email domain is example.com” and it will generate the rule for you.
    • Read more about Stripe Radar here.

PayPal Users: Fraud Protection

PayPal offers similar protections for Business accounts.

  • Fraud Protection: Go to Business Tools > Manage Risk > Fraud Protection. PayPal currently has a free fraud protection plan with upgrades possible.
  • You can set up filters to flag or decline transactions based on high dollar amounts, address mismatches (AVS), or card security code failures (CVV). If you identify specific email addresses or IP addresses repeatedly targeting you, you can add them to your negative lists within the PayPal Fraud Protection settings.
  • Read more about PayPal Fraud Management here.

We recommend monitoring your site closely for the first 24-48 hours after changes have been enacted. If you see the spam start again, immediately switch your campaign status back to ‘Draft’ and increase your security settings (e.g., enable “Under Attack Mode” in Cloudflare).

Check Your Stripe/PayPal Dashboards

While “Pending” donations in Charitable usually indicate that the payment was abandoned or failed, you should always double-check your Stripe or PayPal dashboard directly. Verify that no successful charges slipped through during the attack. If you find any successful unauthorized charges, refund them immediately through the payment processor to avoid potential dispute fees or chargebacks later.

A Note on “Card Testing”

Please remember that “Card Testing” is a common issue affecting the entire e-commerce and donation industry, not just your specific site. Bots look for any open form to test stolen data. By using a combination of server-level blocking (like Cloudflare) and the on-site restrictions outlined above, you make your site an unattractive target, encouraging the bots to move on.

Misc Requests

If you are using any version of Charitable, including Charitable Lite, and need to contact our support team about anything not covered above, feel free to use our support form. If the inquiry is Stripe-related, feel free to supply any business name and information associated with the account you used to connect your website to Stripe via Charitable. This will ensure that information exchanged will be kept private and secure.
