The Ultimate Guide About How to Secure WHMCS 100%
How to Secure WHMCS?
- Customize Your Admin Slug.
- Delete The install folder.
- How to Secure WHMCS Templates Cache Directories.
- Move All Writable Directories.
- Move Cron Directory.
- How to Secure the WHMCS Configuration.php file.
- Password Protect Admin Directory.
- Enable SSL Certificate.
- Restrict Database Privileges.
- Restrict Access by IP.
Is WHMCS Secure?
WHMCS is a secure platform, but it is better to add some extra security measures to prevent attacks such as SQL injection and remote file inclusion. Web application firewalls (WAFs) such as mod_security and NAXSI can detect and block such attacks.
WHMCS provides many features to help keep your data safe and private, and it is updated from time to time to improve security and fix vulnerabilities, but you still need to take a few simple additional steps to raise your WHMCS security level.
How to Set Up WHMCS Security?
You can customize the WHMCS settings to improve its security. Follow this article step by step to secure your WHMCS installation 100%.
1. Customize Your Admin Slug:
- First, log in to your file manager and go to the root folder where you installed WHMCS. There you will find the “admin” folder; rename it to whatever you want.
- Edit the configuration.php file and add the following line at the bottom of the file, before the closing PHP tag ?> if one exists:
$customadminpath = "myslug";
Here “myslug” is the slug you want, which must match the new name of the admin folder.
2. Delete the install Folder:
The install folder needs to be deleted for security reasons before using WHMCS.
3. How to Secure WHMCS Templates Cache Directories:
We recommend moving all writable directories to a non-public location to prevent web-based access. You can move them outside the public_html directory.
Follow these steps:
- Go to the WHMCS installation’s root directory and move the templates_c folder outside the public_html directory (if you’re using cPanel; otherwise move it to another non-public location).
- Edit the configuration.php file and add the following line at the bottom of the file, before the closing PHP tag ?> if one exists, to specify the path to the new location:
$templates_compiledir = "/home/username/whmcsdata/templates_c/";
Here “/home/username/whmcsdata/templates_c/” is the new location of the templates_c directory.
I recommend creating a folder “whmcsdata” outside public_html and moving the templates_c directory into it, because you can find it easily next time and you can also store more folders there, as I will show in the next steps.
4. Move Writable Directories:
You need to move all writable directories to a non-public location, as we did with the templates cache directory. There are two more writable directories: attachments and downloads.
- Move the attachments and downloads directories outside the public_html directory (I recommend moving them into the “whmcsdata” directory which I created in the previous step).
- Edit the configuration.php file and add the following lines:
$downloads_dir = "/home/username/whmcsdata/downloads/";
$attachments_dir = "/home/username/whmcsdata/attachments/";
Here “/home/username/whmcsdata/downloads/” and “/home/username/whmcsdata/attachments/” are the new locations of the downloads and attachments directories.
5. Move Cron Directory:
In this step we need to edit two places, because the crons directory needs to know where to find your WHMCS root directory, and your WHMCS installation needs to know where to find the crons directory.
- Choose a new location for your crons directory and move the entire /crons/ folder and its contents to it (my recommendation is to move it into the whmcsdata directory).
- Edit the config.php file within the crons directory and add the following code, for example:
$whmcspath = '/home/username/public_html/whmcs/';
Here “/home/username/public_html/whmcs/” is the WHMCS installation’s root directory.
- Edit the configuration.php file and add the following line:
$crons_dir = '/home/username/whmcsdata/whmcs_crons/';
Here “/home/username/whmcsdata/whmcs_crons/” is the new WHMCS cron directory.
6. How to Secure the WHMCS configuration.php File:
The configuration.php file contains sensitive data. To avoid accidentally overwriting, editing, or deleting the file, change its permission setting to 400. This gives the system read-only access to the file.
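One way to verify steps 1 to 6 after making the changes, as an added example that is not part of the original article or of WHMCS itself: the script reads configuration.php and checks the folder layout and the file mode. The function names and the simple `$name = "value";` parsing are assumptions of this example; the setting names are the ones shown in the steps above.

```python
import os
import re
import stat

# Settings from steps 3-5 that should point outside the web root.
PATH_SETTINGS = ("templates_compiledir", "downloads_dir", "attachments_dir", "crons_dir")
ASSIGN_RE = re.compile(r"""^\s*\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""", re.MULTILINE)

def read_settings(config_text):
    """Return {name: value} for simple `$name = "value";` lines of configuration.php."""
    return {m.group(1): m.group(3) for m in ASSIGN_RE.finditer(config_text)}

def is_inside(path, parent):
    """True if path resolves to parent itself or to something below it."""
    path, parent = os.path.realpath(path), os.path.realpath(parent)
    return os.path.commonpath([path, parent]) == parent

def audit_whmcs(whmcs_root, web_root):
    """Check steps 1-6 on disk; return a list of findings (empty list = all passed)."""
    findings = []
    config_path = os.path.join(whmcs_root, "configuration.php")
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        settings = read_settings(fh.read())
    # Step 1: admin folder renamed, $customadminpath set to the new name.
    slug = settings.get("customadminpath", "admin")
    if slug == "admin":
        findings.append("admin slug is still the default 'admin'")
    if os.path.isdir(os.path.join(whmcs_root, "admin")):
        findings.append("default admin/ folder still exists")
    if not os.path.isdir(os.path.join(whmcs_root, slug)):
        findings.append(f"$customadminpath '{slug}' has no matching folder")
    # Step 2: installer removed.
    if os.path.isdir(os.path.join(whmcs_root, "install")):
        findings.append("install/ folder still exists")
    # Steps 3-5: writable and cron directories moved out of the web root.
    for name in PATH_SETTINGS:
        value = settings.get(name)
        if value is None:
            findings.append(f"${name} is not set, so the default location is used")
        elif is_inside(value, web_root):
            findings.append(f"${name} points inside the web root: {value}")
        elif not os.path.isdir(value):
            findings.append(f"${name} points to a missing directory: {value}")
    # Step 6: configuration.php should be mode 400 (read-only for its owner).
    mode = stat.S_IMODE(os.stat(config_path).st_mode)
    if mode != 0o400:
        findings.append(f"configuration.php mode is {mode:o}, expected 400")
    return findings
```

Call `audit_whmcs("/home/username/public_html/whmcs", "/home/username/public_html")` with your own paths; an empty list means every check passed.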
7. Password Protect Admin Directory:
WHMCS is an all-in-one billing CRM that handles customer data, and sensitive information passes between it and end users, so it is essential to password protect your admin directory.
If you are using cPanel, you can use the Directory Privacy option.
8. Enable SSL Certificate:
WHMCS is a billing application that handles customers’ private data, so private and sensitive data often passes between it and end users’ browsers. A valid SSL certificate that enables HTTPS (Hypertext Transfer Protocol Secure) and encrypted communication is therefore essential.
9. Restrict Database Privileges:
You can limit the database user’s permissions to DELETE, INSERT, SELECT, UPDATE and LOCK TABLES. Only these database privileges are required, and I recommend disabling the others.
10. Restrict Access by IP:
For increased protection, if your staff use fixed IP addresses, you can restrict access to a specific set of IPs. To do this, create a file named .htaccess within your WHMCS admin directory with the following content:
order deny,allow
allow from 102.34.5.167
allow from 102.34.5.168
deny from all
These IPs are examples; replace them with your own device IPs. You can also allow entire IP subnets by specifying just the first part of an IP address (for example, 12.34.).
Consultation:
I recommend you install WHMCS from Softaculous, because all of the moving-related steps are done by the Softaculous installer and you need to do just 4-5 easy steps. I don’t recommend the “Restrict Access by IP” step, because when your IP changes you will not be able to get access, but you must do the “Password Protect Admin Directory” step. Use a high-quality SSL certificate and choose a good hosting provider that gives you the best backend server security, like Imunify360 server security. This is a complete solution for how to secure WHMCS.