Security/Ban Control

From WHMCS Documentation

Banning IP Addresses

With WHMCS, it is possible to ban an IP address from accessing your entire WHMCS system.

Managing Banned IPs

To view all the banned IP addresses in your system, go to Configuration () > System Settings > Other > Manage Banned IPs. You will then see the banned IP addresses, the reason for that ban, and the date and time at which the ban expires. You can delete IP addresses that have been banned in error from the ban list using the red delete icon to the right of the line.

Adding a New Banned IP

To add a new banned IP address, click the Add tab near the top of the page. The add options will appear. You can enter the IP address you want to ban, the reason for banning it, and the date and time at which the ban should expire. Then, click the Add Banned IP button to ban the IP address. The change will take effect immediately.

The last two blocks accept wildcards to enable you to block IP address ranges (for example, 189.123.789.* or 189.123.*.*).

Searching Banned IPs

To search for a banned IP address, click the Filter tab near the top of the page. You can then filter the list of banned IP addresses, by IP address or reason, to locate specific IPs you wish to un-ban.

Banning Email Domains

With WHMCS, you can ban email domains from signing up. This is useful if you want to block customers from signing up using free email accounts.

To enable this feature, go to Configuration () > System Settings > Other > Manage Banned Emails. You will then see a list of all the currently banned email domains and the number of times a customer has attempted to sign up using them.

To add a new banned email domain, click the Add tab at the top of the page and then enter the email domain you wish to ban. For example, "".

Auto Ban Control

By default, WHMCS blocks any user IP addresses that attempt to log in to the admin area with a valid username and incorrect password three or more times. The length of this ban, by default, is 15 minutes. This helps to prevent hackers from endlessly trying different password combinations in order to gain access to your admin area. You can alter the length of this ban by going to Configuration () > System Settings > General Settings > Security tab > Failed Admin Login Ban Time.

To disable IP banning for failed admin logins, set this value to 0. The system will never attempt to ban IP addresses and the user will be able to continue to attempt to log in endlessly. For this reason, we recommend a minimum value of at least 1.