Vander Host, posted August 9:

9 hours ago, slim said:
> This isn't a great idea - It doesn't stop the problem of automated signups. I noticed this in my Google Recaptcha today: The yellow message is interesting, never seen that before!

The yellow message is relative to the WHMCS score setting. What is your score setting? WHMCS doesn't recommend any specific setting but the default is 0, no blocking, and 1, high blocking. Their example is 0.5. Who knows if this is a good value or not.

wintech2003, posted August 9:

1 hour ago, Richman said:
> Someone proposed this: https://www.cloudflare.com/products/turnstile/ https://github.com/hybula/whmcs-turnstile But you have to be on Cloudflare nameservers. I have tried all other options, and now I am switching to the Cloudflare one; for now the accounts have stopped, it's been an hour after switching.

You don't need to be on Cloudflare to use Turnstile, you just need a Cloudflare account. Cloudflare Turnstile can be used with domains that are not behind Cloudflare without an issue. We used the hook you suggested and the fake orders stopped.

bnb, posted August 10:

19 hours ago, Richman said:
> Someone proposed this: https://www.cloudflare.com/products/turnstile/ https://github.com/hybula/whmcs-turnstile But you have to be on Cloudflare nameservers. I have tried all other options, and now I am switching to the Cloudflare one; for now the accounts have stopped, it's been an hour after switching.

This is working for me too, and overall, I trust Cloudflare quite a lot for these captcha and other firewall concerns. I turned off the custom field question and activated Turnstile and so far no spammy registrations (more than 12 hours). However, this configuration was not straightforward. The hook file is not 100% ready. You need to add the code in a specific location, otherwise it will give you a page error. Here's how to get it done easily. I hope the WHMCS team takes this seriously and includes Cloudflare Turnstile in their roadmap very soon, instead of waiting for votes on feature requests.

Richman, posted August 10:

18 hours ago, wintech2003 said:
> You don't need to be on Cloudflare to use Turnstile, you just need a Cloudflare account. Cloudflare Turnstile can be used with domains that are not behind Cloudflare without an issue. We used the hook you suggested and the fake orders stopped.

Thanks for the heads-up. Mine is now sorted; I have also added it to all other WHMCS installations.

slim, posted August 10:

I installed the beta, put v3 keys in and so far so good.

UXmedia, posted August 10:

Thanks @Richman! I'll get the Cloudflare / Turnstile setup working ASAP. In the meantime, can we "efficiently" bulk delete? Anybody???

bnb, posted August 11:

10 hours ago, UXmedia said:
> can we "efficiently" bulk delete? Anybody???

I was told by WHMCS official support that deleting users in batches is not recommended, as there are too many relational tables. I did it manually almost every day and it's now all clear. And yes, the Turnstile hack works.

UXmedia, posted August 11:

UGH. Manually. Really? OK, now another issue, which I assume is related to one of the suggested security settings in this thread as nothing else has changed.

> First of all, please make sure that "Allow Client Registration" is disabled at System Settings > General Settings > Other (tab), as this provides an easy way for spammers to create accounts without needing to place an order. Secondly, please make sure that you have enabled "Invisible reCAPTCHA" under "Captcha Type" at System Settings > General Settings > Security (tab). This is the most secure captcha that is currently integrated with WHMCS. Next, please make sure that you follow and implement all of the solutions provided in our documentation: https://docs.whmcs.com/orders/spam-orders/

I can't log in now: I enter username/pass, click Login, and literally nothing happens. Tried a few different browsers with the same result. Any ideas???

Remitur (Author), posted August 12:

My (temporary) fix: I just prevented any new user from registering from the USA. Since then, no new fake registrations at all (it seems that for whatever reason, all of the fake users have USA addresses). Luckily, that obscure and derelict nation represents an insignificant fraction of our business, so we can give it up without too much trouble... 🤣

WHMCS John (WHMCS Support Manager), posted August 12:

Hi all,

The v8.11 beta has been released, which adds support for Google reCAPTCHA v3. Test it out and share your experiences here: https://whmcs.community/forum/635-whmcs-811-beta-discussion/

We've also created a patch to add reCAPTCHA v3 to WHMCS v8.10: https://docs.whmcs.com/orders/spam-orders/#captchas

Make sure to generate new reCAPTCHA v3 keys on the Google reCAPTCHA site, and set the new threshold setting. Google suggest a starting score of 0.5.

As we proceed through the pre-release process, we'll also be adding hCAPTCHA.

Finally, if you'd like to enforce Email Verification prior to order placement, we've prepared a guide here:

wintech2003, posted August 12:

20 minutes ago, WHMCS John said:
> Hi all, [...] As we proceed through the pre-release process, we'll also be adding hCAPTCHA.

Hi John,

Implementing Cloudflare's Turnstile should also be fairly easy, it's just a matter of replacing the siteverify URL and adding the Turnstile script snippet: https://developers.cloudflare.com/turnstile/migration/migrating-from-recaptcha/

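The server-side check that the posts above turn on (a reCAPTCHA v3 score threshold, and Turnstile as a swap of the siteverify URL), as an added example that is not part of the thread and is not WHMCS or hybula code: it rejects every reply that is not a clear pass. The function names, hostname, 0.5 threshold argument and sample replies are constructed for illustration.

```php
<?php
// Added example. Endpoints, token field names and reply keys are the providers'
// documented ones; function names, hostname and sample replies are constructed.
const PROVIDERS = [ // provider => [siteverify URL, POST field carrying the token]
    'recaptcha_v3' => ['https://www.google.com/recaptcha/api/siteverify', 'g-recaptcha-response'],
    'turnstile' => ['https://challenges.cloudflare.com/turnstile/v0/siteverify', 'cf-turnstile-response'],
];

// POST secret + token to the provider; null on any transport or parse failure.
function siteverify(string $provider, string $secret, string $token): ?array
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => 'Content-Type: application/x-www-form-urlencoded',
        'content' => http_build_query(['secret' => $secret, 'response' => $token]),
        'timeout' => 5,
    ]]);
    $body = @file_get_contents(PROVIDERS[$provider][0], false, $ctx);
    $json = $body === false ? null : json_decode($body, true);
    return is_array($json) ? $json : null;
}

// Decide on a decoded reply. Anything that is not a clear pass is rejected.
function captcha_verdict(string $provider, ?array $reply, string $host, float $minScore): array
{
    if ($reply === null) return [false, 'no usable siteverify reply'];
    if (($reply['success'] ?? false) !== true) {
        return [false, 'provider rejected: ' . implode(',', $reply['error-codes'] ?? [])];
    }
    if (($reply['hostname'] ?? '') !== $host) return [false, 'token issued for another hostname'];
    if ($provider === 'recaptcha_v3') {
        // v3 returns success=true for any valid token; the score is the signal.
        $score = $reply['score'] ?? null;
        if (!is_int($score) && !is_float($score)) return [false, 'score missing'];
        if ($score < $minScore) return [false, "score $score below threshold $minScore"];
    }
    return [true, 'ok'];
}
// Constructed replies, evaluated offline (no network call is made here).
$samples = [
    ['recaptcha_v3', ['success' => true, 'score' => 0.3, 'hostname' => 'billing.example.com']],
    ['recaptcha_v3', ['success' => true, 'score' => 0.9, 'hostname' => 'billing.example.com']],
    ['turnstile',    ['success' => false, 'error-codes' => ['missing-input-response']]],
    ['turnstile',    ['success' => true, 'hostname' => 'billing.example.com']],
];
foreach ($samples as [$p, $r]) {
    [$ok, $why] = captcha_verdict($p, $r, 'billing.example.com', 0.5);
    printf("%-12s %s (%s)\n", $p, $ok ? 'ACCEPT' : 'REJECT', $why);
}
```

With a threshold of 0, the first sample (score 0.3) would be accepted, which is the "no blocking" behaviour described earlier in the thread.
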
bnb, posted August 13:

16 hours ago, WHMCS John said:
> Hi all, The v8.11 beta has been released, which adds support for Google reCAPTCHA v3. Test it out and share your experiences here: https://whmcs.community/community/635-whmcs-811-beta-discussion/ We've also created a patch to add reCAPTCHA v3 to WHMCS v8.10: https://docs.whmcs.com/orders/spam-orders/#captchas Make sure to generate new reCAPTCHA v3 keys on the Google reCAPTCHA site, and set the new threshold setting. Google suggest a starting score of 0.5. As we proceed through the pre-release process, we'll also be adding hCAPTCHA. Finally, if you'd like to enforce Email Verification prior to order placement, we've prepared a guide here:

I installed the patch and tried reCAPTCHA v3 and that didn't stop spammers. My last attempt was using the unofficial Cloudflare Turnstile mentioned above and that worked perfectly. @WHMCS John is there a reason why hCaptcha is taking priority over Cloudflare? Why not implement both at the same time for the next release, due to this problem being so common now?

Collin, posted August 13:

Confirming that after installing the Cloudflare Turnstile patch 3 days ago, the account creation and order issue has entirely stopped. I would really like to see WHMCS supporting this option.

nmdpa3, posted August 14 (edited):

A little off topic, but an area for improvement... We do not allow any order from a new customer to process automatically, and require it be reviewed first by humans. That said, the WHMCS process of how those orders are held is flawed. WHMCS will process the payment first then hold the order, regardless of the fact that we want the order held for human review (BEFORE payment is processed). We have bemoaned this for years and have always been told "that's just the way it is when using payment gateways". I never understood this response, as it should be easy to take an order, HOLD the order BEFORE payment processing, allow a human review, and then allow the operator to release the order for payment processing AFTER the review.

Remitur (Author), posted August 14:

34 minutes ago, nmdpa3 said:
> it should be easy to take an order, HOLD the order BEFORE payment processing, allow a human review, and then allow the operator to release the order for payment processing AFTER the review.

Even more: with almost any payment gateway it's possible to get a pre-authorization (without any real charge), then, after the order approval (even hours later) process the payment using the former authorization...

WHMCS John (WHMCS Support Manager), posted August 16:

On 8/13/2024 at 8:36 AM, bnb said:
> I installed the patch and tried reCAPTCHA v3 and that didn't stop spammers. My last attempt was using the unofficial Cloudflare Turnstile mentioned above and that worked perfectly. @WHMCS John is there a reason why hCaptcha is taking priority over Cloudflare? Why not implement both at the same time for the next release, due to this problem being so common now?

On 8/12/2024 at 4:00 PM, wintech2003 said:
> Hi John, Implementing Cloudflare's Turnstile should also be fairly easy, it's just a matter of replacing the siteverify URL and adding the Turnstile script snippet: https://developers.cloudflare.com/turnstile/migration/migrating-from-recaptcha/

We're tracking Turnstile in a separate feature request here: https://requests.whmcs.com/idea/are-you-interested-in-integrating-cloudflares-turnstile

The hCaptcha suggestion came first and has more votes. It should also solve a problem with reCAPTCHA not being available in certain territories which block Google services (China). Therefore hCaptcha potentially solves two problems in one.

snake, posted August 17:

13 hours ago, WHMCS John said:
> We're tracking Turnstile in a separate feature request here: https://requests.whmcs.com/idea/are-you-interested-in-integrating-cloudflares-turnstile The hCaptcha suggestion came first and has more votes. It should also solve a problem with reCAPTCHA not being available in certain territories which block Google services (China). Therefore hCaptcha potentially solves two problems in one.

That really means nothing, John. That feature request has been there over 1 year, and as everyone here knows, you guys only add features you want to add, not features the users want or need. There are many popular feature requests which still have not been implemented after 10 years.

teklan, posted August 17:

Signed up to say there's a 3rd party one from Hybula - https://github.com/hybula/whmcs-turnstile

wintech2003, posted August 17:

The hook works fine, so for me it doesn't make any difference - the issue with fake registrations has been solved. I'm just saying that since you can see that so many people solved the issue not with reCAPTCHA v3, but with Turnstile, and since you're doing hCAPTCHA anyway (hCAPTCHA vs Turnstile should also be a matter of a couple of code changes), you could deliver both. Which feature request came first / second, has more votes etc. doesn't make any difference to us users - we're looking for solutions, and the current solution is a hook. Do you want people to keep using the hook, or to integrate the solution into WHMCS and have everyone happy?

sahostking, posted August 18:

Hi guys,

Randomly getting this error on the checkout page when using Turnstile:

Missing captcha response in POST data!

Any ideas?

ZeroMB, posted August 19:

On 7/4/2024 at 9:40 PM, WHMCS Areeb said:
> Hi @Remitur We are aware of reports of unusual orders being placed, potentially in an automated way and are tracking this internally. There are some immediate steps which you can take to help minimise the impact of automated orders: First of all, please make sure that "Allow Client Registration" is disabled at System Settings > General Settings > Other (tab), as this provides an easy way for spammers to create accounts without needing to place an order. Secondly, please make sure that you have enabled "Invisible reCAPTCHA" under "Captcha Type" at System Settings > General Settings > Security (tab). This is the most secure captcha that is currently integrated with WHMCS.

Question for the first answer: how will we allow Affiliate registration without "Allow Client Registration"? Second, can invisible reCAPTCHA disturb genuine visitors?

teklan, posted August 20:

19 hours ago, ZeroMB said:
> Question for the first answer: how will we allow Affiliate registration without "Allow Client Registration"? Second, can invisible reCAPTCHA disturb genuine visitors?

No. It's "Invisible" except for the box in the corner lol

snake, posted August 20:

As already stated, disabling "allow registration without an order" doesn't help with this problem. However, having this enabled does allow spam registrations as well, so it's not a good idea to enable it. To get around this I created a free "affiliates" product.

19 hours ago, ZeroMB said:
> Question for the first answer: how will we allow Affiliate registration without "Allow Client Registration"? Second, can invisible reCAPTCHA disturb genuine visitors?