### [Customizing Stripe Card Testing Protection in WPForms](https://wpforms.com/developers/customizing-stripe-card-testing-protection-in-wpforms/)

**Published:** July 14, 2026
**Author:** Umair Majeed

**Excerpt:** Learn how to tune or disable WPForms' Stripe card testing protections using PHP filters.

**Content:**

WPForms 2.0 introduced 3 automatic protection layers that detect and block card testing attacks against the built-in Stripe integration: low-amount surge detection, a site-wide rate cap, and Stripe Radar session telemetry. Card testing (also called carding) is an attack where scripts probe stolen card numbers with small charges to find the ones that work.

The protections run automatically with tuned defaults and have no settings UI. Every threshold and behavior is controlled through the PHP filters documented on this page. If you’re looking for general Stripe setup instructions instead, see our [Stripe documentation](https://wpforms.com/docs/how-to-install-and-use-the-stripe-addon-with-wpforms/).

**Requirements:**

- WPForms 2.0 or later. The protections apply to Stripe payments in both the free and paid versions.
- By default, the protections only run on live mode payments. Stripe test mode payments skip them unless you opt in with the `wpforms_stripe_run_protections_in_test_mode` filter.

## How the Protections Work

- **Low-Amount Surge Detection:** Counts Stripe payment attempts at or below a threshold amount (default $3.00) across the whole site in a sliding window. When the count exceeds the limit, all low-amount Stripe payments are blocked for a set duration. Payments above the threshold keep processing. WPForms sends 1 email to the site administrator and shows a dismissible admin notice per block period.
- **Global Rate Cap:** Counts failed card attempts (Stripe `CardException` errors) across all visitors site-wide. When failures exceed the cap, all Stripe payments are blocked until the window expires. This extends the per-IP rate limit that has shipped with WPForms since version 1.8.2, and the 2 limits work independently.
- **Stripe Radar Sessions:** Creates a Radar session when a Stripe form loads and attaches it to the payment method. This feeds behavioral signals into Stripe’s own fraud engine so its risk scoring gets sharper. It’s passive telemetry with no thresholds and no blocking on the WPForms side.

When a payment is blocked by surge detection, the customer sees “Payment processing is temporarily unavailable. Please try again later or contact the site owner.” When the global rate cap blocks payments, the customer sees “Unable to process payment, please try again later.” Blocks lift automatically when their duration expires.

## Low-Amount Surge Detection Filters

FilterTypeDefaultDescription`wpforms_stripe_low_amount_surge_enabled`bool`true`Turns surge detection on or off.`wpforms_stripe_low_amount_threshold`float`3.00`Amount ceiling. Payments at or below this amount count toward the surge and are blocked while a block is active.`wpforms_stripe_low_amount_surge_count`int`10`Number of low-amount attempts inside the window that triggers a block.`wpforms_stripe_low_amount_surge_window`int`120`Sliding window length in seconds.`wpforms_stripe_low_amount_block_duration`int`HOUR_IN_SECONDS`How long the block lasts, in seconds.`wpforms_stripe_low_amount_surge_email_to`string`get_option( 'admin_email' )`Recipient of the card testing alert email.For example, a busy donation site that legitimately receives many small payments may want a higher surge count and a shorter block:

```

// Allow 30 low-amount attempts per window before blocking.
add_filter( 'wpforms_stripe_low_amount_surge_count', function () {
	return 30;
} );

// Shorten the block from 1 hour to 15 minutes.
add_filter( 'wpforms_stripe_low_amount_block_duration', function () {
	return 15 * MINUTE_IN_SECONDS;
} );

// Send the alert email to a dedicated inbox.
add_filter( 'wpforms_stripe_low_amount_surge_email_to', function () {
	return 'payments@example.com';
} );
```

**Note:** Surge state is stored in the `wpforms_stripe_low_amount_counter`, `wpforms_stripe_low_amount_block`, and `wpforms_stripe_low_amount_notified` transients. If you change these filter values while a block is active, delete the transients so the new values take effect immediately.

## Global Rate Cap Filters

FilterTypeDefaultDescription`wpforms_stripe_rate_limit_global_enabled`bool`true`Turns the site-wide rate cap on or off.`wpforms_stripe_rate_limit_global_allowed_attempts`int`50`Number of failed card attempts site-wide before all Stripe payments are blocked.`wpforms_stripe_rate_limit_global_expires_in`int`HOUR_IN_SECONDS`Length of the counting window and the block, in seconds.The pre-existing per-IP rate limit keeps its own filters and is unaffected by the global scope: `wpforms_stripe_rate_limit_allowed_attempts` (default `3`) and `wpforms_stripe_rate_limit_expires_in` (default 6 hours).

For example, to raise the global cap on a high-traffic store:

```

// Allow 200 failed card attempts per hour site-wide before blocking.
add_filter( 'wpforms_stripe_rate_limit_global_allowed_attempts', function () {
	return 200;
} );
```

## Stripe Radar Session Filter

Radar sessions send behavioral telemetry from the payment page to [Stripe Radar](https://docs.stripe.com/radar), Stripe’s fraud prevention engine. WPForms creates the session on form load in both the Card Element and Payment Element flows and attaches it to the payment method it creates. The call is best-effort: if the Radar API is unavailable, the payment proceeds normally without a session.

FilterTypeDefaultDescription`wpforms_stripe_radar_session_enabled`bool`true`Turns Radar session creation on or off.```

// Disable Radar session telemetry.
add_filter( 'wpforms_stripe_radar_session_enabled', '__return_false' );
```

**Note:** Stripe doesn’t attach Radar sessions to payments completed through Stripe Link. This is a Stripe platform limitation, not a WPForms setting.

## Testing the Protections in Stripe Test Mode

The protections skip Stripe test mode by default so normal development workflows aren’t affected by false positives. To exercise them in test mode, opt in and lower the thresholds so blocks trigger quickly:

```

// Run the protections in Stripe test mode.
add_filter( 'wpforms_stripe_run_protections_in_test_mode', '__return_true' );

// Trigger the surge block on the 3rd low-amount attempt.
add_filter( 'wpforms_stripe_low_amount_surge_count', function () {
	return 2;
} );

// Auto-unblock after 30 seconds for fast retries.
add_filter( 'wpforms_stripe_low_amount_block_duration', function () {
	return 30;
} );
```

With those filters active, submit 3 payments of $2 or less using a Stripe test card. The 3rd attempt is blocked, the alert email is sent, and the admin notice appears. A payment above the threshold still processes during the block. See our [guide to testing Stripe payments](https://wpforms.com/docs/how-to-test-stripe-payments-on-your-site/) for setting up test mode and test cards.

If a block from an earlier test is still active after you change filter values, clear the stored state with WP-CLI:

```

wp transient delete wpforms_stripe_low_amount_block
wp transient delete wpforms_stripe_low_amount_counter
wp transient delete wpforms_stripe_low_amount_notified
```

## Related

- [How to Install and Use the Stripe Addon With WPForms](https://wpforms.com/docs/how-to-install-and-use-the-stripe-addon-with-wpforms/)
- [Testing Stripe Payments](https://wpforms.com/docs/how-to-test-stripe-payments-on-your-site/)
- [A Complete Guide to Payment Field Types in WPForms](https://wpforms.com/docs/a-complete-guide-to-payment-field-types-in-wpforms/) (see the Minimum Price option, the recommended defense that makes low-amount card testing unprofitable)
- [Stripe Radar documentation](https://docs.stripe.com/radar)

---

