Stop WHMCS Bot Registrations with Custom Security Hooks

Are you finding your WHMCS installation bombarded with fake accounts? Bot registrations have become a serious problem for many WHMCS users, especially those running smaller hosting operations where legitimate new registrations are infrequent.

This tutorial shows you how to implement a powerful multi-layered defence using custom hooks that block bots at every entry point. Unlike standard protection methods, this solution secures all possible registration pathways that bots commonly exploit.

Understanding the Problem of WHMCS Bot Registrations

Bot registrations in WHMCS cause several significant issues:

• Server resources become drained by unnecessary processing
• Database size increases with useless accounts
• Security risks emerge from unknown entities in your system
• Administrative time is wasted cleaning up fake accounts
• Potential credit card testing by fraudsters

Standard protection methods often fall short because bots are increasingly sophisticated. They're programmed to bypass typical security measures and exploit multiple pathways into your system.

Why Bots Can Register Even When You've "Disabled Registration"

Many WHMCS administrators are surprised to discover that disabling registration in the admin panel doesn't fully protect their system. This happens because WHMCS offers multiple entry points for new accounts:

1. The standard registration page (register.php)
2. The order/checkout process (cart.php)
3. API endpoints
4. Client creation forms

When you block one pathway, bots simply switch to another. That's why a comprehensive approach using multiple hooks is necessary.

The Multi-Hook Solution

This solution uses several hooks to block all possible registration pathways. It's particularly suitable for WHMCS installations where new legitimate registrations are infrequent or handled manually.

Complete Hook Code

Create a file called blockregistrations.php and save it in your /includes/hooks/ directory:

<?php
use WHMCS\Database\Capsule;

// ========== CONFIGURATION SECTION ==========
// Set the date when registrations should become available again
$enableRegistrationsAfter = "2025-06-30";

// Set to true if you want to receive email notifications of blocked attempts
$sendEmailNotifications = true;

// Email where notifications should be sent
$notificationEmail = "your-email@example.com";

// ========== NO NEED TO EDIT BELOW THIS LINE ==========

// Helper function to send notification emails
function sendBlockNotification($entryPoint, $email = "unknown", $ip = "unknown") {
    global $sendEmailNotifications, $notificationEmail;
    
    if (!$sendEmailNotifications || empty($notificationEmail)) return;
    
    $subject = "WHMCS - Registration Attempt Blocked";
    $message = "A registration attempt was blocked.\n\n";
    $message .= "Entry Point: " . $entryPoint . "\n";
    $message .= "IP Address: " . $ip . "\n";
    $message .= "Email: " . $email . "\n";
    $message .= "Date/Time: " . date("Y-m-d H:i:s") . "\n";
    $message .= "User Agent: " . ($_SERVER['HTTP_USER_AGENT'] ?? "unknown") . "\n";
    
    mail($notificationEmail, $subject, $message);
}

// Check if registration should be allowed based on date
function shouldBlockRegistrations() {
    global $enableRegistrationsAfter;
    return strtotime($enableRegistrationsAfter) > time();
}

// 1. Block access to the registration page
add_hook('ClientAreaPageRegister', 1, function($vars) {
    if (shouldBlockRegistrations()) {
        // Log the attempt
        logActivity("BLOCKED - Registration page access from IP: " . $_SERVER['REMOTE_ADDR']);
        
        // Send notification
        sendBlockNotification("Registration Page", "unknown", $_SERVER['REMOTE_ADDR']);
        
        // Redirect to homepage
        header("Location: index.php");
        exit;
    }
});

// 2. Block the registration form submission
add_hook('ClientRegister', 1, function($vars) {
    if (shouldBlockRegistrations()) {
        // Log the attempt
        logActivity("BLOCKED - Registration form submission - Email: " . ($vars['email'] ?? 'unknown') . " - IP: " . $_SERVER['REMOTE_ADDR']);
        
        // Send notification
        sendBlockNotification("Registration Form", $vars['email'] ?? "unknown", $_SERVER['REMOTE_ADDR']);
        
        return ['stop' => true];
    }
});

// 3. Block client creation
add_hook('ClientAdd', 1, function($vars) {
    if (shouldBlockRegistrations()) {
        // Log the attempt
        logActivity("BLOCKED - Client creation - Email: " . ($vars['email'] ?? 'unknown') . " - IP: " . $_SERVER['REMOTE_ADDR']);
        
        // Send notification
        sendBlockNotification("Client Creation", $vars['email'] ?? "unknown", $_SERVER['REMOTE_ADDR']);
        
        return ['abortWithError' => 'Registration is currently disabled.'];
    }
});

// 4. Block cart checkout for new users
add_hook('ShoppingCartValidateCheckout', 1, function($vars) {
    if (shouldBlockRegistrations()) {
        // Only block if this is a new registration
        if (empty($vars['custtype']) || $vars['custtype'] == 'new') {
            // Log the attempt
            logActivity("BLOCKED - Cart checkout registration - IP: " . $_SERVER['REMOTE_ADDR']);
            
