WHMCS stores sensitive customer data, so keeping it secure is crucial. Due to its ever-growing popularity, it has become more of a target to hackers than ever before. A security breach in your billing system can make or break your company.
Here’s a short guide to help secure your WHMCS installation:
Securing Writable Directories:
Writable directories are a common target for hackers because malicious code uploaded into them can be executed from there; we recommend you move them to a safe place outside your web root.
- We recommend moving writable directories like attachments, downloads, and templates_c to a non-public location outside your web root. This prevents web-based access. You can use FTP or your control panel's file manager to achieve this.
- WHMCS documentation provides detailed instructions https://help.whmcs.com/m/installation/l/1650299-securing-writeable-directories.
For example, first move each directory outside the web root, then point WHMCS to it by adding these lines to the configuration.php file (adjusting the paths to match your server):
$attachments_dir = "/home/username/attachments/";
$downloads_dir = "/home/username/downloads/";
$templates_compiledir = "/home/username/templates_c";
After you have edited this file, you will need to navigate to System Settings > Storage Settings and add the new storage locations for these folders.
Securing the configuration.php File:
Make sure no one other than the user the web server (PHP) runs as can read this file.
- This file contains sensitive WHMCS configuration details, including the database credentials. Adjust its permissions to restrict access. Use your FTP client or file manager to set permissions to 400 (read-only for owner). Note that 400 only works when the file is owned by the user PHP executes as; otherwise WHMCS will be unable to read its own configuration.
Securing the Crons Directory:
- The crons directory holds scripts for automated tasks. Move it to a non-public location above your web root for additional security. WHMCS documentation has specific instructions for this process as well https://help.whmcs.com/m/installation/l/1650299-securing-writeable-directories.
Moving the crons directory is straightforward: first move the directory outside your web root, then add the following line to configuration.php, changing the path to match the new location of your crons folder.
$crons_dir = '/home/username/whmcs_crons';
If you have already configured your crons, reconfigure them to point to the new crons directory.
If you have not already done so, rename the config.php.new file in the crons directory to config.php. Open config.php and locate the $whmcspath line.
Delete the two / characters (the comment marker) at the beginning of the line and replace /path/to/whmcs/ with the full path to your installation. For example:
$whmcspath = '/home/username/public_html/whmcs/';
Restricting Access by IP Address:
- Implement IP restrictions to limit access to the WHMCS admin area to specific IP addresses. This can be done through your web server configuration using .htaccess or WHMCS security settings.
For example, create a .htaccess file in the admin directory and add the following for Apache 2.2:
Order Deny,Allow
Deny from all
Allow from 12.34.5.67
Allow from 91.23.123.22
If you are using Apache 2.4, use the following instead:
Require ip 12.34.5.67
Require ip 91.23.123.22
This allows access from those specific IPs only.
Renaming the WHMCS Admin Directory:
- By default, the WHMCS admin area is accessible through /admin. Renaming this directory (e.g., /secure-admin) adds a layer of obscurity, making it harder for attackers to guess the login path. WHMCS documentation details how to update WHMCS to recognize the new directory location https://help.whmcs.com/m/installation/l/1650299-securing-writeable-directories.
It's quite simple to do: rename the directory, then add the line below to configuration.php, replacing example with the name of your new admin directory.
$customadminpath = "example";
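The sections above (writable directories, configuration.php permissions, the crons directory, IP restriction and the renamed admin directory) are all things you can verify from a shell after the fact. The script below is an added example written for this guide, not a WHMCS tool or part of the official documentation: it audits a WHMCS web root against those steps and prints one OK or WARN line per check. The web-root path in the usage line and the file layout it assumes (configuration.php in the web root, the default folder names) are assumptions taken from this guide.

```shell
#!/bin/sh
# Added example (not from WHMCS or the original guide): audit a WHMCS web root
# against the hardening steps in this guide and print OK/WARN lines.
# Usage: sh whmcs_audit.sh /home/username/public_html/whmcs   (path is an assumption)

# Print the octal mode of a file (GNU stat, falling back to BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Extract the quoted value assigned to $VARNAME in configuration.php (first match).
config_value() {  # config_value FILE VARNAME
  sed -n "s/^[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Run all checks; prints one line per check and returns the number of warnings.
audit_whmcs() {
  root="$1"
  cfg="$root/configuration.php"
  warnings=0

  # 1. configuration.php must exist and be readable by its owner only.
  if [ ! -f "$cfg" ]; then
    echo "WARN configuration.php not found in $root"
    return 1
  fi
  mode=$(file_mode "$cfg")
  case "$mode" in
    400|600) echo "OK   configuration.php mode $mode" ;;
    *) echo "WARN configuration.php mode $mode (guide recommends 400)"; warnings=$((warnings + 1)) ;;
  esac

  # 2. Writable directories and crons should be relocated above the web root,
  #    and configuration.php should point at the new locations.
  for pair in attachments:attachments_dir downloads:downloads_dir \
              templates_c:templates_compiledir crons:crons_dir; do
    dir=${pair%%:*}; var=${pair#*:}
    target=$(config_value "$cfg" "$var")
    if [ -d "$root/$dir" ]; then
      echo "WARN $dir still inside the web root"; warnings=$((warnings + 1))
    elif [ -z "$target" ]; then
      echo "WARN \$$var not set in configuration.php"; warnings=$((warnings + 1))
    else
      case "$target" in
        "$root"*) echo "WARN \$$var points inside the web root ($target)"; warnings=$((warnings + 1)) ;;
        *) echo "OK   $dir -> $target" ;;
      esac
    fi
  done

  # 3. Admin directory: renamed via $customadminpath, and restricted by IP.
  admin=$(config_value "$cfg" customadminpath)
  if [ -z "$admin" ]; then
    admin=admin
    echo "WARN admin area still at default /admin (set \$customadminpath)"; warnings=$((warnings + 1))
  else
    echo "OK   admin area renamed to /$admin"
  fi
  if [ -f "$root/$admin/.htaccess" ] && grep -Eq '^(Require ip|Allow from)' "$root/$admin/.htaccess"; then
    echo "OK   /$admin/.htaccess restricts access by IP"
  else
    echo "WARN no IP restriction found in /$admin/.htaccess"; warnings=$((warnings + 1))
  fi

  return "$warnings"
}

# Run against the web root given on the command line, if any.
[ $# -eq 0 ] || audit_whmcs "$1"
```

The exit status is the number of warnings, so the script can be run from cron or a deployment pipeline and treated as a failing check until every item is green. It reads configuration.php with the permissions of the user running it, so run it as the same account PHP uses (or as root).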
Restricting Database Privileges:
- Grant only the necessary permissions to the WHMCS database user. This minimizes potential damage if an attacker gains access.
For day-to-day operation you only need to grant the following database privileges; the rest can be left disabled.
- Delete
- Insert
- Select
- Update
- Lock Tables
During installation and upgrades, you additionally need the following privileges:
- Alter
- Create
- Drop
- Index
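The two privilege lists above translate into a small GRANT/REVOKE lifecycle: grant the runtime set permanently, add the schema privileges only for the duration of an install or upgrade, then revoke them again. The script below is an added example written for this guide (not WHMCS code or from its documentation) that emits the MySQL statements for each phase and checks an existing SHOW GRANTS line for anything beyond the runtime set. The database name, user and host are placeholders, and the revoke-after-upgrade step is this example's reading of the guide's two lists rather than something the guide spells out.

```shell
#!/bin/sh
# Added example (not from WHMCS or the original guide): least-privilege MySQL
# grants for the WHMCS database user, following the two privilege lists above.
# Usage: sh whmcs_grants.sh runtime|upgrade|revoke DBNAME USER HOST
# (database name, user and host are placeholders you must adjust)

RUNTIME_PRIVS="SELECT, INSERT, UPDATE, DELETE, LOCK TABLES"   # normal operation
UPGRADE_PRIVS="ALTER, CREATE, DROP, INDEX"                    # install/upgrade only

# whmcs_grant_sql PHASE DB USER HOST
#   runtime: the permanent grant for day-to-day operation
#   upgrade: add the schema privileges right before an install/upgrade
#   revoke:  remove them again once the upgrade has finished
whmcs_grant_sql() {
  phase="$1"; db="$2"; acct="'$3'@'$4'"
  case "$phase" in
    runtime) printf 'GRANT %s ON `%s`.* TO %s;\n' "$RUNTIME_PRIVS" "$db" "$acct" ;;
    upgrade) printf 'GRANT %s ON `%s`.* TO %s;\n' "$UPGRADE_PRIVS" "$db" "$acct" ;;
    revoke)  printf 'REVOKE %s ON `%s`.* FROM %s;\n' "$UPGRADE_PRIVS" "$db" "$acct" ;;
    *) echo "usage: whmcs_grant_sql runtime|upgrade|revoke DB USER HOST" >&2; return 2 ;;
  esac
}

# excess_privs "GRANT ... ON ... TO ..."
#   Given one line of SHOW GRANTS output, print each privilege that is not in
#   the runtime set, one per line. No output means the grant is already minimal.
excess_privs() {
  echo "$1" | sed -n 's/^GRANT \(.*\) ON .*/\1/p' | tr ',' '\n' | sed 's/^ *//; s/ *$//' |
    while IFS= read -r p; do
      case ", $RUNTIME_PRIVS," in
        *", $p,"*) ;;                 # allowed at runtime
        *) printf '%s\n' "$p" ;;      # anything else is excess (e.g. ALL PRIVILEGES, DROP)
      esac
    done
}

# Emit the statements for the phase given on the command line, if any.
[ $# -eq 0 ] || whmcs_grant_sql "$@"
```

Feed the output to the mysql client as an administrative user (for example, sh whmcs_grants.sh runtime whmcs whmcs localhost | mysql -u root -p), and pipe the relevant line of SHOW GRANTS FOR 'whmcs'@'localhost' into excess_privs after an upgrade to confirm the temporary privileges were actually removed.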
Enabling SSL/TLS:
- This encrypts data transmission between your server and users’ browsers, safeguarding sensitive information. Obtain an SSL certificate from a reputable provider and configure your server accordingly.
Additional Security Settings to Consider:
Additional security settings can be enabled under System Settings > General Settings > Security. We list the recommended settings below.
- Captcha Form Protection: Always On is the preferred setting, as it prevents brute-force attempts on forms.
- Captcha Type: We recommend reCAPTCHA v2 (Google’s reCAPTCHA system). The first option is rather simplistic, and the invisible captcha option often causes issues. Be sure to enter your reCAPTCHA public and private keys. You can get those from here: https://www.google.com/recaptcha/admin/create
- Captcha for Select Forms: Check the forms where you want the captcha to be displayed. We recommend checking all of them.
- Auto-Generated Password Format: We recommend the first option, which includes special characters, unless special characters cause problems with your authentication backend.
- Disable Admin Password Reset: Disable this functionality even if you have restricted access to your admin login.
- Disable Session IP Check: We recommend leaving this unchecked to protect against session hijacking. If your IP changes often, it may ask you to log back in each time. If you consistently have issues with this setting and you have already followed all security procedures, it may be safe enough to disable.
- Allow Smarty PHP Tags: Disable completely.
- API IP Access Restriction: If using the API, we recommend restricting access to it.
- CSRF Tokens: General: Enabled.
- CSRF Tokens: Domain Checker: If using, Enabled.
Additional Security Measures:
- Update WHMCS Regularly: Keep WHMCS updated with the latest security patches to address vulnerabilities.
- Strong Passwords: Enforce strong passwords for all WHMCS accounts, including admin and client logins. Consider two-factor authentication (2FA) for added protection.
- Server Hardening: Implement general server security measures like disabling unused services and keeping server software updated. Resources like cPanel’s best practices or OWASP guidelines can be helpful here.
- Regular Backups: Regularly back up your WHMCS data and server to ensure a recovery point in case of a security breach.
Remember: Security is an ongoing process. Stay informed about WHMCS security updates and best practices to maintain a secure environment for your billing system.