In this article we will discuss ways to help keep your WHMCS website secure.
Passwords are the keys to our everyday online life. We use them for email, banks, websites, servers, and much more. It is important that we use not only strong passwords, but passwords that nobody else knows. For more details about passwords, how to create strong passwords, and how to keep them out of the wrong hands, please click here.
WHMCS releases updates regularly. A large majority of them contain security fixes in addition to the standard feature upgrades. It is VERY important that you update your WHMCS installation as soon as possible after a new version is released, so always be on the lookout for updates that may be available.
Make sure you have an active backup plan. If your site were breached, it is possible that your data could be lost. You can protect against this by backing up your site often and storing the backups off site, either at home or with an online backup provider.
WHMCS has a very active community that can be helpful in times of need. Use the community site to search for any problems you may be having with a WHMCS feature, and keep an eye out for community members reporting security issues in the version of WHMCS you are using.
Some hosts (including us) allow you to use server-based authentication to make it harder for an attacker to crack your administrator password. This works by having two login prompts: one uses an htaccess password, while the other is the standard WHMCS administrator login. You must enter your htaccess credentials before you even see the WHMCS login form. For information on how to password-protect your administrator directory, please see the following two links.
- SiteAdmin: /control/siteadmin/siteadmin-how-to-password-protect-directories/
- cPanel: /control/cpanel/cpanel-password-protect-a-directory/
If your WHMCS site is an active site with many customers, it is a good idea to obtain an SSL certificate and require all users to use HTTPS. This provides added protection when customers place orders, log in, or register new accounts. It will also give your customers a feeling of better security because the site is using SSL.
Custom Admin Path
Normally you would access the admin panel by going to your-domain.com/admin; however, this makes it easier for attackers to try to breach your site because they already know the path to the admin login page. In addition to the secondary password mentioned above, we recommend changing the default path to the admin section to make things even more difficult for would-be attackers.
- SiteAdmin: /scripts/whmcs/whmcs-how-to-change-the-admin-folder-for-whmcs-using-siteadmin/
- cPanel: /scripts/whmcs/whmcs-how-to-change-the-admin-folder-for-whmcs-using-cpanel/
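As an added example (not from this article or from WHMCS itself) of what the first login prompt and the HTTPS requirement described above look like at the web-server level, here is an .htaccess file for the renamed admin directory. The directory name "manage-portal" and the password-file path /home/example/.htpasswd are placeholders; the control-panel links above produce equivalent settings for you.

```apache
# Added example .htaccess for the WHMCS admin directory (placeholder name:
# manage-portal). Not part of WHMCS; assumes Apache with mod_rewrite and
# mod_auth_basic enabled, which is standard on cPanel/SiteAdmin hosts.

# 1. Force HTTPS for everything under this directory so the htaccess
#    credentials and the WHMCS admin login are never sent in clear text.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. First login prompt (HTTP Basic auth) shown before the WHMCS login form.
#    The password file must live OUTSIDE public_html so it can never be
#    downloaded through the web server; /home/example/.htpasswd is a placeholder.
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/example/.htpasswd
Require valid-user

# The password file is created once from a shell with Apache's htpasswd tool,
# using bcrypt (-B) rather than the weaker default hash:
#   htpasswd -B -c /home/example/.htpasswd adminuser
# Further users are added with the same command without -c.

# 3. Deny direct access to this .htaccess and to any stray password file
#    should one ever be placed inside the directory by mistake.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

Each line in the resulting .htpasswd should begin with `adminuser:$2y$`, which confirms the bcrypt hash was used; if it does not, the htpasswd tool on the host is too old to support -B.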
When possible, use SFTP rather than standard FTP. SFTP offers a much higher level of security because it uses the SSH File Transfer Protocol and all traffic is encrypted.
For more information about SFTP, please see the following link…
We can also move the crons folder to help prevent people from accessing it and possibly spamming the domain synchronization file. For more information about what the domain sync file does, please see the following link…
For information on how to move the crons folder, please see our article on the subject by clicking one of the following links…
- SiteAdmin: /scripts/whmcs/whmcs-how-to-move-the-cron-folder-for-whmcs-using-siteadmin/
- cPanel: /scripts/whmcs/whmcs-how-to-move-the-cron-folder-for-whmcs-using-cpanel/
Attachments, Downloads and Templates_c directories
We can also help secure our website by moving the attachments, downloads and templates_c folders out of the public_html folder. For information on how to do this, please see one of the following two links…
- SiteAdmin: /scripts/whmcs/whmcs-how-to-move-the-attachments-downloads-and-templates_c-folders-using-siteadmin/
- cPanel: /scripts/whmcs/whmcs-how-to-move-the-attachments-downloads-and-templates_c-folders-using-cpanel/
This concludes our article on WHMCS security. For more general security guides, please click here.