Vander Host, posted August 9:

> 9 hours ago, slim said: This isn't a great idea. It doesn't stop the problem of automated signups. I noticed this in my Google reCAPTCHA today: The yellow message is interesting, never seen that before!

The yellow message is relative to the WHMCS score setting. What is your score setting? WHMCS doesn't recommend any specific setting, but the default is 0, no blocking, and 1, high blocking. Their example is 0.5. Who knows if this is a good value or not.
wintech2003, posted August 9:

> 1 hour ago, Richman said: Someone proposed this https://www.cloudflare.com/products/turnstile/ https://github.com/hybula/whmcs-turnstile But you have to be on Cloudflare nameservers. I have tried all other options, and now I am switching to the Cloudflare one; for now the accounts have stopped, it's been an hour after switching.

You don't need to be on Cloudflare to use Turnstile; you just need a Cloudflare account. Cloudflare Turnstile can be used with domains that are not behind Cloudflare without an issue. We used the hook you suggested and the fake orders stopped.
bnb, posted August 10:

> 19 hours ago, Richman said: Someone proposed this https://www.cloudflare.com/products/turnstile/ https://github.com/hybula/whmcs-turnstile But you have to be on Cloudflare nameservers. I have tried all other options, and now I am switching to the Cloudflare one; for now the accounts have stopped, it's been an hour after switching.

This is working for me too, and overall I trust Cloudflare quite a lot for these captcha and other firewall concerns. I turned off the custom field question and activated Turnstile, and so far no spammy registrations (more than 12 hours). However, this configuration was not straightforward. The hook file is not 100% ready. You need to add the code in a specific location, otherwise it will give you a page error. Here's how to get it done easily. I hope the WHMCS team takes this seriously and includes Cloudflare Turnstile in their roadmap very soon, instead of waiting for votes on feature requests.
Richman, posted August 10:

> 18 hours ago, wintech2003 said: You don't need to be on Cloudflare to use Turnstile, you just need a Cloudflare account. Cloudflare Turnstile can be used with domains that are not behind Cloudflare without an issue. We used the hook you suggested and the fake orders stopped.

Thanks for the heads-up. Mine is now sorted; I have also added it to all other WHMCS installations.
slim, posted August 10:

I installed the beta, put v3 keys in and so far so good.
UXmedia, posted August 10:

Thanks @Richman! I'll get the Cloudflare / Turnstile setup working ASAP. In the meantime, can we "efficiently" bulk delete? Anybody???
bnb, posted August 11:

> 10 hours ago, UXmedia said: can we "efficiently" bulk delete? Anybody???

I was told by WHMCS official support that it is not recommended to delete users in batches, as there are too many relational tables. I did it manually almost every day and it's now all clear. And yes, the Turnstile hack works.
UXmedia, posted August 11:

UGH. Manually. Really? OK, now another issue, which I assume is related to one of the suggested security settings in this thread, as nothing else has changed.

> First of all, please make sure that "Allow Client Registration" is disabled at System Settings > General Settings > Other (tab), as this provides an easy way for spammers to create accounts without needing to place an order. Secondly, please make sure that you have enabled "Invisible reCAPTCHA" under "Captcha Type" at System Settings > General Settings > Security (tab). This is the most secure captcha that is currently integrated with WHMCS. Next, please make sure that you follow and implement all of the solutions provided in our documentation: https://docs.whmcs.com/orders/spam-orders/

I can't log in now: I enter username/pass, click Login, and literally nothing happens. Tried a few different browsers with the same result. Any ideas???
Remitur (thread author), posted August 12:

My (temporary) fix: I just prevented any new user from registering from the USA. Since then, no new fake registrations at all (it seems that for whatever reason, all of the fake users have USA addresses). Luckily, that obscure and derelict nation represents an insignificant fraction of our business, so we can give it up without too much trouble... 🤣
WHMCS John (WHMCS Support Manager), posted August 12:

Hi all,

The v8.11 beta has been released, which adds support for Google reCAPTCHA v3. Test it out and share your experiences here: https://whmcs.community/forum/635-whmcs-811-beta-discussion/

We've also created a patch to add reCAPTCHA v3 to WHMCS v8.10: https://docs.whmcs.com/orders/spam-orders/#captchas

Make sure to generate new reCAPTCHA v3 keys on the Google reCAPTCHA site, and set the new threshold setting. Google suggests a starting score of 0.5.

As we proceed through the pre-release process, we'll also be adding hCAPTCHA.

Finally, if you'd like to enforce Email Verification prior to order placement, we've prepared a guide here:
wintech2003, posted August 12:

> 20 minutes ago, WHMCS John said: Hi all, [...] As we proceed through the pre-release process, we'll also be be adding hCAPTCHA.

Hi John,

Implementing Cloudflare's Turnstile should also be fairly easy, it's just a matter of replacing the siteverify URL and adding the Turnstile script snippet: https://developers.cloudflare.com/turnstile/migration/migrating-from-recaptcha/
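Server-side verification logic for the siteverify swap described above, and for the reCAPTCHA v3 score threshold discussed earlier in the thread, as an added example that is not from the Hybula hook or from WHMCS. The two endpoint URLs are the vendors' documented ones; `verify_captcha`, `canned_reply` and the sample replies are assumed/constructed here, and `min_score` stands in for the WHMCS threshold setting.

```python
import json
import urllib.parse
import urllib.request

# Documented siteverify endpoints; both take a POST form with secret= and
# response= (optionally remoteip=) and answer with JSON, which is why the
# migration guide linked above is mostly a URL swap.
RECAPTCHA_SITEVERIFY = "https://www.google.com/recaptcha/api/siteverify"
TURNSTILE_SITEVERIFY = "https://challenges.cloudflare.com/turnstile/v0/siteverify"


def post_form(url, fields):
    """Default transport: POST a form to siteverify and decode the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return json.load(resp)


def canned_reply(reply):
    """Transport stand-in returning a constructed siteverify reply (offline use)."""
    return lambda url, fields: reply


def verify_captcha(provider, secret, token, expected_hostname,
                   min_score=0.5, transport=post_form):
    """Return (passed, reason). provider is "recaptcha_v3" or "turnstile";
    min_score is the v3 threshold (Google suggests starting at 0.5) and is
    ignored for Turnstile, which only returns a success flag."""
    if not token:
        # The case behind "Missing captcha response in POST data!": the widget
        # never produced a token, so there is nothing to verify. Fail closed.
        return False, "missing-token"
    url = {"recaptcha_v3": RECAPTCHA_SITEVERIFY,
           "turnstile": TURNSTILE_SITEVERIFY}[provider]
    reply = transport(url, {"secret": secret, "response": token})
    if not reply.get("success"):
        # e.g. "timeout-or-duplicate" when the same token is submitted twice
        return False, "siteverify:" + ",".join(reply.get("error-codes", []))
    # Both providers echo the hostname the widget ran on; a token minted on
    # some other site should not be accepted for this one.
    if reply.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"
    if provider == "recaptcha_v3":
        # v3 never rejects by itself: it scores 0.0 (bot) .. 1.0 (human) and
        # the site applies the threshold, which is the WHMCS score setting.
        score = float(reply.get("score", 0.0))
        if score < min_score:
            return False, "score-below-threshold:%.2f" % score
    return True, "ok"


if __name__ == "__main__":
    # Constructed reply only; nothing here talks to Google or Cloudflare.
    ok = canned_reply({"success": True, "hostname": "shop.example", "score": 0.9})
    print(verify_captcha("recaptcha_v3", "SECRET", "tok", "shop.example", transport=ok))
    print(verify_captcha("turnstile", "SECRET", "", "shop.example"))
```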
bnb, posted August 13:

> 16 hours ago, WHMCS John said: Hi all, The v8.11 beta has been released, which adds support for Google reCAPTCHA v3. Test it out and share your experiences here: https://whmcs.community/community/635-whmcs-811-beta-discussion/ We've also created a patch to add reCAPTCHA v3 to WHMCS v8.10: https://docs.whmcs.com/orders/spam-orders/#captchas Make sure to generate new reCAPTCHA v3 keys on the Google reCAPTCHA site, and set the new threshold setting. Google suggest a starting score of 0.5. As we proceed through the pre-release process, we'll also be be adding hCAPTCHA. Finally, if you'd like to enforce Email Verification prior to order placement, we've prepared a guide here:

I installed the patch and tried reCAPTCHA v3, and that didn't stop spammers. My last attempt was using the unofficial Cloudflare Turnstile mentioned above, and that worked perfectly. @WHMCS John, is there a reason why hCaptcha is taking priority over Cloudflare? Why not implement both at the same time for the next release, given this problem is so common now?
Collin, posted August 13:

Confirming that after installing the Cloudflare Turnstile patch 3 days ago, the account creation and order issue has entirely stopped. I would really like to see WHMCS supporting this option.
nmdpa3, posted August 14 (edited August 14 by nmdpa3):

A little off topic, but an area for improvement: we do not allow any order from a new customer to process automatically, and require it be reviewed first by humans. That said, the WHMCS process of how those orders are held is flawed. WHMCS will process the payment first and then hold the order, regardless of the fact that we want the order held for human review (BEFORE payment is processed). We have bemoaned this for years and have always been told "that's just the way it is when using payment gateways". I never understood this response, as it should be easy to take an order, HOLD the order BEFORE payment processing, allow a human review, and then allow the operator to release the order for payment processing AFTER the review.
Remitur (thread author), posted August 14:

> 34 minutes ago, nmdpa3 said: it should be easy to take an order, HOLD the order BEFORE payment processing, allow a human review, and then allow the operator to release the order for payment processing AFTER the review.

Even more: with almost any payment gateway it's possible to get a pre-authorization (without any real charge), then, after the order approval (even hours later), process the payment using the former authorization...
WHMCS John (WHMCS Support Manager), posted August 16:

> On 8/13/2024 at 8:36 AM, bnb said: I installed the patch and tried recaptcha V3 and that didn't stop spammers. My last attempt was using the unofficial Cloudflare Turnstile mentioned above and that worked perfectly. @WHMCS John is there a reason why hcaptcha is taking priority over cloudlfare? Why not implementing both at the same time for the next release due to this problem being so common now?

> On 8/12/2024 at 4:00 PM, wintech2003 said: Hi John, Implementing Cloudflare's Turnstile should also be fairly easy, it's just a matter of replacing the siteverify URL and adding the Turnstile script snippet: https://developers.cloudflare.com/turnstile/migration/migrating-from-recaptcha/

We're tracking Turnstile in a separate feature request here: https://requests.whmcs.com/idea/are-you-interested-in-integrating-cloudflares-turnstile

The hcaptcha suggestion came first and has more votes. It should also solve a problem with reCAPTCHA not being available in certain territories which block Google services (China). Therefore hcaptcha potentially solves two problems in one.
snake, posted August 17:

> 13 hours ago, WHMCS John said: We're tracking Turnstile in a separate feature request here: https://requests.whmcs.com/idea/are-you-interested-in-integrating-cloudflares-turnstile The hcaptcha suggestion came first and has more votes. It should also solve a problem with reCAPTCHA not being available in certain territories which block Google services (China). Therefore hcaptcha potentially solves two problems in one.

That really means nothing, John. That feature request has been there over 1 year, and as everyone here knows, you guys only add features you want to add, not features the users want or need. There are many popular feature requests which still have not been implemented after 10 years.
teklan, posted August 17:

Signed up to say there's a 3rd party one from Hybula - https://github.com/hybula/whmcs-turnstile
wintech2003, posted August 17:

The hook works fine, so for me it doesn't make any difference - the issue with fake registrations has been solved. I'm just saying that since you can see that so many people solved the issue not with reCAPTCHA v3 but with Turnstile, and since you're doing hCAPTCHA anyway (hCAPTCHA vs Turnstile should also be a matter of a couple of code changes), you could deliver both. Which feature request came first / second, has more votes etc. doesn't make any difference to us users - we're looking for solutions, and the current solution is a hook. Do you want people to keep using the hook, or to integrate the solution into WHMCS and have everyone happy?
sahostking, posted August 18:

Hi guys,

Randomly getting this error on the checkout page when using Turnstile:

Missing captcha response in POST data!

Any ideas?
ZeroMB, posted August 19:

> On 7/4/2024 at 9:40 PM, WHMCS Areeb said: HI @Remitur We are aware of reports of unusual orders being placed, potentially in an automated way and are tracking this internally. There are some immediate steps which you can take to help minimise the impact of automated orders: First of all, please make sure that "Allow Client Registration" is disabled at System Settings > General Settings > Other (tab), as this provides an easy way for spammers to create accounts without needing to place an order. Secondly, please make sure that you have enabled "Invisible reCAPTCHA" under "Captcha Type" at System Settings > General Settings > Security (tab). This is the most secure captcha that is currently integrated with WHMCS.

Question for the first answer: how will we allow Affiliate registration without "Allow Client Registration"? Second, can invisible reCAPTCHA disturb genuine visitors?
teklan, posted August 20:

> 19 hours ago, ZeroMB said: Question for first answer, how will we allow Affiliate registration without "Allow Client Registration"? Second, does invisible reCaptcha can disturb genuine visitor?

No. It's "Invisible" except for the box in the corner lol
snake, posted August 20:

> 19 hours ago, ZeroMB said: Question for first answer, how will we allow Affiliate registration without "Allow Client Registration"? Second, does invisible reCaptcha can disturb genuine visitor?

As already stated, disabling allow registration without an order doesn't help with this problem. However, having this enabled does allow spam registrations as well, so it's not a good idea to enable it. To get around this I created a free "affiliates" product.
websavers, posted October 1:

> On 7/8/2024 at 1:22 PM, snake said: is there any way to bulk delete all these fake accounts and associated users?

Some users have indicated to do this via the DB, but then it leaves connected data behind, like Users. It would be handy if WHMCS could supply us with either a patch to bulk delete clients safely OR DB queries to do it properly. However, because they haven't done that, here's what we did. It's still manual, but because it's sort of like a macro, it's faster. We used Firefox on a Mac, so you'll need to adjust key commands for an alternate browser and OS:

First: open a whole bunch of these empty client accounts in new tabs. Then copy this to your clipboard:

    // Only delete clients whose affiliate account was never activated
    // (the "activate affiliate" link is still present on the profile).
    var affiliateHref = jQuery('#affiliateLink a').attr('href') || '';
    if (affiliateHref.includes('activateaffiliate=true')) {
        jQuery('#btnDeleteClient').click();                                   // open the delete dialog
        jQuery('#inputDeleteUsers').prop('checked', true).trigger('change');  // also remove the linked users
        jQuery('#doDeleteClient-ok').click();                                 // confirm the deletion
    }

CMD-OPT-I (open web inspector; the first time you need to click on the console tab)
CMD-V (paste into the JavaScript console)
RETURN/ENTER (run it)
CMD-W (close inspector)
CMD-W (close tab)

Move on to the next tab (Firefox does this automatically for us) and run the very same key commands again.

IMPORTANT: Make absolutely sure that each client profile you open in a tab does not have any products in them. You can then glance to see there are no open tickets prior to running the JavaScript. The code will not delete any of these clients with active affiliate accounts.

Hopefully this helps some of you delete bot-registered accounts a bit faster. Also keep in mind this is only useful if you've already blocked further sign-ups, otherwise you're going to be wasting time playing whack-a-mole.
websavers, posted October 1 (edited October 1 by websavers):

I also wanted to collect a bunch of the solutions discussed here about what has and hasn't worked for blocking these spam registrations:

Custom Field: while this does work, sometimes whoever is running the registration script catches on and figures out the answer, unless you make it something that will never be guessed. There are, however, two issues with this: A) nobody (including those who only want an affiliate account) can sign up without asking you for the answer to this question. B) existing clients can't change their profile info without asking for the answer to this question. B was the bigger annoyance for us.

Disabling Client Registration entirely: this stopped spam registrations, but then within 24 hours they turned into spam orders instead. I preferred the spam registrations over the spam orders as it creates far less data in the DB. Having said that, fraud modules can help with spam orders, where they cannot for spam registrations.

reCAPTCHA Changes: If WHMCS staff are right that the people doing this are simply using automated CAPTCHA solving solutions (which do exist) for older versions of reCAPTCHA, then both invisible and v2 checkbox aren't going to work to block these. We applied the patch to WHMCS (not the upgrade) to add reCAPTCHA v3 and set it all up, but all it did was block *all* registrations (worse than using a custom field). WHMCS staff are looking into this.

Referrer check .htaccess code: This only works until the people doing this catch on; then they can spoof the referrer, and comments here indicate that they have successfully done this.

Browser User-Agent Check: Similar to above, attackers can simply update the user agent to one that you haven't blocked, so it might work temporarily, but it's not likely to be a long-term solution. And people in the comments have indicated this has been the case for them.

Blocking IP Ranges: Given the large range of IPs used in this attack, it seems unlikely this would work as a long-term solution. We tried it, and it lasted 24 hours max.

As far as I can tell, the only actual working solutions that can't be easily bypassed AND don't create other usability issues for customers appear to be:

- Those using the Cloudflare Turnstile hook and/or module (we haven't tried this yet)
- Those who upgrade to WHMCS 8.11 and enable reCAPTCHA v3 (according to user reports it doesn't have the same issue we've had with the 8.10.1 reCAPTCHA v3 patch - though that might be something unique in our configuration - yet to be determined)

Let me know if I'm missing anything here. Has anyone upgraded to 8.11 and used hCAPTCHA? I've used it for forms with WordPress and found it very effective. I'm curious if it's as effective as Turnstile and/or reCAPTCHA v3 (when it's working).