Restrict NGINX Directory Access

WHMCS uses a .htaccess file to protect the /vendor/ directory, but NGINX® does not read .htaccess files. Because of this, the directory loses its protection on servers that runs NGINX. If your server uses NGINX, you must take additional steps to protect sensitive directories.

Restrictions within .htaccess files will not apply to your system and you must perform the additional steps below.

Restricting Directory Access

For cPanel & WHM version 84 and Later

In cPanel & WHM version 84 and later, you can use cPanel’s Directory Privacy interface (Home » cPanel » Files » Directory Privacy) to add protection to this directory.

To protect the directory, perform the following steps:

Select the /whmcs/vendor directory in cPanel’s Directory Privacy interface (Home » cPanel » Files » Directory Privacy).
Select Password protect this directory.
Enter a display label for Enter a name for the protected directory.
This name only functions as a label for the directory. Do not confuse it with the directory’s actual name.
Click Save. A confirmation message will appear. Click Go Back to return to the directory’s configuration.

For All Other Control Panels

The steps below require root-level access to the server running NGINX. If you do not have root-level access, you will need to contact your hosting provider or system administrator.

To restrict directory access on servers that run cPanel & WHM version 82 and earlier or on other hosting control panels:

Log in to the web server.
Locate the NGINX configuration template.

Add the deny directive to the top of the server block of your site’s configuration:

server {
    location ^~ /vendor/ {
        deny all;
        return 403;
    }
    ...
}

Save your changes and restart NGINX.

Locating the NGINX Configuration File

NGINX has a very flexible configuration organization. Because of this, your configuration file may be in a number of different places:

Server Type	Default or Most Common Locations
cPanel & WHM	`/etc/nginx/conf.d/users/<username>.conf`
Debian® and Ubuntu	`/etc/nginx/sites-available/default` `/etc/nginx/sites-available/example.com` (if the administrator has set up configuration files for each website individually)
Other Servers	See below.

Other Servers

If you do not find the configuration file in any of the above locations:

Run the following command on your server:
```
nginx -t
```
The output will display the current directory path to your server’s NGINX configuration file. For example:
```
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
To check whether the NGINX configuration file contains any include directives, run the following command:
```
grep include /etc/nginx/nginx.conf
```
If the grep command does not return any output, you can proceed with your changes to the configuration. The server directive will exist in the file that you found in step 1.
If the grep command returns any results, you must check each include file for the server directive. For example, this output would require you to check all four include files for server directives:
```
include /etc/nginx/modules-enabled/*.conf;
include /etc/nginx/mime.types;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
```

Restarting NGINX

After making any configuration changes to NGINX, you must reload the NGINX configuration by restarting NGINX.

Server Type or OS	Command to Restart NGINX
cPanel & WHM	`/usr/local/cpanel/scripts/restartsrv_nginx`
CentOS 6	`/etc/init.d/nginx reload`
CentOS 7	`systemctl reload nginx.service`
Debian and Ubuntu	`systemctl reload nginx`

security

Last modified: 2025 July 28