Jump to content

Hook to block subdomains from being used as existing domains

Recommended Posts

When it comes time to order a hosting plan, sometimes you don't want your users to be able to enter in a subdomain when using an existing domain for their order.

In this post I am going to walk you through a basic hook that prevents entering a subdomain by using some client-side JavaScript.

Our first order of business will be to check out the WHMCS hooks index to see if there is a hook point that will fit our needs: https://developers.whmcs.com/hooks/hook-index/

It turns out, the ClientAreaFooterOutput hook will do nicely: https://developers.whmcs.com/hooks-reference/output/#clientareafooteroutput

The reason for this is because that hook point will allow you to inject HTML code, which also can contain JavaScript, into the client-side template so you can make the magic happen.

Before getting into more detail, let's go ahead and dive right into the code. You can also download it from this link block_subdomains.txt (then rename the extension to .php). Here is the entire snippet:

add_hook('ClientAreaFooterOutput', 1, function($vars) {
    $jqueryCode = '<script>
    $("#owndomainsld").on("keyup", function(e) {
        var str = $("#owndomainsld").val();
        if ( str.indexOf(".") != -1 ) {
            alert("Subdomains are not allowed!");
    if (strpos($_SERVER['REQUEST_URI'], 'cart.php') !== false ) {
        return $jqueryCode;

The first thing to notice is the add_hook function is being called with the ClientAreaFooterOutput hook point as the first argument and an anonymous function as the second argument. The anonymous function also has a $vars variable being passed into it. For this example the $vars variable is not actually being used in the body of the function, but it does contain some useful parameters should you need to access them. Those parameters can be found in the documentation for the hook point linked above.

The next thing to notice is the $jqueryCode variable. which is actually a PHP string that contains the JavaScript code we will be injecting into our client-side page. Since WHMCS uses the jQuery JavaScript library and loads it on the page, we can use it in our code.

First, we need to bind an event listener to the keyup event on the domain text box and provide it a callback function to execute when that event occurs. This can be easily done by targeting the element's HTML ID attribute. That is what is happening here:

$("#owndomainsld").on("keyup", function(e) {...

After that, the value of the domain text field is stored in a JavaScript variable called str. Since this code is inside our callback function, it will be executed every time the user presses a key on the keyboard and then releases it:

var str = $("#owndomainsld").val();

Once we have that text stored in our str variable, we need to check it for a dot or period '.' character to see if it is a subdomain.

This can be done with indexOf string function in JavaScript. If the text appears to be a subdomain, we'll go ahead and empty out the text field and then show an alert to the user to let them know that subdomains are not allowed:

if ( str.indexOf(".") != -1 ) {
    alert("Subdomains are not allowed!");

Finally, the last part of the hook does a case-insensitive string search on the $_SERVER['REQUEST_URI'] (the URL of the page you're visiting), to check and see if a cart page is being rendered. If a cart page is detected, the JavaScript code is injected into that page so it can run.

if (strpos($_SERVER['REQUEST_URI'], 'cart.php') !== false ) {
    return $jqueryCode;

Putting it all together, we get the final results in WHMCS which look like the picture here:

subdomain not allowed.png

I hope this post proved helpful and gives some insight on some of the ways that WHMCS can be extended to do many different things outside the box! 

At the time of writing this post, this hook was tested on the latest stable release of WHMCS 7.4.2 and should work with any that fall under Active Support as per the LTS schedule here: https://docs.whmcs.com/Long_Term_Support#WHMCS_Version_.26_LTS_Schedule

If you have any feedback, questions, or concerns that I did not cover in this post, please feel free to reach out!

  • Party/Celebrate 1

Share this post

Link to post
Share on other sites

I didn't tried your script, but it seems to block also full legit third-level domains: i.e., .co.uk ...

I guess the only way to be sure if it's a sub-domain or if it's a legit third-level would be a whois query...


Share this post

Link to post
Share on other sites

Hello Remitur,

I can confirm that this hook does not block the use of TLDs such as .co.uk because the hook only affects the SLD field on the shopping cart.

The TLD field will remain unaffected and allow the user to proceed through the checkout process.

I have attached a couple screenshots to show how this looked on my test installation.

co uk domain test.png


Share this post

Link to post
Share on other sites
This topic is now closed to further replies.

