WHMCS Security – 7 Best Practices To Follow in 2024

You can easily manage your hosting business with the most powerful web hosting automation system i.e. WHMCS. But over the past few years, we’ve been getting so many complaints against the Security Adapts for WHMCS. There are so many hackers as well as intruders who are trying their best to exploit the WHMCS system.

You have a lot of data of your customers whose hosting plans are in the running state. All of their domains registered plus their server access indulges a lot of sensitive data. There is a big need to secure your WHMCS system. We monitored various security channels round the clock of our customer complaints. So, to prevent hacking, malware infection as well as vulnerability exploits, one needs to follow some WHMCS security best practices .

WGS VMware WHMCS Module

Let us Talk About the WHMCS Security 7 Best Practices:

1. Securing the Writable Directories

To prevent web-based access, we recommend moving all the writable directories to a non-public directory rather than keeping them in the public folder. The three directories which can be written are attachments, downloads as well as templates_c. So, you need to add new paths to these directories by updating the following lines in the configuration.php file.

$attachments_dir = “/home/username/attachments/”;
$downloads_dir = “/home/username/downloads/”;
$templates_compiledir = “/home/username/templates_c”;

2. Securing the “configuration.php” file

Here, you need to adjust the permissions for the “configuration.php” file which is in your WHMCS root directory. This is one of the files which you cannot recover without taking a backup of the file. You need to change the permission setting of this file to 400 which will help in avoiding accidentally editing, overwriting as well as deleting. It will eventually provide read-only access to the file and prevent anyone else from spoofing.

3. Move the Crons directory

Here, we recommend you move the crons folder to a non-public directory which is located above your web root to stop the web-based access. For the relocation, firstly, you need to choose a new location for your crons folder and secondly, uncomment the WHMCS path as well as provide the full path to your WHMCS installation. You need to add the following line to the configuration.php:

$crons_dir= ‘/home/username/whmcs_crons’;

4. Restricting access by IP

To add more privacy to your admin area, you can restrict access to a particular set of IPs. This can only be done by creating a file namely, .htaccess within your admin directory of WHMCS along with the following:

order deny, allow
allow from
allow from

deny from all

5. Changing WHMCS Admin Folder Name

If you customize the URL of your WHMCS admin area, then it will be tough for malicious hackers to attack it.

6. Restricting Database Privileges

You need to assign only the following database privileges and the rest you can disable.

  1. Delete
  2. Insert
  3. Select
  4. Update
  5. Lock Tables
During the installation as well as upgrading, you need the following privileges
  1. Alter
  2. Create
  3. Drop
  4. Index

7. Enable SSL

As a web hoster, who handles the entire customer data via billing application, need to take care of the most sensitive data passing between it and the end-users.Therefore, it is important to have a valid SSL certificate that will enable the use of HTTPS as well as encrypted communication.

Other WHMCS Security Measures

  1. Install Mod Security in Easy Apache: You can take additional steps and one of them is installing Mod security in Apache which will help in blocking SQL injection attacks.
  2. Install mod_geoip for apache: It is generally a custom module in Easy Apache. With the help of this module, you can block the countries you’ve never done business with.
  3. You need to secure your physical server. For this, you need access to the files via SSH/SFTP and relocate the SSH port.
  4. You need to block all the outbound ports which are not of your use.
  5. Make use of the certificates to connect the server and you must set really strong passwords for this.
  6. One more step is to backup your server and the database files of the server.

So, these are the steps with which you can make your WHMCS more secure.

References: https://docs.whmcs.com/Further_Security_Steps


Paid vs Free SSL Certificates: Which One Should You Pick in 2023?

Looking for Something More? We can help!

Our WHMCS experts are ready to accept your custom requirements.