Securing WHMCS installs against hacks

  #1  
Old
Web Hosting Evangelist
 
Join Date: Jul 2004
Posts: 509

Securing WHMCS installs against hacks


Hi guys,

As many of you will know WHMCS servers got hacked last night.

This is not a thread for bashing WHMCS, so if you want to bash please do so elsewhere.

In this thread I want to review and get advice on securing WHMCS installs to prevent it from getting hacked.

So please share what steps and techniques you have used to secure and lock down your WHMCS install (obviously omitting any sensitive data).

Regards,
Suhail.

__________________
OSHS Ltd
OSHS Services - DNS Clusters | R1Soft Licenses | Remote Backup Storage | R1Soft CDP Storage | Cheap Dedicated Servers
EconDC.com - Enterprise UK Server Colo & Rack Space at Lowest Prices




  #2  
Old
Web Hosting Guru
 
Join Date: Aug 2003
Location: 127.0.0.1
Posts: 271
As a starting point, you should at least already have followed:

http://docs.whmcs.com/Further_Security_Steps

  #3  
Old
Web Hosting Evangelist
 
Join Date: Jul 2004
Posts: 509
I'll start with some basic measures:

1. Change the /admin folder to an obscure random name
2. Move /attachments, /downloads and /templates_c to below /public_html and edit the config file
3. Add password protection to the admin area
4. Run WHMCS on a separate domain/sub-domain and not under the main website
5. Move WHMCS to separate server

These are some straightforward WHMCS specific steps.

What else?

What about PHP security specifically related to WHMCS?

Server security?



  #4  
Old
Web Hosting Evangelist
 
Join Date: Jul 2004
Posts: 509
Quote:
Originally Posted by hostedas
As a starting point, you should at least already have followed:

http://docs.whmcs.com/Further_Security_Steps

Thanks hostedas!

I typed up at the same time as you so got most of those steps in.

So additionally:

6. Restrict admin area access by IP



  #5  
Old
Web Hosting Master
 
Join Date: Aug 2006
Posts: 769
Use SSL ....

__________________
WebSitePanel / Hosting Controller / Smartermail / Installation / Configuration / Troubleshooting / Migrations
Windows Server Management / Security / Hardening
I speak English and Spanish

  #6  
Old
Web Hosting Evangelist
 
Join Date: Jul 2004
Posts: 509
Quote:
Originally Posted by jackpx
Use SSL ....

Thanks jackpx! Although it goes without saying I'm sure many may not be using SSL.

What else?



  #7  
Old
Disabled
 
Join Date: Jan 2010
Location: WwW
Posts: 147
Do not be alarmed, for your whmcs will not be affected whatsoever.

  #8  
Old
Corporate Member
 
Join Date: Apr 2006
Posts: 449
I have whmcs admin secured by IP
and also removed the Wordpress blog that used to be on the site.....

__________________
Studyhost - Simple Web Hosting Solutions
UK and USA cPanel Web Hosting
99.9% Uptime Guarantee | 24/7 Support | 30 Day Money Back Guarantee
Visit us at: studyhost.net

  #9  
Old
Web Hosting Evangelist
 
Join Date: Jul 2004
Posts: 509
Quote:
Originally Posted by SpeedWebSolutions
Do not be alarmed, for your whmcs will not be affected whatsoever.

That's not the point buddy. You don't wait to get hacked and then work on security, it needs to be pre-emptive and pro-active.



  #10  
Old
Web Hosting Evangelist
 
Join Date: Jul 2004
Posts: 509
Quote:
Originally Posted by websprite
I have whmcs admin secured by IP
and also removed the Wordpress blog that used to be on the site.....

Wordpress on the same domain/account is a BIG DISASTER waiting to happen, as Wordpress hacks are far too frequent and common.

-->> Another major security step is to implement SuPHP to prevent base64 scripts being run on home directories via php_flags in .htaccess files.



  #11  
Old
Junior Guru Wannabe
 
Join Date: Jan 2007
Location: Ireland
Posts: 68
How about ioncube encoding the configuration.php? This would protect your card hash fairly well, I think.

__________________
Hosting Ireland - Irish Web Hosting and Domain Name Registration - Tel: +353 51 843464

  #12  
Old
Web Hosting Master
 
Join Date: Nov 2009
Location: /etc/my.cnf
Posts: 9,441
Best practice is to have your WHMCS install on a separate machine if possible, with nothing else within, i.e. Wordpress or the likes.

If you cannot afford a small dedicated server then a VPS from a decent provider is wise, as you can adjust the environment to suit.

I am not willing to disclose information about our setup, but let's just say everything is locked down and secured, along with administration ports and everything else.

We then go a step further and have proactive scanning and monitoring in place which alerts us in a timely manner should anyone access anything they shouldn't.

It's also good practice to disable the "Forgot Password" link on the admin login and also double secure that area using .htaccess protection, using a custom path for extra security against admin login area brute attacks.

Although WHMCS will be only as secure as the machine it resides on, it makes sense to disable things like FTP which are not needed. This is only a basic summary of things, however putting mod_security with a decent rule set is also considered a wise move.

In focus, server management techniques should be used to secure the box, then following WHMCS additional security steps should be used to secure the install. If you follow best practice and keep an eye on things you should get along just fine.

Regards,

__________________
LeapHost High Performance Wordpress & Magento Hosting Powered By Litespeed.
Fast Dedicated Servers | Uptime Cloud Monitoring | Proactive Server Management.
Server Setups | Stable Migrations | Security/Hardening | cPanel DNS Cluster Setups.
24/7 Ticket + Phone + Live Chat Support | Fancy An Offer > | Visit Our Special Offers



Last edited by cd/home; 05-22-2012 at 08:17 AM.
  #13  
Old
Windows Xen VPS Expert
 
Join Date: Jul 2009
Location: Kshatriya
Posts: 1,923
I have some urgent tickets and now I can't reply to them because WHMCS shows the error: License Noconnection

WHMCS Down or again hacked?

  #14  
Old
Litespeed Powered
 
Join Date: Jul 2011
Location: /root
Posts: 862
I believe they are having another DDOS attack unfortunately.

  #15  
Old
Quality Web Hosting Matters
 
Join Date: Sep 2006
Location: Servers
Posts: 1,525
Secure WHMCS admin area with htpasswd user/pass. This is a good layer of security.

__________________
QHoster.com - Web Hosting with DDoS Protection | Shared & Reseller in Europe/North America
Linux and Windows RDP VPS - Locations UK, US, CA, FR, DE, NL, CH | OpenVPN/PPTP Enabled
Instant setup | PayPal, Skrill, Payza, Bitcoin, WebMoney, Perfect Money, STP, EgoPay, OKPay
█ Call us: (USA +1) 877 423 1155 | (UK +44) 800 610 1580 | (Skype) : qhoster
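
One way to check steps 1, 2, 3 and 6 from the thread, plus the htpasswd suggestion in post #15, against an existing install. This is an example added here, not code from any poster or from WHMCS. The function names, the finding strings and the layout (WHMCS at the top of the web root, admin protection kept in an .htaccess file) are assumptions.

```python
import os
import re

# Default WHMCS folder names that step 2 moves out of the web root.
WRITABLE_DIRS = ("attachments", "downloads", "templates_c")

def _has(pattern, body):
    return re.search(pattern, body, re.I | re.M) is not None

def audit_htaccess(text, docroot):
    """Check an admin-area .htaccess for basic auth plus an IP allowlist."""
    findings = []
    # Strip whitespace and drop comment lines so disabled directives do not count.
    lines = [l.strip() for l in text.splitlines()]
    body = "\n".join(l for l in lines if not l.startswith("#"))
    has_auth = _has(r"^AuthType\s+Basic\b", body) and _has(r"^Require\s+(valid-user|user\s)", body)
    if not has_auth:
        findings.append("no HTTP basic auth on admin area")
    m = re.search(r'^AuthUserFile\s+"?([^"\n]+)', body, re.I | re.M)
    if m and os.path.normpath(m.group(1)).startswith(os.path.normpath(docroot) + os.sep):
        findings.append("password file is inside the web root")
    # Apache 2.2 style: "Deny from all" plus "Allow from <addr>"; 2.4 style: "Require ip".
    ip_22 = _has(r"^Deny\s+from\s+all\b", body) and _has(r"^Allow\s+from\s+(?!all\b)\S", body)
    ip_24 = _has(r"^Require\s+ip\s+\S", body)
    if not (ip_22 or ip_24):
        findings.append("admin area not restricted by IP")
    # Either of these makes password OR address sufficient, instead of both.
    if _has(r"^Satisfy\s+any\b", body):
        findings.append("Satisfy Any lets either check pass alone")
    if has_auth and ip_24 and not _has(r"^<RequireAll>", body):
        findings.append("Require lines outside <RequireAll> are ORed")
    return findings

def audit_install(docroot, admin_dir):
    """Audit a WHMCS tree at docroot; admin_dir is the renamed admin folder."""
    findings = []
    if admin_dir == "admin" or os.path.isdir(os.path.join(docroot, "admin")):
        findings.append("admin folder still uses the default name")
    for name in WRITABLE_DIRS:
        if os.path.isdir(os.path.join(docroot, name)):
            findings.append(name + " is still inside the web root")
    htaccess = os.path.join(docroot, admin_dir, ".htaccess")
    if os.path.isfile(htaccess):
        with open(htaccess) as fh:
            findings += audit_htaccess(fh.read(), docroot)
    else:
        findings.append("admin area has no .htaccess")
    return findings
```

The script only reads files; an .htaccess it approves still has no effect unless the server's AllowOverride setting lets those directives apply.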
