Prevent orders from clients with an unverified e-mail address

[WHMCS JoshQ]

Introduction

There may be use-cases where a business needs clients to verify their email address prior to permitting them to place orders.

This could be part of meeting Know-Your-Customer regulations, helping combat automated bot orders, spam or fraudulent orders.

By utilising action hooks, we can require that they have verified ownership of their e-mail address prior to being able to place an order.

This measure can form part of your multi-layered approach to combatting the risks of conducting business online.

Enable Email Verification

The first thing that we need to do is enable email verification in WHMCS - without this, adding this hook won't really achieve anything.

To do this, navigate to Configuration > System Settings > General Settings > Security (tab) in the admin area. Then, enable the Email Verification option and click Save Changes.

More information can be found in our documentation here.

Now that we've got email verification enabled, let's proceed to making our hook!

Creating the hook file

Navigate to /includes/hooks  in your WHMCS installation, and create a new file called restrictorders.php  (or something similar).

Open the file, and start by adding the opening <?php  tag, a header comment and the standard if  statement to prevent the file from being accessed directly.

<?php /* * Prevent orders from clients with an unverified e-mail * * @author WHMCS Josh Q <support@whmcs.com> * @copyright Copyright (c) WHMCS Ltd. All Rights Reserved. * @link https://www.whmcs.com/ * */ if (!defined("WHMCS")) die("This file cannot be accessed directly");

Next, we'll define a new variable, ALLOW_UNVERIFIED_EMAILS , which allows us to quickly toggle whether we'd like to enable this restriction.

# Allow clients with unverified e-mails to place orders? define("ALLOW_UNVERIFIED_EMAILS", false);

Lastly, we'll define the logic for the hook itself.

In this case, we're using the ShoppingCartValidateCheckout hook, which allows us to block orders based on our own defined logic.

We'll first check whether we're allowing accounts with unverified e-mail addresses to create orders. Where we're not (i.e. when the variable has a value of false ), we'll check whether the client a) exists and b) whether they have a verified e-mail.

The only instance in which the order can be placed is where the client exists and has verified their e-mail address.

add_hook("ShoppingCartValidateCheckout", 1, function($vars){ if (ALLOW_UNVERIFIED_EMAILS!==true){ $client = Menu::context("client"); # If they are either not a client or they don't have a verified e-mail, prevent checkout if (!is_null($client) || $client->email_verified_at!==true){ return array("You must have verified your e-mail address to checkout."); } } });

End Result

If the client has not verified their e-mail address, they'll be presented an error like the one below, and they will not be able to checkout.

The full hook script is as follows:

<?php /* * Prevent orders from clients with an unverified e-mail * * @author WHMCS Josh Q <support@whmcs.com> * @copyright Copyright (c) WHMCS Ltd. All Rights Reserved. * @link https://www.whmcs.com/ * */ if (!defined("WHMCS")) die("This file cannot be accessed directly"); # Allow clients with unverified e-mails to place orders? define("ALLOW_UNVERIFIED_EMAILS", false); add_hook("ShoppingCartValidateCheckout", 1, function($vars){ if (ALLOW_UNVERIFIED_EMAILS!==true){ $client = Menu::context("client"); # If they are either not a client or they don't have a verified e-mail, prevent checkout if (!is_null($client) || $client->email_verified_at!==true){ return array("You must have verified your e-mail address to checkout."); } } });

Disclaimer

Please note that this hook has not been extensively tested and is provided as-is without any obligation for support/further troubleshooting.

Use this at your discretion.

[bnb]

This looks like what we need to stop spamming orders.

Is there a plan to include this in WHMCS itself witho it being just a hook?

thank you

[WHMCS JoshQ]

1 hour ago, bnb said:

This looks like what we need to stop spamming orders.

Is there a plan to include this in WHMCS itself witho it being just a hook?

thank you

I'm pleased that you've found this hook helpful!

There are no plans to include this in WHMCS natively at this time.

Our hook system exists to enable you to add features like this easily, and keeping this as a hook means that you are able to customise the logic behind it.

[sahostking]

Please add this feature to WHMCS itself. Strange its not being done yet. Security/Stopping spam/Fake orders should be one of the main things WHMCS focuses on for users at this time. 

[WHMCS John]

Hi @sahostking,

We are currently tracking demand for such an option in this feature request: https://requests.whmcs.com/idea/force-email-verification-before-account-provisioning

I invite you to add your vote and comment in support, for potential consideration in future.

[ZeroMB]

Hi Josh,

 

f you're considering adding a similar feature for tickets, you could add a few lines where tickets can only be opened from unknown email addresses if they verify their email.

 

After a client creates a ticket, a verification email would be sent to their email address. Once they click on the verification link, the ticket would open. If not verified, the ticket would not open.

 

This would significantly reduce spam tickets and prevent email loops.

 

Josh! Josh! 🤗

 

Thanks.

 

[Tremfer]

Hello,

This does not work if this option is not selected : "Check to allow registration without ordering any products/services",  we have implemented the hook and still client can place an order and open an account.

we have dealing with bots for the last months and its driving us nuts, we have 30-50 fake accounts/orders per day.

[WHMCS JoshQ]

On 03/09/2024 at 20:23, Tremfer said:

Hello,

This does not work if this option is not selected : "Check to allow registration without ordering any products/services",  we have implemented the hook and still client can place an order and open an account.

we have dealing with bots for the last months and its driving us nuts, we have 30-50 fake accounts/orders per day.

Try now. I've updated the logic used by the hook very slightly.

[Tremfer]

On 9/9/2024 at 3:29 PM, WHMCS JoshQ said:

Try now. I've updated the logic used by the hook very slightly.

Thank you we have tested and there is an issue, client cannot register now since on the registration page its displaying message you need to have verified email to place an order and cannot continue.

So if the client tries to submit an order cannot pass the registration page.