Unusual order activity

9 hours ago, slim said:

This isn't a great idea - It doesn't stop the problem of automated signups.

I noticed this in my Google Recaptcha today:

The yellow message is interesting, never seen that before!

[image]

The yellow message is relative to the WHMCS score setting. What is your score setting? WHMCS doesn't recommend any specific setting but the default is 0, no blocking, and 1, high blocking. Their example is 0.5. Who knows if this is a good value or not.

Link to comment
Share on other sites

1 hour ago, Richman said:

Someone proposed this https://www.cloudflare.com/products/turnstile/

https://github.com/hybula/whmcs-turnstile

 

But you have to be on Cloudflare nameservers. I have tried all other options, and now I am switching to the Cloudflare one. For now the accounts have stopped; it's been an hour after switching.

You don't need to be on Cloudflare to use Turnstile, you just need a Cloudflare account. Cloudflare Turnstile can be used with domains that are not behind Cloudflare without an issue.

We used the hook you suggested and the fake orders stopped.

Link to comment
Share on other sites

19 hours ago, Richman said:

Someone proposed this https://www.cloudflare.com/products/turnstile/

https://github.com/hybula/whmcs-turnstile

 

But you have to be on Cloudflare nameservers. I have tried all other options, and now I am switching to the Cloudflare one. For now the accounts have stopped; it's been an hour after switching.

This is working for me too, and overall, I trust Cloudflare quite a lot for these captcha and other firewall concerns.

I turned off the custom field question and activated Turnstile and so far no spammy registrations (more than 12 hours).
However, this configuration was not straightforward. The hook file is not 100% ready. You need to add the code in a specific location, otherwise it will give you a page error. Here's how to get it done easily.

I hope the WHMCS team takes this seriously and includes Cloudflare Turnstile in their roadmap very soon, instead of waiting for votes on feature requests.

Link to comment
Share on other sites

18 hours ago, wintech2003 said:

You don't need to be on Cloudflare to use Turnstile, you just need a Cloudflare account. Cloudflare Turnstile can be used with domains that are not behind Cloudflare without an issue.

We used the hook you suggested and the fake orders stopped.

Thanks for the heads-up. Mine is now sorted; I have also added it to all other WHMCS installations.

Link to comment
Share on other sites

10 hours ago, UXmedia said:

can we "efficiently" bulk delete?  Anybody???

I was told by WHMCS official support that it is not recommended to delete users in batches as there are too many relational tables. I did it manually almost every day and it’s now all clear.

And yes, turnstile hack works.

Link to comment
Share on other sites

UGH. Manually. Really?

OK, now another issue, which I assume is related to one of the suggested security settings in this thread as nothing else has changed.

  • First of all, please make sure that "Allow Client Registration" is disabled at System Settings > General Settings > Other (tab), as this provides an easy way for spammers to create accounts without needing to place an order.
  • Secondly, please make sure that you have enabled "Invisible reCAPTCHA" under "Captcha Type" at System Settings > General Settings > Security (tab). This is the most secure captcha that is currently integrated with WHMCS.
  • Next, please make sure that you follow and implement all of the solutions provided in our documentation:
  • https://docs.whmcs.com/orders/spam-orders/

I can't log in now:

I enter username/pass, click Login, and literally nothing happens.  Tried a few different browsers with the same result. Any ideas???

Link to comment
Share on other sites

My (temporary) fix: I just prevented any new user from registering from the USA.

Since then, no new fake registrations at all (it seems that for whatever reason, all of the fake users have USA addresses).

Luckily, that obscure and derelict nation represents an insignificant fraction of our business, so we can give it up without too much trouble... 🤣

Link to comment
Share on other sites

  • WHMCS Support Manager

Hi all,

The v8.11 beta has been released, which adds support for Google reCAPTCHA v3.

Test it out and share your experiences here: https://whmcs.community/forum/635-whmcs-811-beta-discussion/

We've also created a patch to add reCAPTCHA v3 to WHMCS v8.10: https://docs.whmcs.com/orders/spam-orders/#captchas

Make sure to generate new reCAPTCHA v3 keys on the Google reCAPTCHA site, and set the new threshold setting. Google suggest a starting score of 0.5.

 

As we proceed through the pre-release process, we'll also be adding hCAPTCHA.

 

Finally, if you'd like to enforce Email Verification prior to order placement, we've prepared a guide here:

 

Link to comment
Share on other sites

20 minutes ago, WHMCS John said:

Hi all,

[...]

As we proceed through the pre-release process, we'll also be adding hCAPTCHA.

Hi John,

Implementing Cloudflare's Turnstile should also be fairly easy, it's just a matter of replacing the siteverify URL and adding the Turnstile script snippet: https://developers.cloudflare.com/turnstile/migration/migrating-from-recaptcha/

Link to comment
Share on other sites
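
The two technical points raised in this thread, the reCAPTCHA v3 score threshold and the note that Turnstile differs mainly in its siteverify URL, shown as one server-side check. This is an added example, not part of any post and not WHMCS or hybula/whmcs-turnstile code; the function names and the hostname `billing.example.com` are assumptions.

```php
<?php
// Added example (not WHMCS or hybula/whmcs-turnstile code). Both endpoints take POST
// "secret", "response" (g-recaptcha-response / cf-turnstile-response), optional "remoteip".
const SITEVERIFY = [
    'recaptcha_v3' => 'https://www.google.com/recaptcha/api/siteverify',
    'turnstile'    => 'https://challenges.cloudflare.com/turnstile/v0/siteverify',
];
// POST the token to the provider; returns the decoded JSON, or null on failure.
function siteverify(string $provider, string $secret, string $token, ?string $ip = null): ?array
{
    $fields = array_filter(['secret' => $secret, 'response' => $token, 'remoteip' => $ip]);
    $ch = curl_init(SITEVERIFY[$provider]);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $json = json_decode((string) curl_exec($ch), true);
    return is_array($json) ? $json : null;
}

// Accept or reject a signup. Fails closed on a missing or malformed reply.
function captcha_passes(?array $r, string $provider, string $host, float $minScore = 0.5): bool
{
    if ($r === null || ($r['success'] ?? false) !== true) {
        return false;                    // provider unreachable or token rejected
    }
    if (($r['hostname'] ?? '') !== $host) {
        return false;                    // token was issued for a different site
    }
    if ($provider === 'recaptcha_v3') {  // only reCAPTCHA v3 returns a score
        return is_numeric($r['score'] ?? null) && (float) $r['score'] >= $minScore;
    }
    return true;                         // Turnstile: "success" is the verdict
}

// Constructed sample replies (not captured traffic), so this part runs offline.
$host = 'billing.example.com';           // hypothetical WHMCS hostname
$samples = [
    ['recaptcha_v3', ['success' => true, 'score' => 0.3, 'hostname' => $host]],
    ['recaptcha_v3', ['success' => true, 'score' => 0.9, 'hostname' => $host]],
    ['turnstile',    ['success' => true, 'hostname' => $host]],
    ['turnstile',    ['success' => false, 'error-codes' => ['timeout-or-duplicate']]],
    ['turnstile',    null],              // network error: siteverify() returned null
];
foreach ($samples as [$provider, $reply]) {
    printf("%-12s %s\n", $provider, captcha_passes($reply, $provider, $host) ? 'accept' : 'reject');
}
```

With `$minScore` set to 0 every successful reCAPTCHA v3 token is accepted, which is the "no blocking" end of the score setting described earlier in the thread; Turnstile replies carry no score, so the threshold does not apply to them.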

16 hours ago, WHMCS John said:

Hi all,

The v8.11 beta has been released, which adds support for Google reCAPTCHA v3.

Test it out and share your experiences here: https://whmcs.community/community/635-whmcs-811-beta-discussion/

We've also created a patch to add reCAPTCHA v3 to WHMCS v8.10: https://docs.whmcs.com/orders/spam-orders/#captchas

Make sure to generate new reCAPTCHA v3 keys on the Google reCAPTCHA site, and set the new threshold setting. Google suggest a starting score of 0.5.

 

As we proceed through the pre-release process, we'll also be adding hCAPTCHA.

 

Finally, if you'd like to enforce Email Verification prior to order placement, we've prepared a guide here:

 

I installed the patch and tried recaptcha V3 and that didn’t stop spammers. 
 

My last attempt was using the unofficial Cloudflare Turnstile mentioned above and that worked perfectly.

 

@WHMCS John is there a reason why hCaptcha is taking priority over Cloudflare? Why not implement both at the same time for the next release, due to this problem being so common now?

Link to comment
Share on other sites

Confirming that after installing the Cloudflare Turnstile patch 3 days ago, the account creation and order issue has entirely stopped. I would really like to see WHMCS supporting this option. 

Link to comment
Share on other sites

A little off topic but an area for improvement.....we do not allow any order from a new customer to process automatically, and require it be reviewed first by humans. 

That said, the WHMCS process of how those orders are held is flawed. 

WHMCS will process the payment first then hold the order, regardless of the fact that we want the order held for human review (BEFORE payment is processed).   We have bemoaned this for years and have always been told "that's just the way it is when using payment gateways". 

I never understood this response, as it should be easy to take an order, HOLD the order BEFORE payment processing, allow a human review, and then allow the operator to release the order for payment processing AFTER the review.

Edited by nmdpa3
Link to comment
Share on other sites

34 minutes ago, nmdpa3 said:

it should be easy to take an order, HOLD the order BEFORE payment processing, allow a human review, and then allow the operator to release the order for payment processing AFTER the review.

Even more: with almost any payment gateway it's possible to get a pre-authorization (without any real charge), then, after the order approval (even hours later) process the payment using the former authorization...

Link to comment
Share on other sites

  • WHMCS Support Manager
On 8/13/2024 at 8:36 AM, bnb said:

I installed the patch and tried recaptcha V3 and that didn’t stop spammers. 
 

My last attempt was using the unofficial Cloudflare Turnstile mentioned above and that worked perfectly.

 

@WHMCS John is there a reason why hCaptcha is taking priority over Cloudflare? Why not implement both at the same time for the next release, due to this problem being so common now?

 

On 8/12/2024 at 4:00 PM, wintech2003 said:

Hi John,

Implementing Cloudflare's Turnstile should also be fairly easy, it's just a matter of replacing the siteverify URL and adding the Turnstile script snippet: https://developers.cloudflare.com/turnstile/migration/migrating-from-recaptcha/

 

We're tracking Turnstile in a separate feature request here: https://requests.whmcs.com/idea/are-you-interested-in-integrating-cloudflares-turnstile

The hcaptcha suggestion came first and has more votes. It should also solve a problem with reCAPTCHA not being available in certain territories which block Google services (China). Therefore hcaptcha potentially solves two problems in one.

Link to comment
Share on other sites

13 hours ago, WHMCS John said:

 

 

We're tracking Turnstile in a separate feature request here: https://requests.whmcs.com/idea/are-you-interested-in-integrating-cloudflares-turnstile

The hcaptcha suggestion came first and has more votes. It should also solve a problem with reCAPTCHA not being available in certain territories which block Google services (China). Therefore hcaptcha potentially solves two problems in one.

That really means nothing John. That feature request has been there over 1 year, and as everyone here knows, you guys only add features you want to add, not features the users want or need.

There are many popular feature requests which still have not been implemented after 10 years.

Link to comment
Share on other sites

The hook works fine, so for me it doesn't make any difference - the issue with fake registrations has been solved.

I'm just saying that since you can see that so many people solved the issue not with reCAPTCHA v3, but with Turnstile, and since you're doing hCAPTCHA anyway (hCAPTCHA vs Turnstile should also be a matter of a couple of code changes), you could deliver both.

Which feature request came first / second, has more votes etc. doesn't make any difference to us users - we're looking for solutions, and the current solution is a hook. Do you want people to keep using the hook, or to integrate the solution into WHMCS and have everyone happy?

Link to comment
Share on other sites

On 7/4/2024 at 9:40 PM, WHMCS Areeb said:

Hi @Remitur

We are aware of reports of unusual orders being placed, potentially in an automated way, and are tracking this internally.

There are some immediate steps which you can take to help minimise the impact of automated orders:

First of all, please make sure that "Allow Client Registration" is disabled at System Settings > General Settings > Other (tab), as this provides an easy way for spammers to create accounts without needing to place an order.

Secondly, please make sure that you have enabled "Invisible reCAPTCHA" under "Captcha Type" at System Settings > General Settings > Security (tab). This is the most secure captcha that is currently integrated with WHMCS.

 

Question for first answer, how will we allow Affiliate registration without "Allow Client Registration"?

 

Second, can invisible reCAPTCHA disturb genuine visitors?

Link to comment
Share on other sites

19 hours ago, ZeroMB said:

Question for first answer, how will we allow Affiliate registration without "Allow Client Registration"?

 

Second, can invisible reCAPTCHA disturb genuine visitors?

No. It's "Invisible" except for the box in the corner lol

Link to comment
Share on other sites

As already stated, disabling allow registration without an order doesn't help with this problem.
However, having this enabled does allow spam registrations as well, so it's not a good idea to enable it.
To get around this I created a free "affiliates" product.

19 hours ago, ZeroMB said:

Question for first answer, how will we allow Affiliate registration without "Allow Client Registration"?

 

Second, can invisible reCAPTCHA disturb genuine visitors?

 

Link to comment
Share on other sites
