Blocking Spam Orders

Automated bots and the spam that they create are just part of doing business online. In addition to spam emails, you may also receive support requests and orders in bulk from automated bots.

Many methods exist both within and external to WHMCS to help you with this problem.

Firewalls

A responsive firewall can quickly identify undesirable traffic and block it from your website entirely. This is the most effective method and will not have any impact on your legitimate customers.

We do not endorse any particular firewall service. However, the following list includes some of the most popular choices:

reCAPTCHA v3

reCAPTCHA v3 offers Google's best protection from spam and abuse. It uses advanced risk analysis techniques to tell humans and bots apart, which can help you prevent undesirable orders from being placed.

We added support for reCAPTCHA v3 in WHMCS 8.11, or via a hotfix in WHMCS 8.10.

For WHMCS 8.10 you must first apply the hotfix:
 

  1. Click Download this Hotfix to the right of the hotfix download page.
  2. Upload and extract the file to your WHMCS installation's directory.
    1. If you have customised your admin directory, make sure to upload the contents of `admin` to your custom admin directory.
    2. When asked to override files, select yes.

For all versions, follow these configuration instructions: 

  1. Go to https://www.google.com/recaptcha/admin
    1. Click + to register a new site
    2. Choose the Score based (v3) reCAPTCHA type.
    3. Enter your domain under the domains section.
    4. Click Submit
    5. Copy the Site Key and Secret Key that Google generated and enter them in WHMCS.
  2. Return to WHMCS and go to Configuration > System Settings > General Settings > Security tab.
  3. Enter the Google reCAPTCHA Site Key and Secret Key.
  4. Check Shopping Cart Checkout and Client Registration under reCAPTCHA for Select Forms.
  5. For reCAPTCHA Score Threshold, enter the desired minimum score for reCAPTCHA verification. You can enter a value between 0 (least restrictive) and 1 (most restrictive). For example, `.5`.
  6. Click Save Changes.
  7. Submissions will start to be recorded on the Google reCAPTCHA site, alongside a score for each threshold. Use this information to adjust the reCAPTCHA Score Threshold setting as necessary to block automated submissions.

reCAPTCHA v3 adds a new setting, reCAPTCHA Score Threshold, at Configuration > System Settings > General Settings > Security tab.

For guidance setting this score, see: https://developers.google.com/recaptcha/docs/v3#interpreting_the_score

Banned Email Domains

If you are receiving multiple orders from different email addresses on the same domain, you can block it at Configuration > System Settings > Banned Emails.

For more information, see Banned Emails.
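
To find domains that fit this pattern, you can group an exported list of orders by email domain and count the distinct addresses that ordered close together. The following is an added example, not WHMCS code; the sample orders, the one-hour window, the threshold of three addresses and the shared-provider list are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (email, order time); not real orders.
SAMPLE_ORDERS = [
    ("kq81@bulk-signup.example", "2024-05-01T10:00:00"),
    ("ZT12@Bulk-Signup.example", "2024-05-01T10:02:00"),
    ("pw77@bulk-signup.example", "2024-05-01T10:03:00"),
    ("kq81@bulk-signup.example", "2024-05-01T10:04:00"),  # repeat address
    ("mm09@bulk-signup.example", "2024-05-01T10:05:00"),
    ("anna@gmail.com", "2024-05-01T10:01:00"),
    ("bob@gmail.com", "2024-05-01T10:06:00"),
    ("carl@gmail.com", "2024-05-01T10:07:00"),
    ("it@agency.example", "2024-05-01T09:00:00"),
    ("billing@agency.example", "2024-05-03T14:00:00"),
    ("owner@agency.example", "2024-05-06T11:00:00"),
    ("not-an-email", "2024-05-01T10:08:00"),
]

# Assumption: shared providers legitimate customers use; never ban these wholesale.
SHARED_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}


def email_domain(address):
    """Return the lower-cased domain, or None for a malformed address."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    return domain.lower().rstrip(".")


def ban_candidates(orders, min_addresses=3, window=timedelta(hours=1)):
    """Map domain -> most distinct addresses seen ordering inside one window."""
    by_domain = defaultdict(list)
    for email, when in orders:
        domain = email_domain(email)
        if domain and domain not in SHARED_PROVIDERS:
            by_domain[domain].append((datetime.fromisoformat(when), email.strip().lower()))
    flagged = {}
    for domain, events in by_domain.items():
        events.sort()
        start, best = 0, 0
        for end, (when, _) in enumerate(events):
            while when - events[start][0] > window:  # slide window forward
                start += 1
            best = max(best, len({addr for _, addr in events[start:end + 1]}))
        if best >= min_addresses:
            flagged[domain] = best
    return flagged
```

Review each flagged domain before you add it at Configuration > System Settings > Banned Emails.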

Unnecessary Forms

Spam bots often target automated forms in order to create more spam.

To help with this, disable any WHMCS forms that you don't need:

  1. Disable Allow Client Registration in the Other tab at Configuration > System Settings > General Settings.
  2. Use a support department for sales by selecting it for Presales Form Destination in the Mail tab at Configuration > System Settings > General Settings.
  3. Ensure that you have checked Clients Only for any support departments at Configuration > System Settings > Support Departments that do not need to be client-facing.

Custom Client Field

You can add a manual question that a human can easily understand and answer using a custom client field at Configuration > System Settings > Custom Client Fields.

Use the following configuration:

Field Name: Are you human?
Field Type: Text Box
Description: To help prevent automated submissions, answer “YES”.
Validation: `/[Y]+[E]+[S]/`
Required Field: Yes
Show on Order Form: Yes

Require Client Email Verification

Use the Client Email Verification feature to prevent visitors placing orders until they have first verified their email address via a time-limited one-time link.

See our Prevent orders from clients with an unverified e-mail address guide to learn how to implement this.

Automatically detect fraudulent orders

If an order does get through, the MaxMind and FraudLabs Pro modules in WHMCS can automatically cancel orders from spam bots before payment. This will ensure they aren't able to make a fraudulent payment.

You can configure this at Configuration > System Settings > Fraud Protection.