XStore AJAX registration endpoint (admin-ajax.php) being abused

This topic has 2 replies, 2 voices, and was last updated 1 day, 2 hours ago by Jack Richardson

  • Andrea
    Participant
    June 3, 2026 at 10:28

    Hello,

    We are experiencing a serious bot-registration problem on our WooCommerce store running the XStore theme, and after investigation we have traced the root cause to the theme’s AJAX registration flow. We need your help to mitigate it.

    What we found

    We pulled all 2026 user registrations with no associated orders from the database. The volume is significant and clearly automated:

    – 4,202 fake registrations over 6 weeks, starting March 18, 2026, at a steady rate of 100+ per day.
    – Registrations arrive in daily blocks — for example, 135 users on 2026-04-25.
    – Between April 25–27, just two IPs accounted for 367 registrations:
    146.19.125.71 -> 206 registrations
    146.19.125.65 -> 161 registrations

    Bot request pattern (from our access logs):

    GET /account/
    POST /wp-admin/admin-ajax.php -> redirect
    GET /account/?registered=&nocache= <- account created

    The bot rotates its User-Agent on every request (various Chrome 103 strings on Windows 6.1/6.2/6.3/10, WOW64, etc.), uses HTTP/1.0, and registers roughly once every 5–6 minutes.

    Note: our contact forms are not the vector. We reviewed the last 6 days of logs and saw no abnormal pattern there; the contacts page gets very few views per day. The abuse is exclusively through registration.

    Root cause

    The registration is submitted via admin-ajax.php, not through the standard WooCommerce /my-account/ form. That AJAX endpoint has no reCAPTCHA / Turnstile / honeypot protection. The register_nonce alone is not sufficient, because the bot simply reads the nonce from the page before issuing the POST.

    Our questions

    1. Is there a supported way to disable the XStore AJAX registration call and force registration through the standard WooCommerce (non-AJAX) /my-account/ form?
    2. If not, can the AJAX registration endpoint be made to honor reCAPTCHA v3 / Cloudflare Turnstile / a honeypot field? We have been unable to find any setting to do this anywhere in the theme options.
    3. Is there a theme hook or filter we can use to inject our own server-side validation (CAPTCHA verification) into this AJAX handler?

    This is currently polluting our user base with thousands of fake accounts, so a way to either disable the AJAX endpoint or attach bot protection to it is urgent for us.

    Thank you for your help.

    Best regards,
    Dynamica
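Added example (not part of the original post, and not theme code): a Python scan of combined-format access logs for the three-step sequence described above, flagging IPs that complete a POST to admin-ajax.php immediately followed by GET /account/?registered=, and reporting whether they used HTTP/1.0 throughout and how many User-Agent strings they rotated through. The log lines, IPs and timestamps are constructed for the example.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [ts] "METHOD path HTTP/ver" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample (TEST-NET addresses, made-up timestamps): one bot completing the
# sequence with rotating UAs over HTTP/1.0, one human on the standard form, one mixed case.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Apr/2026:10:00:01 +0000] "GET /account/ HTTP/1.0" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/103.0.0.0"
203.0.113.10 - - [25/Apr/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.0" 302 0 "-" "Mozilla/5.0 (Windows NT 6.3) Chrome/103.0.0.0"
203.0.113.10 - - [25/Apr/2026:10:00:03 +0000] "GET /account/?registered=&nocache=1 HTTP/1.0" 200 6000 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/103.0.0.0"
198.51.100.7 - - [25/Apr/2026:10:05:10 +0000] "GET /account/ HTTP/1.1" 200 5120 "https://shop.example/" "Mozilla/5.0 (X11; Linux) Firefox/125.0"
198.51.100.7 - - [25/Apr/2026:10:06:40 +0000] "POST /account/ HTTP/1.1" 302 0 "https://shop.example/account/" "Mozilla/5.0 (X11; Linux) Firefox/125.0"
203.0.113.11 - - [25/Apr/2026:10:07:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.2) Chrome/103.0.0.0"
203.0.113.11 - - [25/Apr/2026:10:07:01 +0000] "GET /account/?registered=&nocache=1 HTTP/1.0" 200 6000 "-" "Mozilla/5.0 (Windows NT 6.2) Chrome/103.0.0.0"
"""

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_bot_registrations(log_text):
    """Group requests by IP and count completed AJAX registrations (POST admin-ajax.php
    immediately followed by GET /account/?registered=). Returns {ip: summary}."""
    by_ip = defaultdict(list)
    for rec in parse(log_text):
        by_ip[rec["ip"]].append(rec)  # file order is chronological
    flagged = {}
    for ip, recs in by_ip.items():
        completed = sum(
            1 for prev, cur in zip(recs, recs[1:])
            if prev["method"] == "POST" and prev["path"] == "/wp-admin/admin-ajax.php"
            and cur["method"] == "GET" and cur["path"].startswith("/account/?registered=")
        )
        if completed:
            flagged[ip] = {
                "registrations": completed,
                "http10_only": all(r["ver"] == "1.0" for r in recs),
                "distinct_user_agents": len({r["ua"] for r in recs}),
            }
    return flagged
```

Run against a real log, the per-IP counts are the same figures quoted in the post (registrations per source IP), and the HTTP/1.0 and UA-rotation fields give two extra signals to separate the bot from ordinary shoppers.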

    1 Answer
    Jack Richardson
    Support staff
    June 3, 2026 at 16:01

    Hello @Andrea,

    Our theme does not perform any AJAX registration or login actions. However, it includes code that adds additional verifications during the login and registration processes to make non-caching processes.

    We have added the following code snippet to the “child-theme/functions.php” file on your website to prevent the theme’s code from affecting the registration process:

    // Child-theme override: defining this function first pre-empts the theme's
    // function of the same name (assumed to be wrapped in function_exists()),
    // so the registration redirect URL is returned unchanged.
    function etheme_woocommerce_force_proper_registration_redirect( $redirect ) {
        return $redirect;
    }

    This restores the default behavior, similar to the default Storefront theme (that you can also test), without adding any extra parameters to the URL. We kindly ask you to check it now.

    If you would also like to use the default login process, you can uncomment the code we added in your “child-theme/functions.php” file (see: https://gyazo.com/26d00f6e5de53f6b7eb96753acbec329).

    Please note that if you wish to insert any custom code into the registration process, it would require an additional customization request, as this is not included in our basic support scope.

    Best regards,
    Jack Richardson
    The 8Theme’s Team
