Page 1 of 2 12 LastLast
Results 1 to 25 of 30

Hybrid View

  1. #1

    Securing WHMCS installs against hacks

    Hi guys,

    As many of you will know WHMCS servers got hacked last night.

    This is not a thread for bashing WHMCS, so if you want to bash please do so elsewhere.

    In this thread I want to review and get advice on securing WHMCS installs to prevent it from getting hacked.

    So please share what steps and techniques you have used to secure and lock down your WHMCS install (obviously omitting any sensitive data).

    Regards,
    Suhail.
    OSHS Ltd
    OSHS Services - DNS Clusters | R1Soft Licenses | R1Soft CDP Storage | UK Server Colo | UK Rack Space

  2. #2
    Join Date
    Aug 2003
    Location
    127.0.0.1
    Posts
    273
    As a starting point, you should at least already have followed:

    http://docs.whmcs.com/Further_Security_Steps

  3. #3
    Quote Originally Posted by hostedas View Post
    As a starting point, you should at least already have followed:

    http://docs.whmcs.com/Further_Security_Steps
    Thanks hostedas!

    I typed up at the same time as you so got most of those steps in.

    So additionally:

    6. Restrict admin area access by IP
    OSHS Ltd
    OSHS Services - DNS Clusters | R1Soft Licenses | R1Soft CDP Storage | UK Server Colo | UK Rack Space

  4. #4
    I'll start with some basic measures:

    1. Change the /admin folder to an obscure random name
    2. Move /attachments, /downloads and /templates _c to below /public_html and edit the config file
    3. Add password protection to the admin area
    4. Run WHMCS on seperate domain/sub-domain and not under main website
    5. Move WHMCS to separate server

    These are some straightforward WHMCS specific steps.

    What else?

    What about PHP security specifically related to WHMCS?

    Server security?
    OSHS Ltd
    OSHS Services - DNS Clusters | R1Soft Licenses | R1Soft CDP Storage | UK Server Colo | UK Rack Space

  5. #5
    Join Date
    Aug 2006
    Posts
    1,171
    Use SSL ....
    WebSitePanel/ MspControl / SolidCP / Smartermail / Installation / Configuration / Troubleshooting / Migrations
    Windows Server Management / Security / Hardening
    I speak English and Spanish

  6. #6
    Quote Originally Posted by jackpx View Post
    Use SSL ....
    Thanks jackpx! Although it goes without saying I'm sure many may not be using SSL.

    What else?
    OSHS Ltd
    OSHS Services - DNS Clusters | R1Soft Licenses | R1Soft CDP Storage | UK Server Colo | UK Rack Space

  7. #7
    Do not be alarmed, for your whmcs will not be affected whatsoever.

  8. #8
    Quote Originally Posted by SpeedWebSolutions View Post
    Do not be alarmed, for your whmcs will not be affected whatsoever.
    That's not the point buddy. You don't wait to get hacked and then work on security, it needs to be pre-emptive and pro-active.
    OSHS Ltd
    OSHS Services - DNS Clusters | R1Soft Licenses | R1Soft CDP Storage | UK Server Colo | UK Rack Space

  9. #9
    Join Date
    Apr 2006
    Posts
    460
    I have whmcs admin secured by IP
    and also removed the Wordpress blog that used to be on the site.....
    Studyhost - Simple Web Hosting Solutions
    UK and USA cPanel Web Hosting
    99.9% Uptime Guarantee | 24/7 Support | 30 Day Money Back Guarantee
    Visit us at: studyhost.net

  10. #10
    Quote Originally Posted by websprite View Post
    I have whmcs admin secured by IP
    and also removed the Wordpress blog that used to be on the site.....
    Wordpress on the same domain/account is a BIG DISASTER waiting to happen, as Wordpress hacks are far too frequest and common.

