Securing WHMCS installs against hacks

suhailc · #1 05-22-2012, 05:05 AM

Hi guys,

As many of you will know WHMCS servers got hacked last night.

This is not a thread for bashing WHMCS, so if you want to bash please do so elsewhere.

In this thread I want to review and get advice on securing WHMCS installs to prevent it from getting hacked.

So please share what steps and techniques you have used to secure and lock down your WHMCS install (obviously omitting any sensitive data).

Regards,
Suhail.

hostvirtual · #2 05-22-2012, 05:11 AM

As a starting point, you should at least already have followed:

http://docs.whmcs.com/Further_Security_Steps

suhailc · #3 05-22-2012, 05:12 AM

I'll start with some basic measures:

1. Change the /admin folder to an obscure random name
2. Move /attachments, /downloads and /templates _c to below /public_html and edit the config file
3. Add password protection to the admin area
4. Run WHMCS on seperate domain/sub-domain and not under main website
5. Move WHMCS to separate server

These are some straightforward WHMCS specific steps.

What else?

What about PHP security specifically related to WHMCS?

Server security?

suhailc · #4 05-22-2012, 05:13 AM

Quote:

Originally Posted by hostedas

As a starting point, you should at least already have followed:

http://docs.whmcs.com/Further_Security_Steps

Thanks hostedas!

I typed up at the same time as you so got most of those steps in.

So additionally:

6. Restrict admin area access by IP

jackpx · #5 05-22-2012, 05:55 AM

Use SSL ....

suhailc · #6 05-22-2012, 06:00 AM

Quote:

Originally Posted by jackpx

Use SSL ....

Thanks jackpx! Although it goes without saying I'm sure many may not be using SSL.

What else?

ViperNet · #7 05-22-2012, 06:03 AM

Do not be alarmed, for your whmcs will not be affected whatsoever.

websprite · #8 05-22-2012, 06:12 AM

I have whmcs admin secured by IP
and also removed the Wordpress blog that used to be on the site.....

suhailc · #9 05-22-2012, 06:38 AM

Quote:

Originally Posted by SpeedWebSolutions

Do not be alarmed, for your whmcs will not be affected whatsoever.

That's not the point buddy. You don't wait to get hacked and then work on security, it needs to be pre-emptive and pro-active.

suhailc · #10 05-22-2012, 06:40 AM

Quote:

Originally Posted by websprite

I have whmcs admin secured by IP
and also removed the Wordpress blog that used to be on the site.....

Wordpress on the same domain/account is a BIG DISASTER waiting to happen, as Wordpress hacks are far too frequest and common.

-->> Another major security step is to implement SuPHP to prevent base64 scripts run on home directories via php_flags in .htacess files.

protocol1 · #11 05-22-2012, 08:10 AM

How about ioncube encoding the configuration.php this would protect your card hash fairly well I think.

**cd/home** · #12 05-22-2012, 08:14 AM

Best practice is to have your WHMCS install on a seperate machine if possible with nothing else within I.E wordpress or the likes.

If you cannot afford a small dedicated server then a VPS from a decent provider is wise as you can adjust the enviroment to suit.

Am not willing to disclose information of our setup but lets just say everything is locked down and secured along with administration ports and everything else.

We then go a step further and have proactive scanning and monitoring in place which alerts us in a timely manner should anyone access anything they shouldnt.

Its also good pratice to disable the "Forgot Password" link on the admin login and also double secure that area using .htaccess protection using a custom path for extra security against admin login area brute attacks.

Although WHMCS will be only as secure as the machine it resides on it makes sense to disable things like FTP which are not needed, This is only a basic summary of things however putting mod_security with a decent rule set is also considered a wise move.

In focus server management techniques should be use to secure the box then following WHMCS additional security steps should be used to secure the install, If you follow best practice and keep an eye on things you should get along just fine

Regards,