The Invisible Attack Slowing Down WooCommerce Stores
Since March 2026, we’ve been tracking a pattern of bot traffic targeting WooCommerce stores. It doesn’t deface your site. It doesn’t steal customer data. It doesn’t even show up in most security scans. But it can quietly make your store so slow that real customers give up and leave.
If your WooCommerce site has been mysteriously sluggish over the past few weeks — pages timing out, checkout grinding to a halt, customers complaining they can’t browse — this might be what’s happening to you.
What We’re Seeing
Thousands of automated requests are hitting WooCommerce cart pages — adding products, removing them, sometimes both in the same request. Each request comes from a different source, and each one only visits once or twice. Individually, every request looks like something a normal shopper might do.
But no real shopper adds and removes a product in the same request. And real shoppers don’t arrive in coordinated waves from thousands of different locations.
Why It Matters for Your Store’s Uptime
Whatever the intent behind this traffic — and we’ll get to that — the effect on your store is what matters.
Every time something gets added to a WooCommerce cart, your store does a surprising amount of work behind the scenes: creating a shopping session, writing to the database, running plugin hooks. Each of those requests ties up your server for several seconds.
Your store can only handle a limited number of visitors at once. At just 20 to 30 of these bot requests per minute, a typical store has no capacity left for real customers. Your site isn’t crashed — it’s full. There’s a queue, and your real visitors are stuck at the back of it.
The tricky part: your hosting dashboard will probably show memory usage is fine. Your uptime monitor might say the site is up. The only clue is that pages take forever to load and your server’s workload creeps up — symptoms that could point to dozens of other causes.
What Might the Bots Be After?
Honestly, we can’t say for certain. It could be straightforward resource exhaustion — tying up your store to hurt your business or distract from something else. But there are other possibilities worth knowing about.
The “remove from cart” links in WooCommerce use a code that’s based on the product ID. Security researchers have pointed out that these codes are predictable — if you know a product’s ID (which is often visible on the page), you can work out the removal code. The bots may be probing for stores where certain security checks aren’t properly enforced, or fingerprinting sites to confirm they’re running WooCommerce and map out their product catalogues.
There’s also a well-documented pattern of bots using cart and checkout flows to test stolen credit card numbers. Adding items to a cart is the first step toward reaching a payment form.
Whatever the motivation, the uptime impact is real and immediate.
Why It’s Hard to Spot
It doesn’t look like a traditional attack. There’s no flood of traffic from one source. Each bot comes from a different location and only makes one or two requests.
Standard security measures don’t catch it. The usual approach of blocking visitors who make too many requests is useless when each visitor only makes one. The traffic arrives through normal channels, looking like ordinary web requests.
Your monitoring probably won’t flag it. Server memory stays within normal limits. The only tell is rising page load times and an increasing server workload — but those symptoms could mean anything.
What You Can Do
If you suspect this might be affecting your store, here’s what to discuss with your hosting provider or web developer:
Ask about server worker capacity. The key metric isn’t memory or CPU — it’s whether your server has enough “workers” available to serve real customers. Your hosting provider can check this, and it’s the fastest way to confirm whether this pattern is affecting you.
Review your cart traffic. Your server logs will show requests to cart pages. A sudden increase in cart activity that doesn’t match your actual sales is a red flag.
Consider cart-specific protections. There are ways to add lightweight verification to cart actions — similar to how contact forms use anti-spam measures — without affecting the experience for real shoppers. A quick check before the cart does any heavy lifting can stop these requests from consuming server resources.
Talk to your hosting provider. This is a server-level issue that benefits from server-level solutions. A good hosting provider can implement filtering rules that catch this pattern without blocking legitimate customers.
Keep Your Store Available
Regardless of what these bots are ultimately trying to achieve, the practical problem is the same: your real customers can’t get through. The good news is that once you know what to look for, it’s very manageable. The bad news is that without the right monitoring in place, you could be losing sales right now without realising why.
If your WooCommerce store has been slower than usual lately — especially if your hosting provider says everything looks fine on their end — it’s worth investigating. Get in touch and we can check your server logs for signs of this pattern.