    -->> Another major security step is to implement SuPHP to prevent base64 scripts run on home directories via php_flags in .htacess files.
    OSHS Ltd
    OSHS Services - DNS Clusters | R1Soft Licenses | R1Soft CDP Storage | UK Server Colo | UK Rack Space

  11. #11
    Join Date
    Jan 2007
    Location
    Ireland
    Posts
    68
    How about ioncube encoding the configuration.php this would protect your card hash fairly well I think.
    Hosting Ireland - Irish Web Hosting and Domain Name Registration - Tel: +353 51 843464

  12. #12
    Join Date
    Oct 2011
    Posts
    1,459
    Quote Originally Posted by websprite View Post
    I have whmcs admin secured by IP
    and also removed the Wordpress blog that used to be on the site.....
    I prefer WHMCS install on a seperate server or VPS.

    Which is seperate from any other things of website, like blog, forum or main site.

  13. #13
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Best practice is to have your WHMCS install on a seperate machine if possible with nothing else within I.E wordpress or the likes.

    If you cannot afford a small dedicated server then a VPS from a decent provider is wise as you can adjust the enviroment to suit.

    Am not willing to disclose information of our setup but lets just say everything is locked down and secured along with administration ports and everything else.

    We then go a step further and have proactive scanning and monitoring in place which alerts us in a timely manner should anyone access anything they shouldnt.

    Its also good pratice to disable the "Forgot Password" link on the admin login and also double secure that area using .htaccess protection using a custom path for extra security against admin login area brute attacks.

    Although WHMCS will be only as secure as the machine it resides on it makes sense to disable things like FTP which are not needed, This is only a basic summary of things however putting mod_security with a decent rule set is also considered a wise move.

    In focus server management techniques should be use to secure the box then following WHMCS additional security steps should be used to secure the install, If you follow best practice and keep an eye on things you should get along just fine

    Regards,
    Last edited by Server Management; 05-22-2012 at 08:17 AM.
    UK Based Proactive Server Management.
    Zabbix Enterprise 24/7 Monitoring.

  14. #14

    *

    I have some urgent tickets and now I can't reply them because of WHMCS show error: License Noconnection

    WHMCS Down or again hacked?

  15. #15
    I believe they are having another DDOS attack unfortunately.

  16. #16
    Join Date
    Mar 2006
    Location
    Servers
    Posts
    1,590
    Secure WHMCS admin area with htpasswd user/pass. This is a good layer of security.
    QHoster.com - Web Hosting with DDoS Protection | Shared & Reseller in Europe/North America
    Linux/Windows RDP VPS 13 Locations : UK, US (5 states), Mexico, Canada, Bulgaria, Lithuania,
    Italy, France, Germany,Netherlands, Switzerland, Rissia, Singapore | OpenVPN/PPTP Enabled
    INSTANT | PayPal, Skrill, Payza, Bitcoin, WebMoney, Perfect Money, Ukash, CashU, paysafecard

  17. #17
    Join Date
    Feb 2012
    Location
    Detroit, MI
    Posts
    119
    Quote Originally Posted by suhailc View Post
    Hi guys,

    As many of you will know WHMCS servers got hacked last night.

    This is not a thread for bashing WHMCS, so if you want to bash please do so elsewhere.

    In this thread I want to review and get advice on securing WHMCS installs to prevent it from getting hacked.

    So please share what steps and techniques you have used to secure and lock down your WHMCS install (obviously omitting any sensitive data).

    Regards,
    Suhail.
    More importantly than anything, keeping everything up to date. Whether it be your wordpress, plugins, OS installation, everything, or at least on stable-release versions.

    Being secure, and following the security steps recommended via the documentation is also a good thing to remember - moving the file locations of your attachments folder, renaming and securing your admin folder, and closely monitoring your server for any malicious occurrences.
    █| Velxo Hosting | Quality Hosting Solution - Lightening Fast & Secure Servers
    █| cPanel - Fantastico De Luxe - CloudFlare - RV Site Builder - Daily Backups
    █| 30 Day Money Back Guarantee - Affordable Services - 24/7/365 Technical Support - 99.97%+ Uptime Guarantee
    █| www.velxo.com

  18. #18
    Today I get 10 spam email on my WHMCS ticket system

    - Happy new year
    - Buy hosting
    - WHMCS Services for your site
    - Service for dewlance
    - xyz

    Is spammer start using WHMCS DB?

