WHMCS security

Change the address of whmcs management and prevent hacker attacks.

Steps to change the whmcs management address

To change the name of the whmcs admin folder, you need to log in to your website hosting panel.

After logging in to your panel, go to the file manager section, look for the configuration.php file in the public_html directory, and open it for editing.

Then look for the term customadminpath in the contents of this file; if it does not exist, add the following line.

$customadminpath = "addresejadid";

Instead of addresejadid, enter the new name that should replace your previous WHMCS login address.

Now rename the directory through which you entered the WHMCS management section, which by default is /admin/, to the name you entered in the configuration.php file, so that the management section stays connected to the database.

From this moment on, you must enter the address of your website in the form below to enter your management section.

www.site.com/addresejadid

Enter the address of your website instead of site.com and the new address of the WHMCS admin panel instead of addresejadid.

Change the whmcs management address for more security

WHMCS is the best accounting system for web hosting services, and the majority of hosting providers in the world use it. By default the WHMCS management address is set to the /admin/ folder, and this is considered a security risk, because hackers who know the management address can create a severe risk to WHMCS with SQL injection and brute-force attacks. This article explains how to change the WHMCS management address.

To change the address of your WHMCS management, you must access your WHMCS files through the host control panel. After entering your host panel, click on the file manager option, go to your WHMCS installation location, and look for the configuration.php file.

Note that all WHMCS settings are placed in the configuration.php file, and essential information, such as the database login password, is also included, so take care to keep that information safe.

You need to add a line of code to your configuration.php file. Edit the file and enter the following code:

$customadminpath = "injavaredkonid";

Instead of injavaredkonid, enter the name of the new WHMCS admin folder and save the file. Then return to your WHMCS installation location, look for the admin folder, and change its name as desired. This name must be exactly the name you entered in the configuration.php file. After changing the admin address of WHMCS, you need to enter the address of the new folder instead of /admin/ in your browser to reach your WHMCS admin area.

WHMCS security methods

1- Moving “ATTACHMENTS,” “DOWNLOADS,” and “TEMPLATES_C” directories

These three directories in WHMCS must have write permission, so permission 777 must be considered.

Using private techniques, hackers can upload malicious files that give hidden access, such as shells, into these directories and take complete control of your site.

To increase the security of WHMCS, the first step is to block access to these directories by moving all three to /home/ and removing them from the web root, so that hackers cannot access them directly.

After moving them to a directory above the web root, you must tell the script their new paths for WHMCS to work correctly. For this purpose, put the following three lines of code in the config file, replacing username with your host's username.

$templates_compiledir = "/home/username/templates_c/";
$attachments_dir = "/home/username/attachments/";
$downloads_dir = "/home/username/downloads/";

2- Moving the CRONS directory

This directory is one of the places a hacker tries to penetrate, because it holds sensitive domain-syncing files and processes. To solve this problem and secure this section, we must give this directory another name, as before.

After changing the directory's name, we inform the script of this change by adding the following line to the configuration file in the cron directory.

$whmcspath = '/home/username/public_html/whmcs/';

Finally, we add the following code to the main WHMCS configuration file.

$crons_dir = '/home/username/whmcs_crons/';

Instead of username, you must enter the username of your host.

3- Limiting access to the management department

One of the common methods of attack is to use brute force to guess the WHMCS admin password. In this method, the hacker uses programs that try a list of passwords against the management section, and gains access if your password is weak.

To increase the security of WHMCS, we need to restrict access to the management section by changing the name of the directory or by using an access restriction.

In this method, enter the admin directory and create a file named .htaccess, then put the following code inside it.

Order deny,allow
Allow from 1.2.3.4
Deny from all

Instead of 1.2.3.4, you have to enter your fixed Internet IP so that only you can access this section.

4- Change the name of the ADMIN directory

To further increase security, in addition to the previous method, you can make things extremely difficult for hackers by changing the name of the admin directory.

For this purpose, it is enough to change the name of the admin directory and introduce the new path to the script by inserting the following code into the WHMCS config file.

$customadminpath = "new_directory_name";

5- Installing a firewall

One of the best ways to ensure security is always to use a firewall. For this method, however, you must have root access to the server or be the server administrator yourself.

Of course, on most hosts the firewall is installed by default and you don't need to do anything, but if you are a server administrator, you can increase the security of the server and the hosted sites by installing the CSF firewall.

6- Changing the permissions of the config file

This file is one of the main script files, and you should pay close attention to it in order to increase the security of WHMCS. One way to make it impossible for a hacker to access its sensitive information is to encode its contents.

In many cases, however, encoding this file causes problems of its own, so here is an alternative method that you can use easily and without any problems.

For this, it is enough to reduce the permissions of the configuration.php file to 400 because direct access to this file is not necessary for users and only whmcs should be able to read its information. So having read-only access for host users will be enough.
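
The settings from steps 1, 4 and 6 can be checked together after the changes are made. The script below is an added example, not part of WHMCS or of the original article; the function names cfg_value and audit_whmcs are illustrative, and it assumes a POSIX shell and that configuration.php sits in the installation directory passed as the argument.

```shell
#!/bin/sh
# Added example: audit a WHMCS tree against steps 1, 4 and 6 of this page.
# Paths are compared as written in configuration.php (symlinks are not resolved).

# Print the string assigned to PHP variable $1 in config file $2 (empty if unset).
cfg_value() {
    sed -n "s/^[[:space:]]*\\\$$1[[:space:]]*=[[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" "$2" | tail -n 1
}

# audit_whmcs DOCROOT: print one FAIL line per finding; no output means all checks pass.
audit_whmcs() {
    root=${1%/}
    cfg="$root/configuration.php"
    [ -f "$cfg" ] || { echo "FAIL: $cfg not found"; return 0; }

    # Step 6: configuration.php should be mode 400 (owner read-only).
    mode=$(ls -ld "$cfg" | cut -c1-10)
    [ "$mode" = "-r--------" ] || echo "FAIL: configuration.php mode is $mode, expected -r-------- (400)"

    # Step 4: the admin directory is renamed and $customadminpath matches it.
    admin=$(cfg_value customadminpath "$cfg")
    if [ -z "$admin" ] || [ "$admin" = "admin" ]; then
        echo "FAIL: customadminpath is unset or still the default"
    elif [ ! -d "$root/$admin" ]; then
        echo "FAIL: customadminpath '$admin' has no matching directory"
    fi
    [ ! -d "$root/admin" ] || echo "FAIL: default admin directory still exists"

    # Step 1: the three writable directories must live outside the web root.
    for var in templates_compiledir attachments_dir downloads_dir; do
        dir=$(cfg_value "$var" "$cfg")
        case "$dir" in
            "")        echo "FAIL: $var is not set" ;;
            "$root"/*) echo "FAIL: $var points inside the web root: $dir" ;;
        esac
    done
}

# Run against the installation path given on the command line, if any.
[ $# -eq 0 ] || audit_whmcs "$1"
```

Run it as sh audit.sh /home/username/public_html/whmcs; an empty result means every check passed.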

7- Enable SSL

Using the https protocol instead of http is one of the best ways to encrypt the information sent and received between the user and the server.

The use of SSL is highly recommended for all websites, not only for WHMCS. In addition to providing SSL, you must enable this feature through Setup > General Settings in the management section.

8- Restrict access to the database

To increase the security of whmcs, another method is to limit user access permissions to the database. Whmcs only needs the following access to the database for its proper operation.

Upgrade whmcs security

Here are some steps you can take to improve your whmcs security:

Moving the attachments, downloads and templates_c folders

Because WHMCS requires these folders to be writable, i.e. permission 777 for these folders, it is better to place them somewhere outside of public access. WHMCS allows you to do this, so once you have transferred the folders, you must set their location in the program.

After transferring the folders, add the following three lines with the correct address in the configuration.php file:

$templates_compiledir = "/home/username/templates_c/";
$attachments_dir = "/home/username/attachments/";
$downloads_dir = "/home/username/downloads/";

In the examples above, username is your cPanel username, and the folders sit in your home directory, one level above the public_html folder.

Note that if you run suphp or phpsuexec, you do not need to make these folders writable; in fact, you don't need to change the permission to 777 when using suphp or phpsuexec. You can set the highest permission to 755 for both folders and files.

Change the Admin folder

Visitors who find that your site uses WHMCS know that the login page is in the admin folder. To prevent unwanted logins, you can change the name of the admin folder to whatever you want.
You cannot move this folder; you can only rename it. After changing the name of the admin folder, you must give the system the new name. For this, add the following line in the configuration.php file:

$customadminpath = "myadminname";

Replace myadminname with the folder name of your choice.

Please note that you must update the cron job with the new address.
For example:

php -q /home/mylogin/public_html/secure/myadminname/cron.php

Prevent your templates from downloading

To prevent templates from being downloaded, you can block the download of tpl files by entering the following code in the .htaccess file of your WHMCS installation folder:

<Files ~ "\.tpl$">
Order allow,deny
Deny from all
</Files>