Blocking Spam Orders
An unfortunate trait of the internet is spam, along with the automated bots that disseminate it. Most of us are used to receiving spam emails, but as a business operator on the internet, you may also receive support requests and orders submitted in bulk by automated bots.
This guide looks at some of the ways you can help mitigate the impacts.
Block them from your website
The most effective mitigation method is to use a smart and responsive Web Application Firewall service, which can quickly identify undesirable traffic and block it from your website entirely.
If the bots never reach your website, they can't place orders, so the problem is solved! This should not have any impact on your genuine customers.
Some potential services (in no particular order and with no implied endorsement) are:
Add Invisible reCAPTCHA to Checkout
WHMCS version 7.6 and above includes an additional transparent human verification check to the checkout page of the order form.
Powered by Google Invisible reCAPTCHA technology, this will help block orders from automated bots whilst allowing the majority of customers to place orders without any interruption. If there is any confusion, users may be required to complete an image identification pattern before their order is entered into WHMCS.
1. Navigate to Configuration > System Settings > General Settings > Security.
2. Configure the captcha settings as follows:
   - Captcha Form Protection: "Always On" or "Off when logged in"
   - Captcha Type: Invisible reCAPTCHA (Google's reCAPTCHA system)
   - reCAPTCHA Site Key & Secret Key: Provided
   - reCAPTCHA for Select Forms: Shopping Cart Checkout checked
3. Click Save Changes.
NOTE: When registering your site on the reCAPTCHA site, be sure to select the Invisible type option.
More detailed instructions for configuring reCAPTCHA are located in our documentation.
Block Problematic Domains
If you are receiving multiple orders from different email addresses on the same domain, that domain can be blocked from placing any more orders:
- Navigate to Configuration > System Settings > Banned Emails
- Enter the domain you wish to block
- Click Add Banned Email
Orders from the blocked domain will no longer be permitted.
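One way to spot the pattern described above in an exported order list before adding a domain under Banned Emails. This is an added example, not WHMCS code; the (order_id, email) input format, the threshold of three addresses, and the skip list of shared mailbox providers are assumptions.

```python
from collections import defaultdict

# Assumption: large shared mailbox providers are never banned wholesale,
# because that would also block genuine customers.
SHARED_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}


def email_domain(address):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    return domain


def ban_candidates(orders, min_addresses=3):
    """Map domain -> sorted distinct addresses for domains with many senders.

    `orders` is an iterable of (order_id, email) pairs. A domain is reported
    when at least `min_addresses` different mailboxes on it placed orders.
    """
    seen = defaultdict(set)
    for _order_id, email in orders:
        domain = email_domain(email)
        if domain is None or domain in SHARED_PROVIDERS:
            continue
        seen[domain].add(email.strip().lower())
    return {d: sorted(a) for d, a in seen.items() if len(a) >= min_addresses}


# Constructed sample data (not real orders).
SAMPLE_ORDERS = [
    (101, "qx81@bulk-mail.example"),
    (102, "Zr44@Bulk-Mail.example"),
    (103, "qx81@bulk-mail.example"),  # repeat address, counted once
    (104, "mm09@bulk-mail.example"),
    (105, "alice@gmail.com"),
    (106, "bob@gmail.com"),
    (107, "carol@gmail.com"),
    (108, "dave@customer.example"),
    (109, "not-an-address"),
]

if __name__ == "__main__":
    for domain, addresses in ban_candidates(SAMPLE_ORDERS).items():
        print(f"{domain}: {len(addresses)} distinct addresses, review for Banned Emails")
```

Domains on the skip list are left out because banning a shared provider would also turn away genuine customers; those orders are better handled by the captcha and fraud checks.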
Remove Unnecessary Forms
Any form that a spam bot can complete automatically is a potential vector for more automated submissions.
You might not require some of the forms in WHMCS, which could be switched off without any loss to you.
- Untick Configuration > System Settings > General Settings > Other tab > Allow Client Registration
- Use a support department for sales, rather than email. Select a department from the Configuration > System Settings > Mail tab > Presales Form Destination dropdown.
- Review your Configuration > System Settings > Support Departments to make sure they are marked Clients Only, except the ones which truly need to be client-facing (such as Sales)
Thwart them with human verification
Whilst no human verification captcha is 100% bulletproof, Google reCAPTCHA v2 is effective. This can be enabled in WHMCS on the Setup > General Settings > Other tab.
Once configured, this will help protect the client registration page, the ticket submission pages and contact form, as well as the homepage domain checker. Configuration settings are located under Configuration > System Settings > General Settings > Security tab.
You could even go one step further and add a manual question on the order form which a real human can easily understand and answer, using a custom client field. This can be configured under Configuration > System Settings > Custom Client Fields:
Field Name: Are You Human?
Field Type: Text Box
Description: To help prevent automated submissions, please answer "YES" if you are a real human
Required Field = Yes
Show on Order Form = Yes
Automatically detect fraudulent orders
If an order does get through, the Maxmind module within WHMCS can automatically cancel orders from spam bots before payment. This will ensure they aren't able to make a fraudulent payment.
Setup is quick and easy via Configuration > System Settings > Fraud Protection.
You will need an account, and you can sign up for one here.
Share knowledge with your peers
Sharing experience and knowledge about which combination of techniques effectively combated a problem is an excellent tool to defeat those trying to cause trouble on the internet.
Join this discussion in the WHMCS Community.