Info : How to Secure Your WHMCS ?

XiNiX Member, Host Rep
edited July 2015 in Tutorials

WHMCS has many features built-in to help keep your data safe, but there are several extra steps that we can take to secure your WHMCS installation even further.

It is recommended that you are using the latest version of WHMCS. If you are not, you can select that you want us to apply the latest updates or patch when ordering.

MANDATORY STEPS : Details are Here : http://docs.whmcs.com/Further_Security_Steps

These Mandatory steps Include :

  • Keep WHMCS on a Separate VPS (Don't use Shared Hosting)
  • Change your WHMCS Admin Folder Name.
  • Password Protect the Admin Directory.
  • Move the attachments, downloads & templates_c folders outside public_html
  • Move the crons folder outside public_html
  • Restrict Access by IP using .htaccess

OPTIONAL STEPS :

  1. Install Mod Security in Easy Apache : Using the default rules is better than nothing, though additional rules are available. It can help block SQL injection attacks.

  2. Install mod_geoip for apache : It is a custom module in Easy Apache. Using this you can block countries you never do business with. Want to block the whole country of Florin, it's easy to do by adding a few lines in your .htaccess file, once mod_geoip is installed.

  3. Secure the physical server : Only access files on it via SSH/SFTP and relocate the SSH port to something other than 22.

  4. Use hosts.allow : Prevent SSH access from all but specific locations.

  5. Use the built-in firewall or a physical firewall to lock the server down. If you never receive email on the server, block incoming ports 110, 25, etc. Block port 21 (FTP) as it is insecure. Basically, default to blocked for everything and then just open the ports you use.

  6. Block all outbound ports except those you use. e.g. 80, 443, 25, New_SSH_Port, etc.

  7. Install csf http://configserver.com/cp/csf.html ; it makes it easier to secure your server. Ban any IP that you find suspicious.

  8. Use certificates to connect to the server and set really strong passwords.

  9. Block root login via SSH, once everything is set.

  10. Backup your server and database files off the server. Keep Backups on a SEPARATE Offsite location. A good backup is like a parachute, if you don't have one when you need it, it's too late.

  11. Avoid having Wordpress or similar Installs on the server with WHMCS.

  12. Don't Install Untested / Unsafe Addon Modules.

  13. You can consider moving your config.php file outside of the public_html/whmcs directory and calling it with a simple include - and then you can also encrypt the files if you wish for additional security.

  14. When possible use sFTP rather than standard FTP. sFTP offers a much higher security layer because it uses the SSH file transfer protocol and all traffic is encrypted.

  15. Use SSL. SSL boosts your clients' confidence and provides added security when placing orders, logging in, or registering new accounts. It will also give your customers a feeling of better security because the site is using SSL.

Security Addons : A few Addons are also available to make things easier for you :

Security Plus : Add extra security features to your WHMCS Installation. Know right away file system status, and track any changes via md5 and time-stamp verification.

Info : http://www.whmcs.com/appstore/3050/Security-Plusplus.html

File Monitor : The File Monitor for WHMCS will scan your WHMCS files recognising when a file has been modified, created or deleted and then notify you via email.

Info : http://www.whmcs.com/appstore/1830/File-Monitor-Security-Scanner.html

Two factor Authentication : For the client area and admin area, this system supports sending tokens via SMS using Twilio, Authy, and Google Authenticator

Info : http://www.whmcs.com/appstore/958/Two-Factor-Auth.html

LatchWHMCS : Use Latch and this module to protect your admin panel and admin accounts against password theft, denying access to hackers and allowing access through Latch's applications for iOS, Android and Windows Phone.

Info : http://www.whmcs.com/appstore/2314/LatchWHMCS-protect-admin-panel.html

More Suggestions Are Welcome ( I'll add Them in the List ).

Thank You.

References :

  1. https://forum.whmcs.com/showthread.php?80347-10-ways-to-make-your-WHMCS-installation-more-secure

  2. http://www.whmcs.com/appstore/2/Admin-Area-Addons

  3. http://www.webhostingtalk.com

Thanked by 2: blogmaster, elgs
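Steps 3, 8 and 9 in the list (move SSH off port 22, use keys rather than passwords, block root login) are the kind of thing that silently regresses after a package update or a hurried edit, so they are worth checking from cron. The script below is an added example, not part of the post above or of WHMCS: it reads the global section of an sshd_config and prints one OK/FAIL line per item. The sample config is constructed for the example, and the defaults assumed for absent keywords are those of current OpenSSH (Port 22, PermitRootLogin prohibit-password, PasswordAuthentication yes, PubkeyAuthentication yes).

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config for the SSH items in the
# list (non-default port, key-only authentication, root login blocked).
# On a real server call: audit_sshd /etc/ssh/sshd_config

# Effective global value of a keyword, lower-cased. sshd uses the first
# occurrence, keywords are case-insensitive, and anything after the first
# "Match" line is conditional, so the scan stops there.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/          { next }
        tolower($1) == "match"        { exit }
        tolower($1) == tolower(key)   { print tolower($2); exit }
    ' "$1"
}

# Print one OK/FAIL line per item and return the number of failures
# (0 = all good). Defaults applied for absent keywords are OpenSSH's.
audit_sshd() {
    port=$(sshd_value "$1" Port);                    : "${port:=22}"
    root=$(sshd_value "$1" PermitRootLogin);         : "${root:=prohibit-password}"
    pass=$(sshd_value "$1" PasswordAuthentication);  : "${pass:=yes}"
    pub=$(sshd_value "$1" PubkeyAuthentication);     : "${pub:=yes}"
    fails=0

    if [ "$port" != "22" ]; then echo "OK   Port $port"
    else echo "FAIL Port 22 (move SSH to a non-default port)"; fails=$((fails + 1)); fi

    if [ "$root" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "FAIL PermitRootLogin $root (block root login)"; fails=$((fails + 1)); fi

    if [ "$pass" = "no" ] && [ "$pub" = "yes" ]; then echo "OK   key-only authentication"
    else echo "FAIL PasswordAuthentication $pass / PubkeyAuthentication $pub (use keys)"; fails=$((fails + 1)); fi

    return "$fails"
}

# Constructed sample: port moved, but root and password logins still allowed.
# The Match block must not be mistaken for the global PasswordAuthentication.
SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
Port 2222
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
'

# Write the sample to a temp file, audit it, return the failure count (2 here).
demo() {
    f=$(mktemp) || return 1
    printf '%s' "$SAMPLE_SSHD_CONFIG" > "$f"
    rc=0; audit_sshd "$f" || rc=$?
    rm -f "$f"
    return "$rc"
}
```

Run it from cron as any unprivileged user that can read sshd_config; a non-zero exit is the signal to alert on. The only subtlety is the Match handling: a `PasswordAuthentication no` that lives under `Match User backup` applies to that user only, and an audit that takes it as the global value would pass a server that still accepts passwords for everyone else.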

Comments

  • Bruce Member

    Wouldn't it be nice if the default WHMCS install sorted most of this out for you.

    Thanked by 2: agentmishra, elgs
  • Sady Member

    I'm sure that my thread having recommendation "rm -rf /" would get more likes but I didn't post because I don't have any link to put in sign :P

    Thanked by 1: eastonch
  • From experience.

    Remove unused modules that are all over the place.
    Change Admin & Uploads Dir
    Lock down permissions (I fail to understand why they can't do this)

    **Don't be an idiot with your server security.**

    XiNiX said: File Monitor : The File Monitor for WHMCS will scan your WHMCS files recognising when a file has been modified, created or deleted and then notify you via email.

    And a simple cron job couldn't do this for you? Without exposing yet more addons to the world?

    Thanked by 1: XiNiX
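The "simple cron job" mentioned in the comment above, as an added example that is not part of the thread or of any WHMCS addon: it keeps a baseline of content hashes and modification times for the install and, on later runs, reports files that were modified, created or deleted, which is what the File Monitor and Security Plus addons describe doing with md5 and timestamps. The install path, the baseline location and the exclusion of templates_c are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a cron-driven integrity check for a WHMCS
# install. First run records a baseline; later runs print one line per change.
# Assumed paths for a real install (placeholders):
#   WHMCS_DIR=/home/username/public_html/whmcs
#   BASELINE=/home/username/whmcs-baseline.txt   (outside the web root, and
#            ideally copied off-box, so an intruder cannot rewrite it too)
#   cron:   0 * * * * /path/to/this.sh   (cron mails any output to the admin)

# Snapshot every regular file under $1 as "hash<TAB>mtime<TAB>path".
# templates_c is skipped: compiled templates change on every render and would
# only produce noise. sha256sum is preferred, md5sum is the fallback.
snapshot() {
    hasher=sha256sum
    command -v sha256sum >/dev/null 2>&1 || hasher=md5sum
    ( cd "$1" && find . -type f ! -path './templates_c/*' -print | LC_ALL=C sort |
      while IFS= read -r f; do
          h=$($hasher "$f" | cut -d' ' -f1)
          m=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f")
          printf '%s\t%s\t%s\n' "$h" "$m" "$f"
      done )
}

# Compare baseline ($1) with a fresh snapshot ($2). Output lines:
#   MODIFIED path   content hash changed
#   TOUCHED  path   same content, new mtime (a touch, or a restore from backup)
#   CREATED  path / DELETED path
compare() {
    awk '
        BEGIN { FS = "\t" }
        FILENAME == ARGV[1] { hash[$3] = $1; mtime[$3] = $2; next }
        {
            if (!($3 in hash))          print "CREATED " $3
            else if (hash[$3] != $1)    print "MODIFIED " $3
            else if (mtime[$3] != $2)   print "TOUCHED " $3
            seen[$3] = 1
        }
        END { for (p in hash) if (!(p in seen)) print "DELETED " p }
    ' "$1" "$2"
}

# Entry point for cron: returns 1 when anything changed (cron mails the printed
# changes, and a wrapper can alert on the exit status), 0 when the tree matches.
check() {
    dir="$1"; baseline="$2"
    tmp=$(mktemp) || return 1
    snapshot "$dir" > "$tmp"
    if [ ! -f "$baseline" ]; then
        mv "$tmp" "$baseline"
        echo "baseline created: $baseline"
        return 0
    fi
    changes=$(compare "$baseline" "$tmp")
    rm -f "$tmp"
    if [ -z "$changes" ]; then
        return 0
    fi
    printf '%s\n' "$changes"
    return 1
}
```

Regenerate the baseline deliberately after each WHMCS upgrade (delete the file and let the next run recreate it); otherwise every upgraded file shows up as MODIFIED, which is exactly the point, but only useful if you know an upgrade did not just happen.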
    1. Copy post from WHMCS

    2. Post at LET

    3. Have link in signature

    4. ?????

    5. PROFIT

    Thanked by 2: alexvolk, jar
  • agentmishra Member, Host Rep

    I just wonder if Blesta is more secure or WHMCS...

  • @agentmishra said:
    I just wonder if Blesta is more secure or WHMCS...

    Blesta has been coded from the beginning with security in mind, and the majority of its code is not obfuscated/encrypted like WHMCS. WHMCS has never been security audited (at least externally) as far as I know, so I trust Blesta more than WHMCS.

  • Lets see who knows their US cities/states....

    [image]

    Thanked by 1: angrysnarl
  • BharatB Member, Patron Provider

    Well there are dummies who even fail to search this stuff so I think it's not so bad to put it on here. Good work even if it's a copy / paste you made an effort :) @XiNiX

  • Foul Member

    BharatB said: Well there are dummies who even fail to search this stuff so I think it's not so bad to put it on here. Good work even if it's a copy / paste you made an effort :) @XiNiX

    Obviously you weren't here and were able to read the thread earlier. He had a thing at the bottom, send me ideas to improve. Essentially taking credit...

  • @doughmanes said:
    Lets see who knows their US cities/states....

    [image]

    "300 miles. Close enough"

    Thanked by 1: doughmanes
  • Bruce Member

    atlanta seems closer to miami than I remember

  • BharatB Member, Patron Provider
    edited July 2015

    @Foul said:
    Obviously you weren't here and were able to read the thread earlier. He had a thing at the bottom, send me ideas to improve. Essentially taking credit...

    Oh I wasn't aware of that I guess.., I only check in to look for drserver thread questions if any left unanswered, that's all. :)

  • All of you say that he copy/pasted them from the WHMCS forum, but nobody had an idea to make such a tutorial before now. Yes, it is a bad thing that he pasted it from there, but still, he had good intentions to put some good info.. that would help some Summer Companies from here.

  • I hate people who copy and paste and don't even have the decency to indicate the source.

  • Delete WHMCS folder, 100% Secure.. Trust me

  • At least, the guy who opened the thread added something good to the community.

    He has placed the sources/credits as well.

  • Foul Member

    Mridul said: At least, the guy who opened the thread added something good to the community.

    He has placed the sources/credits as well.

    He didn't place the source/credits when he initially created the thread :-)

    Thanked by 1: Licensecart
  • @Foul said:
    He didn't place the source/credits when he initially created the thread :-)

    Plz don't lie. I had visited this thread when it was posted, I remember, he updated the post several times and himself asked for suggestions and edits.

    Just check the source and his post, quite different. He has added a lot of extras. Is it a crime to Finish your whole post ( it takes time ) and then add credits ?

    If you care to focus on the message rather messenger , you can understand that he probably waited to go till the end, finish his thread and add credits in the last edit.

    I guess Bashing and Meaningless Patrolling is better than adding something constructive, praising someone's efforts and having a little patience to invest your thoughts positively.

  • With the new WHMCS 6, it's a nice update; the default template is actually quite nice if you twist it up a little.

  • elgs Member

    @XiNiX

    Move the attachments, downloads & templates_c folders outside public_html
    Move the crons folder outside public_html

    Do I need to change settings somewhere to let WHMCS know where they were moved to?

    Restrict Access by IP using .htaccess

    How? Can you show an example?

  • XiNiX Member, Host Rep
    edited August 2015

    @elgs said:
    XiNiX

    How? Can you show an example?

    A. Yes, after changing the location of the three writable folders, you need to mention the location in the configuration.php file.

    Move the attachments, downloads & templates_c folders

    If you do move the folders, then you must tell WHMCS where they have been moved to by adding the following lines to your configuration.php file:

    $templates_compiledir = "/home/username/templates_c/";
    $attachments_dir = "/home/username/attachments/";
    $downloads_dir = "/home/username/downloads/";
    

    In the above example, "username" is the cpanel username and so the 3 folders are located in the home directory, above public_html.

    Note that if you are running suPHP or phpsuexec you should not make the mode changes as the folders will already be writable. In fact, you cannot set folder or file permissions to 777 when running suPHP or phpsuexec - the highest permissions are 755 for both folders and files.

    Change your WHMCS Admin Folder name

    Malicious users who visit your site and recognise a WHMCS install will know that they can try logging into your admin area via the admin folder. To protect against this, you can rename the admin folder name to any name you like. You cannot move the folder - only rename it. You can then tell WHMCS what the name of that folder is for the links in admin notification emails by adding the following line to your configuration.php file:

    $customadminpath = "myfoldername";

    Replace "myfoldername" above with the new name you just gave to your admin folder.

    Please note that if you have already created a cron job, or one has been created for you, you will need to update the path on the cron as well.

    Example: php -q /home/mylogin/public_html/secure/myfoldername/cron.php

    B. For .htaccess access restriction, the trick is to allow all the safe IPs from where you would frequently access the Admin Area, while blocking the rest.

    Suppose I have two IPs from which I can access the Admin Area, 12.34.5.67 & 98.76.54.32 :

    order deny,allow
    allow from 12.34.5.67
    allow from 98.76.54.32
    deny from all
    

    If you have a dynamic IP, you can add IP ranges as well like :

    allow from 98.76.54.

    Thanked by 2: Foul, elgs
  • Foul Member
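One caveat on the .htaccess above: the Order/Allow/Deny directives are Apache 2.2 syntax, and on Apache 2.4 they only work when mod_access_compat is loaded; the native 2.4 form is `Require ip`. The script below is an added example, not from the thread or from WHMCS: it validates an allow-list (full addresses, CIDR, or the trailing-dot prefix form the post uses for ranges), emits an .htaccess that works on either Apache version, and checks that a relocated folder really resolves to somewhere outside the document root. The IPs are the ones from the post; the paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from WHMCS: build the admin-folder
# .htaccess from an allow-list and check that relocated folders are outside
# the document root. IPs are the ones from the post; paths are placeholders.
# Usage on a real install (assumed paths):
#   gen_htaccess 12.34.5.67 98.76.54. > /home/username/public_html/whmcs/myfoldername/.htaccess

# Accept a full IPv4 address, IPv4 CIDR, or a dotted prefix such as
# "98.76.54." (the legacy partial-address form Apache accepts for ranges).
valid_entry() {
    e="$1"
    printf '%s\n' "$e" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$|^([0-9]{1,3}\.){1,3}$' || return 1
    for o in $(printf '%s' "${e%%/*}" | tr '.' ' '); do   # every octet 0-255
        [ "$o" -le 255 ] || return 1
    done
    p="${e#*/}"                                             # CIDR prefix 0-32
    [ "$p" = "$e" ] || [ "$p" -le 32 ] || return 1
    return 0
}

# Emit the .htaccess. Apache 2.4's native form is "Require ip"; a request that
# matches no Require line is denied. The Order/Allow/Deny stanza from the post
# is kept for Apache 2.2 (on 2.4 it needs mod_access_compat). The IfModule
# guards make each server version read only the stanza it understands.
gen_htaccess() {
    [ $# -gt 0 ] || { echo "empty allow-list would lock everyone out" >&2; return 1; }
    for e in "$@"; do
        valid_entry "$e" || { echo "invalid allow-list entry: $e" >&2; return 1; }
    done
    echo '<IfModule mod_authz_core.c>'
    for e in "$@"; do echo "    Require ip $e"; done
    echo '</IfModule>'
    echo '<IfModule !mod_authz_core.c>'
    echo '    Order deny,allow'
    echo '    Deny from all'
    for e in "$@"; do echo "    Allow from $e"; done
    echo '</IfModule>'
}

# True when $2 resolves (symlinks included) to a path outside document root $1.
# A folder still under public_html is served to anyone who guesses its name,
# which defeats moving it. A missing folder also counts as a failure.
outside_docroot() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    target=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    case "$target/" in
        "$docroot"/*) return 1 ;;
    esac
    return 0
}
```

The IP restriction only helps if the addresses are static or at least a stable prefix; a partial entry such as `98.76.54.` admits the whole /24, which is the trade-off the post makes for dynamic connections, so combine it with the password protection and a renamed admin folder rather than relying on it alone.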

    Mridul said: Plz don't lie. I had visited this thread when it was posted, I remember, he updated the post several times and himself asked for suggestions and edits.

    I'm not lying as he didn't put the credits when it was posted, as you can see from when I posted originally.

    Stop trying to make yourself seem innocent.

    Thanked by 1: k0nsl
  • elgs Member

    @XiNiX said:

    Thank you so much. That is definitely very helpful.

  • elgs Member

    @XiNiX I understand what the worst thing could be when leaving the admin folder and .htaccess as is. But how about the three folders template_c, attachments and downloads? What is the worst thing that could happen when leaving these three folders in their original places?

  • @Foul said:
    Stop trying to make yourself seem innocent.

    Plz don't troll. Don't think you can READ everyone's mind.

    You never answered the logical statement I gave: why couldn't you wait for the EDIT period of LET to be over so that one can verify your pain?

    As far as I can see, this is not his first tutorial and this one includes credit. You are unnecessarily trying to make a fuss out of nothing and have left no effort to ruin this useful thread (I wish you could have invested your energy to come up with a similar thread rather than being jealous of others' efforts).

    There are Mods, for a purpose at LET you can report a thread.

  • Foul Member

    Mridul said: There are Mods, for a purpose at LET you can report a thread.

    You can PM a mod and they can tell you the original posting did not include credit :)

    So once again keep thinking I'm trolling, little one, when I'm only stating facts.

  • XiNiX Member, Host Rep
    edited August 2015

    @elgs said:
    XiNiX I understand what the worst thing could be when leaving the admin folder and .htaccess as is. But how about the three folders template_c, attachments and downloads? What is the worst thing that could happen when leaving these three folders in their original places?

    These are the folders which have permission 777. It's safe to have these out at a different location. To be honest, even after all these methods, you can be hacked; the best you can do is to leave no stone unturned from your side.

    Above all, make sure you have daily backups of your database. This is done automatically in WHMCS.

  • elgs Member

    @XiNiX I understand they have permission 777. But what could happen when hackers take advantage of the 777 permission? Are the module authors the dangerous people who can take advantage of these 777 folders, or are there any other possibilities?

  • Thanks guys, it is a very useful guide!