Charitable Documentation


Handling Donation Spam & Card Testing Attacks

If you are seeing thousands of “Pending” donations appear rapidly, you are likely the victim of a “Card Testing” attack. This is where bots use your donation form to test stolen credit card numbers to see which ones are valid.

This guide covers how to clean up the spam donation records and lists prevention steps for both Lite and Pro users. For more information on how Charitable continues to work on anti-spam measures, visit our blog.

⚠️ Important: Backups & Responsibility. Before running any bulk-deletion plugin or custom database script, create a full backup of your site. If a cleanup operation removes data unintentionally, or if the suggestions below do not resolve the issue, your safety net is restoring the site to the version saved before the changes were made. Running database queries and third-party scripts is done at your own risk; WP Charitable is not responsible for data loss resulting from these operations. If you are unsure how to use these tools, we strongly recommend consulting a web developer or contacting our support team before you proceed.


Removing Pending Donations

If you have a large number of spam donations, do not try to delete them manually in the WordPress dashboard: loading and deleting thousands of records one screen at a time will likely crash your browser or time out your server.

Method 1: Bulk Remove Donations Setting (Pro / Spam Blocker)

If you are using Charitable Pro (or the Lite plugin with the Spam Blocker addon) there is a “Bulk Remove Donations” setting under Charitable -> Settings -> Advanced/Misc that removes ALL failed and pending donations in your WordPress install. Because it cannot tell a spam record from a real donor whose payment is still pending or failed for an innocent reason, audit the pending and failed donations (and cross-check your gateway dashboard) before using this feature.

Warning: This permanently removes every failed and pending donation across all campaigns, not just the campaign you are currently viewing, and can only be undone by restoring a backup.

Method 2: Use a Bulk Delete Plugin

The easiest way to remove these records without touching code is to use a free plugin designed for this purpose. We also recommend this option because some plugins offer more control over which items to bulk delete.

  1. Go to Plugins > Add New and search for “Bulk Delete” (one such plugin is WP Bulk Delete, but use what you think matches your needs).
  2. Install and Activate the plugin.
  3. Go to Bulk WP > Bulk Delete Posts.
  4. Select Post Type: Choose Donations.
  5. Select Post Status: Choose Pending (or charitable-pending).
  6. Choose Action: Select “Move to Trash” or “Delete Permanently”.
  7. Run the deletion. Note: You may need to run this in batches if your server is slow.

Method 3: Use a Custom Script (Advanced)

If the plugin is struggling with the volume or you prefer a code-based solution, you can use our cleanup script.

  1. Install the free WPCode plugin.
  2. Use the following snippet to safely delete the pending donations directly from the database:
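The following is an added example of such a cleanup snippet, written for this page and not Charitable's own script. It deletes donations that carry the charitable-pending status (the status named in step 5 of the plugin method) in batches through the WordPress API, so a large backlog does not time out a single request, and it skips records less than an hour old so a real donor who is still mid-checkout is not deleted. It assumes the donation post type is `donation`; adjust that and the status slug if your install differs.

```php
// Added example for this page (not Charitable's own cleanup script).
// Paste into a WPCode "PHP Snippet" without the opening <?php tag.
// ASSUMPTIONS: the donation post type is 'donation' and the spam records
// carry the 'charitable-pending' status, as in step 5 of the plugin method.
// Take a full backup before activating this, and deactivate it when done.

add_action( 'admin_init', 'spam_cleanup_delete_pending_batch' );
add_action( 'admin_notices', 'spam_cleanup_admin_notice' );

/**
 * Delete one batch of old pending donations on each dashboard page load.
 * Running in batches keeps a single request short enough not to time out
 * on a slow host; reload the dashboard until the notice reports 0 left.
 */
function spam_cleanup_delete_pending_batch() {
	// Only an administrator loading wp-admin triggers a batch, never a visitor.
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	// Simple lock so two overlapping admin requests do not both start a batch.
	if ( get_transient( 'spam_cleanup_lock' ) ) {
		return;
	}
	set_transient( 'spam_cleanup_lock', 1, 5 * MINUTE_IN_SECONDS );

	$batch_size = 200;      // lower this on a slow server
	$min_age    = '1 hour'; // keep very recent pending records: a real donor
	                        // may still be mid-checkout, legitimately "pending"

	$ids = get_posts( array(
		'post_type'        => 'donation',
		'post_status'      => 'charitable-pending',
		'posts_per_page'   => $batch_size,
		'fields'           => 'ids',
		'orderby'          => 'ID',
		'order'            => 'ASC',
		'suppress_filters' => true,
		'date_query'       => array(
			array( 'before' => $min_age . ' ago' ),
		),
	) );

	$deleted = 0;
	foreach ( $ids as $id ) {
		// wp_delete_post( $id, true ) skips the trash, removes the postmeta
		// and fires the normal deletion hooks, so any bookkeeping Charitable
		// does on deletion runs; a raw DELETE on wp_posts would skip all that.
		if ( wp_delete_post( $id, true ) ) {
			$deleted++;
		}
	}

	// Remember the counts for the admin notice; autoload=false keeps the
	// option out of every front-end request.
	update_option( 'spam_cleanup_last_batch', $deleted, false );
	update_option( 'spam_cleanup_total', (int) get_option( 'spam_cleanup_total', 0 ) + $deleted, false );

	delete_transient( 'spam_cleanup_lock' );
}

/** Show progress in wp-admin so you know when to deactivate the snippet. */
function spam_cleanup_admin_notice() {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	$counts    = wp_count_posts( 'donation' );
	$remaining = isset( $counts->{'charitable-pending'} ) ? (int) $counts->{'charitable-pending'} : 0;
	printf(
		'<div class="notice notice-warning"><p>Spam cleanup: deleted %d this batch, %d in total; %d pending donations still in the database (records newer than one hour are skipped). Reload to run the next batch and deactivate this snippet when the count stops falling.</p></div>',
		(int) get_option( 'spam_cleanup_last_batch', 0 ),
		(int) get_option( 'spam_cleanup_total', 0 ),
		$remaining
	);
}
```

Deleting the WordPress records does nothing on the payment side: a pending record that actually captured money at Stripe or PayPal is still a charge there, which is why the gateway dashboards need a separate check.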

Important: Once the cleanup is done, remember to deactivate the snippet so it doesn’t continue running.

Steps To Take For Further Prevention

We recommend implementing measures in this order:

DNS & Server (The Best Defense)

The best place to stop a bot is before it even reaches your WordPress site.

  • Cloudflare: We highly recommend putting your site behind Cloudflare (the free plan is sufficient). Its “Bot Fight Mode” and rate-limiting rules block these requests at Cloudflare's edge, before they ever reach your server. This only covers traffic that actually passes through Cloudflare: your site's DNS records must be proxied (orange cloud), and your origin server's IP address should not be reachable directly, otherwise a bot that knows the IP can bypass the protection entirely.
  • Your Hosting Provider: Contact your host immediately. They can often see the attack patterns (e.g., traffic coming from a specific country) and block those IP addresses at the server level.

General WordPress Security

  • Security Plugins: Plugins like Wordfence or Solid Security have traffic monitoring tools that can detect aggressive bot behavior and block their IPs automatically.

Charitable Specific Settings

If you have a paid license and are using the original Charitable plugin (not Charitable Pro), ensure you have the Spam Blocker extension installed. It adds:

  • Rate Limiting: Helps prevent rapid-fire submissions.
  • CAPTCHA: Adds Google reCAPTCHA or hCaptcha to your forms.
  • IP Logging: Tracks the IP addresses of donors, allowing you to block specific offenders.

If you are using the free (Charitable Lite) version, you can use these settings and code snippets to add barriers:

  • Increase Minimum Donation Amount: Bots often test with very small amounts (e.g., $1.00) so that the charges go unnoticed by the cardholder.
    • Go to your Campaign editor.
    • Locate the Donation Options tab.
    • Increase the Suggested Minimum Donation amount (e.g., raise it from $1 to $5 or $10).
    • Note: While helpful, sophisticated bots can adapt to this, so do not rely on this as your only defense.
  • Block by Email Pattern: If the bots are using a specific email pattern (e.g., random letters or specific domains), you can use this snippet to block them:
  • Change URL: Temporarily changing the URL of your donation page can sometimes stop a bot that is targeting a specific link.
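The following is an added example of the email-pattern check described above, written for this page and not Charitable's own snippet. `spam_email_is_suspicious()` is plain PHP with no WordPress dependency and combines a domain block list with two heuristics for generated-looking addresses; the short hook at the end wires it into the donation form and rests on three assumptions you should verify against your Charitable version: the filter name `charitable_validate_donation_form_submission_data`, the posted field name `email`, and the `charitable_get_notices()->add_error()` helper. The block-list domains are constructed placeholders.

```php
// Added example for this page (not Charitable's own snippet). Paste into a
// WPCode "PHP Snippet" without the opening <?php tag.
// spam_email_is_suspicious() is plain PHP and needs nothing from WordPress;
// the hook at the bottom rests on ASSUMPTIONS: the filter name
// 'charitable_validate_donation_form_submission_data', the posted field name
// 'email' and the charitable_get_notices()->add_error() helper.

/** Domains you have seen the bots use. Constructed sample list; edit it. */
function spam_blocked_email_domains() {
	return array( 'example.com', 'example.net' );
}

/**
 * Return true when an address matches patterns seen in card-testing spam.
 * The thresholds are starting points chosen for this example; compare them
 * against the addresses in your own spam donations before relying on them.
 */
function spam_email_is_suspicious( $email, $blocked_domains ) {
	$email = strtolower( trim( (string) $email ) );

	// Malformed address: reject outright.
	if ( ! filter_var( $email, FILTER_VALIDATE_EMAIL ) ) {
		return true;
	}
	list( $local, $domain ) = explode( '@', $email, 2 );

	// 1. Exact match against the domains on your block list (the safe part).
	if ( in_array( $domain, $blocked_domains, true ) ) {
		return true;
	}

	// 2. "Random letters": a run of six or more consonants is rare in real
	//    names and addresses but common in generated ones (e.g. xkqzwplt).
	if ( preg_match( '/[b-df-hj-np-tv-z]{6,}/', $local ) ) {
		return true;
	}

	// 3. Long separator-free local part mixing letters and digits
	//    (e.g. a7f3k9q2m8x1p5w4), another common generator output.
	if ( strlen( $local ) >= 16
		&& preg_match( '/^[a-z0-9]+$/', $local )
		&& preg_match( '/[a-z]/', $local )
		&& preg_match( '/[0-9]/', $local ) ) {
		return true;
	}

	return false;
}

// ASSUMED hook name and argument list; check against your Charitable version.
add_filter( 'charitable_validate_donation_form_submission_data', 'spam_block_donation_email', 10, 3 );

function spam_block_donation_email( $valid, $fields, $form ) {
	// ASSUMED field name 'email'. sanitize_text_field() also strips newlines,
	// so a crafted address cannot inject fake lines into the log below.
	$email = isset( $_POST['email'] ) ? sanitize_text_field( wp_unslash( $_POST['email'] ) ) : '';

	if ( spam_email_is_suspicious( $email, spam_blocked_email_domains() ) ) {
		// Log the source so you can hand the IP to your host or Cloudflare.
		// Behind Cloudflare, REMOTE_ADDR is Cloudflare's own address; the
		// CF-Connecting-IP header carries the visitor IP, but only trust it
		// when all traffic really arrives through Cloudflare, as it is
		// trivially spoofed otherwise.
		$ip = isset( $_SERVER['HTTP_CF_CONNECTING_IP'] )
			? sanitize_text_field( $_SERVER['HTTP_CF_CONNECTING_IP'] )
			: ( isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown' );
		error_log( sprintf( '[donation-spam] rejected email %s from %s', $email, $ip ) );

		// Keep the message generic so the bot learns nothing about the rule.
		charitable_get_notices()->add_error( 'Please use a different email address.' );
		return false;
	}
	return $valid;
}
```

The domain block list is the only part of this check that cannot misfire on a real donor; heuristics 2 and 3 can reject unusual but legitimate addresses, so watch the rejection log for the first day and loosen the thresholds if genuine donors are being turned away.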

Note that Charitable Pro users have a “Security” tab that includes many of the features mentioned above. For example, here is a guide on advanced email validation.

Payment Gateway Protection (Stripe & PayPal)

Your payment processor often has advanced tools that can block fraud before it even notifies your website. Note the below info is accurate at time of writing – for the most updated information please check your own gateway provider sites.

Stripe Users: Stripe Radar

Stripe has a built-in fraud detection tool called Radar.

  • Standard Radar (Free): Comes with all Stripe accounts. It uses machine learning to block payments that look suspicious. You can also manually add specific email addresses or cards to a “Block list” in your Stripe Dashboard under Fraud & Risk > Lists.
  • Radar for Fraud Teams (Paid Upgrade): This version allows you to write Custom Rules.
    • Tip: If you notice the bots all use the same email domain (many different addresses at one domain), you can create a rule that blocks that entire domain.
    • AI Assistant: The paid version includes an AI assistant that lets you type natural language requests like “Block all payments where the email domain is example.com” and it will generate the rule for you.
    • Read more about Stripe Radar here.

PayPal Users: Fraud Protection

PayPal offers similar protections for Business accounts.

  • Fraud Protection: Go to Business Tools > Manage Risk > Fraud Protection. PayPal currently has a free fraud protection plan with upgrades possible.
  • You can set up filters to flag or decline transactions based on high dollar amounts, address mismatches (AVS), or card security code failures (CVV). If you identify specific email addresses or IP addresses repeatedly targeting you, you can add them to your negative lists within the PayPal Fraud Protection settings.
  • Read more about PayPal Fraud Management here.

We recommend monitoring your site closely for the first 24-48 hours after the changes are in place. If the spam starts again, immediately set the campaign status to ‘Draft’ (which takes the donation form offline) and tighten your security settings (e.g., enable “Under Attack Mode” in Cloudflare).

Check Your Stripe/PayPal Dashboards

While “Pending” donations in Charitable usually mean the payment was abandoned or failed, always double-check your Stripe or PayPal dashboard directly. Verify that no successful charges slipped through during the attack: the whole point of card testing is to find cards that work, so some attempts may have succeeded even though the Charitable record never left “Pending”. If you find any successful unauthorized charges, refund them immediately through the payment processor to avoid dispute fees or chargebacks later.

A Note on “Card Testing”

Please remember that “Card Testing” is a common issue affecting the entire e-commerce and donation industry, not just your specific site. Bots look for any open form to test stolen data. By using a combination of server-level blocking (like Cloudflare) and the on-site restrictions outlined above, you make your site an unattractive target, encouraging the bots to move on.

Misc Requests

If you are using any version of Charitable, including Charitable Lite, and need to contact our support team about anything not covered above, feel free to use our support form. If the inquiry is Stripe related, include the business name and information associated with the Stripe account you connected to your website via Charitable. This ensures that the information exchanged is kept private and secure.
