Web Hosting Talk forum: Hosting Security and Technology

Securing WHMCS installs against hacks
#1 | 05-22-2012, 05:05 AM | linuxperts (Web Hosting Evangelist, Join Date: Jul 2004, Posts: 509)

Hi guys,

As many of you will know, WHMCS servers got hacked last night.

This is not a thread for bashing WHMCS, so if you want to bash please do so elsewhere.

In this thread I want to review and get advice on securing WHMCS installs to prevent it from getting hacked.

So please share what steps and techniques you have used to secure and lock down your WHMCS install (obviously omitting any sensitive data).

Regards,
Suhail.

#2 | 05-22-2012, 05:11 AM | hostvirtual (Web Hosting Guru, Join Date: Aug 2003, Location: 127.0.0.1, Posts: 271)

As a starting point, you should at least already have followed:

http://docs.whmcs.com/Further_Security_Steps

#3 | 05-22-2012, 05:12 AM | linuxperts (Web Hosting Evangelist, Join Date: Jul 2004, Posts: 509)

I'll start with some basic measures:

1. Change the /admin folder to an obscure random name
2. Move /attachments, /downloads and /templates_c to below /public_html and edit the config file
3. Add password protection to the admin area
4. Run WHMCS on a separate domain/sub-domain and not under the main website
5. Move WHMCS to a separate server

These are some straightforward WHMCS specific steps.

What else?

What about PHP security specifically related to WHMCS?

Server security?

#4 | 05-22-2012, 05:13 AM | linuxperts (Web Hosting Evangelist, Join Date: Jul 2004, Posts: 509)

Quote (Originally Posted by hostedas):
    As a starting point, you should at least already have followed:
    http://docs.whmcs.com/Further_Security_Steps

Thanks hostedas!

I typed mine up at the same time as you, so I got most of those steps in.

So additionally:

6. Restrict admin area access by IP

#5 | 05-22-2012, 05:55 AM | jackpx (Web Hosting Master, Join Date: Aug 2006, Posts: 739)

Use SSL ....

#6 | 05-22-2012, 06:00 AM | linuxperts (Web Hosting Evangelist, Join Date: Jul 2004, Posts: 509)

Quote (Originally Posted by jackpx):
    Use SSL ....

Thanks jackpx! Although it goes without saying, I'm sure many may not be using SSL.

What else?

#7 | 05-22-2012, 06:03 AM | ViperNet (Disabled, Join Date: Jan 2010, Location: WwW, Posts: 147)

Do not be alarmed, for your whmcs will not be affected whatsoever.

#8 | 05-22-2012, 06:12 AM | neil@ukwebhosting (Web Hosting Guru, Join Date: Apr 2006, Posts: 324)

I have the WHMCS admin secured by IP, and I also removed the WordPress blog that used to be on the site.

#9 | 05-22-2012, 06:38 AM | linuxperts (Web Hosting Evangelist, Join Date: Jul 2004, Posts: 509)

Quote (Originally Posted by SpeedWebSolutions):
    Do not be alarmed, for your whmcs will not be affected whatsoever.

That's not the point, buddy. You don't wait to get hacked and then work on security; it needs to be pre-emptive and proactive.

#10 | 05-22-2012, 06:40 AM | linuxperts (Web Hosting Evangelist, Join Date: Jul 2004, Posts: 509)

Quote (Originally Posted by websprite):
    I have whmcs admin secured by IP
    and also removed the Wordpress blog that used to be on the site.....

WordPress on the same domain/account is a BIG DISASTER waiting to happen, as WordPress hacks are far too frequent and common.

Another major security step is to implement suPHP to prevent base64 scripts from being run in home directories via php_flag settings in .htaccess files.

#11 | 05-22-2012, 08:10 AM | protocol1 (Junior Guru Wannabe, Join Date: Jan 2007, Location: Ireland, Posts: 68)

How about ionCube encoding the configuration.php? This would protect your card hash fairly well, I think.

#12 | 05-22-2012, 08:14 AM | cd/home (Web Hosting Master, Join Date: Nov 2009, Location: /etc/my.cnf, Posts: 9,106)

Best practice is to have your WHMCS install on a separate machine if possible, with nothing else on it, i.e. WordPress or the like.

If you cannot afford a small dedicated server then a VPS from a decent provider is wise, as you can adjust the environment to suit.

I'm not willing to disclose information on our setup, but let's just say everything is locked down and secured, along with administration ports and everything else.

We then go a step further and have proactive scanning and monitoring in place, which alerts us in a timely manner should anyone access anything they shouldn't.

It's also good practice to disable the "Forgot Password" link on the admin login and also double-secure that area using .htaccess protection with a custom path, for extra security against brute-force attacks on the admin login area.

Although WHMCS will only be as secure as the machine it resides on, it makes sense to disable things like FTP which are not needed. This is only a basic summary of things; however, putting mod_security in place with a decent rule set is also considered a wise move.

In focus server management techniques should be used to secure the box, then WHMCS's additional security steps should be followed to secure the install. If you follow best practice and keep an eye on things you should get along just fine.

Regards,

#13 | 05-22-2012, 08:17 AM | DewlanceHosting (Windows Xen VPS Expert, Join Date: Jul 2009, Location: Kshatriya, Posts: 1,791)

I have some urgent tickets and now I can't reply to them, because WHMCS shows the error: License Noconnection

Is WHMCS down, or hacked again?

#14 | 05-22-2012, 08:24 AM | V7Host (Litespeed Powered, Join Date: Jul 2011, Location: /root, Posts: 862)

I believe they are having another DDoS attack, unfortunately.

#15 | 05-22-2012, 08:27 AM | WebHostDog (Quality Web Hosting Matters, Join Date: Sep 2006, Location: Servers, Posts: 1,473)

Secure WHMCS admin area with htpasswd user/pass. This is a good layer of security.

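An added example, not from the thread or from WHMCS itself: a small Python audit of the checklist in posts #3, #4, #12 and #15 (renamed admin folder, data directories outside public_html, htpasswd and IP restriction on the admin area). It assumes the configuration.php variable names from the WHMCS docs linked above and runs against a constructed sample config and admin .htaccess; the hostnames, paths and IP are made up.

```python
import re
from pathlib import PurePosixPath

# Constructed sample configuration.php; the variable names follow the WHMCS
# "Further Security Steps" docs linked in the thread, but the values are made up.
SAMPLE_CONFIG = """<?php
$customadminpath = 'ctrl-7f3a9';
$templates_compiledir = '/home/acme/templates_c/';
$attachments_dir = '/home/acme/public_html/attachments/';
$downloads_dir = '/home/acme/downloads/';
"""

# Constructed .htaccess for the renamed admin folder: htpasswd plus an IP
# allow-list (Apache 2.2 Order/Allow syntax, as most 2012-era cPanel boxes used).
SAMPLE_ADMIN_HTACCESS = """AuthType Basic
AuthName "WHMCS admin"
AuthUserFile /home/acme/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from 203.0.113.10
"""

def php_vars(src):
    """Collect simple $name = 'value'; assignments from a configuration.php."""
    return dict(re.findall(r"\$(\w+)\s*=\s*['\"]([^'\"]*)['\"]\s*;", src))

def audit(config_src, htaccess_src, docroot="/home/acme/public_html"):
    """Return a list of hardening gaps; an empty list means every check passed."""
    findings = []
    cfg = php_vars(config_src)
    root = PurePosixPath(docroot)
    # Step 1: the admin folder should not be reachable at the default /admin.
    if cfg.get("customadminpath", "admin") == "admin":
        findings.append("admin folder still uses the default name")
    # Step 2: writable/data directories belong outside the document root.
    for var in ("templates_compiledir", "attachments_dir", "downloads_dir"):
        path = cfg.get(var)
        if path is None or root in PurePosixPath(path).parents:
            findings.append(f"{var} is missing or inside the web root")
    # Steps 3 and 6: htpasswd protection and an IP allow-list on the admin area.
    lines = [ln.strip() for ln in htaccess_src.splitlines() if ln.strip()]
    directives = {ln.split()[0].lower() for ln in lines}
    if not {"authuserfile", "require"} <= directives:
        findings.append("admin .htaccess lacks htpasswd protection")
    if not any(re.match(r"(allow from|require ip)\s+\d", ln, re.I) for ln in lines):
        findings.append("admin .htaccess lacks an IP allow-list")
    return findings

if __name__ == "__main__":
    for gap in audit(SAMPLE_CONFIG, SAMPLE_ADMIN_HTACCESS):
        print("WARN:", gap)
```

Run against the sample it flags only the attachments directory, which the constructed config deliberately left under public_html.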