How to secure WHMCS?

Many WHMCS installations have historically been vulnerable, regardless of whether addons were used. Unfortunately, there are very few online guides available on how to properly secure these installations. As such, I'm wondering if any LET members can provide guidance or tips on how they secure their WHMCS setups.

Comments

  • One thing people normally do is change the admin folder. Instead of going to domain.com/admin, people change it to something like /staffarea, /modarea, /manage and such.

    Thanked by 1techdragon
  • Levi Member
    edited August 20

    Every 24 hours generate a random UUID and use it for the admin folder. Update your bookmark accordingly. Lock the admin area to IP, use MFA. Always update WHMCS to the latest version, use stock templates.

    Thanked by 1techdragon
  • @Levi said:
    Every 24 hours generate a random UUID and use it for the admin folder. Update your bookmark accordingly. Lock the admin area to IP, use MFA. Always update WHMCS to the latest version, use stock templates.

    stock templates?? :)

  • Levi Member

    @ArrowBoi said:

    @Levi said:
    Every 24 hours generate a random UUID and use it for the admin folder. Update your bookmark accordingly. Lock the admin area to IP, use MFA. Always update WHMCS to the latest version, use stock templates.

    stock templates?? :)

    Yes, because third-party templates tend to be full of security holes and amateur code.

    Thanked by 2ArrowBoi sasslik
  • Advin Member, Host Rep

    Use WAF

    Thanked by 1tentor
  • The quickest and most effective method to secure your instance is moving away from WHMCS

  • raindog308 Administrator, Veteran

    @Advin said: Use WAF

    Details?

  • FatGrizzly Member, Host Rep

    @raindog308 said:

    @Advin said: Use WAF

    Details?

    Cloudflare Pro helps (free is fine too, but Advin found out that the free one didn't block the Lagom attack, which happened a few months earlier, in his tests).

    You can also use ModSecurity (OWASP might be too strict for WHMCS, try out Comodo). Blocking incoming POST requests with "< questionmark p h p" (ignore the spaces and replace the word; it got triggered by CF) could also help.

  • tentor Member, Host Rep
    edited August 20

    @FatGrizzly said: You can also use ModSecurity (OWASP might be too strict for WHMCS, try out Comodo)

    OWASP CRS is strict, but it is not that hard to write exclusions. Maybe I will publish what I use at our prod.

  • rsk Member, Patron Provider

    @tentor said:

    @FatGrizzly said: You can also use ModSecurity (OWASP might be too strict for WHMCS, try out Comodo)

    OWASP CRS is strict, but it is not that hard to write exclusions. Maybe I will publish what I use at our prod.

    Agree with this. However, Comodo works well too :)

  • In addition to what others said, you can also take certain measures like dropping connections from all abusive countries (in terms of spam) like China, Russia and certain top providers in the USA (like AWS). You don't have to ban all proxies/VPNs, but if that option is on the table, good. Make sure to enforce this ban at the edge instead of using an htaccess or webserver-based restriction.

    I normally would drop packets from everywhere except from these IPs and put your site behind Cloudflare. This will help in preventing SSH and other direct IP brute forcing, even if somehow the origin IP is exposed.

    Personal opinion: I found the Cloudflare Free version WAF to be very easy to bypass. Modsec is too strict, but given enough exclusions (wait for @tentor's reply, if he publishes) you can harden it on that level too. Make sure you do extensive testing before putting it on production, because these things tend to break your site more often than not.

    Thanked by 1techdragon
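The origin lockdown described in the post above, as an added example that is not part of the thread: a generator for an nftables ruleset that accepts web traffic only from an allowlist of IPv4 ranges. The table and set names, the input file and the sample ranges are assumptions of this example, and it is narrowed to ports 80/443 so that management access stays under your own rules.

```shell
#!/bin/sh
# Added example, not from the thread. Input: a file with one IPv4 CIDR per
# line (for instance the edge ranges your CDN publishes).
# Names web_allow / edge_v4 are hypothetical.

# Keep only well-formed IPv4 CIDRs; comments, blanks and junk are dropped.
valid_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' "$1" |
    awk -F'[./]' '$1<=255 && $2<=255 && $3<=255 && $4<=255'
}

# Print the ruleset; fail instead of emitting an empty allowlist, which
# would drop all web traffic once loaded.
gen_ruleset() (
    cidrs=$(valid_cidrs "$1" | paste -sd, -)
    [ -n "$cidrs" ] || { echo "no valid CIDRs in $1" >&2; exit 1; }
    cat <<EOF
table inet web_allow {
    set edge_v4 {
        type ipv4_addr
        flags interval
        elements = { $cidrs }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # Only allowlisted sources reach the web ports. IPv6 web traffic
        # is dropped too, because this example defines no v6 set.
        tcp dport { 80, 443 } ip saddr @edge_v4 accept
        tcp dport { 80, 443 } drop
    }
}
EOF
)

# Stand-alone use: sh gen_ruleset.sh ranges.txt > web_allow.nft
# then validate without loading: nft -c -f web_allow.nft
if [ "$#" -gt 0 ]; then
    gen_ruleset "$1"
fi
```

Regenerate the file whenever the provider changes its ranges, since a stale allowlist silently drops legitimate edge traffic.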
  • MikeA Member, Patron Provider

    Follow WHMCS security guidelines.
    Use a WAF (either local software or remote CDN WAF) for vulnerabilities.
    Run scheduled vulnerability scans on your IP and software that's publicly accessible.
    Don't use useless or encoded WHMCS addons that are not from well established companies that have a good reputation.
    Remove unnecessary or old files that aren't used by the software anymore.

    Common billing software isn't inherently insecure. Just gotta use common sense and due diligence when running public services.

    Thanked by 1techdragon
  • You're absolutely right that WHMCS installations have historically been targets for vulnerabilities, and securing them is crucial, especially given the sensitive data they often handle. While comprehensive online guides may be limited, here are some best practices and tips that can help you secure your WHMCS setup:

    Keep WHMCS Updated: Always ensure that your WHMCS installation is up to date. Security patches and updates are frequently released to address vulnerabilities, so keeping your software current is your first line of defense.

    Use a Web Application Firewall (WAF): Implementing a WAF can help filter and block malicious traffic before it reaches your WHMCS installation. Services like Cloudflare offer WAF options that can be tailored to your needs.

    Secure Your Server:

    Use HTTPS: Ensure that your WHMCS installation is served over HTTPS to encrypt data between the client and server.
    Harden PHP Configurations: Disable functions that are not required (e.g., exec, shell_exec) and ensure your PHP version is up to date.
    Use Strong Passwords: Implement strong password policies for all accounts, including admin and user accounts.

    Restrict Admin Access:

    IP Whitelisting: Restrict access to the WHMCS admin panel by IP address, so only authorized IPs can access it.
    Two-Factor Authentication (2FA): Enable 2FA for all admin accounts to add an extra layer of security.

    Database Security:

    Use a Strong Database Password: Ensure your MySQL/MariaDB root password is strong and unique.
    Regular Backups: Perform regular backups of your WHMCS database and store them securely, off-site if possible.

    Disable Unnecessary Addons and Modules: Only enable the addons and modules that are absolutely necessary for your operations. Disable or remove any that are not in use, as they can present security risks.

    File Permissions: Set the correct file permissions for WHMCS directories and files. For instance, directories should generally have 755 permissions, and files should have 644 permissions. Make sure that the configuration file (configuration.php) is set to 400 or 440.

    Monitor Logs: Regularly monitor your server and WHMCS logs for any suspicious activity. Tools like Fail2Ban can be used to block IPs after a certain number of failed login attempts.

    Security Plugins/Addons: Consider using security plugins that are specifically designed for WHMCS to add extra layers of protection. These might include additional firewalls, login protection, and more.

    Regular Audits: Perform regular security audits of your WHMCS installation to identify and rectify any vulnerabilities. This can include code reviews, penetration testing, and other security measures.

    These practices should significantly improve the security of your WHMCS installation. While no system is completely invulnerable, staying proactive about security can help you minimize risks.

    Thanked by 1techdragon
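The file-permission advice in the post above (directories 755, files 644, configuration.php 400 or 440), as an added example that is not part of the thread: an audit that lists every path under an install whose mode differs. The function names are hypothetical and the install path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the thread: report paths under a WHMCS install
# whose mode differs from the modes named in the post.
# Usage: sh audit_perms.sh /path/to/whmcs

audit_whmcs_perms() (
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; exit 2; }
    # Directories should be exactly 755.
    find "$root" -type d ! -perm 755 -print | sed 's/^/DIR  /'
    # Regular files other than configuration.php should be exactly 644.
    find "$root" -type f ! -name configuration.php ! -perm 644 -print |
        sed 's/^/FILE /'
    # configuration.php holds the database credentials: 400 or 440 only.
    find "$root" -type f -name configuration.php ! -perm 400 ! -perm 440 \
        -print | sed 's/^/CONF /'
)

# Succeeds only when the tree exists and the audit reports nothing,
# so it can gate a deploy script or a cron alert.
whmcs_perms_ok() {
    out=$(audit_whmcs_perms "$1") && [ -z "$out" ]
}

if [ "$#" -gt 0 ]; then
    audit_whmcs_perms "$1"
    whmcs_perms_ok "$1" || exit 1
fi
```

Mode alone is half the picture: check ownership as well, because a 644 file owned by the web server user is still writable by any code running as that user.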
  • @markussivilia said:
    You're absolutely right that WHMCS installations have historically been targets for vulnerabilities, and securing them is crucial, especially given the sensitive data they often handle. While comprehensive online guides may be limited, here are some best practices and tips that can help you secure your WHMCS setup:

    Keep WHMCS Updated: Always ensure that your WHMCS installation is up to date. Security patches and updates are frequently released to address vulnerabilities, so keeping your software current is your first line of defense.

    Use a Web Application Firewall (WAF): Implementing a WAF can help filter and block malicious traffic before it reaches your WHMCS installation. Services like Cloudflare offer WAF options that can be tailored to your needs.

    Secure Your Server:

    Use HTTPS: Ensure that your WHMCS installation is served over HTTPS to encrypt data between the client and server.
    Harden PHP Configurations: Disable functions that are not required (e.g., exec, shell_exec) and ensure your PHP version is up to date.
    Use Strong Passwords: Implement strong password policies for all accounts, including admin and user accounts.

    Restrict Admin Access:

    IP Whitelisting: Restrict access to the WHMCS admin panel by IP address, so only authorized IPs can access it.
    Two-Factor Authentication (2FA): Enable 2FA for all admin accounts to add an extra layer of security.

    Database Security:

    Use a Strong Database Password: Ensure your MySQL/MariaDB root password is strong and unique.
    Regular Backups: Perform regular backups of your WHMCS database and store them securely, off-site if possible.

    Disable Unnecessary Addons and Modules: Only enable the addons and modules that are absolutely necessary for your operations. Disable or remove any that are not in use, as they can present security risks.

    File Permissions: Set the correct file permissions for WHMCS directories and files. For instance, directories should generally have 755 permissions, and files should have 644 permissions. Make sure that the configuration file (configuration.php) is set to 400 or 440.

    Monitor Logs: Regularly monitor your server and WHMCS logs for any suspicious activity. Tools like Fail2Ban can be used to block IPs after a certain number of failed login attempts.

    Security Plugins/Addons: Consider using security plugins that are specifically designed for WHMCS to add extra layers of protection. These might include additional firewalls, login protection, and more.

    Regular Audits: Perform regular security audits of your WHMCS installation to identify and rectify any vulnerabilities. This can include code reviews, penetration testing, and other security measures.

    These practices should significantly improve the security of your WHMCS installation. While no system is completely invulnerable, staying proactive about security can help you minimize risks.

    Thanks ChatGPT or its cousins

  • FatGrizzly Member, Host Rep

    @markussivilia said: Security Plugins/Addons: Consider using security plugins that are specifically designed for WHMCS to add extra layers of protection. These might include additional firewalls, login protection, and more.

    Lol, no.
