Learn how to secure your WHMCS installation & bolster its security.
This tutorial assumes you've already installed WHMCS.
Open your favorite FTP client or your cPanel's File Manager.
It is recommended that all writable directories be moved to a non-public location above your web root, so that nothing in them can be requested through the browser, or stored remotely on an AWS S3-compatible service.
This will include:
- attachments
- downloads
- templates_c
- crons
Create a new directory at the root level of your account (above public_html, alongside it rather than inside it).
Next, go back to the main WHMCS directory, select the attachments, downloads, templates_c and crons folders, and move them into the new root-level directory.
Next, rename the admin directory to add a layer of security through obscurity.
This keeps automated scanners and opportunistic attackers from finding the admin login at the default /admin path; it is a complement to, not a replacement for, strong admin passwords, two-factor authentication and restricting admin access by IP.
Finally, we need to tell WHMCS about the changes to its directory structure.
Open the configuration.php file in the WHMCS root directory for editing.
Update the $templates_compiledir variable so that it points at the new location of templates_c (the example below assumes it now sits directly under the account's home directory; use whatever path you actually moved it to):
$templates_compiledir = '/home/$username/templates_c/';
Then add the $attachments_dir and $downloads_dir variables as follows:
$attachments_dir = '/home/$username/attachments/';
$downloads_dir = '/home/$username/downloads/';
Finally, add a variable to tell WHMCS the new name of the admin directory:
$customadminpath = '$ObscuredAdminName';
Replace "$ObscuredAdminName" with the name you wish to use for your admin directory; the value in configuration.php must match the directory name exactly.
Now rename the admin directory itself to that name.
When finished, Save and Close the editor.
For cron, open the config.php file within the crons directory and follow the instructions within it to uncomment the WHMCS path line to provide the full path to your WHMCS installation.
For example:
$whmcspath = '/home/$username/public_html/whmcs/';
Then add the following line to the bottom of your main configuration.php file (not crons/config.php) so that WHMCS is able to locate your custom crons directory, adjusting the path to wherever you moved it.
This also lets WHMCS show you the correct paths to use for cron and mail piping commands within the admin interface.
$crons_dir = '/home/$username/whmcs_crons/';
Remember that once the crons directory has been moved, any future manual upgrade of WHMCS requires you to copy the updated cron files into your custom folder location yourself.
Do not upload the cron files to the default crons sub-directory, or you will lose the benefits of moving them.
It is time to secure the "configuration.php" file.
The WHMCS team recommends tightening the permissions on the "configuration.php" file located in your WHMCS root directory.
This file contains sensitive data (the database credentials and the encryption hash) that cannot be recovered without a backup of the file.
To avoid accidentally overwriting, editing or deleting the file, change its permission setting to `400`.
This gives the file's owner read-only access and denies the group and everyone else all access, so no other account on the server can read, edit or execute it.
Note that `400` only works when PHP runs as the owner of the file (suEXEC, CGI or a PHP-FPM pool running as your account user, which is the usual cPanel setup); if PHP runs as the shared web server user, it will no longer be able to read the file and WHMCS will stop working, in which case a group-readable mode such as `440` with the web server's group is the tightest you can use.
To change the permissions on this file, you can run the following command from the shell while in your WHMCS root directory:
chmod 400 configuration.php
Or use cPanel's File Manager: select the configuration.php file and set the mode with the Permissions option in the toolbar.
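As an added, stand-alone example (not code from this tutorial or from WHMCS), the shell script below carries out the whole procedure above on a cPanel-style account and then audits the result: it moves the four writable directories above the web root, records the new paths and the obscured admin name in configuration.php, points crons/config.php at the installation, renames the admin directory and finally locks configuration.php to mode 400. The account layout (`$HOME/public_html/whmcs` as the install, `$HOME/whmcs_private` as the new non-public directory), the admin name `portal-ops-7`, the `make_fixture` throwaway install it runs against and the format of the commented-out `$whmcspath` line in crons/config.php are all assumptions; adjust them to your host before running it over SSH as the account owner.

```shell
#!/bin/sh
# Added example, not part of the WHMCS tutorial or of WHMCS itself. Assumptions:
# $HOME_DIR/public_html/whmcs is the install, $HOME_DIR/whmcs_private is the new
# non-public directory, and crons/config.php ships a "//$whmcspath = ..." line.
set -eu

# Constructed throwaway install so the script runs offline; no real WHMCS files.
make_fixture() {
  home_dir="$1"; web="$home_dir/public_html/whmcs"
  mkdir -p "$web/admin" "$web/attachments" "$web/downloads" "$web/templates_c" "$web/crons"
  printf '<?php\n$db_host = "localhost";\n' > "$web/configuration.php"
  # Assumed format of the shipped line that the tutorial tells you to uncomment
  printf '<?php\n//$whmcspath = "/home/username/public_html/whmcs/";\n' > "$web/crons/config.php"
}

# Step 1: move every writable directory above the web root. mv fails loudly if
# one is missing, so a half-moved install is never silently accepted.
relocate_writable_dirs() {
  home_dir="$1"; web="$home_dir/public_html/whmcs"; priv="$home_dir/whmcs_private"
  mkdir -p "$priv"
  for d in attachments downloads templates_c crons; do
    mv "$web/$d" "$priv/$d"
  done
}

# Step 2: record the new paths and the obscured admin name in configuration.php,
# uncomment and fill in $whmcspath in crons/config.php, rename the admin directory.
write_config() {
  home_dir="$1"; admin_name="$2"
  web="$home_dir/public_html/whmcs"; priv="$home_dir/whmcs_private"
  cat >> "$web/configuration.php" <<EOF
\$templates_compiledir = '$priv/templates_c/';
\$attachments_dir = '$priv/attachments/';
\$downloads_dir = '$priv/downloads/';
\$crons_dir = '$priv/crons/';
\$customadminpath = '$admin_name';
EOF
  crons_cfg="$priv/crons/config.php"
  sed "s|^//[[:space:]]*\\\$whmcspath.*|\$whmcspath = '$web/';|" "$crons_cfg" > "$crons_cfg.tmp"
  mv "$crons_cfg.tmp" "$crons_cfg"
  mv "$web/admin" "$web/$admin_name"
}

# Step 3: owner read-only. Must come last, since once the file is 400 the edits
# above would fail. Only correct when PHP runs as the file owner (suEXEC/CGI/FPM).
lock_config() {
  chmod 400 "$1/public_html/whmcs/configuration.php"
}

harden_whmcs() {
  relocate_writable_dirs "$1"
  write_config "$1" "$2"
  lock_config "$1"
}

# Audit: nothing sensitive left under the web root, every path variable set,
# configuration.php at mode 400 and still readable by the account running PHP.
audit_whmcs() {
  home_dir="$1"; web="$home_dir/public_html/whmcs"; cfg="$web/configuration.php"
  for d in attachments downloads templates_c crons admin; do
    [ ! -e "$web/$d" ] || { echo "FAIL: $d still under the web root"; return 1; }
  done
  for v in templates_compiledir attachments_dir downloads_dir crons_dir customadminpath; do
    grep -q '^\$'"$v = " "$cfg" || { echo "FAIL: \$$v not set in configuration.php"; return 1; }
  done
  mode=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg")
  [ "$mode" = "400" ] || { echo "FAIL: configuration.php mode is $mode, expected 400"; return 1; }
  [ -r "$cfg" ] || { echo "FAIL: configuration.php is unreadable by this user"; return 1; }
  echo "OK: $home_dir hardened"
}

# Demonstration against the constructed install
demo=$(mktemp -d)
make_fixture "$demo"
harden_whmcs "$demo" "portal-ops-7"
audit_whmcs "$demo"
rm -rf "$demo"
```

The audit is the part worth keeping around: run `audit_whmcs /home/youraccount` after every manual upgrade, since an upgrade that recreates `admin`, `crons` or `templates_c` under the web root, or that replaces configuration.php with a more permissive mode, silently undoes this hardening.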
That's it!
You can now log in using the new admin location.