Enhancing Security

WHMCS includes features to help keep your data safe, and we recommend taking additional steps to secure your self-hosted WHMCS installation further.

Secure Writeable Directories

We recommend moving all writeable directories to a secure, private location and updating related items to prevent unauthorized web-based access to self-hosted WHMCS installations.

Security Questions

Security questions add an extra level of security for users. During password resets, the system uses them to verify the user's identity.

Spam Orders

WHMCS recommends several options to help you stop spam orders, and includes support for reCAPTCHA, banning email domains, and more.

API Credentials

API authentication credentials allow your API-connected devices and systems to authenticate with WHMCS using API roles that you create.

Client Email Verification

Email verification ensures that a client's registered email address is valid after client creation or changes to the email address.

Secure the Configuration File

When you secure your self-hosted WHMCS installation, we recommend adjusting the permissions for the configuration.php file to protect your sensitive data.

Move the Cron Directory

We recommend moving the crons directory to a custom private directory above your web root to prevent unauthorized web-based access to self-hosted WHMCS installations.

Rename the Admin Directory

Customizing the WHMCS admin directory name makes it harder for bots and malicious users to find the login URL for the Admin Area of your self-hosted WHMCS installation.

Banned IP Addresses

WHMCS automatically bans IP addresses after three failed login attempts, or you can permanently ban them manually.

Captcha Protection

Captchas help you prevent bots from placing orders, creating accounts, or logging in to your Client Area. WHMCS includes several captcha types, including a default verification code captcha and options with enhanced protection from Google® reCAPTCHA and hCaptcha.

Enable Default Captchas

WHMCS's default captcha option displays an image with six characters on a striped background. This option does not require additional configuration or an additional account with a captcha service.

Enable hCaptcha®

Enable hCaptcha or Invisible hCaptcha as your captcha type in WHMCS. hCaptcha offers checkbox-based and invisible captcha options to help you prevent bots from placing orders, creating accounts, or logging in to your Client Area or Admin Area. Before enabling hCaptcha or Invisible hCaptcha in WHMCS, you must configure it in your hCaptcha account.

Enable reCAPTCHA v3

Enable reCAPTCHA v3 as your captcha type in WHMCS. reCAPTCHA v3 is an invisible captcha type that can help you prevent bots from placing orders, creating accounts, or logging in to your Client Area or Admin Area. Before enabling reCAPTCHA v3 in WHMCS, you must configure it in your Google® account.

Security

The Security tab in General Settings allows you to configure security-related features. You can enable and configure captcha protection and email verification, set password strength and ban lengths, set a whitelist, and more.

Encrypt Your MySQL Connection

You can configure WHMCS to use an encrypted MySQL® database with your self-hosted WHMCS installation. This requires additional steps to add settings to your configuration.php file.

Restrict NGINX Directory Access

NGINX® can't read the .htaccess file that WHMCS uses, so NGINX users must take additional steps to protect sensitive directories on self-hosted WHMCS installations.