  • Similar Content

    • By wp4all
      Hi @ all,
      got some problems with modifying the configuredomains.tpl
      This is what I have at the moment :

      This is what I would like to have :

      That's the part that drives me to despair :
      {foreach key=domainfieldname item=domainfield from=$domain.fields} <div class="form-group"> <label class="{$responsio.classes.col}-3 {$responsio.classes.label} control-label">{$domainfieldname}</label> <div class="{$responsio.classes.col}-8"> {if $domainfield.type == "tickbox"}<div class="checkbox {$responsio.classes.checkbox}">{$domainfield}</div>{else}{$domainfield|replace:"type=\"text\"":"type=\"text\" class=\"form-control `$responsio.classes.input`\""|replace:"type=\"password\"":"type=\"password\" class=\"form-control `$responsio.classes.input`\""|replace:"<select":"<select class=\"form-control `$responsio.classes.input`\""|replace:"<textarea":"<textarea class=\"form-control `$responsio.classes.input`\""|replace:"style=\"width:90%;\"":""}{/if} </div> </div>{/foreach} Maybe someone has an idea how I could solve it .
      Thanks and best regards
    • By jamshed_11946
      Hello Guys,
      I changed my whmcs installation location and moved outside public_html folder and now domain pricing feeds have stopped working.
      Check this link for feeds https://hostinpk.com/domains-pricing/
      I contacted WHMCS team and they are not helping further. Is there any chance to get the pricing populated on this page by keeping the whmcs installation folder outside public_html folder.
      I am using this code snippet https://docs.whmcs.com/Data_Feeds#Domain_Pricing_Table
    • By Cubeboy
      I need to get rid of the date when I add files on the admin side.
      when I upload a file the a clients account in the admin section, it displays in the client area and it time stamps it. how can I remove the time stamp? OR remove the whole hook and add it back with my own var?
      use WHMCS\View\Menu\Item;
      add_hook('ClientAreaHomepagePanels', 1, function (Item $homePagePanels)
      $homePagePanels->removeChild('your files:dateadded');
    • By sitesme
      I need to add a code from a similar tool like Google Analytics into my WHMCS installation.
      I know how to add it in the header files but I was wondering if I could use a hook file to avoid the theme files to be overwritten. If so, could someone give me the exact hook code file syntax so I just add my code there?
      Thank you
    • By robetus
      I found an older post regarding this but I wanted to post a working hook that adds recaptcha to the checkout page. I think this a great thing especially if you're being bombarded with fake accounts and orders.
      <?php if (!defined("WHMCS")) die("This file cannot be accessed directly"); function limitOrders($vars) { $url = 'https://www.google.com/recaptcha/api/siteverify'; $privatekey = "YOUR_RECAPTCHA_SECRET_KEY_HERE"; $response = file_get_contents($url . "?secret=" . $privatekey . "&response=" . $_POST['g-recaptcha-response'] . "&remoteip=" . $_SERVER['REMOTE_ADDR']); $data = json_decode($response); if (isset($data->success) AND $data->success == true) { // everything is ok! } else { $pm = $vars['paymentmethod']; if ($pm == "paypalpaymentspro") { global $errormessage; $errormessage.= "<li> Please, confirm that you are not a robot! <br/></li>"; } //if CC } } //function add_hook("ShoppingCartValidateCheckout", 1, "limitOrders"); Change YOUR_RECAPTCHA_SECRET_KEY_HERE to your the recaptcha private/secret key Google gives you. I'm using for my credit card checkout which is "paypalpaymentspro" but you can use it for any payment method. I think you really only need if you accept credits though. To get your payment method view source on the checkout page and search for "paymentmethod" your payment method will be near this.
      In your checkout.tpl file you also need to add somewhere under the "Complete Payment" button:
      <div class="g-recaptcha" data-sitekey="YOUR_RECAPTCHA_PUBLIC_KEY_HERE"></div> Replace YOUR_RECAPTCHA_PUBLIC_KEY_HERE with your public recaptcha key provided by Google.
      This is tested working on WHMCS v7.5.1.
  • Recently Browsing   0 members

    No registered users viewing this page.


Important Information

By using this site, you agree to our Terms of Use & Guidelines