SecureWHMCS Module (Client Area Security)
I've been working on a new WHMCS module for the last few days. It's basically a WHMCS client side security plugin with the following features:
- Lets WHMCS clients restrict their client area access with an IP address whitelist. It only allows logging in from the whitelisted IP addresses.
- Records WHMCS clients' browser name, operating system name, city and ISP (using MaxMind paid API) into the database, creates a browser cookie and matches that distinctive information on future logins. If the WHMCS client uses a different browser or OS, or connects from a different city or with a different ISP, the module sends out an email with a URL to click to give access, using WHMCS's built-in emailing functions.
The hosting company does not need to have a MaxMind account; the module uses a central API located on an InterNAP cloud server with a 100% uptime guarantee, which interacts with the MaxMind API directly.
The module is currently done and operational. I'm working on a licensing and billing system which should be done this Monday. I'm also having people beta test it and making sure everything is working as expected.
When I'm 100% sure everything is working and my licensing system is ready, I'll start renting the module for $5/month.
I'll go ahead and ask your opinions about this project. Is this something you would be interested in as a hosting company, or would you like to have these extra security features as a hosting customer?
Here are some screenshots:
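The login check described in the first post (IP whitelist first, then browser/OS/city/ISP and cookie comparison, with an email approval on mismatch), as an added Python example that is not the module's code. The HMAC-signed cookie, the `SERVER_KEY` secret, the function names and the sample values are assumptions made for illustration; the thread does not say how the module builds its cookie.

```python
import hashlib
import hmac
import ipaddress
import secrets

SERVER_KEY = secrets.token_bytes(32)        # assumption: per-installation secret
FIELDS = ("browser", "os", "city", "isp")   # the attributes named in the post


def _norm(value):
    return value.strip().lower()


def profile_tag(client_id, profile):
    """Hypothetical cookie value: HMAC over the recorded attributes."""
    msg = "\x1f".join([str(client_id)] + [_norm(profile[f]) for f in FIELDS])
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()


def ip_allowed(ip, allowlist):
    """An empty allowlist means the client has not enabled the restriction."""
    if not allowlist:
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                        # unparseable address: fail closed
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowlist)


def check_login(client_id, ip, seen, cookie, allowlist, stored):
    """Return (decision, changed_fields); decision is deny, verify_email or allow."""
    if not ip_allowed(ip, allowlist):
        return "deny", []
    changed = [f for f in FIELDS if _norm(seen[f]) != _norm(stored[f])]
    cookie_ok = cookie is not None and hmac.compare_digest(
        cookie.encode(), profile_tag(client_id, stored).encode())
    if changed or not cookie_ok:
        return "verify_email", changed      # send the one-click approval email
    return "allow", []


if __name__ == "__main__":
    # Constructed sample data: documentation IP range and a made-up profile.
    stored = {"browser": "Firefox", "os": "Linux", "city": "Berlin", "isp": "Example ISP"}
    seen = dict(stored, city="Paris")
    print(check_login(42, "203.0.113.7", seen, profile_tag(42, stored),
                      ["203.0.113.0/24"], stored))
```

A copied cookie still verifies, which is why the attribute comparison runs on every login as well.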
Sounds good, few questions,
@AnthonySmith, thanks for your interest. I've just tested it with 5.2. I'll test it with 5.1 and 5.0. I'm not planning to go any lower. What do you think?
One time fee is something I'm considering. However, I'm not sure about the amount, yet. Any suggestions?
How about the ability to customize each notification prompt? I like how some of them are, but I don't like the other ones.
WHMCS's owned price is equal to a little under 16 months' worth of monthly payments. Maybe do 12 months' worth ($60) with an optional annual fee for updates/support?
I support this
Love it. I think as providers we could all be doing a better job at protecting the WHMCS client side, especially when modules are used that allow you to interface with more critical panels.
@HalfEatenPie, Every text on the module can be edited with the language file. I know, my wording sucks. I'll have it audited by a native speaker.
@KuJoe, sounds about right. Thanks.
Thanks a lot @jarland. I really appreciate your contributions in the project.
@KuJoe, just realized, for one time, you would have to use your own MaxMind API code.
Looks fantastic! Time to pick this up!
UPDATE: I've changed it to use ip-api.com instead of MaxMind. Thanks to @vld
Looks good. Implements one feature I like in Hostbill
Just an informational question.
How does this compare to the two-factor features that were released by WHMCS? I personally would like to use this but want to know more about the differences and what is best for us.
If I'm not mistaken, this is IP-based whitelisting. WHMCS uses a 2nd factor, which is either a code that is sent via text or an app-generated one-time code on the smartphone?
It's quite interesting, they have 3 different modules for it:
@XFS_Brian, to be honest, I find 2-factor login for WHMCS inconvenient. It requires too much work on the user side. The browser and connection integrity check method is widely used in lots of websites and applications, including Steam and Facebook.
I do find two-factor to be something that users have requested. I, for one, am all for the least about more possible. If the client can still get access to the system and security is checked based on the IP address and browser, I am all for it. After thinking about it, my bank site does this same process as well.
I have bookmarked this post as I am interested in getting this set up for our clients to use.
I thought ip-API was only free for non-commercial
@bdtech, yes. I have a special deal with the owner. Not to worry!
Nice, just like Hostbill has by default.
It's just MaxMind full version as API, non-commercial is due to MaxMind's ToS, all MaxMind databases are identical so there is no way to find out who the issuer is ;-)
Would anyone like to test the module?
I would love to.
I think a lot would
Count me in.
@XFS_Brian, @Infinity sent you PMs including credentials. Thank you!
Just figured I had to chime in and say that this looks awesome! +1
How would a user be able to reset the Integrity Check or see which systems have been granted access?
@XFS_Brian, what do you mean by resetting?
Currently, they can't see which systems gained access, do you think I should add that in the client area?
I think it would be great for users to see what has been allowed access as well as the option to remove them.
I will agree, this sounds like a beneficial option.
@XFS_Brian, @BK_, I've added that functionality: