Security

The Security tab allows you to configure security-related features in WHMCS.

The Security tab in General Settings

You can access this tab at Configuration > System Settings > General Settings.

Email Verification

Whether to send an email verification notice each time that a user or admin creates a new client and each time that an existing client email address changes. The client must use the verification link in the email to confirm the new email address.

Email verification in the Security tab in General Settings
For more information, see Client Email Verification.

Captcha Form Protection

Whether to use captcha protection in the locations that you select for Captcha for Selected Forms (below).

  • Captchas can help prevent automated bots from placing orders, searching for domains, creating accounts or support tickets, using contact forms, and logging in to your Client Area and Admin Area.
  • You can select whether captchas always perform verification (Always Enabled), only perform verification for unauthenticated visitors (Enabled for Unauthenticated Visitors Only), or never perform verification (Never Enabled).
    We updated the names for these options in WHMCS 8.11.
For more information, see Captcha Protection.

Captcha Type

  • We strongly recommend that you update your settings to use reCAPTCHA v3 or hCaptcha®. These captcha types include enhanced protection against automated captcha solvers.
  • In order to use reCAPTCHA or hCaptcha®, you must register for a Google reCAPTCHA or hCaptcha account and enter a set of keys.

The captcha type to use. You can select the following captcha types:

Default (6 Character Verification Code)
  • Captcha method: Verification Code
  • Description: Use a captcha that displays an image with six characters on a blue-striped background. This option does not require additional configuration using the settings below.
  • This captcha type requires GD2 on your server.
  • For steps to enable this captcha type, see Enable Default Captchas.

reCAPTCHA v2 (WHMCS 8.11 and later) or reCAPTCHA (WHMCS 8.10 and earlier)
  • Captcha method: Checkbox
  • Description: Use Google®’s reCAPTCHA v2 service. When you select this option, the reCAPTCHA Site Key and reCAPTCHA Secret Key settings will appear.

Invisible reCAPTCHA v2 (WHMCS 8.11 and later) or Invisible reCAPTCHA (WHMCS 8.10 and earlier)
  • Captcha method: Invisible
  • Description: Use the invisible version of Google’s reCAPTCHA v2 service. When you select this option, the reCAPTCHA Site Key and reCAPTCHA Secret Key settings will appear.

reCAPTCHA v3
  • Captcha method: Invisible
  • We added full support for reCAPTCHA v3 in WHMCS 8.11.
  • Description: Use the invisible version of Google’s reCAPTCHA v3 service. When you select this option, the reCAPTCHA Site Key, reCAPTCHA Secret Key, and reCAPTCHA Score Threshold settings will appear.
  • For steps to enable this captcha type, see Enable reCAPTCHA v3.

hCaptcha
  • Captcha method: Checkbox
  • We added support for hCaptcha in WHMCS 8.11.
  • Description: Use hCaptcha for captcha protection. When you select this option, the hCaptcha Site Key, hCaptcha Secret Key, and hCaptcha Score Threshold settings will appear.
  • For steps to enable this captcha type, see Enable hCaptcha.

Invisible hCaptcha
  • Captcha method: Invisible
  • We added support for Invisible hCaptcha in WHMCS 8.11.
  • Description: Use the invisible version of hCaptcha for verification. When you select this option, the hCaptcha Site Key, hCaptcha Secret Key, and hCaptcha Score Threshold settings will appear.
  • For steps to enable this captcha type, see Enable hCaptcha.

For more information on the different methods each captcha type uses, see Captcha Protection.

reCAPTCHA Site Key

This setting only displays if you selected a reCAPTCHA option for Captcha Type.

Your reCAPTCHA site key. You can find this key in your Google account.

reCAPTCHA Secret Key

This setting only displays if you selected a reCAPTCHA option for Captcha Type.

Your reCAPTCHA site secret key. You can find this key in your Google account.

reCAPTCHA Score Threshold

  • We added this setting in WHMCS 8.11.
  • This setting only displays if you selected reCAPTCHA v3 for Captcha Type.
  • hCaptcha and reCAPTCHA v3 both use score thresholds, but their scoring systems are inverted. Make certain that you use the correct score threshold for your captcha type.

The minimum score that a visitor must receive to pass reCAPTCHA v3 verification. You can enter a value between 0 (least restrictive) and 1 (most restrictive). reCAPTCHA v3 scores range from 0.0 (very likely a bot) to 1.0 (very likely a human), so raising the threshold blocks more traffic.

This value defaults to 0.5.

hCaptcha Site Key

  • We added this setting in WHMCS 8.11.
  • This setting only displays if you selected an hCaptcha option for Captcha Type.

Your hCaptcha site key. You can find this key in your hCaptcha account.

hCaptcha Secret Key

  • We added this setting in WHMCS 8.11.
  • This setting only displays if you selected an hCaptcha option for Captcha Type.

Your hCaptcha site secret key. You can find this key in your hCaptcha account.

hCaptcha Score Threshold

  • We added this setting in WHMCS 8.11.
  • This setting only displays if you selected an hCaptcha option for Captcha Type.
  • hCaptcha and reCAPTCHA v3 both use score thresholds, but their scoring systems are inverted. Make certain that you use the correct score threshold for your captcha type.

The maximum score that a visitor may receive and still pass hCaptcha verification. You can enter a value between 1 (least restrictive) and 0 (most restrictive). hCaptcha scores are risk scores, with 0.0 indicating a likely human and 1.0 a likely bot, so lowering the threshold blocks more traffic.

This value defaults to 0.5.
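The inverted scoring between reCAPTCHA v3 and hCaptcha is easy to get wrong when you verify tokens yourself, for instance in a custom hook or on an external form that posts to WHMCS. The following Python is an added example and not WHMCS code: it applies a configured threshold to a provider siteverify response for either captcha type, and fails closed on rejected, malformed or scoreless responses. The type names, the sample JSON responses and the 0.5 threshold are constructed for illustration.

```python
import json

# Score semantics per provider (assumption: taken from the providers' public
# documentation, not from WHMCS code). True means "higher score = more human".
HIGHER_IS_HUMAN = {
    "recaptcha_v3": True,   # 1.0 very likely human, 0.0 very likely bot
    "hcaptcha": False,      # hCaptcha score is a risk score: 1.0 very likely bot
}


def captcha_passes(captcha_type: str, siteverify_json: str, threshold: float) -> bool:
    """Apply a configured score threshold to a siteverify response body.

    Returns True only when the provider accepted the token AND the score is on
    the human side of the threshold for that provider. Anything malformed or
    incomplete fails closed, so a broken integration blocks rather than bypasses.
    """
    if captcha_type not in HIGHER_IS_HUMAN:
        raise ValueError(f"unknown captcha type: {captcha_type}")
    if not 0.0 <= threshold <= 1.0:
        raise ValueError("threshold must be between 0 and 1")
    try:
        data = json.loads(siteverify_json)
    except ValueError:
        return False
    if not isinstance(data, dict) or data.get("success") is not True:
        return False  # token invalid, expired, already used, or wrong secret
    score = data.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return False  # no usable score: fail closed instead of skipping the check
    if HIGHER_IS_HUMAN[captcha_type]:
        return score >= threshold   # reCAPTCHA v3: threshold is a minimum
    return score <= threshold       # hCaptcha: threshold is a maximum risk


# Constructed siteverify responses (not captured from Google or hCaptcha).
RECAPTCHA_OK = json.dumps({"success": True, "score": 0.9, "action": "login",
                           "hostname": "billing.example.com"})
RECAPTCHA_BOT = json.dumps({"success": True, "score": 0.1, "action": "login"})
HCAPTCHA_OK = json.dumps({"success": True, "score": 0.1,
                          "hostname": "billing.example.com"})
HCAPTCHA_BOT = json.dumps({"success": True, "score": 0.9})
REJECTED = json.dumps({"success": False, "error-codes": ["timeout-or-duplicate"]})


def demo() -> dict:
    """Same threshold (0.5), same raw scores: opposite verdicts per provider."""
    return {
        "recaptcha_v3 score 0.9": captcha_passes("recaptcha_v3", RECAPTCHA_OK, 0.5),
        "recaptcha_v3 score 0.1": captcha_passes("recaptcha_v3", RECAPTCHA_BOT, 0.5),
        "hcaptcha score 0.1": captcha_passes("hcaptcha", HCAPTCHA_OK, 0.5),
        "hcaptcha score 0.9": captcha_passes("hcaptcha", HCAPTCHA_BOT, 0.5),
        "rejected token": captcha_passes("recaptcha_v3", REJECTED, 0.5),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {'pass' if verdict else 'block'}")
```

Note that a raw score of 0.1 passes under hCaptcha semantics and blocks under reCAPTCHA v3 semantics with the same 0.5 threshold; copying a threshold from one provider to the other therefore flips its effect.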

Captcha for Selected Forms

The locations in which you want captchas to appear. You can select from the following locations:

  • Shopping Cart Checkout — On the checkout page in the Client Area.
  • Domain Checker — On the domain checker on the Client Area Homepage and when registering and transferring domains in the Shopping Cart.
  • Client Registration — On the register.php page.
  • Contact Form — On the contact.php page.
  • Ticket Submission — On the support ticket creation page.
  • Login Forms — On the Admin Area and Client Area login pages.

Auto Generated Password Format

The desired complexity of passwords that WHMCS generates for newly-provisioned services.

  • The default complexity consists of 14 characters that contain uppercase and lowercase letters, numbers, and symbols.
  • To reduce the complexity of generated passwords, you can choose to generate passwords that only use combinations of letters and numbers.

Minimum User Password Strength

The desired password strength for user passwords. Set this to 0 to disable the password strength check on the order form.

To reach a password strength of 100, the user must enter a password that contains five or more characters, contains one symbol, and contains one uppercase letter or number.

For more detailed information, see the /assets/js/PasswordStrength.js file.

Failed Admin Login Ban Time

The number of minutes that must pass before a visitor can try again after failed login attempts. By default, WHMCS blocks any visitor IP address that attempts to log in to the Admin Area with a valid username and an incorrect password three or more times.

  • The default length of this ban is 15 minutes. This helps to prevent attackers from endlessly trying different password combinations in order to gain access to your Admin Area (brute-force and dictionary attack protection).
  • Set this to 0 to disable the login ban feature. The system will never ban IP addresses, and a visitor will be able to continue to attempt to log in endlessly.
  • We recommend a minimum value of 1.
For more information, see Remove an IP Address Ban.

Whitelisted IPs

IP addresses that you want to whitelist. The system will never ban these IP addresses from accessing the Admin Area due to login failures. For example, you may wish to whitelist your office’s IP address.

Whitelisted IP Login Failure Notices

Whether to suppress notifications for failed logins from whitelisted IP addresses. If you disable this option, the system will send notification emails to admins with the Full Administrator admin role whenever a login fails, even if the login is from a whitelisted IP address.

Disable Admin Password Reset

Whether to remove the Forgotten Password link on the Admin Area login page.

For more information, see Reset an Admin Password.

Delete Encrypted Credit Card Data

Click Delete to delete all locally-stored encrypted credit card data from the database. This will not delete remote gateway tokens.

This action is irreversible.

Delete Encrypted Bank Account Data

Click Delete to delete all locally-stored encrypted bank account data from the database.

This action is irreversible.

Allow Client Pay Method Removal

Whether to allow clients to delete payment methods from their accounts. If you enable this setting, an option will appear in the Shopping Cart and Client Area to store payment details as a saved pay method for faster future checkouts.

  • If you disable this, only admins can delete saved pay methods.
  • We recommend enabling this option.

Disable Session IP Check

Whether to disable session IP checks. Session IP checks protect your WHMCS installation from cookie or session hijacking, but can cause problems for users with dynamic IP addresses or who use mobile devices.

Allow Smarty PHP Tags

We deprecated legacy Smarty tag backwards compatibility in WHMCS 8.7 and will remove support entirely in WHMCS 9.0.

  • This setting will not display for new WHMCS installations on WHMCS 8.7 and later.
  • You must remove these tags from your custom themes and templates.

Smarty 3 removed support for Smarty {php} tags. Prior to WHMCS 8.7, this setting enables backwards compatibility that allows you to continue using these tags in your custom themes and templates. We strongly recommend disabling it.

For more information, see Legacy Smarty Tags.

Trusted Proxy Settings

Enter IP addresses or IP address ranges for proxies or other forwarding services so that WHMCS can accurately determine the IP address of inbound traffic.

You may need to configure this setting if your WHMCS installation:

  • is behind a proxy you control.
  • is behind a load balancer or firewall that modifies HTTP requests.
  • receives HTTP requests from a proxy or DDoS protection service like CloudFlare® or BlackLotus.
  • is behind infrastructure that can rewrite the network-layer information (the source IP address) of a request.

These types of deployment setups will alter the value from the originating IP address to their own IP address. This is expected behavior because it is part of standard network specifications.

Unfortunately, this also makes it look as if your client logins, admin logins, and orders are all coming from the proxy instead of the real location. When this happens, the location is masked for logging, access authorization, fraud detection, or other IP address-related purposes.

Using these settings can help to mitigate these issues.

Some of CloudFlare’s features are not compatible with WHMCS. If you use CloudFlare, ensure that Script Minimisation and Rocket Loader are disabled for the WHMCS installation domain.

Proxy IP Header

The HTTP header that WHMCS will use to find the authoritative IP address for the request. Most proxies use X-Forwarded-For, so you can usually leave this setting blank.

Only change this value if you are sure that your proxy uses a different header. Entering the wrong header here can cause improper recording of IP addresses. Because any client can send forwarding headers itself, the header is only meaningful for requests that arrive from an address in Trusted Proxies (below); also make sure that the proxy you list overwrites or appends to the header rather than passing a client-supplied value through unchanged.

Trusted Proxies

The IP addresses and IP address CIDR ranges of trusted proxies. WHMCS will check the header to discover the actual canonical request IP address.

The Trusted Proxies setting in General Settings

  • To add an IP address or IP address range, click Add IP, enter the address or range and any notes, and click Add IP.
  • To remove an IP address or IP address range, select the desired list item and click Remove Selected. To remove multiple addresses, press Control (for Windows®) or Command (for Mac®) and single-click the proxies that you want to remove.
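How the Proxy IP Header and Trusted Proxies settings interact, as an added Python example that is not WHMCS code: the forwarding header is consulted only when the TCP peer is a listed trusted proxy, and the chain is walked from the right so that a value the client supplied cannot override the address the proxy appended. The trusted proxy list, header values and addresses are constructed for illustration.

```python
import ipaddress
from typing import Iterable

# Constructed sample configuration (assumption: not from any real deployment).
# Mirrors a Trusted Proxies list of one CIDR range and one single address.
TRUSTED_PROXIES = ["10.0.0.0/8", "203.0.113.5"]
PROXY_IP_HEADER = "X-Forwarded-For"


def is_trusted_proxy(ip: str, trusted: Iterable[str]) -> bool:
    """True if ip falls inside any trusted address or CIDR range."""
    addr = ipaddress.ip_address(ip)
    for entry in trusted:
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def resolve_client_ip(remote_addr: str, headers: dict, trusted: Iterable[str],
                      header: str = PROXY_IP_HEADER) -> str:
    """Return the IP address the request should be attributed to.

    remote_addr is the TCP peer (what PHP sees as REMOTE_ADDR). The header is
    honoured only when that peer is a trusted proxy. The chain is read from
    the right: trusted hops are stripped and the first untrusted address is
    the client. Malformed entries fall back to the peer address.
    """
    if not is_trusted_proxy(remote_addr, trusted):
        # Direct connection or an unknown proxy: the header is untrusted input.
        return remote_addr
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(header.lower(), "")
    chain = [part.strip() for part in raw.split(",") if part.strip()]
    for hop in reversed(chain):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr
        if not is_trusted_proxy(hop, trusted):
            return hop
    # Header missing, or every hop was one of our proxies: attribute to the peer.
    return remote_addr


def demo() -> dict:
    """Constructed requests: 198.51.100.7 is the real client, 192.0.2.99 a spoof."""
    return {
        # Client bypasses the proxy and forges the header: header ignored.
        "direct spoof": resolve_client_ip(
            "198.51.100.7", {"X-Forwarded-For": "192.0.2.99"}, TRUSTED_PROXIES),
        # Normal path through a trusted proxy.
        "via proxy": resolve_client_ip(
            "10.1.2.3", {"X-Forwarded-For": "198.51.100.7"}, TRUSTED_PROXIES),
        # Two trusted hops; header name case differs.
        "two hops": resolve_client_ip(
            "10.1.2.3", {"x-forwarded-for": "198.51.100.7, 203.0.113.5"},
            TRUSTED_PROXIES),
        # Client sent a forged header; the proxy appended the true address.
        "spoof through proxy": resolve_client_ip(
            "10.1.2.3", {"X-Forwarded-For": "192.0.2.99, 198.51.100.7"},
            TRUSTED_PROXIES),
        # Trusted peer but no header at all.
        "no header": resolve_client_ip("10.1.2.3", {}, TRUSTED_PROXIES),
    }


if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case}: {ip}")
```

The "spoof through proxy" case is why the list of trusted proxies must only contain hosts you control: if the proxy passed the header through unchanged instead of appending, the forged leftmost value would be the only address available and the ban, fraud and logging features described above would act on it.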

API IP Access Restriction

This is an advanced setting.

The IP addresses that may call the WHMCS API from outside the WHMCS server itself. If you use the API from an off-server location, enter that location's IP address here to preserve your continued access.

Log API Authentication

Whether to log successful authentications via the API in the Admin Log at Configuration > System Logs. By default, the system does not log these authentications.

CSRF Tokens: General

Whether to require CSRF tokens on forms. This prevents a malicious site from forging form submissions on behalf of a logged-in client or admin (cross-site request forgery) in order to perform actions in your WHMCS installation.

This option is enabled by default and we recommend that you always enable it unless WHMCS Technical Support instructs you to disable it.

CSRF Tokens: Domain Checker

Whether to require CSRF tokens for the domain checker in the Client Area. Leaving this disabled allows you to send domain information to WHMCS from an external page (for example, using the domain checker integration code on your website). By default, CSRF tokens are disabled for the domain checker.

If you are not using the integration code, you can enable this option; visitors will then only be able to use the built-in domain checker pages.

Last modified: October 30, 2024