Easy Green Hosting Posted Friday at 06:17 PM

3 hours ago, rockhost said:
> Hi again, I just wanted to follow up on my previous response, just in case anyone else experiences the same issue. I found the WHMCS help article regarding custom client fields. Unfortunately, implementing this did NOT work => https://help.whmcs.com/m/64764/l/878335
> I have recaptcha and the required custom client field in place. I have also disabled "Allow Client Registration". Yet still, the spammy client registrations continue...

I tried the custom field too, with no results. hcaptcha is the only (easy and free) way I solved it. recaptcha v3 might also be a good option, but I can't use it as it blocks some inbound links to the domain registration page. If you try hcaptcha, let us know if it solved it.

Probably email account activation before purchase submission would also be a good option, but it's not there yet... https://requests.whmcs.com/idea/force-email-verification-before-account-provisioning
rockhost Posted Friday at 07:24 PM

Update! I am not sure why I didn't try this first, but switching from reCaptcha v2 to the Invisible Captcha has fixed the issue. I was about to try the CloudFlare Turnstile... Anyway, thanks for your comments and help! I bought myself a little time to prepare for the upgrade to 8.13. Cheers!
rockhost Posted Friday at 10:55 PM

Well crap, I spoke too soon. I was still using the reCaptcha v2 secret key after switching to the Invisible reCaptcha option in WHMCS's General Settings. I.e., no client registrations were going through. Period. Bots or human beings. Everything broke. Once I updated the secret key to match the Invisible reCaptcha option, the spamming returned, as did regular functionality for real clients.

Sigh... I will report back tomorrow with my CloudFlare Turnstile testing results, just in case anybody is following along now or in the future. Thanks!
rockhost Posted Friday at 11:07 PM

4 hours ago, Easy Green Hosting said:
> I tried the custom field too, with no results. hcaptcha is the only (easy and free) way I solved it. recaptcha v3 might also be a good option, but I can't use it as it blocks some inbound links to the domain registration page. If you try hcaptcha, let us know if it solved it.
> Probably email account activation before purchase submission would also be a good option, but it's not there yet... https://requests.whmcs.com/idea/force-email-verification-before-account-provisioning

I am stubborn and am still using my owned license. So, I don't have the hCaptcha option in my General Settings yet. Although I will have to upgrade soon, one way or another. I will keep you posted. Thanks for the reply!
Tman1816c Posted Friday at 11:07 PM

You can fix this only with Cloudflare Turnstile - I thought this was clear months ago, so many of us here have had this issue, and all that worked is Cloudflare. Use hCAPTCHA and Cloudflare, and you will have no more issues.
WHMCS Stephen (WHMCS Technical Analyst II) Posted Monday at 07:24 PM

I understand how frustrating this is. However, this indicates the level of sophistication of bots and is not specific to our software. There are some immediate steps you can take to help minimise the impact of automated orders or spam registrations:

Firstly, the best way to prevent automated submissions is to customise your order form with a custom question that the bot is not programmed to complete, for example, adding a mandatory question that only a human can answer and has validation. For more information, please see: https://docs.whmcs.com/orders/spam-orders/#custom-client-fields

Secondly, please make sure that you have enabled at least "Invisible reCAPTCHA" under "Captcha Type" at System Settings > General Settings > Security.

I'd recommend working with Google reCAPTCHA v3. The reCAPTCHA Score Threshold also needs to be set. This is the minimum score for successful verification, with a value of 0 being the least restrictive and one being the most restrictive. Google recommends starting at 0.5 and adjusting it as needed to suit your requirements. When v3 is selected, the option to provide the score threshold is displayed under the reCAPTCHA settings (Configuration > System Settings > General Settings > Security).

When using Google reCAPTCHA v3, you will start capturing the scores of these automated orders in the Google reCAPTCHA dashboard. This dashboard will display the scores assigned to each submission attempt and help you adjust the reCAPTCHA Score Threshold setting to block submissions that correlate with automated submissions. This will require a fresh set of keys for reCAPTCHA v3. This has been well received in such cases.
https://docs.whmcs.com/clients/the-client-area/google-recaptcha/#enabling-recaptcha-v3

Thirdly, consider preventing users from registering without placing an order by deactivating the "Allow Client Registration" option in System Settings > General Settings > Other, as this allows spammers to easily create accounts.

Next, please make sure that you follow and implement all of the solutions provided in our documentation: https://docs.whmcs.com/orders/spam-orders/

We also suggest selecting the "Automatically set up the product as soon as the first payment is received" or "Automatically set up the product when you manually accept a pending order" provisioning options in your product configuration, so that provisioning won't occur until a payment is completed. This is specified per-product in Configuration > System Settings > Products/Services > Edit > Module Settings tab.

Importantly, please ensure you have implemented a Web Application Firewall. Whilst we don't recommend any particular provider, the following are some of the most popular:
- CloudFlare: https://www.cloudflare.com/
- Amazon CloudFront: https://aws.amazon.com/cloudfront/
- Incapsula: https://www.incapsula.com/
- KeyCDN: https://www.keycdn.com/

The system will automatically mark Inactive any Client Accounts with no active services, addons or domains, based on your Automation Settings. Please review the Client Status Update documentation for more information:
https://docs.whmcs.com/system/automation/automation-settings/#miscellaneous
https://help.whmcs.com/m/troubleshooting/l/878335-blocking-spam-orders
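Added example (not part of any post in this thread and not WHMCS code): a sketch of how a reCAPTCHA v3 siteverify response can be classified so that a key problem, which fails humans and bots alike, is told apart from a low score, plus a threshold sweep over operator-labelled scores. The action name `register`, the sample responses and the sample scores are constructed assumptions; the JSON field names and error codes follow Google's siteverify documentation.

```python
# Added illustration; inputs are constructed, no network calls are made.
CONFIG_ERRORS = {"missing-input-secret", "invalid-input-secret"}

def decide(resp, threshold=0.5, expected_action="register"):
    """Return (decision, reason) for one parsed siteverify JSON response."""
    errors = set(resp.get("error-codes", []))
    if errors & CONFIG_ERRORS:
        # A rejected secret fails every visitor: alert the operator, do not
        # count it as a blocked bot.
        return "config_error", "secret key rejected by siteverify"
    if not resp.get("success"):
        return "reject", "token invalid: " + ",".join(sorted(errors) or ["unknown"])
    if resp.get("action") != expected_action:
        # Token was minted for another form and replayed here.
        return "reject", "token issued for a different action"
    score = resp.get("score")
    if score is None:
        # Only v3 responses carry a score.
        return "config_error", "no score in response; keys may not be v3 keys"
    if score < threshold:
        return "reject", f"score {score} below threshold {threshold}"
    return "accept", f"score {score}"

# Constructed (score, is_spam) pairs, labelled by the operator after order review.
SAMPLES = [(0.1, True), (0.3, True), (0.6, True),
           (0.4, False), (0.7, False), (0.9, False)]

def sweep(samples, thresholds=(0.3, 0.5, 0.7, 0.9)):
    """Return {threshold: (spam_blocked, humans_blocked)} for each candidate."""
    out = {}
    for t in thresholds:
        spam_blocked = sum(1 for s, spam in samples if spam and s < t)
        humans_blocked = sum(1 for s, spam in samples if not spam and s < t)
        out[t] = (spam_blocked, humans_blocked)
    return out

if __name__ == "__main__":
    print(decide({"success": False, "error-codes": ["invalid-input-secret"]}))
    for t, counts in sweep(SAMPLES).items():
        print(t, counts)
```

The sweep makes the trade-off explicit: raising the threshold blocks more labelled spam but also starts rejecting real customers, which is why the starting value of 0.5 is adjusted against observed scores.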
rockhost Posted Tuesday at 04:10 PM (edited)

Greetings! Thanks to all for their input. I have implemented the CloudFlare Turnstile. Fingers crossed. Assuming time passes without any new spam registrations, is it safe to disable Invisible Captcha? I currently have both Turnstile and Invisible Captcha enabled. I successfully tested client registration and an order. I will keep you posted.

Edited Tuesday at 04:11 PM by rockhost