How-To

Securing WHMCS

WHMCS is a powerful web host automation system for WHM/cPanel that allows you to quickly and easily manage a hosting reseller business. You can purchase a WHMCS license directly through your ServInt Portal in the Services section. The following tips can help you add extra security to your WHMCS installation.

Move Writeable Directories
WHMCS has three directories that the web server must be able to write to: “attachments”, “downloads”, and “templates_c”. It is recommended that you move these three directories to a non-public location outside your web root, so that nothing written into them (uploaded attachments, compiled templates) can be requested or executed through the web server.

Once you move these directories, you will need to change the configuration.php file in the root WHMCS directory to point it to the new paths. For instance, if you move the directories into /home/username/secure, the three lines you need to change would become:

$attachments_dir = "/home/username/secure/attachments/";
$downloads_dir = "/home/username/secure/downloads/";
$templates_compiledir = "/home/username/secure/templates_c/";

Move Crons Directory
Much like the writeable directories, it’s recommended that you move the crons directory to a non-public directory above your web root. Once you have moved the directory, you will need to make two changes.

First, open the config.php file inside the crons directory and find the line:

$whmcspath = '/home/username/public_html/whmcs/';

Uncomment it by removing the leading #. This line tells the relocated crons directory where your full WHMCS installation lives, so make sure the path points to where WHMCS is actually installed.

Next, add the following line to the configuration.php file in your root WHMCS directory:

$crons_dir = '/home/username/whmcs_crons/';

Make sure the path is the directory you moved the crons files into. If you had cron jobs scheduled before making this change, update them so they call the scripts at the new path.
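The two relocations above (the three writable directories and the crons directory) edit the same two files, so the following shell function does both in one pass. It is an added example written for this article, not code from the original page or from WHMCS: it moves the directories out of the web root, rewrites the three path lines in configuration.php, adds $crons_dir, and uncomments and sets $whmcspath in the relocated crons/config.php. The function name and the example paths are assumptions, as is the premise that PHP runs as the account user (cPanel suPHP/CGI/FPM) and that the paths contain no backslashes or awk metacharacters.

```shell
#!/bin/sh
# Added example, not from the original article or from WHMCS itself: move the
# writable directories (attachments, downloads, templates_c) and the crons
# directory out of the web root and rewrite the two config files to match.
# Assumes PHP runs as the account user and paths contain no backslashes.
#
# Usage: relocate_whmcs_dirs /home/username/public_html/whmcs /home/username/secure

relocate_whmcs_dirs() {
    whmcs_root=${1%/}
    secure_dir=${2%/}
    config="$whmcs_root/configuration.php"

    if [ ! -f "$config" ]; then
        echo "no configuration.php in $whmcs_root" >&2
        return 1
    fi
    # The whole point is to leave the web root; refuse a target inside it.
    case "$secure_dir" in
        "$whmcs_root"|"$whmcs_root"/*|*/public_html|*/public_html/*)
            echo "$secure_dir is still inside the web root" >&2
            return 1 ;;
    esac

    mkdir -p "$secure_dir"
    chmod 700 "$secure_dir"   # owner only; loosen if PHP runs as another user

    for d in attachments downloads templates_c crons; do
        if [ -e "$secure_dir/$d" ]; then
            echo "$secure_dir/$d already exists, not overwriting" >&2
            return 1
        fi
        if [ -d "$whmcs_root/$d" ]; then
            mv "$whmcs_root/$d" "$secure_dir/$d"
        else
            mkdir -p "$secure_dir/$d"   # create it if the install never had one
        fi
    done

    # Rewrite the three existing path lines, drop any stale $crons_dir, and add
    # the new $crons_dir before a closing ?> if there is one, else at the end.
    tmp=$(mktemp)
    awk -v sec="$secure_dir" '
        function crons_line() { return "$crons_dir = \"" sec "/crons/\";" }
        /^\$attachments_dir[ \t]*=/      { print "$attachments_dir = \"" sec "/attachments/\";"; next }
        /^\$downloads_dir[ \t]*=/        { print "$downloads_dir = \"" sec "/downloads/\";"; next }
        /^\$templates_compiledir[ \t]*=/ { print "$templates_compiledir = \"" sec "/templates_c/\";"; next }
        /^\$crons_dir[ \t]*=/            { next }
        /^\?>[ \t]*$/                    { print crons_line(); added = 1 }
        { print }
        END { if (!added) print crons_line() }
    ' "$config" > "$tmp" && mv "$tmp" "$config"

    # crons/config.php: uncomment $whmcspath and point it at the installation.
    crons_cfg="$secure_dir/crons/config.php"
    if [ -f "$crons_cfg" ]; then
        tmp=$(mktemp)
        awk -v root="$whmcs_root" -v q="'" '
            /^[ \t]*(#|\/\/)?[ \t]*\$whmcspath[ \t]*=/ { print "$whmcspath = " q root "/" q ";"; next }
            { print }
        ' "$crons_cfg" > "$tmp" && mv "$tmp" "$crons_cfg"
    fi
}
```

After running it, confirm that requesting /whmcs/attachments/ or /whmcs/crons/ through the browser now returns a 404, and update your crontab entries to the new crons path.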

Restrict Access by IP
If you always connect from a fixed IP address, you can add extra protection to WHMCS by creating an .htaccess file in the WHMCS admin directory that refuses every other address. The file would contain the following (replace the placeholder addresses with your own):

order deny,allow
allow from 203.0.113.9
allow from 198.51.100.
deny from all

This would allow users from 203.0.113.9 and any IP starting with 198.51.100 to reach the admin area, and deny everyone else. You can put as many “allow from” lines as you like. Two caveats: the .htaccess file only takes effect if the server's AllowOverride setting for that directory permits Limit (or All), and this Order/Allow/Deny syntax is the Apache 2.2 form; on Apache 2.4 it only works when mod_access_compat is loaded, otherwise the equivalent is the Require ip directive. Test from an address that is not listed afterwards and confirm you receive a 403.
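Because a typo in an allow line either locks you out or leaves the admin area open, it is worth generating the file from a checked list rather than typing it by hand. The following shell functions are an added example, not code from the original article: they validate each entry (full address, 1-3 octet prefix, or CIDR block) and write an .htaccess that carries both the Apache 2.2 Order/Allow/Deny form and the Apache 2.4 Require ip form, each inside an IfModule guard so the same file works on either version. The function names and the addresses in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: generate the admin-directory
# .htaccess from a list of allowed addresses, validating each one first.
#
# Usage: write_admin_htaccess /home/username/public_html/whmcs/admin 203.0.113.9 198.51.100.

# Prints the entry in the form Apache expects and returns 0, or returns 1.
# Accepts a full IPv4 address, a 1-3 octet prefix with or without a trailing
# dot (198.51.100. becomes 198.51.100) or a CIDR block with a full address.
# Rejects empty or non-numeric octets, octets above 255 and octets with a
# leading zero, so an entry like 8.67.53.09 fails loudly instead of being
# interpreted in a way you did not intend.
normalize_allow_entry() {
    addr=$1 mask='' prefix=0 n=0
    case "$addr" in */*) mask=${addr#*/}; addr=${addr%%/*} ;; esac
    case "$addr" in *.) prefix=1; addr=${addr%.} ;; esac
    if [ "$prefix" -eq 1 ] && [ -n "$mask" ]; then return 1; fi   # "10.1./8" is malformed
    case "$mask" in
        '') ;;
        *[!0-9]*) return 1 ;;
        *) if [ "$mask" -gt 32 ]; then return 1; fi ;;
    esac
    old_ifs=$IFS; IFS=.
    for octet in $addr; do
        n=$((n + 1))
        case "$octet" in
            ''|*[!0-9]*|0[0-9]*) IFS=$old_ifs; return 1 ;;
        esac
        if [ "$octet" -gt 255 ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    if [ "$prefix" -eq 1 ]; then
        [ "$n" -ge 1 ] && [ "$n" -le 3 ] || return 1
    else
        [ "$n" -eq 4 ] || return 1
    fi
    if [ -n "$mask" ]; then printf '%s/%s\n' "$addr" "$mask"; else printf '%s\n' "$addr"; fi
}

# Usage: write_admin_htaccess <admin_dir> <entry>...
write_admin_htaccess() {
    admin_dir=$1; shift
    if [ ! -d "$admin_dir" ]; then echo "$admin_dir is not a directory" >&2; return 1; fi
    if [ "$#" -eq 0 ]; then echo "refusing to write a file that allows nobody" >&2; return 1; fi
    entries=''
    for e in "$@"; do
        norm=$(normalize_allow_entry "$e") || { echo "rejecting malformed entry: $e" >&2; return 1; }
        entries="$entries $norm"
    done
    out="$admin_dir/.htaccess"
    if [ -f "$out" ]; then cp "$out" "$out.bak"; fi   # keep whatever was there
    {
        echo '# Apache 2.4 (mod_authz_core); several Require lines default to RequireAny'
        echo '<IfModule mod_authz_core.c>'
        for e in $entries; do echo "    Require ip $e"; done
        echo '</IfModule>'
        echo '# Apache 2.2, or 2.4 with mod_access_compat loaded'
        echo '<IfModule !mod_authz_core.c>'
        echo '    Order deny,allow'
        echo '    Deny from all'
        for e in $entries; do echo "    Allow from $e"; done
        echo '</IfModule>'
    } > "$out"
}
```

The file still depends on AllowOverride permitting Limit (or All) for the admin directory; if it does not, Apache ignores the .htaccess silently and the only sign is that the admin login stays reachable from everywhere.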

Change WHMCS Admin Folder Name
You can give your WHMCS admin folder a custom name in order to make it harder for attackers to locate the login page. To do so, rename the admin directory, then open the configuration.php file in the root WHMCS directory and add the following line:

$customadminpath = "mycustomfoldername";

Replace mycustomfoldername with the name you gave the directory; the two must match exactly. Take note that if you do this, when you apply updates or patches you will have to move the files from the default admin directory in the distribution into your custom admin folder. This is obscurity rather than access control, so it complements, but does not replace, the IP restriction above.

Restrict Database Privileges
For day to day use, only the following database privileges are required by WHMCS:

DELETE
INSERT
SELECT
UPDATE

Installing, upgrading, activating, and deactivating modules require the following privileges:

ALTER
CREATE
DROP
INDEX

You can change privileges by logging into your cPanel, going to the MySQL Databases option, and clicking on the user for the WHMCS database in the “Privileged Users” column. Uncheck all the unnecessary database privileges. When you need the other privileges for an upgrade or a module change, enable them temporarily and remove them again as soon as the task is finished.
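On a server where you have root access to MySQL, the same two privilege sets can be applied from the shell instead of the cPanel interface. The following function is an added example, not code from the original article or from WHMCS: it prints the GRANT and REVOKE statements for the day-to-day state, for the start of maintenance, and for the end of maintenance, and you pipe its output into the mysql client. The database, user and host names in the usage lines are assumptions, and it assumes the MySQL account is dedicated to WHMCS.

```shell
#!/bin/sh
# Added example, not from the original article or from WHMCS: print the
# GRANT/REVOKE statements that put the WHMCS database user in one of the two
# privilege states the article describes. The names below are assumptions.
#
#   whmcs_db_grants daily           whmcs_db whmcs_user localhost | mysql -u root -p
#   whmcs_db_grants maintenance     whmcs_db whmcs_user localhost | mysql -u root -p
#   ... run the upgrade or activate/deactivate the module ...
#   whmcs_db_grants end-maintenance whmcs_db whmcs_user localhost | mysql -u root -p

DAILY_PRIVS='SELECT, INSERT, UPDATE, DELETE'
MAINTENANCE_PRIVS='ALTER, CREATE, DROP, INDEX'

# Only plain identifiers are accepted, so a stray quote or semicolon in an
# argument cannot change the meaning of the emitted SQL.
plain_identifier() {
    case "$1" in ''|*[!A-Za-z0-9_.%-]*) return 1 ;; esac
}

# Usage: whmcs_db_grants <daily|maintenance|end-maintenance> <db> <user> [host]
whmcs_db_grants() {
    mode=$1 db=$2 user=$3 host=${4:-localhost}
    for v in "$db" "$user" "$host"; do
        plain_identifier "$v" || { echo "bad identifier: $v" >&2; return 1; }
    done
    target="\`$db\`.*"
    account="'$user'@'$host'"
    case "$mode" in
        daily)
            # The account is dedicated to WHMCS, so start from nothing: this
            # also strips anything left over from installation time.
            echo "REVOKE ALL PRIVILEGES, GRANT OPTION FROM $account;"
            echo "GRANT $DAILY_PRIVS ON $target TO $account;"
            ;;
        maintenance)
            echo "GRANT $MAINTENANCE_PRIVS ON $target TO $account;"
            ;;
        end-maintenance)
            echo "REVOKE $MAINTENANCE_PRIVS ON $target FROM $account;"
            ;;
        *)
            echo "mode must be daily, maintenance or end-maintenance" >&2
            return 1 ;;
    esac
    # Show the result so the change can be verified in the same session.
    echo "SHOW GRANTS FOR $account;"
}
```

The final SHOW GRANTS line is the check: after the daily step it should list exactly SELECT, INSERT, UPDATE, DELETE on the WHMCS database and nothing global beyond USAGE.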

These five suggestions will help add additional security to your WHMCS installation, giving it greater protection against hackers. If you have any questions about implementing these changes, feel free to file a support ticket with our MST! We can help with these security tweaks and more.

