Blocking Spam Orders
An unfortunate trait of the internet is spam and automated bots disseminating that spam. Most of us are used to receiving spam emails, but as a business operator on the internet, you may also receive support requests and orders submitted in bulk by automated bots.
This guide looks at some of the ways you can help mitigate the impacts.
Block them from your website
The most effective mitigation method is to use a smart and responsive Web Application Firewall service, which can quickly identify undesirable traffic and block it from your website entirely.
If the bots never reach your website, they can't place orders, so the problem is solved! This should not have any impact on your genuine customers.
Some potential services (in no particular order and with no implied endorsement) are:
Add Invisible reCAPTCHA to Checkout
We have developed an action hook which adds an additional transparent human verification check to WHMCS. It applies specifically to the checkout page of the order form:
Powered by Google Invisible reCAPTCHA technology, this will help block orders from automated bots whilst allowing the majority of customers to place orders without any interruption. If there is any confusion, users may be required to complete an image identification pattern before their order is entered into WHMCS.
To install the hook, follow the steps below.
- Download the hook (attached at the bottom of this post)
- Upload to the /includes/hooks/ directory of your WHMCS installation
- The hook leverages the same Google reCAPTCHA configuration as defined in Setup > General Settings > Security. Therefore, please ensure the Captcha settings are configured there as follows:
  - Captcha Form Protection: "Always On" or "Off when logged in"
  - Captcha Type: reCAPTCHA (Google's reCAPTCHA system)
  - reCAPTCHA Site Key & Secret Key: Provided
NOTE: When registering your site on the reCAPTCHA site, be sure to select the Invisible type option.
Block Problematic Domains
If you are receiving multiple orders from different email addresses on the same domain, that domain can be blocked from placing any more orders:
- Navigate to Setup > Other > Banned Emails
- Enter the domain you wish to block
- Click Add Banned Email
Orders from the blocked domain will no longer be permitted.
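One way to pick the domains worth banning, as an added example (not part of WHMCS or of the original guide): the script below flags a domain only when several distinct addresses on it ordered within a short window, and skips shared mailbox providers, since banning those would also block genuine customers. The order list, the thresholds and the provider set are constructed assumptions; feed it an export of your own orders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Shared mailbox providers: a ban here would lock out genuine customers.
# "freemail.example" is a constructed stand-in used by the sample data.
SHARED_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "freemail.example"}

# Constructed sample orders: (client email, order time).
SAMPLE_ORDERS = [
    ("a1@bulk-mail.example", "2024-05-01 10:00:00"),
    ("A1@Bulk-Mail.example", "2024-05-01 10:01:00"),  # same address, other case
    ("b2@bulk-mail.example", "2024-05-01 10:02:00"),
    ("c3@bulk-mail.example", "2024-05-01 10:05:00"),
    ("u1@freemail.example", "2024-05-01 11:00:00"),
    ("u2@freemail.example", "2024-05-01 11:10:00"),
    ("u3@freemail.example", "2024-05-01 11:20:00"),
    ("x@slow.example", "2024-05-01 09:00:00"),
    ("y@slow.example", "2024-05-03 09:00:00"),
    ("z@slow.example", "2024-05-06 09:00:00"),
    ("not-an-email", "2024-05-01 12:00:00"),
]

def email_domain(address):
    """Return the lower-cased domain of an address, or None if it is malformed."""
    local, sep, domain = address.strip().rpartition("@")
    return domain.lower() if sep and local and "." in domain else None

def ban_candidates(orders, min_addresses=3, window_hours=24):
    """Map each domain to its peak count of distinct addresses ordering in one window."""
    window = timedelta(hours=window_hours)
    by_domain = defaultdict(list)
    for address, placed in orders:
        domain = email_domain(address)
        if domain and domain not in SHARED_PROVIDERS:
            when = datetime.strptime(placed, "%Y-%m-%d %H:%M:%S")
            by_domain[domain].append((when, address.strip().lower()))
    flagged = {}
    for domain, events in by_domain.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({a for _, a in events[start:end + 1]}))
        if best >= min_addresses:
            flagged[domain] = best
    return flagged

print(ban_candidates(SAMPLE_ORDERS))
```

Review each flagged domain before adding it under Banned Emails; a small business or school domain can legitimately produce several orders in one day.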
Remove Unnecessary Forms
Every form a spam bot can complete automatically is a potential vector for more automated submissions.
You might not require some of the forms in WHMCS, which could be switched off without any loss to you.
- Untick Setup > General Settings > Other tab > Allow Client Registration
- Use a support department for sales, rather than email. Select a department from the Setup > General Settings > Mail tab > Presales Form Destination dropdown.
- Review your Setup > Support > Support Departments to make sure they are marked Clients Only, except the ones which truly need to be client-facing (such as Sales)
Thwart them with human verification
Whilst no human verification captcha is 100% bulletproof, Google reCAPTCHA v2 is effective. This can be enabled in WHMCS on the Setup > General Settings > Other tab.
Once configured, this will help protect the client registration page, the ticket submission pages and contact form, as well as the homepage domain checker. Configuration settings are located under Setup > General Settings > Security tab.
You could even go one step further and add a manual question on the order form which a real human can easily understand and answer, using a custom client field. This can be configured under Setup > Custom Client Fields:
- Field Name: Are You Human?
- Field Type: Text Box
- Description: To help prevent automated submissions, please answer "YES" if you are a real human
- Required Field: Yes
- Show on Order Form: Yes
Automatically detect fraudulent orders
If an order does get through, the MaxMind module within WHMCS can automatically cancel orders from spam bots before payment. This will ensure they aren't able to make a fraudulent payment.
Setup is quick and easy via Setup > Fraud Protection.
You will need an account, and you can sign up for one here.
Share knowledge with your peers
Sharing experience and knowledge about which combination of techniques effectively combated a problem is an excellent tool to defeat those trying to cause trouble on the internet.
Join this discussion in the WHMCS Community.