Banned IP Addresses

WHMCS allows you to manually ban IP addresses from accessing your entire WHMCS system.

You can access this feature at Configuration > System Settings > Banned IPs.

After three consecutive failed admin login attempts, the system will separately block the source IP address for those attempts. This helps to prevent dictionary password attacks.

  • You can configure the length of automatic IP address bans in the Security tab at Configuration > System Settings > General Settings.
  • You can ban email domains at Configuration > System Settings > Banned Emails.

Manually Banned IP Addresses

The list of banned IP addresses at Configuration > System Settings > Banned IPs displays the reason for each ban and the date and time at which the ban expires.

  • To search for a banned IP address, choose the Filter tab. You can filter the list of banned IP addresses by IP address or ban reason.
  • You can delete IP addresses from the ban list (allowing access) using the red delete icon to the right of the line.

To ban an IP address:

  1. Choose the Add tab.
  2. Enter the IP address that you want to ban. The last two blocks accept wildcards to enable you to block IP address ranges (for example, 189.123.789.* or 189.123.*.*).
  3. Enter the reason for the ban.
  4. Enter the date and time at which the ban will expire.
  5. Click Add Banned IP. The ban will begin immediately.
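
The wildcard rule in step 2, as an added example that is not WHMCS code: this Python sketch converts ban entries to the networks they cover and flags entries that would also block a trusted address, so you can review a wildcard ban before adding it. It assumes a wildcard in the third block always comes with a wildcard in the fourth, as in the two patterns above; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

def ban_pattern_to_network(pattern):
    """Return the IPv4 network covered by a ban entry such as '203.0.113.*'."""
    blocks = pattern.strip().split(".")
    if len(blocks) != 4:
        raise ValueError(f"expected four blocks: {pattern!r}")
    if "*" in blocks[:2]:
        raise ValueError(f"wildcards only go in the last two blocks: {pattern!r}")
    # Assumption: '*' in block 3 requires '*' in block 4 (a contiguous range).
    if blocks[2] == "*" and blocks[3] != "*":
        raise ValueError(f"non-contiguous wildcard: {pattern!r}")
    octets = []
    for block in blocks:
        if block == "*":
            octets.append("0")
        elif block.isascii() and block.isdigit() and int(block) <= 255:
            octets.append(str(int(block)))
        else:
            raise ValueError(f"block {block!r} is not 0-255 or '*': {pattern!r}")
    # Each wildcard block widens the range by 8 bits: /24 for one, /16 for two.
    prefix = 32 - 8 * blocks.count("*")
    return ipaddress.ip_network(f"{'.'.join(octets)}/{prefix}")

def trusted_ips_caught(ban_patterns, trusted_ips):
    """List (trusted_ip, pattern) pairs where a ban entry covers a trusted IP."""
    caught = []
    for pattern in ban_patterns:
        network = ban_pattern_to_network(pattern)
        for ip in trusted_ips:
            if ipaddress.ip_address(ip) in network:
                caught.append((ip, pattern))
    return caught

if __name__ == "__main__":
    # Constructed sample data (documentation address ranges, not real hosts).
    planned_bans = ["203.0.113.*", "198.51.*.*", "192.0.2.44"]
    staff_ips = ["198.51.100.7", "192.0.2.10"]
    for pattern in planned_bans:
        net = ban_pattern_to_network(pattern)
        print(f"{pattern:<14} -> {net} ({net.num_addresses} addresses)")
    for ip, pattern in trusted_ips_caught(planned_bans, staff_ips):
        print(f"WARNING: {pattern} would also ban trusted address {ip}")
```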

Automatically Banned IP Addresses

After three consecutive failed admin login attempts, the system will block the source IP address for the amount of time that you specified in the Security tab at Configuration > System Settings > General Settings. This helps to prevent dictionary password attacks.

If you become banned often, consider adding your connection’s IP address to the Whitelisted IPs list in the Security tab at Configuration > System Settings > General Settings.

Remove the Automatic Ban

To remove the automatic ban, you can wait for the ban to expire at the time displayed in the error message, log in from a different IP address, or lift the ban immediately.

To lift the ban immediately:

  1. Log in to your database administration interface (usually phpMyAdmin via your server control panel).
  2. Select the WHMCS database.
  3. Browse to the tblbannedips table.
  4. Locate the row containing your IP address.
  5. Delete that row.

Restricting Access to the Admin Area

For increased protection, if your staff uses fixed IP addresses, you can restrict Admin Area access to a specific set of IP addresses. This will help to prevent access by hackers and other malicious users.

For more information about recommended security measures, see More Ways to Secure Your WHMCS Installation.

To restrict access:

  1. Create a .htaccess file in your WHMCS admin directory.
  2. Add the correct content for your version of Apache® to the new .htaccess file:
    • For Apache 2.2, add:
      order deny,allow
      allow from 12.34.5.67
      allow from 98.76.54.32
      deny from all
      
    • For Apache 2.4, add:
      Require ip 12.34.5.67
      Require ip 98.76.54.32
      
    You can specify as many different allow from or Require ip lines as you require. You can allow entire IP subnets by specifying only the first part of an IP address (for example, 12.34.). This method is known as .htaccess IP restriction.
  3. Save the file.

Last modified: June 14, 2024