-
05-22-2012, 05:05 AM #1 Premium Member
- Join Date: Jul 2004
- Posts: 535
Securing WHMCS installs against hacks
Hi guys,
As many of you will know WHMCS servers got hacked last night.
This is not a thread for bashing WHMCS, so if you want to bash please do so elsewhere.
In this thread I want to review and get advice on securing WHMCS installs to prevent it from getting hacked.
So please share what steps and techniques you have used to secure and lock down your WHMCS install (obviously omitting any sensitive data).
Regards,
Suhail.
OSHS Ltd
OSHS Services - DNS Clusters | R1Soft Licenses | R1Soft CDP Storage | UK Server Colo | UK Rack Space
-
05-22-2012, 05:11 AM #2 Web Hosting Guru
- Join Date: Aug 2003
- Location: 127.0.0.1
- Posts: 273
As a starting point, you should at least already have followed:
http://docs.whmcs.com/Further_Security_Steps
-
05-22-2012, 05:12 AM #3 Premium Member
- Join Date: Jul 2004
- Posts: 535
I'll start with some basic measures:
1. Change the /admin folder to an obscure random name
2. Move /attachments, /downloads and /templates_c to below /public_html and edit the config file
3. Add password protection to the admin area
4. Run WHMCS on a separate domain/sub-domain and not under the main website
5. Move WHMCS to a separate server
These are some straightforward WHMCS-specific steps.
What else?
What about PHP security specifically related to WHMCS?
Server security?
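Steps 1 and 2 of the checklist above, carried out by a POSIX shell helper. This is an added example and not code from the thread or from WHMCS; it assumes the WHMCS configuration.php variables `$customadminpath`, `$templates_compiledir`, `$attachments_dir` and `$downloads_dir`, and the paths and admin directory name in the usage comment are illustrative. It moves the three writable directories to a location that is not under the document root, so nothing stored in them can be fetched over HTTP, renames the admin directory, and prints the configuration lines to paste into configuration.php.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of WHMCS). Back up the install
# before running anything like this; illustrative paths only.

# whmcs_move_private_dirs <whmcs_install_dir> <private_dir>
# Moves attachments, downloads and templates_c into <private_dir>, which must
# be outside the web server's document root so their contents are never
# served directly.
whmcs_move_private_dirs() {
  whmcs="$1"
  private="$2"
  mkdir -p "$private"
  for d in attachments downloads templates_c; do
    if [ -d "$whmcs/$d" ]; then
      mv "$whmcs/$d" "$private/$d"
    else
      mkdir -p "$private/$d"      # create it if the install never had one
    fi
    chmod 770 "$private/$d"       # the web server user still needs write access
  done
}

# whmcs_rename_admin <whmcs_install_dir> <new_admin_name>
# Renames the default admin directory to a non-guessable name.
whmcs_rename_admin() {
  whmcs="$1"
  newname="$2"
  [ -d "$whmcs/admin" ] || return 1   # nothing to rename (already done?)
  mv "$whmcs/admin" "$whmcs/$newname"
}

# whmcs_config_lines <private_dir> <new_admin_name>
# Prints the configuration.php assignments that point WHMCS at the new
# locations (full paths with a trailing slash, as the WHMCS docs specify).
whmcs_config_lines() {
  private="$1"
  newname="$2"
  printf '%s\n' \
    "\$templates_compiledir = \"$private/templates_c/\";" \
    "\$attachments_dir = \"$private/attachments/\";" \
    "\$downloads_dir = \"$private/downloads/\";" \
    "\$customadminpath = \"$newname\";"
}

# Example invocation (illustrative paths and admin name):
#   whmcs_move_private_dirs /home/user/public_html/billing /home/user/whmcs_private
#   whmcs_rename_admin /home/user/public_html/billing x7q2adm
#   whmcs_config_lines /home/user/whmcs_private x7q2adm
```

After running the helpers, paste the printed lines over the corresponding assignments in configuration.php and confirm that the web server user can still write to the three moved directories; templates_c in particular is written on every page load.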
-
05-22-2012, 05:13 AM #4 Premium Member
- Join Date: Jul 2004
- Posts: 535
-
05-22-2012, 05:55 AM #5 Web Hosting Master
- Join Date: Aug 2006
- Posts: 1,171
Use SSL ....
WebSitePanel/ MspControl / SolidCP / Smartermail / Installation / Configuration / Troubleshooting / Migrations
Windows Server Management / Security / Hardening
I speak English and Spanish
-
05-22-2012, 06:00 AM #6 Premium Member
- Join Date: Jul 2004
- Posts: 535
-
05-22-2012, 06:03 AM #7 Disabled
- Join Date: Jan 2010
- Location: WwW
- Posts: 164
Do not be alarmed, for your whmcs will not be affected whatsoever.
-
05-22-2012, 06:12 AM #8 Web Hosting Evangelist
- Join Date: Apr 2006
- Posts: 460
I have the WHMCS admin secured by IP
and also removed the WordPress blog that used to be on the site.
█ Studyhost - Simple Web Hosting Solutions
█ UK and USA cPanel Web Hosting
█ 99.9% Uptime Guarantee | 24/7 Support | 30 Day Money Back Guarantee
█ Visit us at: studyhost.net
-
05-22-2012, 06:38 AM #9 Premium Member
- Join Date: Jul 2004
- Posts: 535
-
05-22-2012, 06:40 AM #10 Premium Member
- Join Date: Jul 2004
- Posts: 535
-
05-22-2012, 08:10 AM #11 Junior Guru Wannabe
- Join Date: Jan 2007
- Location: Ireland
- Posts: 68
How about ionCube encoding the configuration.php? This would protect your card hash fairly well, I think.
█ Hosting Ireland - Irish Web Hosting and Domain Name Registration - Tel: +353 51 843464
-
05-22-2012, 08:14 AM #12 Hello World
- Join Date: Nov 2009
- Location: /etc/my.cnf
- Posts: 10,657
Best practice is to have your WHMCS install on a separate machine if possible, with nothing else on it, i.e. WordPress or the like.
If you cannot afford a small dedicated server then a VPS from a decent provider is wise, as you can adjust the environment to suit.
I am not willing to disclose information about our setup, but let's just say everything is locked down and secured, along with administration ports and everything else.
We then go a step further and have proactive scanning and monitoring in place which alerts us in a timely manner should anyone access anything they shouldn't.
It's also good practice to disable the "Forgot Password" link on the admin login and also double secure that area using .htaccess protection with a custom path, for extra security against admin login area brute-force attacks.
Although WHMCS will be only as secure as the machine it resides on, it makes sense to disable things like FTP which are not needed. This is only a basic summary of things; however, putting mod_security in place with a decent rule set is also considered a wise move.
In-focus server management techniques should be used to secure the box, then the WHMCS additional security steps should be followed to secure the install. If you follow best practice and keep an eye on things you should get along just fine.
Regards,
Last edited by Server Management; 05-22-2012 at 08:17 AM.
UK Based Proactive Server Management.
Zabbix Enterprise 24/7 Monitoring.
-
05-22-2012, 08:17 AM #13
I have some urgent tickets and now I can't reply to them because WHMCS shows the error: License Noconnection
Is WHMCS down or hacked again?
-
05-22-2012, 08:24 AM #14 Web Hosting Master
- Join Date: Jul 2011
- Posts: 863
I believe they are having another DDOS attack unfortunately.
-
05-22-2012, 08:27 AM #15 Quality Web Hosting Matters
- Join Date: Mar 2006
- Location: Servers
- Posts: 1,590
Secure WHMCS admin area with htpasswd user/pass. This is a good layer of security.
█ QHoster.com - Web Hosting with DDoS Protection | Shared & Reseller in Europe/North America
█ Linux/Windows RDP VPS 13 Locations : UK, US (5 states), Mexico, Canada, Bulgaria, Lithuania,
█ Italy, France, Germany,Netherlands, Switzerland, Rissia, Singapore | OpenVPN/PPTP Enabled
█ INSTANT | PayPal, Skrill, Payza, Bitcoin, WebMoney, Perfect Money, Ukash, CashU, paysafecard
-
05-22-2012, 08:29 AM #16
Today I got 10 spam emails on my WHMCS ticket system:
- Happy new year
- Buy hosting
- WHMCS Services for your site
- Service for dewlance
- xyz
Are spammers starting to use the WHMCS DB?
-
05-22-2012, 08:58 AM #17 WHT Addict
- Join Date: Feb 2012
- Location: Detroit, MI
- Posts: 119
More important than anything: keep everything up to date, whether it be your WordPress, plugins, OS installation, everything, or at least on stable-release versions.
Being secure and following the security steps recommended in the documentation is also a good thing to remember: moving the file location of your attachments folder, renaming and securing your admin folder, and closely monitoring your server for any malicious occurrences.
█| Velxo Hosting | Quality Hosting Solution - Lightening Fast & Secure Servers
█| cPanel - Fantastico De Luxe - CloudFlare - RV Site Builder - Daily Backups
█| 30 Day Money Back Guarantee - Affordable Services - 24/7/365 Technical Support - 99.97%+ Uptime Guarantee
█| www.velxo.com
-
05-22-2012, 09:27 AM #18 Junior Guru Wannabe
- Join Date: Oct 2011
- Location: London, UK
- Posts: 78
If I were to password protect the admin directory would it stop any crons running or are they not affected by .htaccess and .htpasswd?
█ Senta Hosting - Shared, Reseller, VPS and Dedicated Hosting
█ 99.9% Uptime and 30 Day Money Back Guarantee
█ 24/7 Support (Phone support coming soon)
█ Follow us on Twitter for exclusive discounts
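The admin-area protections several posts recommend (IP restriction in #8, .htaccess protection on a custom path in #12, htpasswd in #15) and the cron question in #18, as one added example that is not code from the thread or from WHMCS. The first function writes an Apache 2.4 .htaccess that demands both a valid htpasswd login and a client address from an allowlist (2.4 `Require` syntax; the older `Order`/`Allow`/`Satisfy` directives are not covered). The second is a small check for a crontab line: .htaccess rules only apply to HTTP requests, so a cron entry that runs the admin cron script through the PHP CLI is unaffected by Basic auth or the IP allowlist, whereas an entry that fetches the cron URL with wget or curl will be challenged and fail. The directory, file and IP values are illustrative.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not part of WHMCS). Paths, the admin
# directory name and the addresses used are illustrative.

# whmcs_admin_htaccess <admin_dir> <htpasswd_file> <ip_or_cidr>...
# Writes an Apache 2.4 .htaccess into the (renamed) admin directory requiring
# BOTH a valid user from <htpasswd_file> AND a client address in the allowlist.
# Create the password file with the Apache tool, e.g.
#   htpasswd -cB /home/user/whmcs_private/.htpasswd adminuser
# and keep it outside the document root.
whmcs_admin_htaccess() {
  admindir="$1"
  htpasswd="$2"
  shift 2
  [ $# -ge 1 ] || return 1      # refuse to write an allowlist with no entries
  {
    echo "AuthType Basic"
    echo "AuthName \"WHMCS Admin\""
    echo "AuthUserFile $htpasswd"
    echo "<RequireAll>"
    echo "  Require valid-user"
    echo "  <RequireAny>"
    for ip in "$@"; do
      echo "    Require ip $ip"   # office / VPN addresses only
    done
    echo "  </RequireAny>"
    echo "</RequireAll>"
  } > "$admindir/.htaccess"
}

# whmcs_cron_is_cli <crontab line>
# Returns 0 when the entry runs cron.php via the PHP CLI (unaffected by
# .htaccess, which only governs HTTP requests) and 1 when it fetches the
# script over HTTP with wget/curl, which the auth and IP rules above would
# block.
whmcs_cron_is_cli() {
  case "$1" in
    *wget*|*curl*|*http://*|*https://*) return 1 ;;
    *php*cron.php*) return 0 ;;
    *) return 1 ;;
  esac
}

# Example invocation (illustrative values):
#   whmcs_admin_htaccess /home/user/public_html/billing/x7q2adm \
#       /home/user/whmcs_private/.htpasswd 203.0.113.10 198.51.100.0/24
#   whmcs_cron_is_cli "*/5 * * * * php -q /home/user/public_html/billing/x7q2adm/cron.php" \
#       && echo "cron unaffected by .htaccess"
```

Requiring both factors means a leaked admin password alone is not enough from outside the allowlisted ranges, and a stray request from inside those ranges still needs the password; if the allowlist is the only address you ever log in from, a VPN endpoint is the usual way to keep it short and stable.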
-
05-22-2012, 09:30 AM #19 Premium Member
- Join Date: Jul 2004
- Posts: 535
-
05-22-2012, 09:32 AM #20 Junior Guru Wannabe
- Join Date: Oct 2011
- Location: London, UK
- Posts: 78
Ok great, will I be able to reissue the license or is their licensing system still playing up?
-
05-22-2012, 09:43 AM #21 Premium Member
- Join Date: Jul 2004
- Posts: 535
-
05-22-2012, 09:44 AM #22 Junior Guru Wannabe
- Join Date: Oct 2011
- Location: London, UK
- Posts: 78
-
05-22-2012, 11:18 AM #23 Disabled
- Join Date: Apr 2006
- Posts: 34
Not sure if they are back up after the hack earlier, or what exactly was done; should find out in a few days.
-
05-22-2012, 12:27 PM #24 Web Hosting Master
- Join Date: Oct 2011
- Posts: 1,459
-
05-22-2012, 01:11 PM #25
Anyone seen these changes in WHMCS?
I click on "Refund money, manually" and get this error: TCPDPF: Unable to fetch image /home2/user/whmcs/images/xyz.png
(Note: this is the first time I have seen this error; I have used this many times but never got this type of error.)