WHMCS and Security

[whmcsguru]

I'm not referring to the 'hacks' of earlier. I'm actually referring to the security of data, of the ability for admins to take control over various aspects of their install, such as blocking out countries known for fraud, locking down admin directories to certain IP's (or even countries), locking down orders to only certain countries, blocking certain browsers (known bots, etc).

What do you think? Is WHMCS doing enough to protect it's clients ? Should they be doing more? What would you like to see added here? Just doing a bit of research here.

 

[zomex]

Hello,

I think with any company they could always do more but they're certainly been focusing a lot of security over the last 12 months. Since partnering with cPanel there's been a lot of good focus on security.

I'd like to see WHMCS not include any modules out of the box, instead you can download/install only the modules you use a bit like how Wordpress works with plugins. That would be a nice security feature.

I don't like the idea of blocking access from certain countries as there is good and bad customer's from every country.

In terms of fraud I've had the biggest problem with France and the UK which always surprises me as I would have thought it would be a country such as Vietnam/Indonesia. So I don't discriminate against any country.

 

[whmcsguru]

No modules out of the box would likely cause problems. Keep in mind that even gateway processors are modules. This would likely only cause more customer frustration and resentment.

As far as blocking out countries, honestly, this has multiple benefits. I work with a few clients who host specifically for certain countries. In fact, when it comes down to it, nobody else should order from them. Well, WHMCS doesn't provide a way to do that out of the box. In addition, most sites only need admin accessing from one country, or one IP. Sure, htaccess can do that, but from my perspective, this is something that should have been built in from the get go.

 

[whmcsguru]

Adding to this, and I should have probably thought of this before I hit submit...

Why add an 'email verification' procedure if you're going to just do nothing with it? It's like they want people to just ignore things, I swear.

 

[cheapdedicated]

No modules out of the box would likely cause problems. Keep in mind that even gateway processors are modules. This would likely only cause more customer frustration and resentment.

Well The modules can still be available for download so if you want a processor you download one. Fortunately (Or I think so) Most WHMCS users are not completely ignorant so it should be very easy for them to single out what they need or they dont. Of course at the start it would lead to alot of support request but the power over what I need in my stsyem should be handed back to the user.

 

[whmcsguru]

Making the customer do that much more work isn't going to solve any real security issues, it'll just frustrate and alienate your customers.

 

[cheapdedicated]

Making the customer do that much more work isn't going to solve any real security issues, it'll just frustrate and alienate your customers.

Well wordpress has been giving us more and more powers over plugins and sont we all like it?

 

[SenseiSteve]

I don't know, but I'm not feeling the pain yet with WHMCS.

 

[whmcsguru]

Well wordpress has been giving us more and more powers over plugins and sont we all like it?

There's a difference between Wordpress and WHMCS. The two aren't even remotely close in this perspective.

 

[cheapdedicated]

There's a difference between Wordpress and WHMCS. The two aren't even remotely close in this perspective.

The two are mentioned to show that Just like wordpress gives users power over their plugins without bundling them into the default installation, WHMCS can do the same with the modules. I hope you now get the reason the two are mentioned here.