Securing WHMCS

This page has additional steps that one can do to further secure their WHMCS installation. Refer to http://docs.whmcs.com/Further_Security_Steps first, then use some of these techniques.

Limit Read Access with SuPHP

If you're running WHMCS on any server doing virtual hosting (meaning your hosting more than one site on a single server) then you should be running suPHP. SuPHP is an Apache module that changes the uid of the process executing your php scripts to the REAL user rather than the Apache user. This allows you to lock down read access to all of your php scripts and config files to a single user. Once suPHP has been installed you can do the following inside your WHMCS directory:

find ./ -iname "*.php" -exec chmod 600 {} \;
find ./ -type d -exec chmod 711 {} \;


Deny web access to template files

It's not a secret what the templates are named and one can simply call /whmcs/templates/default/clientareahome.tpl and view the contents of that file. Hopefully you have not added any {php}{/php} smarty tags with sensitive information but either way you dont want to give potential hackers any more information about your setup than you have too. The following will lock down your templates directory so that it's not accessible via the web.

Create /whmcs/templates/.htaccess and put the following inside it:

<filesMatch "\.(tpl|.php)$">
   deny from all
</filesMatch>


Deny web access to CRON jobs

WHMCS uses cron jobs to handle certain tasks, one of these tasks is syncing all domains expire dates with the registrar. The problem is the script that handles this task is accessible by default via the web. Not only that but the script is verbose! An unauthorized user can easily run this script and get a list of all domains listed in your WHMCS system! You can stop this by doing the following

cd /path/to/whmcs
cd crons
echo "deny from all" > .htaccess