WHMCS includes features to help keep your data safe, and we recommend taking additional steps to secure your WHMCS installation further.

We recommend moving all writeable directories to a secure, private location and updating related items to prevent unauthorized web-based access.

Security questions add an extra level of security for users. During password resets, the system uses them to verify the user's identity.

WHMCS recommends several options to help you stop spam orders, and includes support for reCAPTCHA, banning email domains, and more.

API authentication credentials allow your API-connected devices and systems to authenticate with WHMCS using API roles that you create.

Email verification ensures that a client's registered email address is valid after client creation or changes to the email address.

When you secure your installation, we recommend adjusting the permissions for the configuration.php file to protect your sensitive data.

We recommend moving the crons directory to a custom private directory above your web root to prevent unauthorized web-based access.

Customizing the WHMCS admin directory name makes it harder for bots and malicious users to find the login URL for your Admin Area.

WHMCS automatically bans IP addresses after three failed login attempts, or you can permanently ban them manually.

Captchas help you prevent bots from placing orders, creating accounts, or logging in to your Client Area. WHMCS includes several captcha types.

WHMCS's default captcha option displays an image with six characters on a striped background. This option does not require additional configuration or an additional account with a captcha service.

The Security tab in General Settings allows you to configure security-related features. You can enable and configure captcha protection and email verification, set password strength and ban lengths, set a whitelist, and more.

You can configure WHMCS to use an encrypted MySQL® database. This requires additional steps to add settings to your configuration.php file.

NGINX® can't read the .htaccess file that WHMCS uses, so NGINX users must take additional steps to protect sensitive directories.