Sensitive Directory Check Errors

Problem

This information only applies to self-hosted WHMCS installations. WHMCS Cloud handles the installation and initial configuration process for you automatically.

You see the following message at Configuration () > System Health:

Sensitive Directory Check
One or more sensitive directories are accessible from the web: 
/vendor

Cause

This message indicates that your server configuration allows direct web access to directories that should be restricted. Direct access to these directories can cause unexpected behavior and security-related issues.

For example, the /vendor directory includes various common libraries that WHMCS uses. Your server should not serve file requests directly from this path.

Solution

The solution depends on the type of server that hosts your WHMCS installation.

For more information, see Enhancing Security.

Apache® Servers

If your server runs Apache, the included .htaccess file already protects against these problems. Verify that:

  1. The .htaccess file exists in the /vendor directory.
  2. Your Apache configuration allows .htaccess overrides.

Non-Apache Servers

If you use a server that does not run Apache, you must update your configuration to prohibit serving files directly from the /vendor directory.

troubleshooting troubleshooting-article security

Last modified: 2026 January 21