[WHMCS] Additional Security Measures

If you are a reseller and are looking for a one-stop hosting solution for things such as handling Billing and Support ticket requests, WHMCS is an incredible solution. It is compatible with the major payment gateways such as PayPal, Google Checkout, and Authorize.Net, and includes many features such as the ability to use various currencies, create invoices, and create promotions. Hence, the importance to keep your WHMCS installation as locked down as possible to prevent intrusions and hacking attempts. If you need a dedicated server check out ServerMania for a great selection of options. Below is an article explaining attentional highly recommended security steps within WHMCS.

Step 1: Changing your WHMCS admin directory

WHMCS is a very popular and well known software so it is likely that if someone was to try and gain access to your WHMCS admin area, they would via /admin/. This needs to be changed to something only you and your administrators would be aware of.

To change the admin directory simply rename the /admin/ folder in your file manager (or FTP client) and then modify the configuration.php file to let WHMCS know where the new location is:

$customadminpath = "new-admin-folder";

Step 2: Admin IP Restriction

If someone was to gain access to your WHMCS admin area or your system was compromised from an exploit it is a very nice idea to have this restriction in place to add some extra hurdles for your attackers. To block IP addresses create a .htaccess file within the admin directory of your WHMCS installation.

In your file manager or text editor edit the .htaccess file to contain the following:

order deny,allow
allow from
allow from
deny from all

Replace the IP addresses above with the ones you want to enable access to your WHMCS area. You can add as many “allow from” rules as you like.

Step 3: Password Protect Your Admin Directory

Using the “Password Protected Directories” feature within cPanel you can set a password on the WHMCS admin folder. The result will mean anyone who attempts to visit your admin directory would be prompted for a password before they are able to access. Failing the password would result in a 403 forbidden error message.

Step 4: Remove WHMCS Branding

Removing WHMCS branding doesn’t only give you a “whitelabel” support and billing system, it actually increases security. When an exploit is out and being abused hackers usually go to Google and search for “Powered by WHMCS” which will give them a complete list of indexed WHMCS installations to hack from.

Paying to remove this will prevent that from happening. Best of all, it is a mere £4 per month or £48 annually, a minimal fee to potentially put you out of the line of being hacked.

Looking for secure WHMCS reseller hosting? Check out EzpzHosting.co.uk