Security
- Email Verification
- Captcha Form Protection
- Required Password Strength
- Auto Generated Password Format
- Failed Admin Login Ban Time
- Whitelisted IPs
- Whitelisted IP Login Failure Notices
- Disable Admin Password Reset
- Delete Encrypted Credit Card Data
- Delete Encrypted Bank Account Data
- Allow Client Pay Method Removal
- Disable Session IP Check
- Allow Smarty PHP Tags
- Trusted Proxy Settings
- Proxy IP Header
- Trusted Proxies
- API IP Access Restriction
- Log API Authentication
- CSRF Tokens
- CSRF Tokens: Domain Checker
The Security tab allows you to configure security-related features in WHMCS.
![The Security tab in General Settings](/images/general-settings/security/security.png)
You can access this tab at Configuration > System Settings > General Settings.
Email Verification
Enable this to cause WHMCS to send an email verification notice each time that a user or admin creates a new client and each time that an existing client email address changes. The client must use the verification link in the email to confirm the new email address.
![Email verification in the Security tab in General Settings](/images/general-settings/security/email-verification.png)
Captcha Form Protection
Enable this to use Captcha image verification for your WHMCS installation. This feature displays an image that contains letters and numbers that only humans can read. It appears on the ticket submission, registration, and domain checker pages in the Client Area to help prevent automated submissions and spam. You can select whether the image verification never displays, always displays, or only displays to visitors.
You can select the following Captcha types:
Option | Description |
---|---|
Default | This requires GD2 on your server and displays an image with five characters on a blue striped background. This option does not require additional configuration. |
reCAPTCHA or Invisible reCAPTCHA | Use the Google® reCAPTCHA service. You must register for and then enter a set of keys to use this service. For more information, see Google reCAPTCHA. |
Required Password Strength
Enter the desired password strength for user passwords, or set this to 0 to disable the password strength check on the order form.
To reach a password strength of 100, the user must enter a password that contains five or more characters, contains one symbol, and contains one uppercase letter or number. WHMCS calculates the strength using the /assets/js/PasswordStrength.js file.
Auto Generated Password Format
Select the desired complexity of passwords that WHMCS generates for newly-provisioned services.
- The default complexity consists of 14 characters that contain uppercase and lowercase letters, numbers, and symbols.
- To reduce the complexity of generated passwords, you can choose to generate passwords that only use combinations of letters and numbers.
Failed Admin Login Ban Time
Enter a number of minutes before users can try again after failed login attempts. By default, WHMCS blocks any visitor IP address that attempts to log in to the Admin Area with a valid username and an incorrect password three or more times.
- The default length of this ban is 15 minutes. This helps to prevent attackers from endlessly trying different password combinations in order to gain access to your Admin Area (dictionary attack protection).
- Set this to 0 to disable the login ban feature. The system will never attempt to ban IP addresses, and users will be able to continue to attempt to log in endlessly.
- We recommend a minimum value of 1.
Whitelisted IPs
Enter IP addresses that you want to whitelist. The system will never ban these IP addresses from accessing the Admin Area due to login failures. For example, you may wish to whitelist your office’s IP address.
Whitelisted IP Login Failure Notices
Enable this option to suppress notifications for failed logins from whitelisted IP addresses. If you disable this option, the system will send notification emails to admins with the Full Administrator admin role whenever a login fails, even if the login is from a whitelisted IP address.
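The following is an added illustration of how the three settings above interact (ban after three failures for a configurable number of minutes, 0 disabling the ban, whitelisted IPs never banned, and failure notices optionally suppressed for whitelisted IPs). It is a constructed model, not WHMCS's own code; the class and method names are assumptions.

```python
import ipaddress
from collections import defaultdict


class AdminLoginBanPolicy:
    """Model of Failed Admin Login Ban Time, Whitelisted IPs and Whitelisted IP
    Login Failure Notices (constructed illustration, not WHMCS's own code)."""

    MAX_FAILURES = 3  # three or more failures trigger the ban

    def __init__(self, ban_minutes=15, whitelist=()):
        self.ban_minutes = ban_minutes          # 0 disables banning entirely
        self.whitelist = [ipaddress.ip_network(w, strict=False) for w in whitelist]
        self.failures = defaultdict(int)        # ip -> consecutive failures
        self.banned_until = {}                  # ip -> unban time (epoch seconds)

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def is_banned(self, ip, now):
        """True while a ban is active; expired bans are cleared lazily."""
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now):
        """Count a failed login; return True if this failure started a ban."""
        if self.ban_minutes <= 0 or self.is_whitelisted(ip):
            return False                        # feature off, or IP is exempt
        self.failures[ip] += 1
        if self.failures[ip] >= self.MAX_FAILURES:
            self.banned_until[ip] = now + self.ban_minutes * 60
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)             # a good login resets the counter

    def should_notify(self, ip, suppress_whitelisted):
        """Full Administrators get a failure notice unless the IP is
        whitelisted and the suppression option is enabled."""
        return not (suppress_whitelisted and self.is_whitelisted(ip))
```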
Disable Admin Password Reset
Enable this to remove the Forgotten Password link on the Admin Area login page.
Delete Encrypted Credit Card Data
Click Delete to delete all locally-stored encrypted credit card data from the database. This will not delete remote gateway tokens.
Delete Encrypted Bank Account Data
Click Delete to delete all locally-stored encrypted bank account data from the database.
Allow Client Pay Method Removal
Enable this to allow clients to delete payment methods from their accounts. An option will appear in the Shopping Cart and Client Area to store payment details as a saved pay method for faster future checkouts.
- If you disable this, only admins can delete credit card details.
- We recommend enabling this option.
Disable Session IP Check
Enable this to disable session IP checks. Session IP checks protect your WHMCS installation from cookie or session hijacking, but can cause problems for users with dynamic IP addresses or who use mobile devices.
Allow Smarty PHP Tags
We deprecated legacy Smarty tag backwards compatibility in WHMCS 8.7 and will remove support entirely in WHMCS 9.0.
- Because of this change, this setting will not display for new WHMCS installations on WHMCS 8.7 and later.
- You must remove these tags from your custom themes and templates.
Smarty 3 removed support for Smarty {php} tags. Prior to WHMCS 8.7, this setting enables backwards compatibility that allows you to continue using these tags in your custom themes and templates. We strongly recommend disabling it.
Trusted Proxy Settings
Enter IP addresses or IP address ranges for proxies or other forwarding services so that WHMCS can accurately determine the IP address of inbound traffic.
You may need to configure this setting if your WHMCS installation:
- is behind a proxy you control.
- is behind a load balancer or firewall that modifies HTTP requests.
- receives HTTP requests from a proxy or DDoS protection service like CloudFlare® or BlackLotus.
- is behind infrastructure that can modify the information in the link layer of a request.
These types of deployment setups will alter the value from the originating IP address to their own IP address. This is expected behavior because it is part of standard network specifications.
Unfortunately, this also makes it look as if your client logins, admin logins, and orders are all coming from the proxy instead of the real location. When this happens, the location is masked for logging, access authorization, fraud detection, or other IP address-related purposes.
Using these settings can help to mitigate these issues.
Proxy IP Header
Enter the HTTP header that WHMCS will use to find the authoritative IP address for the request. Most proxies use X_FORWARDED_FOR, allowing you to leave this setting blank.
Trusted Proxies
Enter the IP addresses and IP address CIDR ranges of trusted proxies. For requests that arrive from one of these proxies, WHMCS will check the header to discover the actual canonical request IP address.
- To add an IP address or IP address range, click Add IP, enter the address or range and any notes, and click Add IP.
- To remove an IP address or IP address range, select the desired list item and click Remove Selected. To remove multiple addresses, press Control (for Windows®) or Command (for Mac®) and single-click the proxies that you want to remove.
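The following added example shows the resolution logic the Proxy IP Header and Trusted Proxies settings describe: the forwarding header is honoured only when the connecting peer is a trusted proxy, and the chain is walked from the right so that entries a client prepends itself are never reached. It is a constructed illustration, not WHMCS's own code; the function name and the on-the-wire header name X-Forwarded-For are assumptions.

```python
import ipaddress


def resolve_client_ip(remote_addr, headers, trusted_proxies, header="X-Forwarded-For"):
    """Return the address to treat as the request origin.

    Constructed illustration, not WHMCS's own code. The header is used only
    when the direct peer (remote_addr) lies in a trusted proxy range; the
    comma-separated chain is then walked right-to-left, skipping every
    trusted hop, and the first untrusted address is the client.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in trusted)

    if not is_trusted(remote_addr):
        return remote_addr  # direct connection: the header cannot be trusted

    raw = headers.get(header, "")
    chain = [hop.strip() for hop in raw.split(",") if hop.strip()]
    # Each proxy appends the peer it received the request from, so the
    # rightmost entries are the ones added by our own trusted hops.
    for hop in reversed(chain):
        if is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: fall back to the proxy's own address
        return hop
    return remote_addr  # no header, or every hop was one of our proxies
```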
API IP Access Restriction
If you use the WHMCS API from an off-server location, enter that IP address here to preserve your access.
Log API Authentication
Enable logging of successful authentications via the API in the Admin Log at Configuration > System Logs. By default, the system does not log these authentications.
CSRF Tokens
Enable this option to prevent malicious visitors from forging form posts to try to gain access to your WHMCS installation. This option is enabled by default and we recommend that you always enable it unless WHMCS Technical Support instructs you to disable it.
CSRF Tokens: Domain Checker
Enable CSRF tokens for the domain checker in the Client Area. This allows you to send domain information to WHMCS from an external page (for example, using the domain checker integration code on your website). By default, CSRF tokens are disabled for the domain checker.
If you are not using the integration code, you can enable this option and visitors will only be able to use the built-in domain checker pages.
Last modified: June 14, 2024