All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Info : How to Secure Your WHMCS ?
WHMCS has many features built-in to help keep your data safe, but there are several extra steps that we can take to secure your WHMCS installation even further.
It is recommeded that you are using the latest version of WHMCS. If you are not you can select that you want us to apply the latest updates or patch when ordering.
MANDATORY STEPS : Details are Here : http://docs.whmcs.com/Further_Security_Steps
These Mandatory steps Include :
- Keep WHMCS on a Separate VPS ( Dont use Shared Hosting )
- Change your WHMCS Admin Folder Name.
- Password Protect the Admin Directory.
- Move the attachments, downloads & templates_c folders outside public_html
- Move the crons folder outside public_html
- Restrict Access by IP using .htaccess
OPTIONAL STEPS :
Install Mod Security in Easy Apache : Using the default rules are better than nothing, though additional rules are available. It can help block SQL injection attacks.
Install mod_geoip for apache : It is a custom module in Easy Apache. Using this you can block countries you never do business with. Want to block the whole country of Florin, it's easy to do by adding a few lines in your .htaccess file, once mod_geoip is installed.
Secure the physical server : Only access files on it via SSH/SFTP and relocate the SSH port to something other than 22.
Use hosts.allow : Prevent SSH access from all but specific locations.
Use the built if firewall or a physical firewall to lock the server down. If you never receive email on the server, block incoming port 110, 25, etc. Block port 21 (FTP) as it is insecure. Basically default to blocked for everything and then just open the ports you use.
Block all outbound ports except those you use. e.g. 80, 443, 25, New_SSH_Port, etc.
Install csf http://configserver.com/cp/csf.html it makes it easier to secure yout server. ban any IP that you fins suspecious.
Use certificates to connect to the server and set really strong passwords.
Block root login via SSH, once everything is set.
Backup your server and database files off the server. Keep Backups on a SEPARATE Offsite location. A good backup is like a parachute, if you don't have one when you need it, it's too late.
Avoid having Wordpress or similar Installs on the server with WHMCS.
Dont Install Untested / UnSafe Addon Modules.
You can consider moving your config.php file outside of the public_html/whmcs directory and calling it with a simple include - and then you can also encrypt the files if you wish for additional security.
When possible use sFTP rather than standard FTP. sFTP offers a much higher security layer because it uses the SSH file transfer protocol and all traffic is encrypted.
Use a SSL. SSL boosts your client's confidance and provides an added security when placing orders, logging in, or registering new accounts. It will also give your customers a feeling of better security because the site is using SSL.
Security Addons : A few Addons are also available to make things eaisier for you :
Security Plus : Add extra security features to your WHMCS Installation. Know right away file system status, and track any changes via md5 and time-stamp verification.
Info : http://www.whmcs.com/appstore/3050/Security-Plusplus.html
File Monitor : The File Monitor for WHMCS will scan your WHMCS files recognising when a file has been modified, created or deleted and then notify you via email.
Info : http://www.whmcs.com/appstore/1830/File-Monitor-Security-Scanner.html
Two factor Authentication : For the client area and admin area, this system supports sending tokens via SMS using Twilio, Authy, and Google Authenticator
Info : http://www.whmcs.com/appstore/958/Two-Factor-Auth.html
LatchWHMCS : Use Latch and this module to protect your admin panel and admin accounts against password theft, denying access to hackers and allowing access through Lath's applications for iOS, Android and Windows Phone.
Info : http://www.whmcs.com/appstore/2314/LatchWHMCS-protect-admin-panel.html
More Suggestions Are Welcome ( I'll add Them in the List ).
Thank You.
Referances :
Comments
Nice copy and paste from https://forum.whmcs.com/showthread.php?80347-10-ways-to-make-your-WHMCS-installation-more-secure
wouldn't it be nice if the default WHMCS install sorted most of this our for you.
I'm sure that my thread having recommendation "rm -rf /" would get more likes but I didn't post because I don't have any link to put in sign :P
From experience.
Remove unused modules that are all over the place.
