Hi all,
We’re running a WooCommerce + Stripe store (lepure.com) on Kinsta and for the past several days we’ve been hit with a continuous wave of failed checkout attempts / manual card testing. Traffic is overwhelmingly from Philippines and Taiwan IPs — no legitimate customers in those regions, so blanket blocking is fine for us.
What we’ve tried so far:
- Opened a chat with Kinsta support asking to block those ranges — either wasn’t applied or didn’t stick.
- Manually added offending IPs to the IP Deny list in MyKinsta — attempts keep coming from fresh IPs in the same countries, so it’s a whack-a-mole.
What I’d like to hear from the community:
- Has anyone managed to set up country-level geoblocking (PH / TW) cleanly on Kinsta? Is the Kinsta firewall the right layer, or is everyone doing this via Cloudflare in front?
- For carding specifically on /checkout and /?wc-ajax=checkout, what’s working best — Cloudflare WAF managed rules, rate limiting, bot fight mode, a WooCommerce plugin, or a combination?
- Anyone blocking VPN / datacenter ASNs as well? Which ASN list / approach has been low-false-positive for you?
Goal is to stop this at the edge so it never hits PHP/Woo/Stripe. Any concrete rules, screenshots, or setups you’re happy with would be hugely appreciated.
Thanks!