            // Send notification
            sendBlockNotification("Cart Checkout", "unknown", $_SERVER['REMOTE_ADDR']);
            
            return ['errormessage' => 'New account registration is currently disabled.'];
        }
    }
});

// 5. Block direct access to cart for non-logged in users
add_hook('ClientAreaPageCart', 1, function($vars) {
    if (shouldBlockRegistrations()) {
        // Only redirect if they're not logged in
        if (!isset($_SESSION['uid']) || empty($_SESSION['uid'])) {
            // Log the attempt
            logActivity("BLOCKED - Cart access by non-logged in user - IP: " . $_SERVER['REMOTE_ADDR']);
            
            // Send notification
            sendBlockNotification("Cart Access", "unknown", $_SERVER['REMOTE_ADDR']);
            
            header("Location: index.php");
            exit;
        }
    }
});

// 6. Block API client creation
add_hook('APIRequest', 1, function($vars) {
    if (shouldBlockRegistrations()) {
        // Check if this is a client creation API call
        if ($vars['action'] == 'AddClient' || $vars['action'] == 'CreateClient') {
            // Log the attempt
            logActivity("BLOCKED - API client creation attempt - Action: " . $vars['action'] . " - IP: " . $_SERVER['REMOTE_ADDR']);
            
            // Send notification
            sendBlockNotification("API Client Creation", "unknown", $_SERVER['REMOTE_ADDR']);
            
            return ['abortWithError' => 'Registration via API is currently disabled.'];
        }
    }
});
?>

Implementation Guide

1. Create the hook file:
   • Copy the code above and save it as blockregistrations.php
   • Place it in your /includes/hooks/ directory
2. Configure the settings:
   • Set the date when registrations should be enabled again
   • Decide if you want email notifications
   • Enter your email address for notifications
3. Set file permissions:
   • Ensure the file has the correct permissions (typically 644)
   • The owner should be the same as your other WHMCS files
4. Test the solution:
   • Try accessing the registration page as a visitor
   • Attempt to place an order as a new customer
   • Check your activity logs to confirm blocks are working

Monitoring the Solution

After implementing the hooks, you'll want to monitor their effectiveness. Here's how to check your activity logs, even if the menu item is missing:

Accessing WHMCS Activity Logs

WHMCS 7 (and newer versions) sometimes have different menu structures. Here are several ways to access your activity logs:

1. Standard menu path: Go to "Utilities" > "Logs" > "Activity Log"
2. Alternative paths:
   • "Reports" > "Logs" > "Activity Log"
   • "Setup" > "Logs" > "Activity Log"
   • "Utilities" > "System" > "Activity Log"
3. Direct URL access:
   • Add /admin/systemactivitylog.php to your WHMCS admin URL
   • Example: https://yourdomain.com/whmcs/admin/systemactivitylog.php
4. Database access:
   • If all else fails, view the tblactivitylog table through phpMyAdmin

Look for entries beginning with "BLOCKED" to see which registration attempts have been stopped.

How This Affects Different WHMCS Installations

This solution is ideal for specific use cases:

Perfect for:

• Smaller hosting providers with few new signups
• WHMCS installations where registrations are handled manually
• Systems experiencing high volumes of bot attacks
• Temporarily blocking registrations during maintenance

Not ideal for:

• High-volume hosting providers with regular legitimate signups
• Self-service platforms where users need to register frequently
• Public marketplaces built on WHMCS

Adapting for High-Volume Signup Environments

If you run a high-volume WHMCS installation but still want protection, consider these modifications:

1. Replace the complete block with additional verification:
   • Modify the hooks to add CAPTCHA verification instead of blocking
   • Implement email verification requirements
   • Add custom verification questions
2. Use IP-based rate limiting:
   • Allow a certain number of registrations per IP address
   • Block IPs that exceed reasonable thresholds
3. Time-based restrictions:
   • Allow registrations only during business hours
   • Block suspicious patterns like multiple signups in seconds

To implement these alternatives, modify the hook functions to check conditions rather than block completely.

Additional Security Measures

While these hooks provide strong protection against bot registrations, consider these complementary security approaches:

1. Implement IP blocking for repeat offenders
2. Enable CAPTCHA on all forms for logged-in users
3. Use fraud detection services to identify suspicious activity
4. Regularly clean your database to remove any spam that gets through
5. Keep WHMCS updated to benefit from security patches

When to Re-Enable Registrations

The hook code includes a time-based feature that automatically re-enables registrations after your specified date. When you're ready to accept registrations again:

1. Either wait until your specified date passes
2. Or modify the $enableRegistrationsAfter value in the hook file
3. Or remove the hook file entirely (but keep a backup!)

Final Thoughts on WHMCS Bot Protection

Bot registrations in WHMCS can create numerous headaches for administrators. The multi-hook approach outlined here provides a comprehensive solution by blocking all known entry points that bots can exploit.

This solution is particularly valuable for smaller WHMCS installations where legitimate registrations are infrequent. By implementing these custom security hooks, you can effectively shut down bot activity while maintaining a clean, efficient system.