
Make WHMCS Secure: WHMCS is a hosting and billing management software that automates your hosting and domain business. Over the last few years, however, we've received a lot of complaints about WHMCS security vulnerabilities and adapters. Many hackers and intruders are trying their best to hack and exploit the WHMCS system.

WHMCS stores very sensitive client data such as server logins, client names and card details, along with data on every customer whose hosting plan is running. All of your registered domains, in addition to server access, add up to a large amount of confidential data, so there is a great need to protect your WHMCS system. We continuously monitor various security channels in relation to our customers' complaints. To avoid hackers, malware infections and vulnerability exploits, it is necessary to follow some security measures.

1. Securing the Writable Directories

To prevent web-based access, you need to move all writable directories from the public folder to a private directory. The three writable directories are attachments, downloads and templates_c. Point WHMCS at the new paths by updating the following lines in the configuration.php file.

$attachments_dir = "/home/username/public_html/attachments/";
$downloads_dir = "/home/username/public_html/downloads/";
$templates_compiledir = "/home/username/public_html/templates_c";

After moving to a private directory:

$attachments_dir = "/home/username/whmcsdata/attachments/";
$downloads_dir = "/home/username/whmcsdata/downloads/";
$templates_compiledir = "/home/username/whmcsdata/templates_c";

2. Securing the “configuration.php” file

Securing configuration.php is very important because it contains the database username and password and the hash key used to encrypt and decrypt data. It is also one of the files you cannot recover without a backup. Change the permissions of the configuration.php file in your WHMCS root directory to 400, which helps prevent accidental editing, overwriting and deletion. This gives read-only access to the file and keeps anyone else from tampering with it.

3. Move the Crons directory

We recommend moving the crons folder to a non-public directory above your web root to stop web-based access. To relocate it, first choose a new location for your crons folder, then uncomment the WHMCS path and provide the full path to your WHMCS installation. Finally, add the following line to configuration.php:

$crons_dir = '/home/username/whmcs_crons';
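The following script is an added example, not part of the original article or of WHMCS: it audits the changes from sections 1 to 3 by reading configuration.php, confirming that each relocated directory exists outside the web root, and confirming that the file mode is exactly 400. The function names are hypothetical, and the web root defaults to the WHMCS root unless a second argument is given.

```sh
#!/bin/sh
# Added example: audit the relocations and file mode described in sections 1-3.
# Function names are hypothetical; the variables checked are the ones on this page.

resolve() { (cd "$1" 2>/dev/null && pwd -P); }   # physical path of an existing dir

cfg_value() {   # cfg_value FILE VAR -> last quoted string assigned to $VAR
    sed -n "s/^[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*[\"']\\([^\"']*\\)[\"'].*/\\1/p" "$1" | tail -n 1
}

is_under() {    # is_under PATH ROOT -> 0 if PATH is ROOT or lies inside it
    case "${1%/}/" in "${2%/}/"*) return 0 ;; esac
    return 1
}

audit_whmcs() { # audit_whmcs WHMCS_ROOT [DOCROOT] -> prints findings, returns 1 on any FAIL
    cfg="$1/configuration.php"; fail=0
    docroot=$(resolve "${2:-$1}") || { echo "FAIL no such directory: ${2:-$1}"; return 1; }
    [ -r "$cfg" ] || { echo "FAIL cannot read $cfg"; return 1; }
    for var in attachments_dir downloads_dir templates_compiledir crons_dir; do
        val=$(cfg_value "$cfg" "$var")
        if [ -z "$val" ]; then
            echo "FAIL \$$var is not set in configuration.php"; fail=1
        elif ! real=$(resolve "$val"); then
            echo "FAIL \$$var=$val does not exist"; fail=1
        elif is_under "$real" "$docroot"; then
            echo "FAIL \$$var=$val is still inside $docroot"; fail=1
        else
            echo "OK   \$$var=$val"
        fi
    done
    # find -perm 400 matches only when the mode is exactly 400
    if [ -n "$(find "$cfg" -prune -perm 400)" ]; then
        echo "OK   configuration.php mode is 400"
    else
        echo "FAIL configuration.php mode is not 400"; fail=1
    fi
    return "$fail"
}
```

Run it as the account that owns the WHMCS files, for example `audit_whmcs /home/username/public_html`, since a mode of 400 makes configuration.php unreadable to other users.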

4. Restricting access by IP

To add more privacy to your admin area, you can restrict access to a particular set of IPs. This is done by creating a file named .htaccess within the admin directory of WHMCS with the following content, putting one of your permitted IP addresses after each "allow from":

order deny,allow
allow from FIRST.ALLOWED.IP.ADDRESS
allow from SECOND.ALLOWED.IP.ADDRESS
deny from all
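The directives above use the Apache 2.2 syntax. The script below is an added example, not from the original article: it goes beyond the text by also emitting the Apache 2.4 `Require ip` form, and it validates each address and refuses an empty list before writing anything. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: build the admin-directory .htaccess from a list of allowed
# IPv4 addresses. Function names are hypothetical.

valid_ipv4() {  # valid_ipv4 ADDR -> 0 only for a dotted quad with octets 0-255
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

admin_htaccess() {  # admin_htaccess IP... -> prints the file, returns 1 on bad input
    # An empty allow list would lock every administrator out, so refuse it.
    [ "$#" -gt 0 ] || { echo "no allowed addresses given" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    done
    echo "# Apache 2.4 and later (mod_authz_core): any other client gets 403"
    echo "<IfModule mod_authz_core.c>"
    echo "    Require ip $*"
    echo "</IfModule>"
    echo "# Apache 2.2 fallback, the directives shown in this section"
    echo "<IfModule !mod_authz_core.c>"
    echo "    Order deny,allow"
    echo "    Deny from all"
    for ip in "$@"; do echo "    Allow from $ip"; done
    echo "</IfModule>"
}
```

Redirect the output of `admin_htaccess` into the .htaccess file of your admin directory, passing your own addresses as arguments.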

5. Changing WHMCS Admin Folder Name

Changing the WHMCS admin location is very important for securing your WHMCS admin login area; customizing the admin folder name helps make your WHMCS more secure.

  1. Open the configuration.php file within your WHMCS installation's root directory.
  2. At the bottom of the file (before the closing PHP tag ?> if one exists), add the following line: $customadminpath = "myadminfoldername";
  3. Replace myadminfoldername with the name you wish to use for your admin directory. This should just be the directory name, not a full path.
  4. If your configuration.php file already contains a custom admin path definition, you can simply update the existing line.
  5. Rename the admin directory to the name you specified in step 2 above.

6. Enable SSL

As the owner of a WHMCS installation, which handles all customer data through the billing application, you need to protect the sensitive data that passes between it and end users. Therefore, it is important to have a valid SSL certificate that allows you to use HTTPS and encrypted communication.

  1. Install Mod Security in Easy Apache: As an additional step, you can install Mod Security in Apache, which helps block SQL injection attacks.
  2. Install Imunify360 on your server.
  3. Secure your physical server: access the files via SSH/SFTP and relocate the SSH port.
  4. Block all unwanted ports on your server.
  5. Choose a strong password for your WHMCS when you set it up, and make sure no other CMS platform, such as WordPress, is hosted in the same hosting account or in a subfolder.
  6. Back up your server and its database files.
  7. Install WHMCS alone on a server.
  8. Hire a WHMCS expert to make sure all of your WHMCS configuration is secure.

About the Author

Shahid Malla

Shahid Malla is an accomplished system admin and web developer, renowned for his expertise in various fields. With a strong background in WHMCS development, WordPress development, and PHP development, Shahid has honed his skills over the years to deliver exceptional results. As a top-rated freelancer, he has consistently garnered praise and recognition, earning a stellar 5-star rating from a pool of 500 reviews. Shahid's proficiency extends beyond coding and development, encompassing server configuration, server management, and web security. With his extensive knowledge and dedication to delivering high-quality solutions, Shahid Malla is your go-to professional for all your technical needs.