  19. #19
    Join Date
    Oct 2011
    Location
    London, UK
    Posts
    78
    If I were to password protect the admin directory would it stop any crons running or are they not affected by .htaccess and .htpasswd?
    Senta Hosting - Shared, Reseller, VPS and Dedicated Hosting
    99.9% Uptime and 30 Day Money Back Guarantee
    24/7 Support (Phone support coming soon)
    Follow us on Twitter for exclusive discounts

  20. #20
    Quote Originally Posted by sentahosting View Post
    If I were to password protect the admin directory would it stop any crons running or are they not affected by .htaccess and .htpasswd?
    Cronjobs should not be affected.
    OSHS Ltd
    OSHS Services - DNS Clusters | R1Soft Licenses | R1Soft CDP Storage | UK Server Colo | UK Rack Space

  21. #21
    Join Date
    Oct 2011
    Location
    London, UK
    Posts
    78
    Ok great, will I be able to reissue the license or is their licensing system still playing up?
    Senta Hosting - Shared, Reseller, VPS and Dedicated Hosting
    99.9% Uptime and 30 Day Money Back Guarantee
    24/7 Support (Phone support coming soon)
    Follow us on Twitter for exclusive discounts

  22. #22
    Quote Originally Posted by sentahosting View Post
    Ok great, will I be able to reissue the license or is their licensing system still playing up?
    Password protecting the admin folder has nothing to do with the licensing system. WHMCS.com and forums are back up now and they say their licensing is back online so you should be able ok.
    OSHS Ltd
    OSHS Services - DNS Clusters | R1Soft Licenses | R1Soft CDP Storage | UK Server Colo | UK Rack Space

  23. #23
    Join Date
    Oct 2011
    Location
    London, UK
    Posts
    78
    Quote Originally Posted by suhailc View Post
    Password protecting the admin folder has nothing to do with the licensing system. WHMCS.com and forums are back up now and they say their licensing is back online so you should be able ok.
    I know that password protection has nothing to do the licensing system! I just wanted to know if it was still playing up as I know they are receiving a lot of DDoS at the moment.
    Senta Hosting - Shared, Reseller, VPS and Dedicated Hosting
    99.9% Uptime and 30 Day Money Back Guarantee
    24/7 Support (Phone support coming soon)
    Follow us on Twitter for exclusive discounts

  24. #24
    Not sure if they are back up after the hack earlier or what exactly was done should find out in a few days

  25. #25
    anyone see this changes in WHMCS?

    I click on "Refund money, manually" and get this error: TCPDPF: Unable to fetch image /home2/user/whmcs/images/xyz.png

    (Note: First time I see this error, I use this many times but never get this type of error)

Page 1 of 2 12 LastLast

Similar Threads

  1. Forum installs hacks, mods and php scipts installs for $$
    By KPRS in forum Other Offers & Requests
    Replies: 1
    Last Post: 09-02-2005, 07:01 PM
  2. phpbb mods/hacks/languages/templates installs and training
    By markerpower in forum Employment / Job Offers
    Replies: 11
    Last Post: 12-20-2004, 01:27 AM
  3. phpbb mods/hacks/templates installs
    By markerpower in forum Employment / Job Offers
    Replies: 5
    Last Post: 11-26-2004, 05:28 PM
  4. Vbulletin Hacks and Installs provided
    By SuperCoolnWo in forum Other Offers & Requests
    Replies: 2
    Last Post: 07-23-2003, 09:37 PM
  5. Vbulletin Hacks and Installs provided
    By SuperCoolnWo in forum Employment / Job Offers
    Replies: 0
    Last Post: 07-23-2003, 08:16 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •