Hosting Discussion



mfwl 11-18-2008 11:49 AM

Tips for protecting WHMCS from hackers!
 
You can protect your WHMCS installation from hackers by doing the following 3 things:
  1. Change the name of the admin folder to something less obvious
  2. Password-protect the administration folder with htaccess so you have to pass htaccess before entering the WHMCS admin username and password
  3. Choose an obscure password/username

Oh, and use Maxmind with manual acceptance on all orders of value - in the long run you will be pleased you did!

If anyone has any bad experiences of WHMCS hacking or other methods of preventing this valuable data please post!
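
Tips 1 and 2 above, sketched as an added example that is not part of the original post. It assumes Apache with `AllowOverride AuthConfig` enabled for the site; the folder name `staff-7f3a`, the function name and all paths are constructed for illustration.

```sh
#!/bin/sh
# Added example: HTTP Basic auth in front of a renamed WHMCS admin folder.
# The folder name "staff-7f3a" and all paths are constructed for illustration.

# protect_admin_dir DOCROOT ADMIN_DIR HTPASSWD_FILE
# Writes ADMIN_DIR/.htaccess so Apache asks for a login before WHMCS does.
# Paths are compared as given, so pass them without ".." or symlinks.
protect_admin_dir() {
    docroot=${1%/}; admin_dir=${2%/}; pwfile=$3

    [ -d "$admin_dir" ] || { echo "no such folder: $admin_dir" >&2; return 2; }
    case "$pwfile" in
        /*) ;;
        *)  echo "password file path must be absolute" >&2; return 3 ;;
    esac
    # A password file below the web root could be downloaded and cracked offline.
    case "$pwfile" in
        "$docroot"/*) echo "password file is inside the web root" >&2; return 4 ;;
    esac

    cat > "$admin_dir/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile "$pwfile"
Require valid-user
EOF
}

# Demo on a throwaway tree. On a real server the password file is created
# first with:  htpasswd -c /path/outside/webroot/.htpasswd-admin <username>
t=$(mktemp -d)
mkdir -p "$t/public_html/staff-7f3a" "$t/private"
protect_admin_dir "$t/public_html" "$t/public_html/staff-7f3a" \
    "$t/private/.htpasswd-admin" && cat "$t/public_html/staff-7f3a/.htaccess"
rm -rf "$t"
```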

davet 11-18-2008 09:07 PM

Neither we nor any of our resellers who use WHMCS have had any problems with WHMCS being hacked.

headbull 11-19-2008 03:07 PM

WHMCS blocks IP addresses if they try a wrong password 5 times for 15 minutes.

So it would take quite a long time to hack the WHMCS installation, as long as there is no known backdoor then :)

But it's useful tips anyway! :)

rayanaga 11-19-2008 06:41 PM

Quote:

Originally Posted by davetanguay (Post 96388)
Neither we nor any of our resellers who use WHMCS have had any problems with WHMCS being hacked.

I've seen it happen once and only once. It was probably due to a bad password rather than to a WHMCS security breach though.

WeWatch 11-23-2008 10:46 AM

We've seen many cases where sites are hacked and people automatically start assuming the cause of the breach.

WHMCS has been extremely secure and would be one of the last areas we would look at for a successful security breach.

As stated previously, strong passwords are always highly recommended. At least 8 characters, combination of upper and lower case and use some special characters too.

Frequently we'll take a movie title and obfuscate it. Take Oceans 11. It could become a password like: $0C3@n$_eLEv3N#

This becomes a little bit easier to remember than something just totally random.

Also while renaming the admin folder falls under security through obscurity, it does offer an additional layer of protection from the automated tools used by so many cybercriminals. The more layers the better.

handsonhosting 12-10-2008 10:12 AM

No issues with the software on this end since we started with them live about a year ago. No issues with ModernBill prior to that going back to 2000.

Many of the hacks are not software exploits but admin exploits. People failing to review logs, password protect areas, and change passwords on a regular basis. A 12-character random password is necessary on anything (if not a long password). NO two passwords the same in our network on any of our servers.

Put CSF on the server, watch for failed passwords.
Kill Telnet Access and limit from a single or a couple of servers that you own - static IP.
Disable root access, only allow login under one user, then SU to root.

And the number one issue for people with problems - when an upgrade comes out - UPGRADE!!

iiDesign 12-11-2008 01:19 PM

Quote:

Originally Posted by davet (Post 96388)
Neither we nor any of our resellers who use WHMCS have had any problems with WHMCS being hacked.

Yes, I never had any attempts of being hacked either. WHMCS is pretty damn secure!

shockym 12-11-2008 01:37 PM

I gotta jump on the good boat here, we have never had issues either. *knock on wood*

Where did you other folk hear of this being hacked before, I must have missed this talk as I remember no such thing, was it recent?

mfwl 12-11-2008 04:23 PM

Quote:

Originally Posted by shockym (Post 97156)
I gotta jump on the good boat here, we have never had issues either. *knock on wood*

Where did you other folk hear of this being hacked before, I must have missed this talk as I remember no such thing, was it recent?

No, it was back a few months with version 3.5.1. Since upgrading (now 3.7.2 obv) it's not a problem, although we have done what I suggested at the top of the page so I wouldn't know if WHMCS have fixed the issues (whatever they were).

thecubehost 12-11-2008 05:46 PM

Good Tips.

The-Pixel 12-12-2008 11:34 PM

Hello,

I've never seen WHMCS get 'hacked'. And I would bet the farm that 9 times out of 10 it happens. And that 1% changes are is something they did. That's just me...

HivelocityLB 12-15-2008 11:09 AM

This does not happen often but it obviously can happen.
These are some good tips to prevent this from happening in the future.

hostingsir 12-17-2008 10:36 AM

Is Clientexec hacker safe!?

mfwl 12-19-2008 04:18 AM

Quote:

Originally Posted by hostingsir (Post 97423)
Is Clientexec hacker safe!?

We have not used Clientexec, however I assume the above tips would also be beneficial for any install of Clientexec.

LaneHost 12-19-2008 12:26 PM

You can also move the attachments, downloads & templates_c folders outside of the public accessible folder tree on your website. WHMCS allows you to do this. If you do move the folders, then you must tell WHMCS where they have been moved to by adding the following lines to your configuration.php file:

Code:

$templates_compiledir = "/home/whmcs/templates_c/";
$attachments_dir = "/home/whmcs/attachments/";
$downloads_dir = "/home/whmcs/downloads/";
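
A way to verify the relocation described in the post above, as an added example that is not part of the original post. The function names and sample paths are constructed; it assumes the three settings are written as double-quoted strings, as in the lines above, and it resolves symlinks so a moved folder that links back into the web root is still reported.

```sh
#!/bin/sh
# Added example (not from the thread): check that the three folders named in
# configuration.php were really moved out of the web root.

# conf_dir CONFIG VAR -> value assigned to $VAR (assumes a double-quoted string)
conf_dir() {
    grep "^[[:space:]]*[\$]$2[[:space:]]*=" "$1" | tail -n 1 | cut -d'"' -f2
}

# canon DIR -> physical path with symlinks resolved; empty if DIR is missing
canon() { ( cd "$1" 2>/dev/null && pwd -P ) || :; }

# inside_docroot DOCROOT DIR -> 0 if DIR resolves to DOCROOT or a folder below it
inside_docroot() {
    root=$(canon "$1"); dir=$(canon "$2")
    [ -n "$root" ] && [ -n "$dir" ] || return 2
    case "$dir/" in "$root"/*) return 0 ;; esac
    return 1
}

# audit_whmcs DOCROOT CONFIG -> one finding per line; exit status = failure count
audit_whmcs() {
    fails=0
    for var in templates_compiledir attachments_dir downloads_dir; do
        d=$(conf_dir "$2" "$var")
        if [ -z "$d" ]; then
            echo "FAIL $var: not set in $2"
        elif inside_docroot "$1" "$d"; then
            echo "FAIL $var: $d is below the web root"
        elif [ ! -d "$d" ]; then
            echo "FAIL $var: $d does not exist"
        else
            echo "OK   $var: $d"; continue
        fi
        fails=$((fails + 1))
    done
    return "$fails"
}

# Constructed sample tree: downloads_dir was left inside public_html on purpose.
t=$(mktemp -d)
mkdir -p "$t/public_html/downloads" "$t/private/templates_c" "$t/private/attachments"
cat > "$t/public_html/configuration.php" <<EOF
<?php
\$templates_compiledir = "$t/private/templates_c/";
\$attachments_dir = "$t/private/attachments/";
\$downloads_dir = "$t/public_html/downloads/";
EOF
audit_whmcs "$t/public_html" "$t/public_html/configuration.php" || echo "failures: $?"
rm -rf "$t"
```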


