This guide is available as a video:

Securing The WHMCS Storage Directories

This tutorial is part of our WHMCS tutorials series.

In this video tutorial I will show you how to adjust your WHMCS storage settings to resolve the Customising Default Paths warning.

The storage settings set the path to your WHMCS download and attachment directories. The downloads directory is used to store downloads you upload as an admin that may be used by your clients. These can be associated with a product or service for example. The attachments directory stores attachments sent via tickets or emails.

When WHMCS is first installed the download and attachment directories are located within the root files. This makes these directories publicly accessible which is the reason why WHMCS shows a warning. This could be a potential security concern. For example if a user finds a way to upload a malicious file as a ticket attachment, knowing the default attachment directory path they could access that file publicly in an attempt to compromise your website.

To stop this potential security risk and resolve the warning we need to change the path of these directories. From within the default /public_html/ to /home/ directory.

Head to the WHMCS System Settings and access the Storage Settings page. To the left we have the file type WHMCS is storing and to the right the path of the directory storing those files. As you can see WHMCS gives us control to set unique locations for various file types including email attachments, client files and ticket attachments. In this guide I will stick to the same 3 directory structure but you are free to create more to separate files more specifically.

Following the same structure head to cPanel's file manager or access your files using an FTP client. Head to the /home/ directory. I like to create a parent directory for WHMCS files. Then within the WHMCS directory create the attachments and downloads directories. Within attachments create the projects directory.

Next head back to the WHMCS storage settings and click on the configurations tab. Within the add new configuration, we will need to create a local storage path for our new directories.

Let's go ahead and create the 3 paths to the directories we just created, attachments, downloads and projects. Note that the start of the path is shown at the top of the left column of file manager. Then the end will be our created directories.

Head back to the settings, we will now need to change the old public_html path to the new matching /home/ path. When you change the selection you will see the options to migrate or switch. Migrate will move all of the files within the old directory to new. Switch will switch the path without moving the files. If you have an install with existing clients and files use the migrate option. If it's a new install and in our case a test environment use the switch option.

The final step is to move the templates_c directory. This directory stores the cached template files which improves the performance of WHMCS. By default the templates_c directory is also located within the root WHMCS files. Instead of being defined within the storage settings this directory path is customised within the configuration.php file. Head to file manager and find the templates_c directory. Right click and select move. Let's go ahead and move this directory to our previously created whmcs directory within home. Next edit the configuration.php file and customize the $templates_compiledir variable with our new path.

Head back to the WHMCS Health And Status. You should see that the Customising Default Paths warning has disappeared. This confirms that your paths have been successfully changed to further secure your WHMCS.


If you have any questions please leave a comment below or contact our support.