Make WHMCS Secure: WHMCS is hosting and billing management software that automates your hosting and domain business. Over the last few years we have received many complaints about security vulnerabilities in WHMCS and its add-on modules, and there is no shortage of attackers probing and exploiting WHMCS installations.
WHMCS stores highly sensitive client data: server logins, client names and card details, along with the records of every customer whose hosting plan is active. Your registered domains and your server access credentials add a large amount of confidential data on top of that, so the WHMCS system needs real protection. We continuously monitor various security channels in connection with our customers' complaints, and to avoid intrusions, malware infections and vulnerability exploits it is necessary to follow the security measures below.
Six Steps To Secure Your WHMCS
1. Securing the Writable Directories
To prevent web-based access, move all writable directories out of the public folder into a private directory. The three writable directories are attachments, downloads and templates_c. After moving them, point WHMCS at the new paths by updating the following lines in the configuration.php file.
Old:
$attachments_dir = "/home/username/public_html/attachments/";
$downloads_dir = "/home/username/public_html/downloads/";
$templates_compiledir = "/home/username/public_html/templates_c";
After moving to the private directory:
$attachments_dir = "/home/username/whmcsdata/attachments/";
$downloads_dir = "/home/username/whmcsdata/downloads/";
$templates_compiledir = "/home/username/whmcsdata/templates_c";
2. Securing the “configuration.php” file
Securing configuration.php is very important because it contains the database username and password and the hash and encryption/decryption keys. It is one of the files you cannot recover without a backup. Adjust the permissions of the configuration.php file in your WHMCS root directory: set them to 400, which helps prevent accidental editing, overwriting and deletion. The file then becomes read-only for its owner (the account PHP runs as must own it so that WHMCS can still read it) and nobody else can read or tamper with it.
3. Move the Crons directory
We recommend moving the crons folder to a non-public directory above your web root so that it cannot be reached over the web. First choose a new location for the crons folder; then uncomment the WHMCS path setting and give it the full path to your WHMCS installation. Add the following line to configuration.php:
4. Restricting access by IP
To further restrict your admin area, you can limit access to a particular set of IP addresses. Do this by creating a .htaccess file inside the WHMCS admin directory with the following contents (the Order keywords must be separated by a comma with no space):
order deny,allow
allow from 22.214.171.124
allow from 126.96.36.199
deny from all
5. Changing WHMCS Admin Folder Name
Changing the location of the WHMCS admin folder makes the admin login area harder to find and adds a further layer of protection to it.
- Open the configuration.php file within your WHMCS installation’s root directory
- At the bottom of the file (before the closing PHP tag ?> if one exists), add the following line: $customadminpath = "myadminfoldername";
- Replace myadminfoldername with the name you wish to use for your admin directory. This should be just the directory name, not a full path.
- If your configuration.php file already contains a custom admin path definition, simply update the existing line.
- Rename the admin directory to the name you specified in step 2 above
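As an added example (not WHMCS's own code), the following POSIX shell script audits one install against steps 1 to 5 above: writable directories and crons outside the web root, configuration.php at mode 400, a renamed admin folder, and an IP-restricting .htaccess in it. It assumes a Linux host with GNU stat(1); the install paths and the 203.0.113.10 allow-list address in the demo are constructed.

```shell
#!/bin/sh
# Added example, not WHMCS's own code: audit one WHMCS install against steps 1-5
# above. Assumes a Linux host with POSIX sh and GNU stat(1); paths are hypothetical.
# Print the value of $var ($2) from configuration.php ($1); empty when unset.
whmcs_setting() {
    grep -E "^[[:space:]]*[\$]$2[[:space:]]*=" "$1" | head -n 1 |
        sed -E "s/^[^'\"]*['\"]([^'\"]*)['\"].*/\1/"
}
# Succeed when path $1 lies outside web root $2 (steps 1 and 3).
outside_webroot() {
    root=${2%/}
    case "${1%/}" in "$root"|"$root"/*) return 1 ;; *) return 0 ;; esac
}
# Octal permission bits of a file, e.g. 400 (step 2).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
# Succeed when the admin directory's .htaccess denies everyone not allow-listed (step 4).
admin_ip_restricted() {
    [ -f "$1/.htaccess" ] &&
        grep -Eiq '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all' "$1/.htaccess"
}
# Print one PASS/FAIL line per check and return the number of failures.
# $1 = WHMCS root (holds configuration.php), $2 = public web root.
audit_whmcs() {
    cfg="$1/configuration.php"; fails=0
    for var in attachments_dir downloads_dir templates_compiledir; do
        dir=$(whmcs_setting "$cfg" "$var")
        if [ -n "$dir" ] && outside_webroot "$dir" "$2"; then echo "PASS $var = $dir"
        else echo "FAIL $var unset or inside web root: $dir"; fails=$((fails + 1)); fi
    done
    if [ "$(file_mode "$cfg")" = 400 ]; then echo "PASS configuration.php mode 400"
    else echo "FAIL configuration.php mode $(file_mode "$cfg"), want 400"; fails=$((fails + 1)); fi
    admin=$(whmcs_setting "$cfg" customadminpath)
    if [ -n "$admin" ] && [ "$admin" != admin ]; then echo "PASS admin folder renamed: $admin"
    else echo "FAIL admin folder still named admin"; fails=$((fails + 1)); admin=admin; fi
    if admin_ip_restricted "$1/$admin"; then echo "PASS $admin/.htaccess restricts by IP"
    else echo "FAIL $admin/.htaccess missing or lacks 'deny from all'"; fails=$((fails + 1)); fi
    return $fails
}
# Demo on a constructed, fully hardened install under a temporary directory
# (the 203.0.113.10 allow-list address is a documentation IP, not a real one).
demo_hardened_install() {
    base=$(mktemp -d); web="$base/public_html"; mkdir -p "$web/myadmin" "$base/whmcsdata"
    printf '<?php\n$attachments_dir = "%s/whmcsdata/attachments/";\n$downloads_dir = "%s/whmcsdata/downloads/";\n$templates_compiledir = "%s/whmcsdata/templates_c";\n$customadminpath = "myadmin";\n' \
        "$base" "$base" "$base" > "$web/configuration.php"
    printf 'order deny,allow\nallow from 203.0.113.10\ndeny from all\n' > "$web/myadmin/.htaccess"
    chmod 400 "$web/configuration.php"
    audit_whmcs "$web" "$web"; rc=$?; rm -rf "$base"; return $rc
}
demo_hardened_install   # prints six PASS lines
```

To audit a real install, source the file and run audit_whmcs with the WHMCS root and the public web root, e.g. audit_whmcs /home/username/public_html /home/username/public_html; a non-zero exit status is the number of failed checks.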
6. Enable SSL
The WHMCS owner, whose billing application handles all customer data, also has to move that sensitive data between the application and end users. A valid SSL certificate is therefore essential so that every page, including the client and admin areas, is served over HTTPS and all communication is encrypted.