Video

This guide is available as a video:

WHMCS Security Checklist

This tutorial is part of our WHMCS security tutorials series.

In this tutorial I would like to cover how to secure WHMCS. This video is a checklist that breaks down each recommendation one by one; check the description if you'd like to skip to a particular section. You will also find a link to our video tutorials showing each of these steps in detail. You can also optionally hire us to complete any of the steps for you; check the description of this video for more information.

Let's get started.

1. The first and most important step is keeping WHMCS up to date. As with any software, if you are running an old version there is a chance that it has become insecure over time. WHMCS has an official end-of-life schedule whereby they stop updating old versions after a certain time; once a version is past its end of life, vulnerabilities found in it are not patched, so staying on it is a standing risk. Keeping WHMCS up to date is quick and easy thanks to WHMCS's admin-based update feature. You should also keep third-party templates and modules up to date for the same reason; the WHMCS updater does not update those for you.

2. Next up we have enabling SSL across WHMCS. With an SSL certificate installed, access to WHMCS is via https://, an encrypted connection. This is today's standard and is recommended for all pages of WHMCS, not only the login and checkout pages: a session cookie or admin password sent over plain http can be read by anyone on the network path between the visitor and your server. Using an insecure http connection is not only bad for security but can also negatively affect your website's performance in the search engines. Once the certificate is in place, redirect all http requests to https and set the WHMCS System URL to the https address so that the links WHMCS generates also use it.

3. Secure the configuration.php file by limiting access. This file is unique to your installation as it contains your database login and your unique credit card encryption hash, either of which could be used to compromise your installation. By default this file cannot be viewed publicly, because the web server executes it as PHP rather than serving its contents; if the PHP handler were ever misconfigured, the raw file would be served instead. To add extra protection it is advised to reduce the permissions of the file to read-only for its owner (for example 0400, or 0440 where PHP runs as a different user in a shared group), so that neither WHMCS nor a compromised script can modify it and other accounts on the server cannot read it.

4. Next we have moving the writable directories outside of public access. WHMCS has three writable directories: attachments, downloads and templates_c. All of them are publicly accessible by default and are written to by both admins and users. The security risk is that a file uploaded into one of these well-known directories (a malicious attachment on a support ticket, for example) could then be requested directly by its URL. To be safe these directories can be moved from within /public_html to somewhere under /home that the web server does not serve, with WHMCS pointed at the new locations in configuration.php, so they are no longer accessible publicly.

5. Renaming the default admin directory. When WHMCS is first installed, the directory for the administration panel is named admin. Anyone looking to hack a WHMCS installation will try that known path first, both to confirm the site runs WHMCS and to attack the login. To fix this we can rename the admin directory to a unique name of our choice; WHMCS needs to be told the new name in configuration.php. As an extra layer of protection we can also set a directory password on the new admin directory, which then acts as a second login required before the administration area is even reached. Renaming on its own only hides the login from casual scanning, which is why the directory password and strong credentials should go with it.
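The following script is an added example and is not code from this tutorial or from WHMCS itself. It applies steps 2 to 5 above to an installation in one go, assuming an Apache host that honours .htaccess files and runs PHP as the account owner (suPHP, CGI or a per-user FPM pool), so that 0400 on configuration.php is sufficient; under mod_php running as www-data you would use 0440 with a shared group instead. The paths, the new admin directory name "ops" and the location of the password file are assumptions for the example. The configuration.php settings it appends ($templates_compiledir, $attachments_dir, $downloads_dir and $customadminpath) are the ones WHMCS documents for these purposes.

```shell
#!/bin/sh
# Added example, not code from the tutorial or from WHMCS. Applies steps 2-5
# of the checklist. Assumes Apache with .htaccess enabled and PHP running as
# the account owner, so 0400 on configuration.php is enough; with mod_php as
# www-data use 0440 and a shared group. All paths are assumptions.
set -eu

# Append one PHP statement to configuration.php, keeping it inside the PHP
# block: a trailing "?>" closing tag, if present, is removed first.
add_config_line() {             # $1 = docroot, $2 = PHP statement
  f="$1/configuration.php"
  if [ "$(tail -n 1 "$f")" = "?>" ]; then
    tmp=$(mktemp)
    sed '$d' "$f" > "$tmp" && cat "$tmp" > "$f" && rm -f "$tmp"
  fi
  printf '%s\n' "$2" >> "$f"
}

# Step 2: send every plain-HTTP request to its HTTPS equivalent.
force_https() {                 # $1 = docroot
  cat >> "$1/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
EOF
}

# Step 4: relocate the three writable directories outside the docroot and
# point WHMCS at them via the configuration.php settings it documents.
# Must run before lock_config, which makes the file read-only.
move_writable_dirs() {          # $1 = docroot, $2 = private dir outside it
  for d in templates_c attachments downloads; do
    if [ -d "$1/$d" ]; then
      mv "$1/$d" "$2/whmcs_$d"
    else
      mkdir -p "$2/whmcs_$d"
    fi
  done
  add_config_line "$1" "\$templates_compiledir = \"$2/whmcs_templates_c/\";"
  add_config_line "$1" "\$attachments_dir = \"$2/whmcs_attachments/\";"
  add_config_line "$1" "\$downloads_dir = \"$2/whmcs_downloads/\";"
}

# Step 5: rename the admin directory, register the new name with WHMCS via
# $customadminpath, and put HTTP Basic authentication in front of it as a
# second login. Create the password file outside the docroot first, e.g.:
#   htpasswd -c /home/user/private/.htpasswd alice
rename_admin() {                # $1 = docroot, $2 = new name, $3 = htpasswd path
  mv "$1/admin" "$1/$2"
  add_config_line "$1" "\$customadminpath = \"$2\";"
  cat > "$1/$2/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $3
Require valid-user
EOF
}

# Step 3: make configuration.php read-only for its owner. Done last because
# the functions above need to write to it.
lock_config() {                 # $1 = docroot
  chmod 0400 "$1/configuration.php"
}

# Run all of the above in the right order.
harden_whmcs() {   # $1 = docroot, $2 = private dir, $3 = new admin name, $4 = htpasswd path
  mkdir -p "$2"
  force_https "$1"
  move_writable_dirs "$1" "$2"
  rename_admin "$1" "$3" "$4"
  lock_config "$1"
}

# Octal permission bits of a file, for checking the result (GNU or BSD stat).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Usage: sh harden_whmcs.sh /home/user/public_html /home/user/private ops /home/user/private/.htpasswd
if [ "$#" -eq 4 ]; then harden_whmcs "$@"; fi
```

Run it once, against a copy of the site first, and then confirm that the admin area loads at the new name, that ticket attachments still upload, and that http:// requests arrive at https://. If anything breaks, the only state it changed is the three moved directories, the lines appended to configuration.php and the two .htaccess files.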

6. A very overlooked security step is using strong passwords. Ensure that you are using a strong password for WHMCS: long, unique to this site and consisting of uppercase and lowercase letters, numbers and special characters, ideally generated and stored by a password manager. Following the same principle as the admin directory, it's important to use a unique admin username instead of admin, as admin could easily be guessed by hackers. Aside from WHMCS itself, it's also important to use strong passwords for all of the services that tie into your WHMCS installation. This includes your web hosting control panel, FTP, email and any payment gateways you're using. Enable two-factor authentication wherever it is offered, including the option WHMCS provides for admin logins.

7. Clean your WHMCS files and directories. Over time your WHMCS installation may become cluttered with old files, and these files become a security risk if left in place. For example, if you back up a WHMCS module inside the web root, that copy will be forgotten about and left un-updated while the live module moves on. If a hacker is able to discover it, they may be able to exploit the dated code within, because a stray copy of a PHP file is still executed by the web server when it is requested directly. Over the last 12 years working with WHMCS, and with hundreds of installations, I have seen very bad examples of this, including duplicated configuration files, many-years-old copies of WHMCS files and even publicly accessible backups of the database. At Zomex we provide a tidying service where we clean your installation for you by moving duplicated and old files outside of public access. Check the description to hire Zomex for this service.
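As an added example of the tidying described in step 7 (not code from the tutorial or from Zomex), the script below lists files under a WHMCS document root that should not be web-accessible and moves them to a directory outside it, preserving their relative paths so the move can be reversed. The name patterns are assumptions based on what commonly gets left behind (backup and archive extensions, SQL dumps, spare copies of configuration.php, the post-install "install" directory that WHMCS tells you to delete, and directories named backup*); extend them to match your own habits.

```shell
#!/bin/sh
# Added example, not from the tutorial or WHMCS. Finds leftover files in a
# WHMCS docroot and quarantines them outside public access. The patterns
# below are assumptions; add your own naming conventions.
set -eu

# Print candidate paths, one per line, relative to the docroot.
find_stale_files() {            # $1 = docroot
  (
    cd "$1"
    # 1. backup, archive and dump extensions anywhere under the docroot
    find . -type f \( -name '*.bak' -o -name '*.old' -o -name '*.orig' \
      -o -name '*.zip' -o -name '*.tar' -o -name '*.tar.gz' -o -name '*.tgz' \
      -o -name '*.sql' -o -name '*.sql.gz' -o -name '*~' \)
    # 2. any copy of configuration.php other than the live one
    find . -type f -name 'configuration*' ! -path './configuration.php'
    # 3. the installer directory and ad-hoc backup directories
    find . -type d \( -name 'install' -o -name 'backup*' \)
  ) | sed 's#^\./##' | sort -u
}

# Move everything find_stale_files reports into a directory outside the
# docroot, keeping relative paths so each item can be put back if needed.
quarantine_stale_files() {      # $1 = docroot, $2 = destination outside it
  find_stale_files "$1" | while IFS= read -r rel; do
    [ -e "$1/$rel" ] || continue      # already moved with its parent directory
    mkdir -p "$2/$(dirname "$rel")"
    mv "$1/$rel" "$2/$rel"
  done
}

# Usage: review the list first, then quarantine:
#   sh tidy_whmcs.sh /home/user/public_html
#   sh tidy_whmcs.sh /home/user/public_html /home/user/quarantine
if [ "$#" -eq 1 ]; then find_stale_files "$1"; fi
if [ "$#" -eq 2 ]; then quarantine_stale_files "$1" "$2"; fi
```

Review the listing before quarantining: a directory named backup_2019 is obvious, but a .zip in the downloads area may be a product file your clients legitimately download, which is exactly why downloads should live outside the docroot as in step 4 rather than be served by name.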

If this video has been helpful to you give it a like and be sure to leave a comment if you have any questions or would like to add your own recommendations.

Request Support

We hope you found this documentation useful. If you run into any issues we will be happy to assist you.