Preventing Fake Registrations in WHMCS: How to Address This Issue Without Third-Party Addons

[Tipu Sultan]

Hi WHMCS Community,

We’ve been facing an increasing number of fake registrations on our platform recently, and I’m looking for advice on how to prevent this issue without relying on third-party addons. While I understand there are many external solutions available, I’d prefer to explore options that are built directly into WHMCS or via custom configurations.

Here are the steps I’m considering and would like feedback on:

• Email Verification: Ensuring that users verify their email addresses before completing registration.

• Captcha Integration: Adding a CAPTCHA to the registration form to prevent automated sign-ups.

• Custom Validation: Using custom fields or validation logic to prevent suspicious or malformed registrations.

• Rate Limiting: Limiting the number of registrations from a single IP address within a specific time period.

• Blacklist Management: Adding known fake email addresses or domains to a blacklist.

Has anyone successfully implemented such measures in WHMCS? I’d appreciate any tips or recommendations to minimize fake sign-ups efficiently. Thanks in advance!

Best Regards,
Tipu Sultan

[websavers]

The email verification system in WHMCS doesn't have the option to prevent user registration prior to email verification - you would have to use either a 3rd party addon for this or some custom hook code (essentially the same thing) to make it happen. However doing it this way is likely to be fairly effective - have not actually implemented it in part because the custom hooks make for a less clear user-process to verify their email before ordering/registration. 

We're using hCaptcha on the registration form - works to get about 95% of the bot signups. We used the same thing on our website contact form with similar results, so then we thought maybe CloudFlare Turnstile would get the remaining 5% so we switched to that, and it did not catch any more than hCaptcha did.

Previously we used a custom field with a simple passcode - but then we needed to supply people with the passcode before registering which wasn't always easy to do and annoyed some users.

Rate Limiting seems like a great idea, though I'm pretty confident most of the bot registraitons we've had have all been from different IPs, so it's only going to be partially effective.

None of our bot registrations used the same email address or same pattern (whether mailname or domain), so blacklisting wasn't an effective solution.

[WHMCS John]

Hi @Tipu Sultan,

Our suggestions for helping protect your online forms from automated bot submissions are here: https://docs.whmcs.com/orders/spam-orders/

We have found that using the latest reCAPTCHA v3 or hCaptcha are the most effective options. You can then adjust the Threshold setting until the automated submissions are stopped.