Blocking Spam Orders

An unfortunate trait of the internet is spam and automated bots disseminating that spam. Most of us are used to receiving spam emails, but as a business operator on the internet, you may also receive support requests and orders submitted in bulk by automated bots.

This guide looks at some of the ways you can help mitigate the impacts.

Block them from your website

The most effective mitigation method is to use a smart and responsive Web Application Firewall service, which can quickly identify undesirable traffic and block it from your website entirely.

If the bots never reach your website, they can't place orders, so the problem is solved! This should not have any impact on your genuine customers.

Some potential services (in no particular order and with no implied endorsement) are:

Add Invisible reCAPTCHA to Checkout

WHMCS version 7.6 and above adds a transparent human verification check to the checkout page of the order form.

Powered by Google Invisible reCAPTCHA technology, this will help block orders from automated bots whilst allowing the majority of customers to place orders without any interruption. If there is any confusion, users may be required to complete an image identification pattern before their order is entered into WHMCS.


  1. Navigate to Configuration > System Settings > General Settings > Security.
  2. Configure the captcha settings as follows:
     • Captcha Form Protection: "Always On" or "Off when logged in"
     • Captcha Type: Invisible reCAPTCHA (Google's reCAPTCHA system)
     • reCAPTCHA Site Key & Secret Key: Provided
     • reCAPTCHA for Select Forms: Shopping Cart Checkout checked
  3. Click Save Changes.


v7.6 Configuration:

v7.6 captcha configuration

v7.7+ Configuration:

v7.7+ captcha configuration

NOTE: When registering your site on the reCAPTCHA site, be sure to select the Invisible type option:

Select Invisible reCAPTCHA

More detailed instructions for configuring reCAPTCHA are located in our documentation.

Block Problematic Domains

If you are receiving multiple orders from different email addresses on the same domain, that domain can be blocked from placing any more orders:

  1. Navigate to Configuration > System Settings > Banned Emails
  2. Enter the domain you wish to block
  3. Click Add Banned Email

Email Domain to be Blocked

Orders from the blocked domain will no longer be permitted.

Remove Unnecessary Forms

Any form that a spam bot can complete automatically is a potential vector for further automated submissions.

You might not require some of the forms in WHMCS, which could be switched off without any loss to you.

  1. Untick Configuration > System Settings > General Settings > Other tab > Allow Client Registration.
  2. Use a support department for sales, rather than email. Select a department from the Configuration > System Settings > Mail tab > Presales Form Destination dropdown.
  3. Review your Configuration > System Settings > Support Departments to make sure they are marked Clients Only, except the ones which truly need to be client-facing (such as Sales).

Support Department Configuration

Thwart them with human verification

Whilst no human verification captcha is 100% bulletproof, Google reCAPTCHA v2 is effective. This can be enabled in WHMCS on the Setup > General Settings > Other tab.

Once configured, this will help protect the client registration page, the ticket submission pages and contact form, as well as the homepage domain checker. Configuration settings are located under Configuration > System Settings > General Settings > Security tab.


You could even go one step further and add a manual question on the order form which a real human can easily understand and answer, using a custom client field. This can be configured under Configuration > System Settings > Custom Client Fields.

Custom Field Configuration

Field Name: Are You Human?

Field Type: Text Box

Description: To help prevent automated submissions, please answer "YES" if you are a real human

Validation: /[Y]+[E]+[S]/

Required Field = Yes

Show on Order Form = Yes
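
The following added example (not part of the WHMCS documentation) checks which answers the Validation pattern above accepts, next to a stricter alternative. It assumes the Validation field is applied as an unanchored, case-sensitive search in the way PHP's preg_match works; STRICT_PATTERN, the helper names and the sample answers are constructed for illustration.

```python
import re

# Pattern exactly as given in the guide's Validation field.
GUIDE_PATTERN = "/[Y]+[E]+[S]/"
# Assumed stricter alternative (not from the guide): whole-field match, any case.
STRICT_PATTERN = r"/^\s*yes\s*$/i"

_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def compile_delimited(expr):
    """Turn a '/body/flags' expression into a compiled Python regex."""
    if len(expr) < 2 or expr[0] != "/" or "/" not in expr[1:]:
        raise ValueError("expected /pattern/flags")
    body, _, flag_chars = expr[1:].rpartition("/")
    flags = 0
    for ch in flag_chars:
        if ch not in _FLAGS:
            raise ValueError(f"unsupported flag: {ch}")
        flags |= _FLAGS[ch]
    return re.compile(body, flags)


def accepts(expr, answer):
    """True if the answer passes an unanchored search (assumed preg_match behaviour)."""
    return compile_delimited(expr).search(answer) is not None


# Constructed sample answers: genuine customers and junk a form filler might send.
SAMPLES = ["YES", "yes", " Yes ", "YYYEEES", "EYES ONLY",
           "buy pills YES http://x.example", "NO", ""]


def compare(samples=SAMPLES):
    """Return (answer, guide_result, strict_result) for each sample."""
    return [(s, accepts(GUIDE_PATTERN, s), accepts(STRICT_PATTERN, s)) for s in samples]


if __name__ == "__main__":
    for answer, guide, strict in compare():
        print(f"{answer!r:35} guide={guide!s:5} strict={strict}")
```

The guide's pattern rejects a customer who types "yes" in lowercase and accepts any text that merely contains "YES"; the anchored, case-insensitive variant reverses both outcomes.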

Automatically detect fraudulent orders

If an order does get through, the Maxmind module within WHMCS can automatically cancel orders from spam bots before payment. This will ensure they aren't able to make a fraudulent payment.

Setup is quick and easy via Configuration > System Settings > Fraud Protection.

You will need an account, and you can sign up for one here.

Share knowledge with your peers

Sharing experience and knowledge about which combination of techniques effectively combated a problem is an excellent tool to defeat those trying to cause trouble on the internet.

Join this discussion in the WHMCS Community.