Methods to Secure WHMCS

By on August 17th, 2018

WHMCS is an all-in-one client management tool used for billing and support for online businesses. We can discuss some of the methods to secure WHMCS.


Use Firewalls

WHMCS is a secure platform but it is better to add some extra security measures for preventing the attacks. The common attacks on WHMCS are SQL injection, Remote file inclusion etc… It is possible to detect and block an attack using some web application firewalls (WAFs) such as mod_security, NAXI etc…

Web Application Firewall is an htaccess based firewall. It has some pre-loaded rules a notification. The WAF databases are constantly updated with the latest attack signatures from Comodo, OWASP etc…


Block common attack methods like directory traversal, remote file inclusion etc…

Add custom rules that block HTTP requests that try to exploit a vulnerable function.


Customizing WHMCS Settings

We can change the default WHMCS settings to improve the security. This includes:


 1) IP address restriction: For increased protection, we can set a limit for accessing the admin area only to the staffs. That allows staffs IP address only to WHMCS admin area. This is done by creating a file with the name .htaccess within your WHMCS admin directory, with the following content:

  order deny, allow

allow from

allow from

deny from all


2) Changing admin directory: Change the name of the admin directory from ‘admin’ to another one. This can do by the following steps:

Open the file configuration.php within your WHMCS installation directory

Move to the bottom of the line and add the following line:

 $customadminpath = “mycustomfoldername”;

Replace “mycustomfoldername” with the name which you want to set. This should be a single name.

If the configuration.php file already contains a custom admin path definition, then you can update the existing one.


3) Restrict Database Privileges: Set limit of the database user’s permissions to DELETE, INSERT, SELECT, UPDATE and LOCK TABLES.


4) Move the attachments, downloads & templates directories: Place the following directories outside the public_html folder to prevent web-based access. These directories are writable so that they require permission 777 so it is safer to place the folders outside of the public_html folder.


Remove un-used addon

The common source of vulnerabilities is third party addon and payment gateway modules. So it is better to remove unwanted add-on and modules.


Web server hardening

This can be done using the following steps:

1) Use https connections.

2) Hide PHP and server versions and disable dangerous PHP functions.

3) Block non-standard ports.

4) Block connections from infected computers using blocklists such as SpamHaus XBL.


Move crons folder

The ‘crons’ folder contains the domain synchronization files so it is better to move this folder outside public_html folder to prevent outside users from triggering it. You can move this folder using the following steps:

Edit the /crons/config.php file and specify the path to the WHMCS root directory.

Eg:  $whmcspath = ‘/home/username/public_html/whmcs/’;

Where “username” is the cPanel username.


If you need any further assistance please contact our support department.



Leave a Reply