How to secure WHMCS?
WHMCS Secure WHMCS is a hosting and billing management software that automates your hosting and domain business. There are many hackers as well as intruders who are trying their best to …
WHMCS is a hosting and billing management software that automates your hosting and domain business. There are many hackers as well as intruders who are trying their best to hack and exploit the WHMCS system.
WHMCS stores very sensitive data of your client like server login, clients name, card details You have a lot of data from your customers whose hosting plans are running. All of your registered domains, in addition to server access, provide a large amount of confidential data. There is a great need to protect your WHMCS system. We continuously monitor various security channels in relation to our customers’ complaints. Therefore, to avoid hackers, malware infections, and vulnerability exploits, it is necessary to follow some security measures.
Six Steps To Secure Your WHMCS
1. Securee Writable Directories
Old $attachments_dir = “/home/username/public_html/attachments/”; $downloads_dir = “/home/username/public_html/downloads/”; $templates_compiledir = “/home/username/public_html/templates_c”;
After Moving to Pricate $attachments_dir = “/home/username/whmcsdata/attachments/”; $downloads_dir = “/home/username/whmcsdata/downloads/”; $templates_compiledir = “/home/whmcsdate/username/templates_c”;
2. Secure the “configuration.php” file
Securing the configuration.php is very important because it contains database username, password and Hash Encrypt and Decrypts Key, you need to change the permissions for the “configuration.php” file which is in your WHMCS root directory. This is one of the files you cannot recover without backing up the file. adjusting the permissions for the “configuration.php” file in your WHMCS root directory. Change permission set to 400, which will help prevent accidental editing, overwriting, and deleting. Eventually, it will provide read-only access to the file and prevent anyone else from spoofing.
3. Move the Crons directory
Here, we recommend you move the crons folder to a non-public directory which is located above your web root to stop the web-based access. For the relocation, firstly, you need to choose a new location for your crons folder and secondly, uncomment the WHMCS path as well as provide the full path to your WHMCS installation. You need to add the following line to the configuration.php:
4. Restricting access by IP
To add more privacy to your admin area, you can restrict access to a particular set of IPs. This can only be done by creating a file namely, .htaccess within your admin directory of WHMCS along with the following:
order deny, allow allow from 18.104.22.168 allow from 22.214.171.124
deny from all
5. Changing WHMCS Admin Folder Name
changing whmcs admin location is very important in whmcs to secure your whmcs admin login area, to customize whmcs admin folder will help your whmcs to get more secured.
- Open the configuration.php file within your WHMCS installation’s root directory
- At the bottom of the file (before the closing PHP tag ?> if one exists), add the following line:$customadminpath = “myadminfoldername”;
- Replacing myadminfoldername with the name you wish to use for your admin directory. This should just be the directory name, not a full path.
- If your configuration.php file already contains a custom admin path definition, you can simply update the existing line
- Rename the admin directory to the name you specified in step 2 above
6. Enable SSL
the owner of whmcs, which handles all customer data through the billing application, it needs to handle the passage of more sensitive data between it and end-users. Therefore, it is important to have a valid SSL certificate that will allow you to use HTTPS as well as encrypted communication.
- Install Mod Security in Easy Apache: You can take additional steps and one of them is installing Mod security in Apache which will help in blocking SQL injection attacks.
- install imunify365 on your server
- You need to secure your physical server. For this, you need access to the files via SSH/SFTP and relocate the SSH port.
- Block all unwanted Ports on your server.
- Choose Storgae Password of your whmcs when you setup and make sure there is no other CMS platform hosted in same hosting account or sub folder like wordpress.
- One more step is to backup your server and the database files of the server.
- Install WHMCS alone on a server.