How to further secure your WHMCS installation?

Now that you’ve installed WHMCS, there are a few steps you can take to strengthen its security. This WHMCS security tutorial and the accompanying video tutorial show how to do that.

To start off, open up your favorite FTP client or your control panel’s file manager. For this tutorial, we will be using cPanel’s file manager, but anything will work.

As you know, by default all files and directories contained in the public directory of a web server can be directly downloaded by anyone. For certain content such as downloads and attachments, this behavior is generally undesirable.

Therefore you need to move the attachments, downloads, and templates_c directories outside of public access. It is important to note that on most shared hosting accounts, the public directory is named public_html or www. What we need to do is move the folders to a location outside that directory; in most cases, that will mean putting them in your home directory. For the purpose of this tutorial we will consider /home/mybiz123 as our home directory.

  1. Let’s first create a directory in our home directory. Click here, remove the path, and click Go to go directly to the home directory.
  2. Click New Folder.
  3. Give the folder a name and click Create New Folder. This is the new folder we will move our folders into.
  4. The folder has been created successfully and now appears in the list.
  5. Let’s go back to our WHMCS installation folder and select those directories. Note that you can select multiple directories by holding Ctrl and clicking.
  6. Now click the Move File icon.
  7. Let’s place these three directories in the new folder we just created. Set the path to that folder.
  8. Now click Move Files and you will see the folders being removed from the list.
  9. Next, let’s rename the admin directory to add some security through obscurity. This will help prevent malicious users from even attempting to log in to your admin area. Note: The admin directory must remain inside this folder; it cannot be moved like the others. Once renamed it can be moved.
  10. Select the directory.
  11. Click Rename.
  12. Now click the Rename File button.
  13. The renamed folder will now be visible in the list.
  14. Finally, we must inform WHMCS of the changes to its directory structure.
  15. To open configuration.php for editing, select it first.
  16. Next, click Edit.
  17. First, update the variable $templates_compiledir.
  18. Next, add the two variables and directory paths that follow.
  19. Lastly, add the following variable to tell WHMCS the new name of the admin directory and click Save Changes.
  20. Let’s test whether the WHMCS admin login is secure.
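
A post-change audit for the steps above, added here as an example and not taken from the original tutorial or from WHMCS: it reads configuration.php and confirms that the three directories resolve outside the web root and that the admin directory was renamed. It assumes the standard WHMCS variable names `$attachments_dir`, `$downloads_dir` and `$customadminpath` for steps 18 and 19; the function names `cfg_value` and `check_whmcs_layout` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit a WHMCS install after the move/rename steps above.
# Usage: check_whmcs_layout WEBROOT WHMCS_DIR  (returns 0 when clean, 1 on findings)

# Print the quoted string assigned to $VAR in a PHP config file (last one wins).
cfg_value() {
  sed -n "s/^[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*[\"']\\([^\"']*\\)[\"'].*/\\1/p" "$1" | tail -n 1
}

check_whmcs_layout() {
  local webroot whmcs cfg var dir real admin findings=0
  webroot=$(cd "$1" >/dev/null 2>&1 && pwd -P) || return 2
  whmcs=$(cd "$2" >/dev/null 2>&1 && pwd -P) || return 2
  cfg="$whmcs/configuration.php"

  # Each data directory must be configured, exist, and resolve outside the web root.
  # Variable names are assumed to be the standard WHMCS ones.
  for var in templates_compiledir attachments_dir downloads_dir; do
    dir=$(cfg_value "$cfg" "$var")
    if [ -z "$dir" ]; then
      echo "FAIL \$$var is not set"; findings=1; continue
    fi
    # Relative values resolve against the install directory, i.e. inside the web root.
    if ! real=$(cd "$whmcs" && cd "$dir" >/dev/null 2>&1 && pwd -P); then
      echo "FAIL \$$var -> $dir does not exist"; findings=1; continue
    fi
    case "$real/" in
      "$webroot"/*) echo "FAIL \$$var -> $real is web-accessible"; findings=1 ;;
      *)            echo "OK   \$$var -> $real" ;;
    esac
  done

  # The original copies must no longer sit in the install directory.
  for dir in attachments downloads templates_c; do
    if [ -e "$whmcs/$dir" ]; then
      echo "FAIL $whmcs/$dir still present"; findings=1
    fi
  done

  # The admin directory must be renamed and the new name registered.
  admin=$(cfg_value "$cfg" customadminpath)
  if [ -z "$admin" ] || [ "$admin" = "admin" ] || [ ! -d "$whmcs/$admin" ]; then
    echo "FAIL \$customadminpath missing, default, or not a directory"; findings=1
  fi
  if [ -d "$whmcs/admin" ]; then
    echo "FAIL default admin directory still present"; findings=1
  fi
  return "$findings"
}
```

Source the file and call, for example, `check_whmcs_layout /home/mybiz123/public_html /home/mybiz123/public_html/whmcs`, where the `whmcs` subdirectory is an assumed install location.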

Success! You’ve finished enhancing WHMCS with extra security.

Further securing your WHMCS Installation