Securing WHMCS?
elijahpaul
Member
Providers using WHMCS.
Apart from the recommended security measures (http://docs.whmcs.com/Further_Security_Steps), what extra steps have you taken to secure your WHMCS install?
Comments
Run WHMCS on a separate server to your clients.
If you need complete security:
Feel free to replace "whmcs" with the directory WHMCS is installed on.
Just make sure WHMCS is the only thing on that directory or you might delete something that actually has no security holes.
Please make relavent comments regarding to what OP asked.
@elijahpaul
Please replace your admin directory and protect it with .htpasswd-based authentication. To be extra careful, please run WHMCS on a completely different server with a strong VPS password. We do offer managed WHMCS hosting on our end; please let me know if you're interested by dropping a message @ support [at] readydedi.com or phoenix.talisman on Skype.
<shameless sales plug>
I'd also limit the database down to the webserver WHMCS is running on.
:P
Please make relavent (usually relevant) comments regarding to what OP asked.
Good one
I made a relavent comment + offer at the same time :P
Run a WAF, an IPS, an integrity checker, etc. on the isolated server where you are running WHMCS. I don't know which functions are required by WHMCS, but there's a lot to disable for security in PHP.
"mod_security"? Uhum. Use a solid server (hint: not apache) and be anal about keeping it up to date.
Be anal too about keeping your OS up to date.
There is more. But as long as by far most WHMCS run on linux, apache (php, mysql (or clone)) and use OpenSSL that question is somewhat akin to "How can I make my bicycle bullet proof?".
You may wish to turn off the remote license debug.
http://lowendtalk.com/discussion/8689/how-to-block-whmcs-licensedebug
Thanks everyone for your input. Much appreciated.
Except the irrelevance of all your offers generally cancels out any remotely relevant statement you might have made.
This is actually the correct answer.
Just do further security steps at that link you posted and you will be fine.
If you already have WHMCS set up and have customers with PayPal subscriptions, you don't want to start moving directories around. PayPal subscriptions won't work after you do that, and PayPal does not give you the option to change that, not even if you contact them and ask them to do it. I learned the hard way.
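
One reply above suggests limiting the database to the webserver WHMCS runs on. The following is an added example, not code from any poster in the thread: it audits the host part of the MySQL accounts used by WHMCS and flags any entry that admits more than that one webserver. The account name `whmcs`, the addresses, the hostname and the function names are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample rows, shaped like the output of
#   SELECT user, host FROM mysql.user WHERE user = 'whmcs';
# Account name, addresses and hostname are assumptions, not real data.
SAMPLE_ROWS = [
    ("whmcs", "10.0.0.5"),
    ("whmcs", "%"),
    ("whmcs", "10.0.0.%"),
    ("whmcs", "10.0.0.0/255.255.255.0"),
    ("whmcs", "localhost"),
    ("whmcs", "web1.example.internal"),
]

def classify_host(host, webserver_ip, same_machine=False):
    """Classify one MySQL account host value against the WHMCS webserver IP.

    Returns 'ok', 'too-broad', 'other-host' or 'hostname'.
    """
    web = ipaddress.ip_address(webserver_ip)
    if "%" in host or "_" in host:
        return "too-broad"              # SQL wildcards admit many clients
    if "/" in host:                     # MySQL ip/netmask form
        try:
            net = ipaddress.ip_network(host, strict=False)
        except ValueError:
            return "hostname"
        if net.num_addresses > 1:
            return "too-broad"
        return "ok" if web in net else "other-host"
    if host in ("localhost", "127.0.0.1", "::1"):
        # Only acceptable when WHMCS and MySQL share one machine.
        return "ok" if same_machine else "other-host"
    try:
        return "ok" if ipaddress.ip_address(host) == web else "other-host"
    except ValueError:
        return "hostname"               # depends on DNS; review by hand

def audit(rows, webserver_ip, same_machine=False):
    """Return (user, host, verdict) for every row that is not 'ok'."""
    return [(u, h, v) for u, h in rows
            if (v := classify_host(h, webserver_ip, same_machine)) != "ok"]

if __name__ == "__main__":
    for user, host, verdict in audit(SAMPLE_ROWS, "10.0.0.5"):
        print(f"{user}@{host}: {verdict}")
```
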