Best practice is to have your WHMCS install on a seperate machine if possible with nothing else within I.E wordpress or the likes.
If you cannot afford a small dedicated server then a VPS from a decent provider is wise as you can adjust the enviroment to suit.
Am not willing to disclose information of our setup but lets just say everything is locked down and secured along with administration ports and everything else.
We then go a step further and have proactive scanning and monitoring in place which alerts us in a timely manner should anyone access anything they shouldnt.
Its also good pratice to disable the "Forgot Password" link on the admin login and also double secure that area using .htaccess protection using a custom path for extra security against admin login area brute attacks.
Although WHMCS will be only as secure as the machine it resides on it makes sense to disable things like FTP which are not needed, This is only a basic summary of things however putting mod_security with a decent rule set is also considered a wise move.
In focus server management techniques should be use to secure the box then following WHMCS additional security steps should be used to secure the install, If you follow best practice and keep an eye on things you should get along just fine