Tips for protecting WHMCS from hackers!

mfwl

New member
You can protect your WHMCS installation from hackers by doing the following 3 things:

  1. Change the name of the admin folder to something less obvious
  2. htaccess password the administration folder so you have to pass htaccess before entering whmcs admin username and password
  3. Choose an obscure password/username

Oh and use Maxmind with manual acceptance on all orders of value - in the long run you will be pleased you did!

If anyone has any bad experiences of WHMCS hacking or other methods of preventing this valuable data please post!
 
WHMCS blocks IP addresses for 15 minutes if they try a wrong password 5 times.

So it would take quite a long time to hack the WHMCS installation, as long as there is no known backdoor then :)

But it's useful tips anyway! :)
 
We've seen many cases where sites are hacked and people automatically start assuming the cause of the breach.

WHMCS has been extremely secure and would be one of the last areas we would look at for a successful security breach.

As stated previously, strong passwords are always highly recommended. At least 8 characters, combination of upper and lower case and use some special characters too.

Frequently we'll take a movie title and obfuscate it. Take Oceans 11. It could become a password like: $0C3@n$_eLEv3N#

This becomes a little bit easier to remember than something just totally random.

Also while renaming the admin folder falls under security through obscurity, it does offer an additional layer of protection from the automated tools used by so many cybercriminals. The more layers the better.
 
No issues with the software on this end since we started with them live about a year ago. No issues with ModernBill prior to that going back to 2000.

Many of the hacks are not software exploits but admin exploits. People failing to review logs, password protect areas, and change passwords on a regular basis. A 12 character random password is necessary on anything (if not a long password). NO two passwords the same in our network on any of our servers.

Put CSF on the server, watch for failed passwords.
Kill Telnet Access and limit from a single or a couple of servers that you own - static IP.
Disable root access, only allow login under one user, then SU to root.

And the number one issue for people with problems - when an upgrade comes out - UPGRADE!!
 
I gotta jump on the good boat here, we have never had issues either. *knock on wood*

Where did you other folk hear of this being hacked before, I must have missed this talk as I remember no such thing, was it recent?
 
No, it was back a few months with version 3.5.1. Since upgrading (now 3.7.2 obv) it's not a problem, although we have done what I suggested at the top of the page so I wouldn't know if WHMCS have fixed the issues (whatever they were)
 
Hello,

I've never seen WHMCS get 'hacked'. And I would bet the farm that 9 times out of 10 it happens. And that 1% changes are is something they did. That's just me...
 
You can also move the attachments, downloads & templates_c folders outside of the public accessible folder tree on your website. WHMCS allows you to do this. If you do move the folders, then you must tell WHMCS where they have been moved to by adding the following lines to your configuration.php file:

Code:
$templates_compiledir = "/home/whmcs/templates_c/";
$attachments_dir = "/home/whmcs/attachments/";
$downloads_dir = "/home/whmcs/downloads/";
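
A check for the relocation described in the post above, as an added example that is not part of the original thread or WHMCS's own code: it reads the three settings from the text of configuration.php and reports whether each path really resolves outside the web root. The document root `/home/whmcs/public_html`, the function names and the sample config are assumptions made for the illustration.

```python
import os
import re

# The three settings named in the post above.
SETTINGS = ("templates_compiledir", "attachments_dir", "downloads_dir")

# Matches lines such as: $attachments_dir = "/home/whmcs/attachments/";
ASSIGN = re.compile(r'^\s*\$(\w+)\s*=\s*(["\'])(.*?)\2\s*;', re.MULTILINE)


def parse_dirs(config_text):
    """Return {setting: path} for the relocation settings found in the text."""
    found = {name: value for name, _q, value in ASSIGN.findall(config_text)}
    return {name: found[name] for name in SETTINGS if name in found}


def is_inside(path, docroot):
    """True if path is docroot itself or lies below it (symlinks resolved)."""
    path = os.path.realpath(path)
    docroot = os.path.realpath(docroot)
    return os.path.commonpath([path, docroot]) == docroot


def audit(config_text, docroot):
    """Map each setting to 'outside', 'inside' (web-reachable) or 'unset'."""
    dirs = parse_dirs(config_text)
    report = {}
    for name in SETTINGS:
        if name not in dirs:
            report[name] = "unset"  # no relocation line present for this folder
        elif is_inside(dirs[name], docroot):
            report[name] = "inside"
        else:
            report[name] = "outside"
    return report


# Constructed sample: one folder moved correctly, one "moved" to a path that
# still normalises to a location under the web root, one not configured.
SAMPLE_CONFIG = '''<?php
$templates_compiledir = "/home/whmcs/templates_c/";
$attachments_dir = "/home/whmcs/public_html/../public_html/files/attachments/";
'''

if __name__ == "__main__":
    for setting, status in audit(SAMPLE_CONFIG, "/home/whmcs/public_html").items():
        print(f"{setting}: {status}")
```

Anything reported as "inside" or "unset" has not been taken out of the publicly accessible tree yet.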
 