Securing WHMCS Installations
As of December 2014, Reseller Hosting is no longer available to purchase. If you wish to use WHMCS with your new server, you will need to purchase a license directly from WHMCS, and use their instructions to install it on your server. If you still have Reseller Hosting, you can still use this service for as long as you have the server.
There are additional precautions you can take to secure your installation of WHMCS. While we recommend additional layers of security to protect your server and website, we can only offer these suggestions to point you in the right direction. For technical support regarding these extra security measures, see the WHMCS website.
Change your WHMCS admin folder name
Malicious users who visit your site and recognize a WHMCS installation might know that they can try logging into your admin area through the /admin/ directory path. To protect against this, you can rename the admin directory. If you do this, add the following line to your configuration.php file:
Note: If you have already created a cron job, you need to update the path on the cron command as well. For example,
php -q /home/username/public_html/whmcs/myadminfoldername/cron.php
(where username is your Reseller Hosting User Name, and myadminfoldername is the new admin directory name).
Move the attachments, downloads, and templates_c folders
The attachments, downloads, and templates_c folders need to be writeable by WHMCS, and therefore require the permissions 777 (writeable by all). When folders have this permission level it is safer to place the folders outside of the publicly accessible folder tree on your website.
If you choose to move the folders, then you must tell WHMCS where they are located by adding the following lines to the configuration.php file:
$attachments_dir = "/home/username/attachments/";
$downloads_dir = "/home/username/downloads/";
In the above example, username is the Reseller Hosting username and the three folders are located in the home directory — above the public_html directory.
Password protect the admin directory
Add a second layer of protection to the admin directory by setting up .htaccess password protection. You can do this with the Password Protect Directories option in cPanel. Remember to keep your .htaccess username and password distinct and unique. You can use the Random Password Generation feature in cPanel to help.