Scammers and spammers are among those we encounter when doing business online. Publishers can run into issues when nefarious actors use donation forms for things such as card testing, where payments are submitted to check whether stolen card numbers work. This is a common occurrence with payments on the web in general and is not specific to Newspack sites.

If you are using Newspack or Stripe as your Reader Revenue platform, we recommend that you implement these best practices now to mitigate your site’s risk of card testing attacks.

  1. Set up reCAPTCHA for donations (for Newspack or Stripe donation options)
  2. Set a minimum donation level (for Newspack donation option only)

For those using a third-party service to manage donations, you’ll want to check with the provider to make sure that you are properly safeguarded against card testing attacks.


Setting up reCAPTCHA for donations

The reCAPTCHA for WooCommerce plugin is installed on every Newspack site. Only those who use “Newspack” as the Reader Revenue platform (which is built with WooCommerce) will need to activate this plugin.

The Stripe platform includes a native and integrated reCAPTCHA option. Only those who are actively using Stripe will need to update their settings for it.

If you haven’t already, you will first need to generate a Site Key and Secret Key with Google’s reCAPTCHA form.

Generating a Site Key and Secret Key

You can use the Google reCAPTCHA form to generate your keys. There are two options available: v2 and v3. Because it doesn’t require user interaction from folks who are donating, we recommend v3. If you are using Stripe as your payments platform, you must use reCAPTCHA v3. Learn more about the different versions.

In Google’s form, you will need to choose the following.

  • Label: Type in a label for your reCAPTCHA (e.g., your site name).
  • reCAPTCHA type: Select v3. Important: If you are using Stripe as your payments platform, you must use reCAPTCHA v3.
  • Domains: Add in your site’s domain(s). You can add more than one if you have several sites.
  • Owners: Add in the email addresses of anyone else (such as an admin on your team) who should have access to “own” and modify these reCAPTCHA settings.
  • Accept the reCAPTCHA Terms of Service: Check the box to accept.
  • Send alerts to owners: It’s best to keep this checked, as it will alert you via email if Google detects site issues via reCAPTCHA.

[Screenshot: reCAPTCHA keys generated by Google's form. Google’s reCAPTCHA form will generate two keys like this.]

Once you’ve generated these keys, follow the instructions below to add them to your settings for your site’s specific donation platform:

Setting up reCAPTCHA for the “Newspack” platform

The “Newspack” platform uses the reCaptcha for WooCommerce plugin to add a reCAPTCHA to the checkout page. The plugin comes bundled with all Newspack sites.

  1. Activate the reCaptcha for WooCommerce plugin. You can find this in your Plugins list, then activate it by selecting the Activate link under the plugin name.
  2. You will need a Site Key and a Secret Key to set this up. Make sure you’ve followed the instructions to use the Google reCAPTCHA form to generate two keys.
  3. Once you have the Site Key and Secret Key from Google, add those keys to your site’s WooCommerce settings. You can find this in your site’s admin area under WooCommerce > Settings, then the reCaptcha tab.

    You will need to fill in the following fields on this General Settings page.
    • Recaptcha Version: Make the same selection here, reCAPTCHA v2 or reCAPTCHA v3, that you did in Google’s form to set up your keys.
    • Site Key: Enter the site key generated by Google’s form.
    • Secret Key: Enter the secret key generated by Google’s form.
    [Screenshot: WooCommerce reCaptcha Settings tab. Select the Recaptcha Version and fill in the Site Key and Secret Key fields indicated.]
  4. Select the Save changes button at the bottom of the page to save those settings.
  5. Next, you’ll need to add this reCAPTCHA to the checkout page. You can find this setting on the same reCaptcha tab in WooCommerce settings. Select the link for Woo Checkout Captcha settings.

    There, select the checkbox to Enable Recaptcha on Guest Checkout.
  6. Scroll to the bottom of the Woo Checkout Captcha settings page and select Save changes.
    [Screenshot: Woo Checkout Captcha Settings page. Check the box for Enable Recaptcha on Guest Checkout.]

Setting up reCAPTCHA for Stripe

The Stripe donation platform includes a reCAPTCHA option.

  1. You will need a Site Key and a Secret Key to set this up. Make sure you’ve followed the instructions to use the Google reCAPTCHA form to generate two keys.
  2. Once you have used Google’s form to generate your Site Key and Secret Key, add those keys to your site’s Stripe settings. Go to Newspack > Reader Revenue, then the Stripe Settings tab. Scroll down to reCaptcha v3 Settings.

    You will need to fill in the following fields.
    • Use reCaptcha v3 to secure Stripe checkout: Check the box to reveal the form fields.
    • Site Key: Enter the site key generated by Google’s form.
    • Site Secret: Enter the secret key generated by Google’s form.
  3. Make sure to scroll down to the bottom of the Stripe Settings page and select the Save Settings button once you’ve filled in those settings.
    [Screenshot: reCAPTCHA section of the Stripe Settings page. Check the box for “Use reCaptcha v3 to secure Stripe checkout” to reveal the Site Key and Site Secret fields.]
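
With reCAPTCHA v3, the checkout page obtains a token using the Site Key, and the server sends that token with the Secret Key to Google's verification endpoint, which returns a JSON result containing a score. The sketch below is an added example (not Newspack, WooCommerce or Stripe code) of the checks a server applies to that result; the domain `news.example`, the action name `donate`, the 0.5 threshold and the sample responses are assumptions constructed for illustration.

```python
# Added example: checks applied to a parsed reCAPTCHA v3 verification result.
# Field names follow Google's documented siteverify JSON response; the policy
# values and sample responses below are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Policy:
    allowed_hosts: FrozenSet[str]   # the Domains registered in Google's form
    expected_action: str            # hypothetical action name for checkout
    min_score: float = 0.5          # assumed threshold; tune per site


def evaluate(resp: dict, policy: Policy) -> Tuple[bool, str]:
    """Return (allow, reason) for one verification result."""
    if resp.get("success") is not True:
        codes = ",".join(resp.get("error-codes", [])) or "unknown"
        return False, "verification failed: " + codes
    if resp.get("hostname") not in policy.allowed_hosts:
        return False, "token issued for an unlisted domain"
    score = resp.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        # v2 keys return no score: the version selected must match the keys.
        return False, "no score in response (keys are not v3?)"
    if resp.get("action") != policy.expected_action:
        return False, "action mismatch"
    if score < policy.min_score:
        return False, "score below threshold"
    return True, "ok"


POLICY = Policy(frozenset({"news.example"}), "donate")

# Constructed sample responses.
SAMPLES = {
    "human": {"success": True, "score": 0.9, "action": "donate", "hostname": "news.example"},
    "bot": {"success": True, "score": 0.1, "action": "donate", "hostname": "news.example"},
    "wrong_site": {"success": True, "score": 0.9, "action": "donate", "hostname": "other.example"},
    "bad_secret": {"success": False, "error-codes": ["invalid-input-secret"]},
    "v2_keys": {"success": True, "hostname": "news.example"},
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, evaluate(resp, POLICY))
```

The `bad_secret` and `v2_keys` cases correspond to the two setup mistakes this page warns about: a mistyped Secret Key and a version selection that does not match the keys generated in Google's form.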

Setting a minimum donation level for the “Newspack” platform

To avoid fraudulent card testing payments, it is a best practice to increase the minimum donation for your site above the default of $1. Follow these steps to update this for each of your site’s donation options.

  1. Navigate to your site’s Products list to access your list of donation options.
    [Screenshot: Products list. This is an example of a site with $1 set as the minimum on two donation options.]
  2. Edit each of the following Donate products to increase the minimum donation: “Donate: Yearly,” “Donate: Monthly,” and “Donate: One-Time.” You can skip the primary Donate product.
    • On the Edit product page, in the Product data meta box, update the Minimum Price field. We recommend setting this to $5.
    • Select Update at the top right of the Product page to save your settings.
    [Screenshot: Edit product meta box. Update the minimum price field.]

You’ll know you’ve updated this correctly if you can see From: $5.00 listed for each of those donation options in your Products list.

Questions

Have any questions? Let us know, and we’ll be happy to help you sort this out.