How to secure WHMCS?
techdragon
Member
in Help
Many WHMCS installations have historically been vulnerable, regardless of whether addons were used. Unfortunately, there are very few online guides available on how to properly secure these installations. As such, I'm wondering if any LET members can provide guidance or tips on how they secure their WHMCS setups.
Comments
One thing people normally do is change the admin folder. Instead of going to domain.com/admin, people change it to something like /staffarea, /modarea, /manage and such.
Every 24 hours generate a random UUID and use it for the admin folder. Update your bookmark accordingly. Lock the admin area to your IP, use MFA. Always update WHMCS to the latest version, use stock templates.
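The "rotate the admin folder name and lock it to your IP" advice above, as an added shell example (not code from this thread or from WHMCS). It assumes `$customadminpath` has already been set once in configuration.php (the WHMCS-documented setting for renaming the admin directory), Apache 2.4 with AllowOverride enabled for the WHMCS directory, and placeholder paths and IPs:

```shell
#!/bin/sh
# Added example, not from the thread or WHMCS. Rotates the admin directory to a
# random name, updates $customadminpath in configuration.php, and writes an
# .htaccess that admits only the listed admin IPs. Paths and IPs are placeholders.
set -eu

# A fresh random name: 16 hex chars from /dev/urandom, prefixed with a letter so
# it never starts with a digit. (A UUID works too; this just keeps the URL short.)
new_admin_name() {
    printf 'a%s\n' "$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
}

# Write an .htaccess into the admin directory that admits only the listed source
# IPs/CIDRs (Apache 2.4 "Require ip"); every other client gets a 403.
write_ip_lock() {  # $1 = admin directory, $2.. = allowed IPs or CIDRs
    dir=$1; shift
    {
        echo '<RequireAny>'
        for ip in "$@"; do echo "    Require ip $ip"; done
        echo '</RequireAny>'
    } > "$dir/.htaccess"
}

# Rename the current admin directory and point configuration.php at the new
# name. Prints the new name so the caller can update bookmarks and the IP lock.
rotate_admin_dir() {  # $1 = WHMCS root, $2 = current admin directory name
    root=$1; cur=$2; cfg=$root/configuration.php
    # Refuse to run if the setting is missing: appending blindly could land
    # after a closing ?> tag and break the file.
    grep -q '^\$customadminpath' "$cfg" || {
        echo "set \$customadminpath in $cfg first" >&2; return 1; }
    new=$(new_admin_name)
    mv "$root/$cur" "$root/$new"
    sed "s|^\\\$customadminpath *=.*|\$customadminpath = \"$new\";|" "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
    # The rewritten file must stay unreadable to other accounts (see the
    # 400/440 recommendation later in this thread).
    chmod 400 "$cfg"
    echo "$new"
}

# Daily cron usage (placeholder paths and IPs), e.g. from /etc/cron.daily:
#   NEW=$(rotate_admin_dir /var/www/whmcs "$(cat /var/lib/whmcs-admin.name)")
#   write_ip_lock "/var/www/whmcs/$NEW" 203.0.113.10 198.51.100.0/24
#   echo "$NEW" > /var/lib/whmcs-admin.name
```

The IP lock does the real work; the random name only removes the obvious URL. Run `apachectl configtest` after the first deployment to confirm `.htaccess` is honoured in that directory, otherwise the `Require` lines are silently ignored.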
stock templates??
Yes, because third-party templates tend to be full of security holes and amateur code.
Use WAF
The quickest and most effective method to secure your instance is moving away from WHMCS.
Details?
Cloudflare Pro helps (free is fine too, but Advin found out in his tests that the free one didn't block the Lagom attack which happened a few months earlier).
You can also use ModSecurity (OWASP might be too strict for WHMCS, try out Comodo). Blocking incoming POST requests containing `<?php` (which got triggered by CF) could also help.
OWASP CRS is strict but it is not that hard to write exclusions; maybe I will publish what I use on our prod.
Agree with this. However, Comodo works well too.
In addition to what others said, you can also take certain measures like dropping connections from all abusive countries (in terms of spam) like China, Russia and certain top providers in the USA (like AWS). You don't have to ban all proxies/VPNs, but if that option is on the table, good. Make sure to enforce this ban at the edge instead of via .htaccess or webserver-based restrictions.
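The ModSecurity idea from the three posts above (block POST requests that carry a PHP open tag), as an added example that is not code from this thread or from the OWASP CRS or Comodo rule sets. It assumes ModSecurity v2 with `SecRequestBodyAccess On`, that Apache includes extra rule files from the path you pass in, and a local rule id (10001 sits in the range ModSecurity reserves for local rules); the target path is a placeholder:

```shell
#!/bin/sh
# Added example, not from the thread. Writes a local ModSecurity v2 rule that
# denies POST requests whose decoded parameters or raw form body contain <?php.
# Assumptions: ModSecurity v2, SecRequestBodyAccess On, rule file path is a
# placeholder. Multipart file uploads are not inspected by this rule.
set -eu

php_open_tag_rule() {
    cat <<'EOF'
# Start in DetectionOnly (log only) while confirming the rule never fires on
# legitimate WHMCS traffic, then switch the engine back to On.
# SecRuleEngine DetectionOnly

# Chain: rule 1 limits the check to POST; rule 2 looks for the PHP open tag in
# the (URL-decoded) arguments or the raw request body. The deny action on the
# first rule only fires when every rule in the chain matches.
SecRule REQUEST_METHOD "@streq POST" \
    "id:10001,phase:2,deny,status:403,log,msg:'PHP open tag in POST request',chain"
    SecRule ARGS|REQUEST_BODY "@rx (?i)<\?php" "t:none,t:urlDecodeUni"
EOF
}

# Write the rule file; afterwards run `apachectl configtest` and reload Apache.
install_php_open_tag_rule() {  # $1 = target rule file path
    php_open_tag_rule > "$1"
    echo "wrote $1"
}

# Usage (placeholder path):
#   install_php_open_tag_rule /etc/modsecurity/local-whmcs.conf
```

The `t:urlDecodeUni` transformation catches `%3C%3Fphp` as well as the literal tag; the case-insensitive regex covers `<?PHP`. Test the rule in DetectionOnly mode first, because WHMCS admin pages (template editing, for instance) may legitimately POST PHP source.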
I normally would drop packets from everywhere except from these IPs and put your site behind Cloudflare. This will help in preventing SSH and other direct IP brute forcing, even if somehow the origin IP is exposed.
Personal opinion: I found the Cloudflare Free version WAF to be very easy to bypass. Modsec is too strict, but given enough exclusions (wait for @tentor's reply, if he publishes) you can harden it on that level too. Make sure you do extensive testing before putting it on production, because these things tend to break your site more often than not.
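The "drop everything except Cloudflare and put the site behind it" advice two posts above, as an added shell example that is not code from this thread. It generates an nftables ruleset that opens 80/443 only to Cloudflare's published IPv4 ranges and SSH only to one admin address, dropping everything else at the host. It assumes nftables, that you refresh the range list yourself from https://www.cloudflare.com/ips-v4 (IPv6 is omitted here), and placeholder admin IP and file paths:

```shell
#!/bin/sh
# Added example, not from the thread. Builds an nftables ruleset from a file of
# Cloudflare IPv4 CIDRs (one per line). Assumptions: nftables installed, the
# admin IP and paths are placeholders, IPv6 is intentionally left out.
set -eu

# $1 = file with one Cloudflare IPv4 CIDR per line, $2 = admin IP allowed on SSH.
# Prints the ruleset. Check it with `nft -c -f -`, load it with `nft -f -`.
# "flush ruleset" replaces every existing table, so merge by hand if you keep
# other nftables rules on the host.
emit_cf_only_ruleset() {
    cidrs=$(grep -v '^[[:space:]]*$' "$1" | paste -sd, -)
    cat <<EOF
flush ruleset
table inet cf_only {
    set cf_v4 {
        type ipv4_addr
        flags interval
        elements = { $cidrs }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip saddr $2 tcp dport 22 accept
        ip saddr @cf_v4 tcp dport { 80, 443 } accept
    }
}
EOF
}

# Usage (placeholder paths): refresh the list, then check before loading.
#   curl -fsS https://www.cloudflare.com/ips-v4 > /etc/nftables.d/cf-v4.txt
#   emit_cf_only_ruleset /etc/nftables.d/cf-v4.txt 203.0.113.10 | nft -c -f -
#   emit_cf_only_ruleset /etc/nftables.d/cf-v4.txt 203.0.113.10 | nft -f -
```

Because the input policy is `drop`, a typo in the admin IP locks you out of SSH; load the ruleset from a console session or with a scheduled rollback the first time. Cloudflare's ranges change occasionally, so refresh the list on a schedule rather than once.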
Follow WHMCS security guidelines.
Use a WAF (either local software or remote CDN WAF) for vulnerabilities.
Run scheduled vulnerability scan on your IP and software that's publicly accessible.
Don't use useless or encoded WHMCS addons that are not from well established companies that have a good reputation.
Remove unnecessary or old files that aren't used by the software anymore.
Common billing software isn't inherently insecure. Just gotta use common sense and due diligence when running public services.
https://docs.whmcs.com/getting-started/configuring-whmcs/enhancing-security/
You're absolutely right that WHMCS installations have historically been targets for vulnerabilities, and securing them is crucial, especially given the sensitive data they often handle. While comprehensive online guides may be limited, here are some best practices and tips that can help you secure your WHMCS setup:
Keep WHMCS Updated: Always ensure that your WHMCS installation is up to date. Security patches and updates are frequently released to address vulnerabilities, so keeping your software current is your first line of defense.
Use a Web Application Firewall (WAF): Implementing a WAF can help filter and block malicious traffic before it reaches your WHMCS installation. Services like Cloudflare offer WAF options that can be tailored to your needs.
Secure Your Server:
Use HTTPS: Ensure that your WHMCS installation is served over HTTPS to encrypt data between the client and server.
Harden PHP Configurations: Disable functions that are not required (e.g., exec, shell_exec) and ensure your PHP version is up to date.
Use Strong Passwords: Implement strong password policies for all accounts, including admin and user accounts.
Restrict Admin Access:
IP Whitelisting: Restrict access to the WHMCS admin panel by IP address, so only authorized IPs can access it.
Two-Factor Authentication (2FA): Enable 2FA for all admin accounts to add an extra layer of security.
Database Security:
Use a Strong Database Password: Ensure your MySQL/MariaDB root password is strong and unique.
Regular Backups: Perform regular backups of your WHMCS database and store them securely, off-site if possible.
Disable Unnecessary Addons and Modules: Only enable the addons and modules that are absolutely necessary for your operations. Disable or remove any that are not in use, as they can present security risks.
File Permissions: Set the correct file permissions for WHMCS directories and files. For instance, directories should generally have 755 permissions, and files should have 644 permissions. Make sure that the configuration file (configuration.php) is set to 400 or 440.
Monitor Logs: Regularly monitor your server and WHMCS logs for any suspicious activity. Tools like Fail2Ban can be used to block IPs after a certain number of failed login attempts.
Security Plugins/Addons: Consider using security plugins that are specifically designed for WHMCS to add extra layers of protection. These might include additional firewalls, login protection, and more.
Regular Audits: Perform regular security audits of your WHMCS installation to identify and rectify any vulnerabilities. This can include code reviews, penetration testing, and other security measures.
These practices should significantly improve the security of your WHMCS installation. While no system is completely invulnerable, staying proactive about security can help you minimize risks.
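The file-permission recommendation in the post above (directories 755, files 644, configuration.php 400 or 440), as an added shell audit that is not code from this thread or from WHMCS. It assumes the WHMCS root is passed as the first argument and that the files are owned by the account PHP runs as; ownership itself is not checked here:

```shell
#!/bin/sh
# Added example, not from the thread. Audits, and optionally fixes, the file
# permissions recommended above. Assumption: $1 is the WHMCS root and the files
# already belong to the PHP/web user (ownership is not verified).
set -eu

# Print one line per offending path and return 1 if anything was found.
# The WHMCS root directory itself is included in the directory check.
audit_whmcs_perms() {  # $1 = WHMCS root
    root=$1
    findings=$(
        find "$root" -type d ! -perm 755 | sed 's/^/dir  /'
        find "$root" -type f ! -name configuration.php ! -perm 644 | sed 's/^/file /'
        if [ -f "$root/configuration.php" ]; then
            find "$root/configuration.php" ! -perm 400 ! -perm 440 | sed 's/^/conf /'
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Apply the recommended modes. Directories WHMCS must write to (attachments,
# downloads, templates_c) stay 755 because the owner is the web user; if your
# setup runs PHP as a different account, adjust ownership instead of loosening
# the modes.
fix_whmcs_perms() {  # $1 = WHMCS root
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name configuration.php -exec chmod 644 {} +
    if [ -f "$root/configuration.php" ]; then
        chmod 400 "$root/configuration.php"
    fi
}

# Usage (placeholder path), e.g. from a daily cron that mails non-empty output:
#   audit_whmcs_perms /var/www/whmcs || echo "WHMCS permission drift detected"
```

Run the audit on a schedule rather than once: template uploads, addon installs and hand edits over SFTP are the usual sources of drift, and a world-writable file or a readable configuration.php is exactly what the "remove unused files" and "configuration.php 400/440" points above are guarding against.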
Thanks ChatGPT, or its cousins.
Lol, no.