  1. #1
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657

    Post WHMCS Security: How To Remove The "Forgot your password?" Link From Admin Login Area.

    Hello,

    To stop the "Forgot your password?" link from displaying on your admin login area on WHMCS, simply edit your root WHMCS "configuration.php" file and add the following line (below):

    $disableadminforgottenpw = true;

    Disabling this feature will reduce the risk of someone gaining access to your WHMCS admin area should your email account be compromised.

    Regards,
    UK Based Proactive Server Management.
    Zabbix Enterprise 24/7 Monitoring.
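
A check for the setting described in post #1, as an added example that is not part of the original thread: it reports whether a configuration.php carries a live `$disableadminforgottenpw = true;` line, meaning one that is not commented out and not overridden further down. The sample configs are constructed, and counting only the literal `true` as enabled is an assumption.

```python
import re
import sys

SETTING = "disableadminforgottenpw"  # variable name from the post above

# Constructed sample configs (not from a real installation).
SAMPLE_ENABLED = "<?php\n$license = 'PLACEHOLDER';\n$disableadminforgottenpw = true;\n"
SAMPLE_COMMENTED = "<?php\n// $disableadminforgottenpw = true;\n/* $disableadminforgottenpw = true; */\n"
SAMPLE_OVERRIDDEN = "<?php\n$disableadminforgottenpw = true;\n$disableadminforgottenpw = false;\n"

# Strings are matched first so that comment markers inside them survive.
_TOKEN = re.compile(
    r"'(?:\\.|[^'\\])*'"       # single-quoted string (kept)
    r'|"(?:\\.|[^"\\])*"'      # double-quoted string (kept)
    r"|/\*.*?\*/"              # block comment (dropped)
    r"|(?://|#)[^\n]*",        # line comment (dropped)
    re.S,
)
_ASSIGN = re.compile(r"\$" + SETTING + r"\s*=\s*([^;]+);")


def strip_comments(php_source):
    """Drop PHP comments while leaving quoted strings untouched."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] in "'\"" else "", php_source)


def reset_link_disabled(php_source):
    """True only if the last live assignment of the setting is `true`.

    Assumption: only the literal `true` (any case, as PHP allows) counts.
    """
    values = _ASSIGN.findall(strip_comments(php_source))
    return bool(values) and values[-1].strip().lower() == "true"


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a configuration.php
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print("disabled" if reset_link_disabled(fh.read()) else "NOT disabled")
    else:
        for name in ("SAMPLE_ENABLED", "SAMPLE_COMMENTED", "SAMPLE_OVERRIDDEN"):
            print(name, reset_link_disabled(globals()[name]))
```

Run it with the path to configuration.php as the only argument; without an argument it evaluates the three constructed samples.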

  2. #2
    Thank you. Doing this right now.

  3. #3
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Quote Originally Posted by rsfk View Post
    Thank you. Doing this right now.
    Thank you, please help spread the word.

    Regards,

  4. #4
    Join Date
    Jun 2010
    Location
    Grand Rapids, Mi
    Posts
    1,200
    ditto.

    Do they happen to have a list of variables you can set in the config at WHMCS's documentation?
    IonVz - Nginx/FreeBSD/VPS Consulting | VPSNodeBox - Managed Support Representative

  5. #5
    Join Date
    Jun 2010
    Posts
    592
    Setup > General Settings > Security > Disable Admin Password Reset [x]

  6. #6
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Quote Originally Posted by kbeezie View Post
    ditto.

    Do they happen to have a list of variables you can set in the config at WHMCS's documentation?
    I don't think they do.

    Quote Originally Posted by SirMarcel View Post
    Setup > General Settings > Security > Disable Admin Password Reset [x]
    Although this is available for newer WHMCS installations...

    The older ones don't have this option available, as it was only implemented into WHMCS during the Version 5.0 release.

  7. #7
    Join Date
    Jun 2010
    Posts
    592
    Is there any particular reason one wouldn't want to upgrade to the most recent version? Surely just by having an outdated installation you're risking your system being compromised.

  8. #8
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Quote Originally Posted by SirMarcel View Post
    Is there any particular reason one wouldn't want to upgrade to the most recent version? Surely just by having an outdated installation you're risking your system being compromised.
    Mainly because people have heavily modified WHMCS installations which include various modules, so some people find it easier to stay patched and focused on security rather than being an upgrade junkie.

    A patched WHMCS 4.5 is just as secure as a patched WHMCS 5.0.

    However, this isn't a debate about release notes and release candidate security. It's merely a tutorial to help all WHMCS users disable the link.
    Last edited by Server Management; 05-30-2012 at 10:38 AM.

  9. #9
    Join Date
    Jun 2010
    Location
    Grand Rapids, Mi
    Posts
    1,200
    Quote Originally Posted by cd/home View Post
    Mainly because people have heavily modified WHMCS installations which include various modules, so some people find it easier to stay patched and focused on security rather than being an upgrade junkie.

    A patched WHMCS 4.5 is just as secure as a patched WHMCS 5.0.
    Adding to this, in theory you're only lacking 'new features' and such, as any security patches they release tend to be available for as far back as version 4.0 (as you would have noticed from their most recent patch). The upgrades aren't really for security fixes but rather features and such.

  10. #10
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Quote Originally Posted by kbeezie View Post
    Adding to this, in theory you're only lacking 'new features' and such, as any security patches they release tend to be available for as far back as version 4.0 (as you would have noticed from their most recent patch). The upgrades aren't really for security fixes but rather features and such.
    Thank you for adding additional information on the subject.

    The more information we can get around about securing WHMCS the better.

    However I shall forward my opinion about having this included to the WHMCS documentation to Matt.

    Regards,
    Last edited by Server Management; 05-30-2012 at 11:01 AM.

  11. #11
    Join Date
    Apr 2008
    Location
    UK
    Posts
    239
    Why not just VPN the backend altogether? I mean, this is going to do very little security-wise!
    SafeSrv.net - Secure Hosting, VPN and Management Services.
    WHMCS FreeRADIUS VPN Module. - Build a fully featured VPN business in no time.

  12. #12
    Quote Originally Posted by SafeSrv View Post
    Why not just VPN the backend altogether? I mean, this is going to do very little security-wise!
    Indeed, a lot of people miss this...
    SimplexWebs for awesome British web hosting, servers & domain names. Seven fantastic years of it.
    Need more power? We've got Enterprise Hosting for that.

  13. #13
    Join Date
    Jun 2010
    Location
    Grand Rapids, Mi
    Posts
    1,200
    Quote Originally Posted by SafeSrv View Post
    Why not just VPN the backend altogether? I mean, this is going to do very little security-wise!
    Wouldn't that throw off the licensing? (i.e. it thinks the app is being hosted on an internal/VPN IP, then won't let you log in on account of the licensing?)

  14. #14
    Join Date
    Apr 2008
    Location
    UK
    Posts
    239
    Quote Originally Posted by kbeezie View Post
    Wouldn't that throw off the licensing? (i.e. it thinks the app is being hosted on an internal/VPN IP, then won't let you log in on account of the licensing?)
    No, it won't affect licensing at all. I have always restricted backends to either my ISP IP or VPN; it's the best way to keep your backend secure.

  15. #15
    Thanks for the tutorial.
