Captcha Protection

We strongly recommend that you update your settings to use reCAPTCHA v3 or hCaptcha®. These captcha options include enhanced protection against automated captcha solvers.

Preventing bots from accessing your website and store is challenging but vital for your business. Various verification methods can help you achieve this, with varying levels of accuracy for you and difficulty for your customers. Methods that are the most effective at catching bots can also create frustration for clients and cause you to lose of potential customers.

Captchas are one of the most popular methods of protecting against automated bot activity on sensitive pages.

For additional ways to prevent spam orders, see Spam Orders.

Captcha Methods

Different captcha types verify whether a visitor is human in differing ways:

Verification Codes

Some captchas display a verification code as part of an image that is difficult for bots to read. The visitor must enter the displayed code correctly before they can continue using your site.

To use this type of captcha, select Default (6 Character Verification Code) for Captcha Type in the Security tab at Configuration () > System Settings > General Settings.

Checkboxes

Some captchas display a checkbox that the visitor must interact with before they can continue using your site. These captchas will analyze the behavior of the user before, during, and after checking the checkbox. If the captcha system can verify that the user is human, the visitor can proceed. Otherwise, a mobile-friendly verification tool like a verification code captcha or an image selection challenge will appear.

Logging in to the Client Area with hCaptcha enabled.

To use this type of captcha, select reCAPTCHA v2 or hCaptcha for Captcha Type in the Security tab at Configuration () > System Settings > General Settings.

Invisible Captchas

Invisible captchas analyze visitor behavior without requiring them to check a checkbox. These captchas will determine whether they can verify that the visitor is human based on their behavior on your site. If the captcha system can verify that the user is human, the visitor can proceed. Otherwise, a mobile-friendly verification tool like a verification code captcha or an image selection challenge will appear.

If you use an invisible captcha type, a logo indicating the use of invisible captchas will appear in the bottom corner of protected pages.

Logging in to the Client Area with Invisible hCaptcha enabled.

To use this type of captcha, select Invisible reCAPTCHA v2, reCAPTCHA v3, or Invisible hCaptcha for Captcha Type in the Security tab at Configuration () > System Settings > General Settings.

Enabling Captchas

To enable captcha protection in WHMCS:

  1. Go to the Security tab at Configuration () > System Settings > General Settings.
  2. For Captcha Type, select the desired captcha type.
  3. If you are using Google reCAPTCHA or hCaptcha:
    1. Configure your Google or hCaptcha account.
    2. Copy the Site Key and Secret Key from that account into WHMCS.
    3. For reCAPTCHA v3, hCaptcha, or Invisible hCaptcha captcha types, enter a score threshold value.
  4. For Captcha for Select Forms, select the locations in which you want to use captchas.
  5. Click Save Changes.

For specific steps for your desired captcha type, see:

captchas client-area security

Last modified: September 6, 2024