  1. #1

    Securing WHMCS installs against hacks

    Hi guys,

    As many of you will know WHMCS servers got hacked last night.

    This is not a thread for bashing WHMCS, so if you want to bash please do so elsewhere.

    In this thread I want to review and get advice on securing WHMCS installs to prevent it from getting hacked.

    So please share what steps and techniques you have used to secure and lock down your WHMCS install (obviously omitting any sensitive data).

    Regards,
    Suhail.
    OSHS Ltd
    OSHS Services - DNS Clusters | R1Soft Licenses | Remote Backup Storage | R1Soft CDP Storage | Cheap Dedicated Servers
    EconDC.com - Enterprise UK Server Colo & Rack Space at Lowest Prices

  2. #2
    As a starting point, you should at least already have followed:

    http://docs.whmcs.com/Further_Security_Steps

  3. #3
    I'll start with some basic measures:

    1. Change the /admin folder to an obscure random name
    2. Move /attachments, /downloads and /templates_c to below /public_html and edit the config file
    3. Add password protection to the admin area
    4. Run WHMCS on a separate domain/sub-domain and not under the main website
    5. Move WHMCS to separate server

    These are some straightforward WHMCS specific steps.

    What else?

    What about PHP security specifically related to WHMCS?

    Server security?

  4. #4
    Originally posted by hostedas:
        As a starting point, you should at least already have followed:
        http://docs.whmcs.com/Further_Security_Steps

    Thanks hostedas!

    I typed up at the same time as you so got most of those steps in.

    So additionally:

    6. Restrict admin area access by IP

  5. #5
    Use SSL ....
    WebSitePanel / Hosting Controller / Smartermail / Installation / Configuration / Troubleshooting / Migrations
    Windows Server Management / Security / Hardening
    I speak English and Spanish

  6. #6
    Originally posted by jackpx:
        Use SSL ....

    Thanks jackpx! Although it goes without saying I'm sure many may not be using SSL.

    What else?

  7. #7
    Do not be alarmed, for your whmcs will not be affected whatsoever.

  8. #8
    I have whmcs admin secured by IP
    and also removed the Wordpress blog that used to be on the site.....
    Studyhost - Simple Web Hosting Solutions
    UK and USA cPanel Web Hosting
    99.9% Uptime Guarantee | 24/7 Support | 30 Day Money Back Guarantee
    Visit us at: studyhost.net

  9. #9
    Originally posted by SpeedWebSolutions:
        Do not be alarmed, for your whmcs will not be affected whatsoever.

    That's not the point buddy. You don't wait to get hacked and then work on security, it needs to be pre-emptive and pro-active.

  10. #10
    Originally posted by websprite:
        I have whmcs admin secured by IP
        and also removed the Wordpress blog that used to be on the site.....

    WordPress on the same domain/account is a BIG DISASTER waiting to happen, as WordPress hacks are far too frequent and common.

    -->> Another major security step is to implement suPHP to prevent base64 scripts being run in home directories via php_flags in .htaccess files.

  11. #11
    How about ionCube encoding the configuration.php? This would protect your card hash fairly well, I think.
    Hosting Ireland - Irish Web Hosting and Domain Name Registration - Tel: +353 51 843464

  12. #12
    Best practice is to have your WHMCS install on a separate machine if possible, with nothing else within, i.e. WordPress or the like.

    If you cannot afford a small dedicated server, then a VPS from a decent provider is wise as you can adjust the environment to suit.

    I am not willing to disclose information about our setup, but let's just say everything is locked down and secured, along with administration ports and everything else.

    We then go a step further and have proactive scanning and monitoring in place, which alerts us in a timely manner should anyone access anything they shouldn't.

    It's also good practice to disable the "Forgot Password" link on the admin login, and also to double secure that area using .htaccess protection with a custom path, for extra security against brute-force attacks on the admin login area.

    Although WHMCS will only be as secure as the machine it resides on, it makes sense to disable things like FTP which are not needed. This is only a basic summary of things; however, putting mod_security in place with a decent rule set is also considered a wise move.

    In focus server management techniques should be used to secure the box, then WHMCS's additional security steps should be followed to secure the install. If you follow best practice and keep an eye on things you should get along just fine.

    Regards,
    Last edited by cd/home; 05-22-2012 at 08:17 AM.
    UK Based Server Management
    Tel: 0203 189 1159

  13. #13

    I have some urgent tickets and now I can't reply to them because WHMCS shows the error: License Noconnection

    WHMCS Down or again hacked?

  14. #14
    I believe they are having another DDOS attack unfortunately.

  15. #15
    Secure WHMCS admin area with htpasswd user/pass. This is a good layer of security.
    QHoster.com - Web Hosting with DDoS Protection | Shared & Reseller in Europe/North America
    Linux/Windows RDP VPS - Locations UK, US, CA, BG, LT, FR, DE, NL, CH | OpenVPN/PPTP Enabled
    Instant setup | PayPal, Skrill, Payza, Bitcoin, WebMoney, Perfect Money, STP, Ukash, CashU
    █ Call us: (USA +1) 877 423 1155 | (UK +44) 800 610 1580 | (Skype) : qhoster
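
    Several posts above (IP-restricting the admin area, .htaccess protection on a custom admin path, htpasswd user/pass) describe the same control. The following Apache 2.4 virtual-host fragment is an added example, not code from the thread or from WHMCS, showing both layers combined so that a request must come from an allowlisted address AND present valid basic-auth credentials before it even reaches the WHMCS login form. The directory name, path and addresses are placeholders (the IPs are from the RFC 5737 documentation ranges); the password file is assumed to live outside the web root.

```apache
# Added example (not from the thread): hardening a renamed WHMCS admin directory.
# Assumed placeholder path: /home/whmcs/public_html/adm-7f3k2 (post #3's "obscure random name").
# Create the password file outside the document root first, e.g.:
#   htpasswd -c /home/whmcs/.htpasswd-admin adminuser
<Directory "/home/whmcs/public_html/adm-7f3k2">
    # Layer 1: HTTP basic auth in front of the WHMCS admin login (post #15)
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/home/whmcs/.htpasswd-admin"

    # Layer 2: source-IP allowlist (post #4). RequireAll means BOTH
    # conditions must pass; a valid password from an unlisted address is refused.
    <RequireAll>
        Require ip 203.0.113.10 198.51.100.0/24
        Require valid-user
    </RequireAll>

    # Limit what a .htaccess dropped into this directory may change, so
    # PHP flags cannot be overridden per-directory (related to post #10).
    AllowOverride AuthConfig Limit
</Directory>
```

    Placed in a .htaccess file instead of the vhost, the same directives apply without the Directory wrapper (and without AllowOverride, which is vhost-only). A quick check after reloading Apache: a request from an unlisted address should get 403 before any password prompt, and a request from a listed address without credentials should get 401.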
