Blocking Spam Orders

Automated bots and the spam that they create are just part of doing business online. In addition to spam emails, you may also receive support requests and orders in bulk from automated bots.

Many methods exist both within and external to WHMCS to help you with this problem.


A responsive firewall that can quickly identify undesirable traffic and block it from your website entirely. This is the most effective method and will not have any impact on your legitimate customers.

We do not endorse any particular firewall service. However, the following list includes some of the most popular choices:

Invisible reCAPTCHA

Invisible reCAPTCHA helps block orders from automated bots while allowing the majority of customers to place orders without any interruption. If reCAPTCHA detects a potential issue, it may require the user to complete an image identification pattern before placing the order.

To use this, enable Invisible reCAPTCHA in the Security tab at Configuration > System Settings > General Settings (Setup > General Settings prior to WHMCS 8.0).

Make certain that you check Shopping Card Checkout under reCAPTCHA for Select Forms.

For more information, see Security Tab and Google reCAPTCHA.

Banned Email Domains

If you are receiving multiple orders from different email addresses on the same domain, you can block it at Configuration > System Settings > Banned Emails.

For more information, see Banned Emails.

Unnecessary Forms

Spam bots often target automated forms in order to create more spam.

To help with this, disable any WHMCS forms that you don't need:

  1. Disable Allow Client Registration in the Other tab at Configuration > System Settings > General  Settings.
  2. Use a support department for sales by selecting it for Presales Form Destination in the Mail tab at Configuration > System Settings > General Settings.
  3. Ensure that you have checked Clients Only for any support departments at Configuration > System Settings > Support Departments that do not need to be client-facing.

Google reCAPTCHA v2

You can enable Google reCaptcha v2 in the Security tab at Configuration > System Settings > General Settings.

It helps to protect the client registration page, ticket submission pages, contact form, and homepage domain checker.

Custom Client Field

You can add a manual question that a human can easily understand and answer using a custom client field at Configuration > System Settings > Custom Client Fields.

Use the following configuration:

Field Name Are you human?
Field Type Text Box
Description To help prevent automated submissions, answer “YES”.


Required Field Yes
Show on Order Form Yes

Automatically detect fraudulent orders

If an order does get through, the MaxMind module in WHMCS can automatically cancel orders from spam bots before payment. This will ensure they aren't able to make a fraudulent payment.

You can configure this at Configuration > System Settings > Fraud Protection.