Prevent orders from clients with an unverified e-mail address


  • WHMCS Technical Analyst II

Introduction

There may be use-cases where a business needs clients to verify their email address prior to permitting them to place orders.

This could be part of meeting Know-Your-Customer regulations, helping combat automated bot orders, spam or fraudulent orders.

By utilising action hooks, we can require that they have verified ownership of their e-mail address prior to being able to place an order.

This measure can form part of your multi-layered approach to combatting the risks of conducting business online.

Enable Email Verification & Client Registration

The first thing that we need to do is enable email verification in WHMCS - without this, adding this hook won't really achieve anything.

To do this, navigate to Configuration > System Settings > General Settings > Security (tab) in the admin area. Then, enable the Email Verification option and click Save Changes.

More information can be found in our documentation here.

Furthermore, we will also need to permit clients to register for an account without first placing an order. That's because we need to make it so that clients can only place an order if they have a valid account with a verified e-mail address, and we can't do that through the regular buy flow.

To do this, navigate to Configuration > System Settings > General Settings > Other (tab) in the admin area. Then, enable the Allow Client Registration option and click Save Changes.

It is really important that you also make sure that you have either hCaptcha or reCAPTCHA v3 enabled in System Settings > General Settings > Security (tab) before doing this, and have a Web Application Firewall (WAF) set up in front of your installation, as per our documentation on preventing Spam Orders, to ensure that bots are unable to register for an account. Without taking these precautions, you may see an influx of spam account registrations, though it is important to note that they will still be unable to place an order without verifying their e-mail. We'd also recommend enabling a Fraud Module!

Once you've implemented all of the above, we can start writing our script.

Creating the hook file

Navigate to /includes/hooks in your WHMCS installation, and create a new file called restrictorders.php (or something similar).

Open the file, and start by adding the opening <?php tag, a header comment and the standard if statement to prevent the file from being accessed directly.

 
<?php
/*
 * Prevent orders from clients with an unverified e-mail
 *
 * @author     WHMCS Josh Q <support@whmcs.com>
 * @copyright  Copyright (c) WHMCS Ltd. All Rights Reserved.
 * @link       https://www.whmcs.com/
 *
 */

if (!defined("WHMCS"))
        die("This file cannot be accessed directly");
 

Next, we'll define a new variable, ALLOW_UNVERIFIED_EMAILS, which allows us to quickly toggle whether we'd like to enable this restriction.

 
# Allow clients with unverified e-mails to place orders?
define("ALLOW_UNVERIFIED_EMAILS", false);
 

Lastly, we'll define the logic for the hook itself.

In this case, we're using the ShoppingCartValidateCheckout hook, which allows us to block orders based on our own defined logic.

We'll first check whether we're allowing accounts with unverified e-mail addresses to create orders. Where we're not (i.e. when the variable has a value of false), we'll check whether the client a) exists and b) whether they have a verified e-mail.

The only instance in which the order can be placed is where the client exists (i.e. is logged in) and has verified their e-mail address.

 
add_hook("ShoppingCartValidateCheckout", 1, function($vars){
        if (ALLOW_UNVERIFIED_EMAILS==false){
                $client = Menu::context("client");
                if (is_null($client)) {
                        return array("You must <a href='/register.php'>register an account</a> and verify your e-mail before you can place an order.");
                }
                if ($client->isEmailAddressVerified()==false) {
                        return array("You must verify your e-mail address before you can checkout.");
                }
        }
});
 

End Result

If the client is not logged in, they will be prompted to register for an account:

[image]

If the client is logged in but has not verified their e-mail address, they'll be prompted to verify their e-mail address:

[image]

The full hook script is as follows:

 
<?php
/*
 * Prevent orders from clients with an unverified e-mail
 *
 * @author     WHMCS Josh Q <support@whmcs.com>
 * @copyright  Copyright (c) WHMCS Ltd. All Rights Reserved.
 * @link       https://www.whmcs.com/
 *
 */

if (!defined("WHMCS"))
        die("This file cannot be accessed directly");

# Allow clients with unverified e-mails to place orders?
define("ALLOW_UNVERIFIED_EMAILS", false);

add_hook("ShoppingCartValidateCheckout", 1, function($vars){
        if (ALLOW_UNVERIFIED_EMAILS==false){
                $client = Menu::context("client");
                if (is_null($client)) {
                        return array("You must <a href='/register.php'>register an account</a> and verify your e-mail before you can place an order.");
                }
                if ($client->isEmailAddressVerified()==false) {
                        return array("You must verify your e-mail address before you can checkout.");
                }
        }
});
 

Disclaimer

Please note that this hook has not been extensively tested and is provided as-is without any obligation for support/further troubleshooting.

Use this at your discretion.

Edited by WHMCS JoshQ
Ensure that clients are able to register for an account so they can verify their e-mail.
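
An added example, not part of the original post and not WHMCS code: the hook's decision factored into a plain function so it can be exercised outside WHMCS, blocking whenever verification cannot be positively confirmed. checkoutErrors() and StubClient are hypothetical names and the test cases are constructed; only isEmailAddressVerified() is taken from the post.

```php
<?php
// Added example, not WHMCS code. checkoutErrors() and StubClient are
// hypothetical names; only isEmailAddressVerified() comes from the post.

/**
 * Return the list of checkout errors for a client (empty list = allow).
 * Fails closed: anything that is not a positively verified client is blocked.
 */
function checkoutErrors($client, bool $allowUnverified): array
{
    if ($allowUnverified) {
        return [];
    }
    if ($client === null) {
        return ["You must register an account and verify your e-mail before you can place an order."];
    }
    // If the object does not expose the method (unexpected type or version),
    // block rather than let the call throw a fatal error mid-checkout.
    if (!is_object($client) || !method_exists($client, 'isEmailAddressVerified')) {
        return ["Your e-mail verification status could not be confirmed."];
    }
    if (!$client->isEmailAddressVerified()) {
        return ["You must verify your e-mail address before you can checkout."];
    }
    return [];
}

// Constructed stand-in for the client object, so the cases run without WHMCS.
final class StubClient
{
    private $verified;
    public function __construct($verified) { $this->verified = $verified; }
    public function isEmailAddressVerified() { return $this->verified; }
}

// Constructed cases: [client, value of the ALLOW_UNVERIFIED_EMAILS toggle].
$cases = [
    'guest'            => [null, false],
    'unverified'       => [new StubClient(false), false],
    'null status'      => [new StubClient(null), false],
    'wrong object'     => [new stdClass(), false],
    'verified'         => [new StubClient(true), false],
    'toggle on, guest' => [null, true],
];
foreach ($cases as $name => [$client, $allow]) {
    $errors = checkoutErrors($client, $allow);
    printf("%-18s %s\n", $name, $errors ? 'BLOCK: ' . $errors[0] : 'ALLOW');
}
```

Only the 'verified' case and the case with the toggle switched on print ALLOW; every other input is blocked.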

  • WHMCS Technical Analyst II
1 hour ago, bnb said:

This looks like what we need to stop spamming orders.

Is there a plan to include this in WHMCS itself without it being just a hook?

thank you

I'm pleased that you've found this hook helpful!

There are no plans to include this in WHMCS natively at this time.

Our hook system exists to enable you to add features like this easily, and keeping this as a hook means that you are able to customise the logic behind it.


Hi Josh,

 

If you're considering adding a similar feature for tickets, you could add a few lines where tickets can only be opened from unknown email addresses if they verify their email.

 

After a client creates a ticket, a verification email would be sent to their email address. Once they click on the verification link, the ticket would open. If not verified, the ticket would not open.

 

This would significantly reduce spam tickets and prevent email loops.

 

Josh! Josh! 🤗

 

Thanks.

 


  • WHMCS Technical Analyst II

Hi all,

The script has been updated to account for situations where a client is not already logged in.

It will now prompt the user to register for an account. Once they have an account and have verified their e-mail, they will be able to place an order.

Please be sure to review the updated post thoroughly if you are planning to use this in production, and particularly ensure that you have a Captcha and Web Application Firewall set up before proceeding.

You might all be interested in voting on this feature request if you'd like forced e-mail verification to be implemented natively:
https://requests.whmcs.com/idea/force-email-verification-before-account-provisioning

As noted in the post, please keep in mind that this is not an officially supported script, and does not come with any guarantee from us. We'll do our best to help you out via WHMCS.Community and have done our best to test it in multiple situations, but any usage of this is fully at your discretion.
