10 Steps to Secure WHMCS after installation

WHMCS ships with a solid security baseline in its own code; however, there are a few important extra steps you should take to secure WHMCS after installation.

WHMCS is one of the leading web hosting billing and automation platforms in the industry: a complete hosting, support and billing solution for anyone who wants to start an online hosting business.

Today we are going to explore how to increase WHMCS security in 10 steps.


10 ways to secure WHMCS after installation

In this guide we cover ten steps to secure WHMCS after the initial installation.


1. Secure the Writable Directories

One of the most important recommendations is to move all writable directories to a non-public location above your web root (for example directly under your home directory, outside public_html). This prevents any web-based access to their contents: uploaded attachments, downloadable files and compiled templates should never be reachable over HTTP.

There are three writable directories in WHMCS that you need to move: /attachments, /downloads and /templates_c.

Once they are moved, WHMCS needs to know where the three directories now live. Edit your configuration.php file and set these variables as shown below:
$attachments_dir = "/home/nixcp/attachments/";
$downloads_dir = "/home/nixcp/downloads/";
$templates_compiledir = "/home/nixcp/templates_c/";

In this example, nixcp is the cPanel username; replace it with your own username or path.

Important: if you are running suPHP (or a PHP-FPM pool running as your account user) as the PHP handler, PHP runs as the owner of the files, so 755 permissions are enough to make the directories writable. Under mod_php, PHP runs as the web server user instead; grant that user write access through group ownership rather than falling back to 777.

2. Move the Crons Directory

The crons directory is another thing to move out of public reach. Start by choosing a new location for it, then move it there, for example:

mv crons /home/nixcp/whmcs_crons

Next, edit the config.php file inside the moved crons directory and uncomment the WHMCS path line, setting it to your installation directory. For example:

$whmcspath = '/home/nixcp/public_html/whmcs/';

The example above uses 'nixcp' as the username and 'whmcs' as the installation directory; change these to match your real paths.

Finally, tell WHMCS where the crons directory is now located. Change to the WHMCS installation directory and open the configuration file:

nano -w configuration.php

And set the cron directory path:

$crons_dir='/home/nixcp/whmcs_crons/';

If you already had cron jobs configured before making these changes, update their crontab entries so they point to the new crons directory; otherwise they will keep calling the old path and silently stop running.
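Here is an added shell script, not part of the original article, that carries out steps 1 and 2 in one go: it moves the three writable directories and the crons directory into a private tree above the web root, writes the four paths into configuration.php (replacing an existing or commented-out line, or inserting before a closing `?>` so the setting is never emitted as plain text), and sets `$whmcspath` in the moved crons/config.php. The `/home/nixcp/public_html/whmcs` and `/home/nixcp/whmcs_private` paths are assumptions; override WEBROOT and PRIVATE for your server. Run it as the account owner, with a backup, and only with `--run`.

```shell
#!/bin/sh
# Added example, not from the original article: moves the WHMCS writable
# directories (step 1) and the crons directory (step 2) out of the web root
# and rewrites configuration.php and crons/config.php to match.
# WEBROOT and PRIVATE are assumptions; set them to your real paths.
set -eu

WEBROOT="${WEBROOT:-/home/nixcp/public_html/whmcs}"   # public WHMCS install
PRIVATE="${PRIVATE:-/home/nixcp/whmcs_private}"       # above the web root

# set_php_var FILE NAME VALUE
# Replace the first `$NAME = ...;` line (even if commented out with // or #),
# drop any duplicates, or insert the line before a closing `?>` / at EOF.
set_php_var() {
  local file="$1" name="$2" value="$3" line
  line="\$${name} = '${value}';"
  [ -f "$file" ] || printf '<?php\n' > "$file"
  awk -v name="$name" -v line="$line" '
    BEGIN { re = "^[ \t]*(//|#)?[ \t]*\\$" name "[ \t]*="; done = 0 }
    $0 ~ re                       { if (!done) { print line; done = 1 }; next }
    /^[ \t]*\?>[ \t]*$/ && !done  { print line; done = 1 }
    { print }
    END { if (!done) print line }
  ' "$file" > "$file.tmp"
  cat "$file.tmp" > "$file"   # write in place so owner and mode are preserved
  rm -f "$file.tmp"
}

# relocate_whmcs_dirs WEBROOT PRIVATE
relocate_whmcs_dirs() {
  local webroot="$1" private="$2" dir cfg
  mkdir -p "$private"
  chmod 750 "$private"              # the web server never needs to list this tree

  for dir in attachments downloads templates_c crons; do
    if [ -d "$webroot/$dir" ]; then
      mv "$webroot/$dir" "$private/$dir"   # keeps existing files
    else
      mkdir -p "$private/$dir"
    fi
  done
  # 755 is enough when PHP runs as the account user (suPHP or a PHP-FPM pool).
  chmod 755 "$private/attachments" "$private/downloads" "$private/templates_c"

  cfg="$webroot/configuration.php"
  set_php_var "$cfg" attachments_dir      "$private/attachments/"
  set_php_var "$cfg" downloads_dir        "$private/downloads/"
  set_php_var "$cfg" templates_compiledir "$private/templates_c/"
  set_php_var "$cfg" crons_dir            "$private/crons/"

  # The relocated cron scripts need to know where WHMCS itself lives.
  set_php_var "$private/crons/config.php" whmcspath "$webroot/"
}

# Run only when explicitly asked:  sh relocate.sh --run
if [ "${1:-}" = "--run" ]; then
  relocate_whmcs_dirs "$WEBROOT" "$PRIVATE"
fi
```

After running it, confirm the old directories no longer exist under the web root, load the client and admin areas once to make sure templates compile into the new templates_c, and point your crontab entries at the new crons path.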

3. Restrict Access by IP

To tighten access further, use a static IP address for your Internet connection (provided by your ISP). That lets you block every other IP address and allow only your own to reach the protected admin area. Apply the restriction to the admin directory only; if you apply it to the whole installation, your customers will be locked out of the client area too.

On Apache, create an .htaccess file inside your WHMCS admin directory with the following content. This is the Apache 2.2 syntax; on Apache 2.4 use a `Require ip XX.XX.XX.XX` directive instead, since Order/Allow/Deny are only available there through mod_access_compat:

Order deny,allow
Deny from all
Allow from XX.XX.XX.XX

You can add as many Allow from lines as you need. Replace XX.XX.XX.XX with your real static IP.

If you are using Nginx, the same restriction goes into a location block for the admin directory in your server configuration (here WHMCS is installed under /whmcs; if you rename the admin directory in step 4, use the new name):

location /whmcs/admin {
    allow XX.XX.XX.XX;
    deny  all;
}

One caveat: Nginx prefers a regex location such as the usual `location ~ \.php$` PHP-FPM handler over a plain prefix location, so this block on its own only filters non-PHP files under the admin directory. Give it the `^~` modifier and repeat the PHP handler inside it so the allow/deny rules also apply to admin/*.php.

After that, reload Nginx to apply changes:

service nginx reload

4. Change your WHMCS Admin Directory Name

This is one of the most important suggestions to secure WHMCS: never keep the default URL for the admin area. Renaming the admin directory stops the bulk of automated attacks that probe the default /admin path. It is not a substitute for authentication, but it removes a lot of noise from your logs.

Edit your WHMCS configuration file and set the new admin directory name in the $customadminpath variable, as shown below:

nano -w configuration.php

At the end of the file (before the closing PHP tag ?>, if there is one), add the following line:

$customadminpath="admincustomfolderhere";

Replace "admincustomfolderhere" with the name of your new admin directory. It must be just the directory name, not a full path.

Finally, rename your admin directory to match the name you set in $customadminpath. Remember to update any .htaccess, Nginx location or IP restriction that still references the old admin path.

5. Restrict Database Privileges

If you want to tighten security further, restrict the database user too. For day-to-day operation WHMCS only needs the following privileges; the rest can be revoked:

  • DELETE
  • INSERT
  • SELECT
  • UPDATE

However, during installation, upgrades, and when activating or deactivating WHMCS modules, you will additionally need:

  • ALTER
  • CREATE
  • DROP
  • INDEX

These privileges can be set from cPanel > MySQL Databases on a cPanel server, or from phpMyAdmin or the MySQL shell. Note that GRANT only adds privileges and never removes any, so revoke the existing set first and then grant exactly what is needed:

REVOKE ALL PRIVILEGES ON dbname.* FROM 'db_username'@'localhost';
GRANT DELETE,INSERT,SELECT,UPDATE ON dbname.* TO 'db_username'@'localhost';
FLUSH PRIVILEGES;

Replace 'dbname' and 'db_username' with your real MySQL database name and user. FLUSH PRIVILEGES is not strictly required after GRANT or REVOKE, but it is harmless. Before an upgrade or a module change, grant ALTER, CREATE, DROP and INDEX as well, and revoke them again once you are done.
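The script below is an added example, not part of the original article, that turns the two privilege sets into a repeatable switch: `maintenance` before an upgrade or module change, `runtime` right after. Because GRANT is additive, each run first revokes everything the user holds and then grants exactly the requested set, and it prints SHOW GRANTS so you can verify the result. The database name, user, host and the path of the admin credentials file are assumptions; the admin password is read from a `[client]` section in that file rather than passed on the command line.

```shell
#!/bin/sh
# Added example, not from the original article: toggles the WHMCS database
# user between the least-privilege set needed day to day and the wider set
# needed for installs, upgrades and module (de)activation.
# DB_NAME, DB_USER, DB_HOST and MYSQL_ADMIN_CNF are assumptions; adjust them.
# Admin credentials come from a [client] section in MYSQL_ADMIN_CNF so they
# never appear on the command line or in shell history.
set -eu

DB_NAME="${DB_NAME:-whmcs}"
DB_USER="${DB_USER:-whmcs_user}"
DB_HOST="${DB_HOST:-localhost}"
MYSQL_ADMIN_CNF="${MYSQL_ADMIN_CNF:-/root/.my.cnf}"

RUNTIME_PRIVS="DELETE, INSERT, SELECT, UPDATE"
MAINTENANCE_PRIVS="$RUNTIME_PRIVS, ALTER, CREATE, DROP, INDEX"

# whmcs_grant_sql MODE DB USER HOST  -> prints the SQL on stdout
# GRANT never removes anything, so every run first revokes all privileges
# (including GRANT OPTION) and then grants exactly the set for MODE, leaving
# no stale privileges from earlier grants behind.
whmcs_grant_sql() {
  local mode="$1" db="$2" user="$3" host="$4" privs
  case "$mode" in
    runtime)     privs="$RUNTIME_PRIVS" ;;
    maintenance) privs="$MAINTENANCE_PRIVS" ;;
    *) echo "usage: whmcs_grant_sql runtime|maintenance DB USER HOST" >&2; return 2 ;;
  esac
  # The identifiers are interpolated into SQL; refuse anything that could
  # break out of the quoting (allow word characters, '.', '%' and '-' only).
  case "$db$user$host" in
    *[!A-Za-z0-9_.%-]*) echo "refusing unsafe identifier" >&2; return 2 ;;
  esac
  printf "REVOKE ALL PRIVILEGES, GRANT OPTION FROM '%s'@'%s';\n" "$user" "$host"
  printf "GRANT %s ON \`%s\`.* TO '%s'@'%s';\n" "$privs" "$db" "$user" "$host"
  printf "SHOW GRANTS FOR '%s'@'%s';\n" "$user" "$host"
}

# whmcs_apply_grants MODE  -> runs the statements against the server
whmcs_apply_grants() {
  whmcs_grant_sql "$1" "$DB_NAME" "$DB_USER" "$DB_HOST" \
    | mysql --defaults-file="$MYSQL_ADMIN_CNF"
}

# Typical use around an upgrade:
#   sh whmcs-db-privs.sh maintenance   # before running the upgrade
#   sh whmcs-db-privs.sh runtime       # right after it finishes
case "${1:-}" in
  runtime|maintenance) whmcs_apply_grants "$1" ;;
esac
```

Run it as a MySQL account that is allowed to GRANT on the WHMCS database (the cPanel account owner on a shared server, or root on your own box). If the WHMCS user connects from somewhere other than localhost, set DB_HOST to that host; privileges are per user@host in MySQL.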

6. Restrict Access using HTTP Authentication

HTTP basic authentication is another user/password layer you can place in front of your WHMCS admin area, independent of the WHMCS login itself.
On Apache it can be configured from an .htaccess file.

First Step: Htaccess Generation

Create a .htaccess file inside your WHMCS admin directory, example:

nano -w /home/nixcp/public_html/admin/.htaccess

Paste this inside:

AuthType Basic
AuthName "WHMCS Admin Protected Area"
AuthUserFile /home/nixcp/.htpasswd
Require valid-user

Directory Protection for Nginx Users:

If you use Nginx instead of Apache, configure HTTP basic auth in your Nginx server block, for example:

server {
    listen 80;
    server_name nixcp.com www.nixcp.com;

    location / {
        # All the rest of your Nginx configuration goes here.
    }

    location /admin {
        auth_basic           "WHMCS Admin Protected Area";
        auth_basic_user_file /home/nixcp/.htpasswd;
    }
}

Be aware that if your configuration has a regex `location ~ \.php$` handler for PHP-FPM, Nginx matches admin/*.php against that regex location before this prefix location, and the auth_basic directives would not apply to those requests. Use `location ^~ /admin` and nest the PHP handler inside the block so every admin request is authenticated.

Reload Nginx to apply changes:

service nginx reload

Second Step: Create the Password File

Create the .htpasswd file with the htpasswd command, at the same path you referenced in AuthUserFile (outside the web root, so it can never be downloaded). The -c flag creates a new file and overwrites an existing one, so omit it when adding further users. You will be prompted for the password; on Apache 2.4 you can add -B to store it with bcrypt instead of the default hash:

htpasswd -c /home/nixcp/.htpasswd nixcp

Done. Browse to www.yourwhmcsdomain.com/admin/ and you will be prompted for the user and password before the WHMCS login appears. Because basic auth credentials are only base64-encoded in transit, serve the admin area over HTTPS.
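The following Nginx server block is an added example, not from the original article, that combines the IP allowlist from step 3 with the HTTP basic auth from this step on the admin location. It also shows the detail both plain `location /admin { ... }` snippets leave out: PHP-FPM is normally handled by a regex location (`location ~ \.php$`), which Nginx prefers over a plain prefix location, so a prefix block on its own would only restrict static files. The `^~` modifier and the nested PHP handler make the restrictions apply to admin/*.php as well. The document root, the PHP-FPM socket path, the try_files fallback and the 203.0.113.10 address are assumptions (203.0.113.0/24 is a documentation range); if you renamed the admin directory in step 4, use that name instead of /admin/.

```nginx
# Added example, not from the original article. Assumes WHMCS is the site's
# document root and PHP-FPM listens on the unix socket below; adjust both.
server {
    listen 80;
    server_name nixcp.com www.nixcp.com;
    root  /home/nixcp/public_html;
    index index.php;

    # Client area and ordering pages stay public (adjust to your friendly-URL setup).
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Site-wide PHP handler. Without the "^~" block below, this regex location
    # would also win for /admin/*.php and bypass every admin restriction.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Admin area: "^~" stops regex locations from being consulted once this
    # prefix matches. Use your $customadminpath name here if you renamed it.
    location ^~ /admin/ {
        # Step 3: IP allowlist (203.0.113.10 is a documentation placeholder).
        allow 203.0.113.10;
        deny  all;

        # Step 6: HTTP basic auth. Both checks must pass (nginx default,
        # equivalent to "satisfy all"); the WHMCS login still follows.
        auth_basic           "WHMCS Admin Protected Area";
        auth_basic_user_file /home/nixcp/.htpasswd;

        # PHP handler repeated inside so admin/*.php still executes (and is
        # never served as plain text) under the restrictions above.
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }
}
```

Validate with `nginx -t` before reloading. In production replace the `listen 80` line with a TLS listener and your certificate: basic auth only base64-encodes the credentials, so over plain HTTP anyone on the path can read them.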

7. Configure Two Factor Authentication

Passwords alone are a weak control: many users reuse the same password across accounts, and plenty choose short, simple passwords without numbers, symbols or capital letters.

Two-factor authentication (or multi-factor authentication) adds a second step to the login. It takes something you know (your password) and adds something you have (typically your phone, or a hardware token). Since both are required to log in, an attacker who obtains your password alone still cannot access the account.

Two-factor authentication is a must for any site with a login form. For WHMCS it protects both the Admin and Client Areas against password theft and guessing, since the attacker would also need the user's device to produce the current code.

In WHMCS, the easiest way to set this up is to order the Time Based Token solution, which lets you and your users protect logins with a standard TOTP app such as Google Authenticator.

It costs only $1.50 USD/month for unlimited users. Read more and order it from the WHMCS Two Factor page.

8. Restrict configuration.php Permissions

configuration.php is the main WHMCS configuration file and contains very sensitive data: the database credentials and the encryption hash used for stored data. Protect it both from other users on the server and from accidental editing, overwriting or deletion. Make it read-only and readable only by the user PHP runs as:

chmod 400 configuration.php

Use 400 when PHP runs as your account user (suPHP or a PHP-FPM pool), which is the usual cPanel setup. Under mod_php, where PHP runs as the web server user, use 440 and make the web server's group the group owner of the file. The commonly suggested 444 leaves the file world-readable, which any other account on a shared server could read. Keep in mind that file permissions only guard against mistakes and other local users; an attacker who runs code as the file's owner can simply change them back.

If you ever need to edit the file (for example to update your WHMCS licence key), make it writable with chmod 600, make the change, and then revert to the read-only mode above.

9. Find WHMCS Security Modules

WHMCS has an App Marketplace where third-party companies and developers offer add-ons and apps that extend WHMCS. Among them are a few WHMCS security modules worth a look. Remember that every add-on is additional code running inside WHMCS, so install only modules you trust and keep them updated. For example:

WHMCS Firewall adds extra protection on top of a default WHMCS installation and also allows off-site backups to Amazon S3 and Dropbox. It integrates a web application firewall, file auditing, a security audit and other features to harden your WHMCS installation.

WHMCS User and IP Control lets you set IP- and user-based access control over the WHMCS areas. Its features include requiring login before ordering, listing top visitors by IP, blocking certain countries from WHMCS or from ordering, and allowing only selected countries to order.

Security Login adds an extra layer to WHMCS logins. If a user fails to log in five times, for example, then even if they enter the right password on the next attempt they must also enter a second passcode sent to their WHMCS email address before access is granted.

10. Keep WHMCS Up to Date

Keeping WHMCS updated is the most important security step you can take with this software. Updates deliver stability fixes and patches for security issues. WHMCS 7.0 introduces an Auto Update function that removes the need for manual updates.

Until version 7 reaches a stable release, however, you must keep updating WHMCS manually. See the official documentation on Upgrading WHMCS.

Also keep all your WHMCS add-ons updated: add-ons and plugins run with the same access as the WHMCS core, so they are just as important to patch.

Conclusion

Securing WHMCS after installation should be the first item on your to-do list before you start handling customer data. There are many ways to harden WHMCS; this list is not exhaustive, but it covers the steps that matter most.

If you have other tips to harden WHMCS, please share them with us.

Further Security Steps:

This tutorial covers WHMCS security only and does not address server-side security. You should also harden the web server and the operating system it runs on; see our security tutorials on securing and hardening a cPanel server.

About the Author: Santiago Borges

Experienced Sr. Linux SysAdmin and Web Technologist, passionate about building tools, automating processes, fixing server issues, troubleshooting, securing and optimizing high traffic websites.
