Banned IP Addresses
WHMCS allows you to manually ban IP addresses from accessing your entire WHMCS system.
You can access this feature at Configuration () > System Settings > Banned IPs.
After three consecutive failed admin login attempts, the system will separately block the source IP address for those attempts. This helps to prevent dictionary password attacks.
- You can configure the length of automatic IP address bans in the Security tab at Configuration () > System Settings > General Settings.
- You can ban email domains at Configuration () > System Settings > Banned Emails.
Manually Banned IP Addresses
The list of banned IP addresses at Configuration () > System Settings > Banned IPs displays the reason for each ban and the date and time at which the ban expires.
- To search for a banned IP address, choose the Filter tab. You can filter the list of banned IP addresses by IP address or ban reason.
- You can delete IP addresses from the ban list (allowing access) using the red delete icon to the right of the line.
To ban an IP address:
- Choose the Add tab.
- Enter the IP address that you want to ban. The last two blocks accept wildcards to enable you to block IP address ranges (for example,
189.123.789.*
or189.123.*.*
). - Enter the reason for the ban.
- Enter the date and time at which the ban will expire.
- Click Add Banned IP. The ban will begin immediately.
Automatically Banned IP Addresses
After three consecutive failed admin login attempts, the system will block the source IP address for the amount of time that you specified in the Security at Configuration () > System Settings > General Settings. This helps to prevent against dictionary password attacks.
Remove the Automatic Ban
To remove the automatic ban, you can wait for the ban to expire in the displayed time on the error message, log in from a different IP address, or lift the ban immediately.
To lift the ban immediately:
- Log in to your database administration interface (usually phpMyAdmin via your server control panel).
- Select the WHMCS database.
- Browse to the
tblbannedips
table. - Locate the row containing your IP address.
- Delete that row.
Restricting Access to the Admin Area
For increased protection, if your staff uses fixed IP addresses, you can restrict Admin Area access to a specific set of IP addresses. This will help to prevent access by hackers and other malicious users.
To restrict access:
- Create a
.htaccess
file in your WHMCS admin directory. - Add the correct content for your version of Apache® to the new
.htaccess
file:- For Apache 2.2, add:
order deny,allow allow from 12.34.5.67 allow from 98.76.54.32 deny from all
- For Apache 2.4, add:
Require ip 12.34.5.67 Require ip 98.76.54.32
You can specify as many differentallow from
orRequire ip
lines as you require. You can allow entire IP subnets by specifying only the first part of an IP address (for example,12.34.
). This is.htaccess
IP restriction. - For Apache 2.2, add:
- Save the file.
Last modified: December 17, 2024