WHMCS Security Steps After Complete Installation

WHMCS security is a most essential step after complete their installation successfully. Almost beginners even some experts, doesn’t put their attention on this aspect but that is necessary if you want to sustain your website worth among your users. In another condition if you don’t give priority to WHMCS security steps so there is no doubt that your hosting account associated with WHMCS can be hacked. Make your strong password is not enough anymore, until your hosting files are fully secured.

WHMCS Security Steps After Installation:

After installation your journey will begin with WHMCS and this journey should satisfactory in future not insecure. Here I had personally experienced few things, even WHMCS itself recommended these security steps so feel free to implement these WHMCS security steps on your side. Check it out the below security steps.

Delete the Install Folder:

One of the most crucial note for all folks who installed their WHMCS. After done your WHMCS installation successfully, must delete the Install folder, which exist on your WHMCS root folder. It contains sensitive information which can be the cause of hacking so after done your installation that is totally freak for you and your hosting account. Simply delete this folder, Install folder deletion will not create any problem on your WHMCS but is necessary to perform this action.

home/username/whmcs/install

Move OR Secure the Writable Directories:

At this time WHMCS have three writable directories, which are web-based address and accessible for public. That is why WHMCS recommended that to move these three directories (attachments, downloads and templates_c) under the home directory or non public location which are not accessible for public.

Another important note when you move these directories under the home directory so now you are responsible to give new path to WHMCS to use these directories for future by using or adding below lines in your configuration.php file in your WHMCS root directory.

$attachments_dir = "/home/username/attachments/";
$downloads_dir = "/home/username/downloads/";
$templates_compiledir = "/home/username/templates_c/";

You can use professional code editors to edit your server files.

Make Secure Configuration.php File:

As we know that configuration.php file have sensitive and personal info within in your root directory. You must change their permission to 400 just for read only, because it can be overwrite, edit or delete without any deliberately (unintentionally) action.

Enable IP Restriction:

Extreme security level, when you feel that your WHMCS is affected by hacking again and again. So you can allow particular IP address to your WHMCS  login page or deny all other IPs to see that page. Just simply make it forbidden for all other IP addresses. You can do this by creating a .htaccess file inside your whmcs/admin folder and then add the below lines.

order deny,allow
allow from 12.34.5.67 //Replace your IP address with this IP Address
deny from all

For example, you can just allow your IP address and deny all other computers IPs by using above lines. If you don’t know your IP address then simply ask to Google “MY IP ADDRESS” then Google will tell you in return.

Customize the WHMCS Admin Directory:

Edit the admin directory name makes harder for hackers and malicious bots to get access to your WHMCS login page. So we personally recommend this step to our all readers. Simply just you need to add a single line in your configuration.php file, which are stated below.

$customadminpath = "customfoldername";

Replace customfoldername to your admin folder name which you chosen on your side. Add the above line before closing php tag ?> if this one exist.

If the above line already exist so replace only the customfoldername with your admin folder name and save changes. After done this rename your admin directory which custom name you specified in your configuration.php file then it will work correctly.