Problem Description
This relates to combating increasingly widespread card testing attacks against WooCommerce stores.
From this attack perspective, WooCommerce core is woefully underequipped to stop any attacks out of the box (you absolutely need to install aftermarket reCAPTCHA, rate limiting and similar advanced systems to have any hope of not falling victim).
When your store gets hit, the attack can create tens of thousands of garbage Users, Orders and Subscriptions overnight. These attacks have no upper time limit; they are only limited by how quickly site admins/devs can react and deploy countermeasures.
Now you also have a massive cleanup operation to deal with, parts of which have no "as it was before" solution: garbage sequential user/order/subscription IDs cannot realistically be rewound or gap-filled retroactively.
Solution Description
It's unlikely WooCommerce core can be adjusted to be more defensive any time soon.
To lower attack impact, I'm proposing to explore the issue subject.
If we don't create Subscriptions immediately, there's less garbage, not only from attacks but also from regular business.
Testing instructions
N/A
Product impact
[x] Does this feature affect WooCommerce Subscriptions? yes/no/tbc, add issue ref
[ ] Does this feature affect WooCommerce Payments? yes/no/tbc, add issue ref
Dev notes
The Order should gain all the necessary meta (if it doesn't already have it), and status-change hooks could create the subscription later.
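One way to implement the dev note above, as an added example that is not the page's or the WooCommerce Subscriptions project's own code: the subscription is created from a status-change hook only once the parent order is paid, so orders generated by card-testing bots (which stay pending or failed) never produce a subscription record. The hook name and the wcs_* helpers are public WooCommerce/WCS APIs as I know them; the function name and both meta keys are hypothetical.

```php
<?php
// Added example, not WooCommerce Subscriptions code. Assumes: WCS is active
// (wcs_* helpers exist), checkout-time subscription creation has been disabled
// elsewhere, and checkout stored the subscription terms on the order under the
// hypothetical meta key '_deferred_subscription_terms' (array: period, interval).
add_action( 'woocommerce_order_status_changed', 'example_create_subscription_on_paid', 10, 4 );

function example_create_subscription_on_paid( $order_id, $old_status, $new_status, $order ) {
    // Only act once the order is actually paid; card-testing orders stay
    // pending/failed and therefore never reach this point.
    if ( ! in_array( $new_status, array( 'processing', 'completed' ), true ) ) {
        return;
    }
    // Idempotency: status hooks can fire more than once for the same order.
    if ( $order->get_meta( '_deferred_subscription_created' ) ) {
        return;
    }
    $terms = $order->get_meta( '_deferred_subscription_terms' ); // hypothetical key
    if ( empty( $terms ) || ! is_array( $terms ) ) {
        return;
    }
    $subscription = wcs_create_subscription( array(
        'order_id'         => $order->get_id(),
        'customer_id'      => $order->get_customer_id(),
        'billing_period'   => $terms['period'],   // e.g. 'month'
        'billing_interval' => $terms['interval'], // e.g. 1
        'start_date'       => current_time( 'mysql', true ),
    ) );
    if ( is_wp_error( $subscription ) ) {
        $order->add_order_note( 'Deferred subscription creation failed: ' . $subscription->get_error_message() );
        return;
    }
    // Copy only the subscription products from the parent order's line items.
    foreach ( $order->get_items() as $item ) {
        $product = $item->get_product();
        if ( $product && WC_Subscriptions_Product::is_subscription( $product ) ) {
            $subscription->add_product( $product, $item->get_quantity() );
        }
    }
    $subscription->calculate_totals();
    $subscription->update_status( 'active' );
    // Record the link on the order so a repeated status change cannot create a second subscription.
    $order->update_meta_data( '_deferred_subscription_created', $subscription->get_id() );
    $order->save();
}
```

Because nothing is written until the paid transition, a flood of failed card-testing orders leaves only the orders themselves to clean up, and the subscription ID sequence stays free of gaps.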
Any reasons why not?
Additional context
https://github.com/woocommerce/woocommerce/issues/24603 https://github.com/woocommerce/woocommerce-gateway-stripe/issues/918 (maybe more)