Sensitive Directory Check Errors

Problem

This information only applies to self-hosted WHMCS installations. WHMCS Cloud handles the installation and initial configuration process for you automatically.

You see the following message at Configuration () > System Health:

Sensitive Directory Check
One or more sensitive directories are accessible from the web: 
/vendor

Cause

This message indicates that your server configuration allows direct web access to directories that should be restricted. Direct access to these directories can cause unexpected behavior and security-related issues.

For example, the /vendor directory includes various common libraries that WHMCS uses. Your server should not serve file requests directly from this path.

Solution

The solution depends on the type of server that hosts your WHMCS installation.

For more information, see Enhancing Security.

Apache® Servers

If your server runs Apache, the included .htaccess file already protects against these problems. Verify that:

  • The .htaccess file exists in the /vendor directory.
  • The AllowOverride setting in your Apache configuration is not set to None. This ensures that Apache allows .htaccess overrides.
For additional steps to troubleshoot Apache servers, see Apache’s documentation.

OpenLiteSpeed Servers

If your server runs OpenLiteSpeed, verify that you have explicitly enabled the use of .htaccess files.

For more information, see OpenLiteSpeed’s documentation.

Other Servers

If you use a server that does not run Apache, you must update your configuration to prohibit serving files directly from the /vendor directory.

We develop and validate WHMCS for use on Apache servers.
For steps to restrict access on other servers that use NGINX, see Restrict NGINX Directory Access.
troubleshooting troubleshooting-article security

Last modified: 2026 January 21