Simple WHMCS/Billing Security!


New Member
Verified Provider
Well summer is coming (Not quite here yet in the UK!) and i thought this would be handy for some new comers.

Securing your WHMCS Billing System:

Before anything I'll start with the most basic security you could ever need in your life:

Configure your email,mysql,ftp, admin accounts all with different passwords (Strong Randomly Generated) never reuse the same passwords as it provides another point of access if it were ever obtained. AND NEVER use your system passwords on public websites.


1. Change the /admin folder to an random directory which you can remember.

2. Move /attachments, /downloads and /templates _c to /home/and edit the config file to match.

3. Add htaccess protection to the admin area & lock down to specific IP ranges.

4. Run WHMCS on separate sub-domain and not with the main website it helps having a separate server, depending on your budget.

5. Shared Hosting - It poses a major risk hosting your WHMCS/Billing system with numerous other accounts. it is not advised doing this its been proven a weak point for many providers before.

6. Updates - WHMCS has had quite a few security scares recently so it is advised to continously update your system/apply appropriate patches.

7. Server Logins (WHMCS) - It is known that when configuring WHMCS's servers page it will ask for a key to login or password, do not enter your password instead use the api key as having your password easily available in your database adds the risk of your production servers being hijacked.


Those are the main points for keeping your whmcs directory secure from within the hosting environment, on the administrator level if your running a VPS / Dedicated server then it is wise to keep everything up to date and having un needed services stopped on the server. Following some guides you should be fine. I would suggest having some backup space for your billing backups they are extremely important aswell as your clients data. If you don't know howto secure your server, you shouldn't be be in the hosting business without a technician capable of such things..


All the best,And remember keep safe :)
Last edited by a moderator:

D. Strout

Resident IPv6 Proponent
A lot of these are good security precautions for whatever you're using. Don't reuse passwords, don't put all your eggs in one basket, don't use default/insecure settings or locations for software, keep it up to date, etc. Good tips though.