The Security tab allows you to configure security-related features in WHMCS.


You can access this tab at Configuration > System Settings > General Settings.

Email Verification

Enable this to cause WHMCS to send an email verification notice each time that a user or admin creates a new client and each time that an existing client email address changes. The client must use the verification link in the email to confirm the new email address.

For more information, see Client Email Verification.

Captcha Form Protection

Enable this to turn on Captcha image verification for your WHMCS installation. This feature displays an image that contains letters and numbers that only humans can read. It will appear on the ticket submission, registration, and domain checker pages in the Client Area to help prevent automated submissions and spam. You can select whether the image verification never displays, always displays, or only displays to visitors.

You can select the following Captcha types:

Default
This requires GD2 on your server and displays an image with five characters on a blue striped background. This option does not require additional configuration.
Invisible reCAPTCHA
Use the Google® reCAPTCHA service. You must register for and then enter a set of keys to use this service.
For more information, see Google reCAPTCHA.

Required Password Strength

Enter the desired password strength for user passwords, or set this to 0 to disable the password strength check on the order form.

To reach a password strength of 100, the user must enter a password that contains five or more characters, contains one symbol, and contains one uppercase letter or number.

For more detailed information, see the /assets/js/PasswordStrength.js file.

Auto Generated Password Format

Select the desired complexity of passwords that WHMCS generates for newly-provisioned services.

  • The default complexity consists of 14 characters that contain uppercase and lowercase letters, numbers, and symbols.
  • To reduce the complexity of generated passwords, you can choose to generate passwords that only use combinations of letters and numbers.

Failed Admin Login Ban Time

Enter a number of minutes before users can try again after failed login attempts. By default, WHMCS blocks any visitor IP addresses that attempt to log in to the Admin Area with a valid username and incorrect password three or more times.

  • The default length of this ban is 15 minutes. This helps to prevent hackers from endlessly trying different password combinations in order to gain access to your Admin Area (dictionary attack protection).
  • Set this to 0 to disable the login ban feature. The system will never attempt to ban IP addresses and the user will be able to continue to attempt to log in endlessly.
  • We recommend a minimum value of 1.
For more information, see Remove an IP Address Ban.

Whitelisted IPs

Enter IP addresses that you want to whitelist. The system will never ban these IP addresses from accessing the Admin Area due to login failures. For example, you may wish to whitelist your office’s IP address.

Whitelisted IP Login Failure Notices

Enable this option to suppress notifications for failed logins from whitelisted IP addresses. If you disable this option, the system will send notification emails to admins with the Full Administrator admin role whenever a login fails, even if the login is from a whitelisted IP address.
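
The ban, whitelist and notice settings above interact: a whitelisted address is never banned, and with notices suppressed its failures are not emailed either. The following added example is a model of the policy as this page describes it, not WHMCS code; the event tuples are constructed, and the failure counter with no expiry that resets when a ban is issued is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed sample events, not real WHMCS log output:
# (minute, source IP, username exists, password correct)
SAMPLE_EVENTS = [
    (0, "192.0.2.10", True, False),
    (1, "192.0.2.10", True, False),
    (2, "192.0.2.10", True, False),      # third failure: ban starts
    (3, "203.0.113.5", True, False),
    (4, "203.0.113.5", False, False),    # unknown username: not counted
    (5, "198.51.100.20", True, False),
    (6, "198.51.100.20", True, False),
    (7, "198.51.100.20", True, False),
    (8, "198.51.100.20", True, False),   # whitelisted: keeps trying
    (9, "192.0.2.10", True, False),      # arrives inside the ban window
]

def review_failures(events, whitelist, ban_minutes=15, threshold=3):
    """Replay login events and report bans and unbanned repeat failures."""
    allowed = {ipaddress.ip_address(w) for w in whitelist}
    fails = Counter()          # assumption: failures never expire
    banned_until = {}
    report = {"banned": {}, "blocked_attempts": 0, "unbanned_over_threshold": {}}
    for minute, ip, user_valid, pw_ok in sorted(events):
        if banned_until.get(ip, -1) > minute:
            report["blocked_attempts"] += 1
            continue
        # Only a valid username with a wrong password counts toward a ban.
        if pw_ok or not user_valid:
            continue
        fails[ip] += 1
        if fails[ip] < threshold:
            continue
        if ban_minutes > 0 and ipaddress.ip_address(ip) not in allowed:
            banned_until[ip] = minute + ban_minutes
            report["banned"][ip] = banned_until[ip]
            fails[ip] = 0      # assumption: counter resets once banned
        else:
            # Ban disabled (0) or whitelisted: attempts continue unchecked.
            report["unbanned_over_threshold"][ip] = fails[ip]
    return report

if __name__ == "__main__":
    print(review_failures(SAMPLE_EVENTS, whitelist=["198.51.100.20"]))
```

Addresses listed under unbanned_over_threshold are the ones to review by hand, since neither the ban nor, when notices are suppressed, the notification email will surface them.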

Disable Admin Password Reset

Enable this to remove the Forgotten Password link on the Admin Area login page.

For more information, see Reset an Admin Password.

Delete Encrypted Credit Card Data

Click Delete to delete all locally-stored encrypted credit card data from the database. This will not delete remote gateway tokens.

This action is irreversible.

Delete Encrypted Bank Account Data

Click Delete to delete all locally-stored encrypted bank account data from the database.

This action is irreversible.

Allow Client Pay Method Removal

Enable this to allow clients to delete payment methods from their accounts. An option will appear in the Shopping Cart and Client Area to store payment details as a saved pay method for faster future checkouts.

  • If you disable this, only admins can delete credit card details.
  • We recommend enabling this option.

Disable Session IP Check

Enable this to disable session IP checks. Session IP checks protect your WHMCS installation from cookie or session hijacking, but can cause problems for users with dynamic IP addresses or who use mobile devices.

Allow Smarty PHP Tags

We deprecated legacy Smarty tag backwards compatibility in WHMCS 8.7 and will remove support entirely in WHMCS 9.0.

  • Because of this change, this setting will not display for new WHMCS installations on WHMCS 8.7 and later.
  • You must remove these tags from your custom themes and templates.

Smarty 3 removed support for Smarty {php} tags. Prior to WHMCS 8.7, this setting enables backwards compatibility that allows you to continue using these tags in your custom themes and templates. We strongly recommend disabling it.

For more information, see Legacy Smarty Tags.

Trusted Proxy Settings

Enter IP addresses or IP address ranges for proxies or other forwarding services so that WHMCS can accurately determine the IP address of inbound traffic.

You may need to configure this setting if your WHMCS installation:

  • is behind a proxy you control.
  • is behind a load balancer or firewall that modifies HTTP requests.
  • receives HTTP requests from a proxy or DDoS protection service like CloudFlare® or BlackLotus.
  • is behind infrastructure that can modify the information in the link layer of a request.

These types of deployment setups will alter the source IP address of a request from the originating IP address to their own IP address. This is expected behavior because it is part of standard network specifications.

Unfortunately, this also makes it look as if your client logins, admin logins, and orders are all coming from the proxy instead of the real location. When this happens, the location is masked for logging, access authorization, fraud detection, or other IP address-related purposes.

Using these settings can help to mitigate these issues.

Some of CloudFlare’s features are not compatible with WHMCS. If you use CloudFlare, ensure that Script Minimisation and Rocket Loader are disabled for the WHMCS installation domain.

Proxy IP Header

Enter the HTTP header that WHMCS will use to find the IP address that is the authoritative IP address for the request. Most proxies use X_FORWARDED_FOR, allowing you to leave this setting blank.

Only change this value if you are sure that your proxy uses a different header. Entering the wrong header here can cause improper recording of IP addresses.

Trusted Proxies

Enter the IP addresses and IP address CIDR ranges of trusted proxies. WHMCS will check the header to discover the actual canonical request IP address.


  • To add an IP address or IP address range, click Add IP, enter the address or range and any notes, and click Add IP.
  • To remove an IP address or IP address range, select the desired list item and click Remove Selected. To remove multiple addresses, press Control (for Windows®) or Command (for Mac®) and single-click the proxies that you want to remove.
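
How the Proxy IP Header and Trusted Proxies settings work together can be shown with a short resolver. This is an added example, not WHMCS code: the right-to-left walk over the header is the common approach and is an assumption about the algorithm, the function name is hypothetical, and the addresses are constructed documentation ranges. The header default uses the HTTP spelling of the header that this page calls X_FORWARDED_FOR.

```python
import ipaddress

def resolve_client_ip(peer, headers, trusted_proxies, header="X-Forwarded-For"):
    """Pick the address to log and authorize against for one request."""
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(addr):
        return any(addr in net for net in nets)

    peer_ip = ipaddress.ip_address(peer)
    # The header is client-controlled unless the TCP peer is a trusted proxy,
    # so a direct visitor cannot choose the address that gets recorded.
    if not trusted(peer_ip):
        return str(peer_ip)
    hops = [h.strip() for h in headers.get(header, "").split(",") if h.strip()]
    # Each proxy appends the peer it saw, so walk from the right and stop at
    # the first hop that is not one of our own proxies.
    for hop in reversed(hops):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: trust nothing to its left
        if not trusted(hop_ip):
            return str(hop_ip)
    return str(peer_ip)

# Constructed sample requests: label -> (TCP peer, headers)
TRUSTED = ["198.51.100.0/24"]
REQUESTS = {
    "direct visitor sending its own header":
        ("203.0.113.9", {"X-Forwarded-For": "192.0.2.1"}),
    "visitor behind the trusted proxy":
        ("198.51.100.7", {"X-Forwarded-For": "192.0.2.44"}),
    "visitor prepending a fake hop":
        ("198.51.100.7", {"X-Forwarded-For": "10.9.9.9, 192.0.2.44"}),
    "two trusted proxies in a chain":
        ("198.51.100.7", {"X-Forwarded-For": "192.0.2.44, 198.51.100.8"}),
}

if __name__ == "__main__":
    for label, (peer, hdrs) in REQUESTS.items():
        print(f"{label}: {resolve_client_ip(peer, hdrs, TRUSTED)}")
```

With an empty trusted list every proxied request resolves to the proxy's own address, which is the masking described above and would also make IP-based login bans fall on the proxy rather than the visitor.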

API IP Access Restriction

This is an advanced setting.

If you use the WHMCS API from an off-server location, enter that IP address here to preserve your access.

Log API Authentication

Enable logging of successful authentications via the API in the Admin Log at Configuration > System Logs. By default, the system does not log these authentications.

CSRF Tokens

Enable this option to prevent malicious visitors from forging form posts to try to gain access to your WHMCS installation. This option is enabled by default and we recommend that you always enable it unless WHMCS Technical Support instructs you to disable it.

CSRF Tokens: Domain Checker

Enable CSRF tokens for the domain checker in the Client Area. By default, CSRF tokens are disabled for the domain checker, which allows you to send domain information to WHMCS from an external page (for example, using the domain checker integration code on your website).

If you are not using the integration code, you can enable this option and visitors will only be able to use the built-in domain checker pages.

Last modified: June 24, 2024