This guide is available as a video:

Fixing the WHMCS insecure permission check warning

This tutorial is part of our WHMCS security tutorials series.

In your WHMCS admin panel you will find all security & function warnings under the help > system health status menu. In this video we will be focusing on resolving the Insecure Permissions Check warning.

This warning is valid as your configuration.php file contains your database login, license key & credit card encryption hash. Needless to say this data is very sensitive and needs to be out of reach for hackers. By limiting the permission access of this file we will be adding a extra layer of defence and make it harder for hackers to view & modify this file.

Now it's time to fix this error. The majority of websites use cPanel but if your website isn't hosted on a cPanel server then you could use a FTP program.

Once logged-in to cPanel head to file manager then access your root WHMCS files which will be within your public_html directory.

Scroll down to find the configuration.php file, click on the permission number and change the value to 400. This permission provides read only access to the file by the system and prevents anyone else from reading, editing or executing the file. Please note that some systems will require a different permission value.

If 400 doesn't work for you try 440 and then 444. Your web hosting provider should be able to confirm which one to use in this case.

Once the permission is changed refresh the system health status menu of WHMCS and you should see that the warning has now disappeared which confirms the issue has been resolved.


If you have any questions please leave a comment below or contact our support.