Your WHMCS installation handles sensitive customer and business data. While we implement security measures during each WHMCS version's development, we highly recommend additional steps to further enhance the security of your installation.
The following steps offer enhanced protection against malicious actors. For security-related inquiries, please consult your hosting provider or system administrator.
- Should you have installed WHMCS on a Plesk server using the Plesk WHMCS Installer, note that the extension automatically performs some, but not all, of the subsequent steps during its initial configuration.
- For further questions or concerns regarding server security, please reach out to your hosting provider or system administrator. They are best equipped to review your server, evaluate installed software and configurations, and offer customized recommendations and support.
1. Secure Writeable Directories
It is advisable to relocate all writeable directories to a private location, thereby preventing web-based access. This action necessitates corresponding adjustments to your file storage settings and the templates cache.
2. Secure the configuration.php File
We recommend adjusting the permissions for the configuration.php file, located in your WHMCS root directory. This file contains critical sensitive data that cannot be recovered without a backup. Modifying its permissions helps prevent accidental overwriting, editing, or deletion.
3. Move the Crons Directory
It is recommended to move the crons directory to a private location above your web root. This measure effectively prevents web-based access and enhances the security of your WHMCS installation.
4. Restrict Access to the Admin Area
For heightened protection, if your staff operates from fixed IP addresses, consider restricting access to a predefined set of these addresses. This helps mitigate unauthorized access by malicious users.
5. Rename the Admin Area Directory
Renaming your WHMCS admin directory makes it more challenging for bots and malicious actors to discover the login URL for your WHMCS Admin Area.
6. Enable SSL for Your Domain
WHMCS frequently handles private and sensitive data exchanged between the system and end-user browsers. Therefore, a valid SSL certificate, enabling HTTPS and encrypted communication, is crucial for data security.
7. Restrict Database Privileges
We advise disabling any unnecessary database privileges. WHMCS requires a specific set of permissions for routine operations, with additional privileges only necessary during installation, upgrades, and module activations.
8. Prohibit Direct Requests from the Vendor Directory
The vendor directory contains various common libraries utilized by WHMCS. To prevent unexpected behavior and potential issues, your server should not directly serve file requests from this path. While the .htaccess file included with Apache® servers already provides this protection, users of other web server technologies will need to update their configuration to prohibit direct file serving from the vendor directory.
9. Defend Against Clickjacking
Clickjacking attacks involve an attacker loading an external page (such as the WHMCS Client Area) and attempting to deceive the user into unknowingly granting access to their information. This can be prevented by ensuring your site consistently sends the appropriate Content Security Policy (CSP) frame-ancestors directive response headers.
10. Implement General Server Hardening
Further hardening measures will depend on your specific hosting control panel and server configuration.
