Know the Security Adaptations for WHMCS

You can easily manage your hosting business with WHMCS, the most powerful web hosting automation system.

Over the past few years, however, we have received many complaints about the security of WHMCS. Many hackers and intruders are actively trying to exploit WHMCS installations.

Your WHMCS installation holds a great deal of data about customers with active hosting plans. Their registered domains and their server access details are all sensitive data, so there is a real need to secure your WHMCS system.

We monitor various security channels round the clock for customer complaints. To prevent hacking, malware infection and exploitation of vulnerabilities, you need to follow some security measures.

Let us talk about the security measures:

1. Securing the Writable Directories: To prevent web-based access, we recommend moving all writable directories to a non-public location rather than keeping them in the public folder. The three writable directories are attachments, downloads and templates_c. You need to point WHMCS at the new paths by updating the following lines in the configuration.php file:

$attachments_dir = "/home/username/attachments/";
$downloads_dir = "/home/username/downloads/";
$templates_compiledir = "/home/username/templates_c";

2. Securing the "configuration.php" file: Here, you need to adjust the permissions of the configuration.php file in your WHMCS root directory. This is one of the files you cannot recover without having taken a backup. Change the permissions of this file to 400, which helps avoid accidental editing, overwriting or deletion. This leaves the file readable only by its owner and prevents anyone else from tampering with it.

3. Move the Crons directory: We recommend moving the crons folder to a non-public directory above your web root to stop web-based access. To relocate it, first choose a new location for the crons folder, and second, uncomment the WHMCS path setting and provide the full path to your WHMCS installation. Then add the following line to configuration.php:

$crons_dir = '/home/username/whmcs_crons';
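As an added example (not part of the original post or of WHMCS itself), the following Python script audits steps 1 to 3 on a configuration.php: it parses the directory settings, flags any that still resolve inside the assumed web root /home/username/public_html, and checks that the file mode is exactly 0400. The sample configuration contents and the 0644 mode are constructed for the demonstration.

```python
import posixpath
import re
import stat

# Constructed sample of the relevant configuration.php settings; two of the
# paths deliberately remain under the assumed web root /home/username/public_html.
SAMPLE_CONFIG = r'''<?php
$attachments_dir = "/home/username/attachments/";
$downloads_dir = "/home/username/public_html/downloads/";
$templates_compiledir = "/home/username/templates_c";
$crons_dir = '/home/username/public_html/crons';
'''

# The WHMCS settings covered by steps 1 and 3; all must point outside the web root.
DIR_SETTINGS = ("attachments_dir", "downloads_dir", "templates_compiledir", "crons_dir")

# Matches `$name = "value";` or `$name = 'value';` at the start of a line.
ASSIGN_RE = re.compile(r'^\s*\$(\w+)\s*=\s*(["\'])(.*?)\2\s*;', re.MULTILINE)


def parse_dir_settings(config_text):
    """Return {setting: path} for the directory settings found in configuration.php text."""
    return {name: value for name, _quote, value in ASSIGN_RE.findall(config_text)
            if name in DIR_SETTINGS}


def is_inside(path, webroot):
    """True when path equals or lies below webroot (trailing slashes normalised)."""
    p, w = posixpath.normpath(path), posixpath.normpath(webroot)
    return p == w or p.startswith(w + "/")


def dirs_inside_webroot(config_text, webroot):
    """Names of directory settings that are still web-accessible."""
    return sorted(name for name, path in parse_dir_settings(config_text).items()
                  if is_inside(path, webroot))


def config_mode_ok(st_mode):
    """True when the permission bits are exactly 0400 (owner read-only), as step 2 requires."""
    return stat.S_IMODE(st_mode) == 0o400


def audit(config_text, webroot, st_mode):
    """Collect human-readable findings for steps 1 to 3."""
    findings = [f"{name} is inside the web root; move it above it"
                for name in dirs_inside_webroot(config_text, webroot)]
    if not config_mode_ok(st_mode):
        findings.append(f"configuration.php mode is {oct(stat.S_IMODE(st_mode))}, expected 0o400")
    return findings


if __name__ == "__main__":
    # 0o644 stands in for os.stat("configuration.php").st_mode on a real server.
    for finding in audit(SAMPLE_CONFIG, "/home/username/public_html", 0o644):
        print(finding)
```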

4. Restricting access by IP: To add more privacy to your admin area, you can restrict access to a particular set of IPs. This is done by creating a .htaccess file within your WHMCS admin directory with the following content:

order deny,allow
allow from 12.34.5.67
allow from 98.76.54.32
deny from all

5. Changing the WHMCS Admin Folder Name: If you customize the URL of your WHMCS admin area, it becomes harder for malicious hackers to attack it.

6. Restricting Database Privileges: You need to assign only the following database privileges and disable the rest:

  1. Delete
  2. Insert
  3. Select
  4. Update
  5. Lock Tables

During installation and upgrades, you additionally need the following privileges:

  1. Alter
  2. Create
  3. Drop
  4. Index

7. Enable SSL: As a web host handling all customer data through the billing application, you need to protect the sensitive data passing between it and the end users. Therefore, it is important to have a valid SSL certificate, which enables HTTPS and encrypted communication.


Other Security Measures:

  1. Install ModSecurity in EasyApache: As an additional step, you can install ModSecurity in Apache, which helps block SQL injection attacks.
  2. Install mod_geoip for Apache: This is generally a custom module in EasyApache. With this module, you can block the countries you have never done business with.
  3. Secure your physical server: access files only via SSH/SFTP and relocate the SSH port.
  4. Block all outbound ports that you do not use.
  5. Use certificates to connect to the server, and set really strong passwords.
  6. Back up your server and database files.

These are the steps with which you can make your WHMCS installation more secure.


References:

https://docs.whmcs.com/Further_Security_Steps

https://whmcs.community/topic/215429-10-ways-to-make-your-whmcs-installation-more-secure/