bnb

This looks like what we need to stop spamming orders. Is there a plan to include this in WHMCS itself witho it being just a hook? thank you

I installed the patch and tried recaptcha V3 and that didn’t stop spammers. My last attempt was using the unofficial Cloudflare Turnstile mentioned above and that worked perfectly. @WHMCS John is there a reason why hcaptcha is taking priority over cloudlfare? Why not implementing both at the same time for the next release due to this problem being so common now?

I was told by WHMCS official support that it is not recommended deleting users through in batches as there are too many relational tables. I did it manually almost every day and it’s now all clear. And yes, turnstile hack works.

This is working for me too, and overall, I trust Cloudflare quite a lot for these captcha and other firewall concerns. I turned off the custom field question and activated turnstile and so far no spammy registrations (more than 12 hours). However, this configuration was not straightforward. The hook file is not 100% ready. You need to add the code in a specific location, otherwise, it will give you a page error. Here's how to get it done easily. I hope WHMCS team takes this seriously and includes Cloudflare turnstile in their roadmap very soon, instead of waiting for votes on feature requests.

Ok… The custom field “solution” is no longer working. We are getting new registrations again even with a mandatory custom field in the order form. My guess is that these spammers are looking on this page since it’s public and bypass all solutions here. Is there a way to turn this post private or something similar? @WHMCS John is there any eta for hcaptcha or turnstile even as a patch to see if we can solve this permanently?

Did you consider an alternative to reCaptcha such as Cloudflare Turnstile? Since reCaptcha is so widely used, I guess trying to bypass it is a great challenge for many spammers/hackers and alike. It would be interesting to see how turnstile behaves with this problem.

Unfortunately, reCaptcha v3 didn’t solve anything. It is no better than v2 or invisible alternative. The only fix that worked for us was the custom field. That still works for now.

Let me remain naive until I am proven wrong 😉 Wishful thinking is part of my lifestyle. "Fear"... not so much.

Thankfully, the words "competent" and "hacker" do not always go together.

If they find we are all using the same answer in the custom field, then it might be easy to go through this protection. So far... so good... but I am sure WHMCS is working on this matter. At least that's what one support representative told me.

An easier solution is to add a custom field in the registration form by following these instructions: https://docs.whmcs.com/orders/spam-orders/#custom-client-fields About 48h now with zero fake registrations. I believe this is all automated from a bot using some sort of script targeting WHMCS websites.

This also worked for us. Zero spam orders after implementing this custom field on the registration page. It has been 24h so far. We were getting around 20-30 registrations per day. captcha was on all the time, and strong WAF in place. These registrations are made by bots, somehow…

I am also looking to export all products, product groups and prices. How can we do this?

I used the WHMCS bridge in the past and stopped because of these nuisances. It was too time-consuming to keep everything working flawlessly. There are other alternatives though.

Check the error logs. I had a very low PHP memory limit when I moved servers and got these errors often until it was increased. But it can be something totally different. The logs will point you to the right direction.