Spam Orders

Automated bots and the spam that they create are just part of doing business online. In addition to spam emails, you may also receive support requests and orders in bulk from automated bots.

Many methods exist both within and external to WHMCS to help you with this problem.

Firewalls

A responsive firewall can quickly identify undesirable traffic and block it from your website entirely. This is the most effective method and will not have any impact on your legitimate customers.

We do not endorse any particular firewall service. However, the following list includes some of the most popular choices:

Captchas

  • We strongly recommend using reCAPTCHA v3 or hCaptcha® as your captcha type.
  • We added full support for reCAPTCHA v3 and hCaptcha in WHMCS 8.11.

Captchas like hCaptcha and Google®’s reCAPTCHA help block automated bots from accessing parts of your site or performing certain tasks, like placing orders. WHMCS supports several different captcha types that use verification codes, checkboxes, or invisible monitoring of visitor behavior to determine whether a visitor is human.

To use this, enable the desired captcha type in the Security tab at Configuration > System Settings > General Settings. When you do this, make sure to check Shopping Cart Checkout under Captcha for Select Forms.

For more information, see Captcha Protection.

Banned Email Domains

If you are receiving multiple orders from different email addresses on the same domain, you can block them at Configuration > System Settings > Banned Emails.

Unnecessary Forms

Spam bots often target automated forms in order to create more spam. We recommend disabling any WHMCS forms that you do not specifically need:

  • Disable Allow Client Registration in the Other tab at Configuration > System Settings > General Settings.
    The Other tab in General Settings
  • Use a support department for sales inquiries. To do this, select the desired department for Presales Form Destination in the Mail tab at Configuration > System Settings > General Settings.
    The Mail tab in General Settings
  • Check Clients Only for all support departments at Configuration > System Settings > Support Departments that do not need to be client-facing.
    Editing a support department in the Admin Area.

Custom Client Fields

You can add a manual question that a human can easily understand and answer using a custom client field at Configuration > System Settings > Custom Client Fields.

Use the following configuration:

Field Name: Are you human?
Field Type: Text Box
Description: To help prevent automated submissions, answer "YES".
Validation: /[Y]+[E]+[S]/
Required Field: Yes
Show on Order Form: Yes
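
The following added example (not part of the WHMCS documentation) shows which answers the Validation pattern above accepts, next to a stricter hypothetical pattern. It assumes the field is checked with an unanchored, PCRE-style search of the submitted value; STRICT_PATTERN, the sample answers and the function names are constructed for illustration.

```python
import re

# The pattern from the configuration above, in its /pattern/flags form.
PAGE_PATTERN = "/[Y]+[E]+[S]/"
# Hypothetical stricter variant (not from the page): whole field, any letter case.
STRICT_PATTERN = r"/^\s*yes\s*$/i"

_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def compile_delimited(expr):
    """Turn a '/pattern/flags' string into a compiled Python regex."""
    if len(expr) < 2 or not expr.startswith("/") or "/" not in expr[1:]:
        raise ValueError("expected /pattern/flags, got %r" % expr)
    body, _, flag_chars = expr[1:].rpartition("/")
    flags = 0
    for ch in flag_chars:
        if ch not in _FLAGS:
            raise ValueError("unsupported flag %r" % ch)
        flags |= _FLAGS[ch]
    return re.compile(body, flags)


def accepts(expr, value):
    """Assumption: a value passes when the pattern matches anywhere in it."""
    return compile_delimited(expr).search(value) is not None


# Constructed sample answers, as a customer or a form filler might type them.
SAMPLES = ["YES", "yes", "Yes", " YES ", "YYYEESSS", "YES please", "NO", ""]


def compare(samples=SAMPLES):
    """Return {answer: (page_pattern_result, strict_pattern_result)}."""
    return {v: (accepts(PAGE_PATTERN, v), accepts(STRICT_PATTERN, v))
            for v in samples}


if __name__ == "__main__":
    for value, (page, strict) in compare().items():
        print("%-14r page=%-5s strict=%s" % (value, page, strict))
```

The page's pattern is case-sensitive and unanchored, so it rejects "yes" and "Yes" from a legitimate customer while accepting any text that contains a run of Y, E and S in order.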

Automatically Detect Fraudulent Orders

If an order still passes through these preventative measures, the MaxMind module in WHMCS can automatically cancel orders from spam bots before payment. This will ensure they aren’t able to make a fraudulent payment.

You can configure this at Configuration > System Settings > Fraud Protection.

Only Auto Provision for Existing

You can configure WHMCS to only automatically provision services and register domains if the client already has an existing service or domain in the Active status. This allows you to prevent fraud by offering full automation for clients that you have already reviewed and fraud-checked while requiring manual review for everyone else.

To use this, enable the Only Auto Provision for Existing setting in the Ordering tab at Configuration > System Settings > General Settings.

Last modified: December 3, 2024