Change Admin & Uploads Dir
Lock down permissions (I fail to understand why they cant do this)
**Don't be an idiot with your server security. **
And a simple cron job couldn't do this for you? Without exposing yet more addons to the world?
Copy post from WHMCS
Post at LET
Have link in signature
?????
PROFIT
i just wonder if blesta is more secure or whmcs...
Blesta has been coded from the beginning with security in mind, and the majority of it's code is not obfuscated/encrypted like WHMCS. WHMCS has never been security audited (at least externally) as far as I know, so I trust Blesta more than WHMCS.
Lets see who knows their US cities/states....
Well there are dummies who even fail to search this stuff so I think its not so bad to put it on here. Good work even if its a copy / paste you made an effort
@XiNiX
Obviously you weren't here and were able to read the thread earlier. He hada thing at the bottom, send me ideas to improve. essentially taking credit...
"300 miles. Close enough"
atlanta seems closer to miami than I remember
Oh I wasn't aware of that I guess.., I only check in to look for drserver thread questions if any left unanswered thats all.
All of you say that he copy/paste them from whmcs forum, but nobody had an ideea to make such tutorial before now, yes, it is a bad thing that he paste it from there, but still, had good intentions to put some good infos.. that would help some Summer Companies from here.
I hate people who copy and paste and doesn't even have the decency to indicate source.
Delete WHMCS folder, 100% Secure.. Trust me
Atleast, the guy who opened the thread added something good to thecommunity .
He has placed the sources/credits as well.
He didn't place the source/credits when he initally created the thread :-)
Plz dont lie. I had visited this thread when it was osted, I remember , He updated the post several times and himself asked for suggestions and edits.
Just check the source and his post, quite different. He has added a lot of extras. Is it a crime to Finish your whole post ( it takes time ) and then add credits ?
If you care to focus on the message rather messenger , you can understand that he probably waited to go till the end, finish his thread and add credits in the last edit.
I guess, Bashing and Meaningless Patroling is better than , adding something constructive, praising someones efforts and have a little patience to invest your thoughts positively.
With the new WHMCS 6, its a nice update the default template is actually quite nice if you twist it up a little.
@XiNiX
Do I need to change settings somewhere to let WHMCS know where they were moved to?
How? Can you show an example?
A. Yes, after changing the location of the three writable folders, you need to mention the location in configuration.php file.
$customadminpath = "myfoldername";B. For .htaccess access restriction, the trick is to allow all the safe IPs from where you would frequently access the Admin Area, while blocking the rest.
Suppose I have two IPs from which i can access the Admin Area 12.34.5.67 & 98.76.54.32 :
If you have a dynamic IP, you can add IP ranges as well like :
allow from 98.76.54.I'm not lying as he didn't put the credits when it was posted, as you can see from when i posted originally.
Stop trying to make yourself seem innocent.
Thank you so much. That is definitely very helpful.
@XiNiX I understand what the worst thing could happened when leaving the admin folder and .htaccess as is. But how about the three folders template_c, attachments and downloads? What is the worst thing could happen when leaving these three folders in their original places?
Plz dont troll. Dont think you can READ everyones mind.
You never answered the logical statemwnt i gave, why couldnt you wait for the EDIT eriod of LET to be over so that one can verify your pain ?
As far as i can see is, This is not his first tutorial and this one includes credit. You are unnecessarily trying to make fuss out of nothing and have left no effort to ruin this useful thread ( I wish you could have invested your energy to come up with a similar thread rather being jealous of other,s efforts )
There are Mods, for a purpose at LET you can report a thread.
You can PM a mod and they can tell you the original posting did not include credit
So once again keep thinking i'm trolling little one, when i'm only stating facts.
These are the folders which have permission 777. Its safe to have these out to a different location. To be honest, even after all these methods, you can be hacked, the best you can do is to leave no stone unturned from your side.
Above all, make sure you have daily backups of your datatabase. This is done automatically in WHMCS.
@XiNiX I understand they have permission 777. But what could happen when hackers take advantage of the 777 permission? Are the module authors the dangerous people who can take advantage of these 777 folders, or are there any other possibilities?
Thanks guys, it is very useful guide !