Further Security Steps

Secure the Writeable Directories

We recommend further enhancing the security of WHMCS by making sure that sensitive files have restrictive permissions and that the directories WHMCS writes to live in a private location outside the web-accessible document root.

This walkthrough uses a cPanel server.

Move Writable Directories

We recommend moving all writable directories to a private location outside the document root, to prevent web-based access to their contents. There are three writable directories that WHMCS requires to function: attachments, downloads and templates_c. When you move them, you will need to give WHMCS the new location of each directory.

First, open cPanel's File Manager interface and navigate to your WHMCS installation path.

Perform the following actions for each of the three folders:

  1. Right-click on the folder and choose Move.
  2. Specify the new path, which must be outside the document root (on cPanel, above the public_html directory, for example /home/whmcshelp).
  3. Click Move File(s).

You will see the moved folders appear in the left-side navigation pane.

Make sure to note these folder paths. You will need them for the next steps.

Navigate back to the WHMCS installation path within File Manager. Right-click on configuration.php and choose Edit.

Modify the $templates_compiledir path to be the full path to the new location of the templates_c folder. In our example, we will change this to /home/whmcshelp/templates_c.

When you're done, click Save Changes.

Now, set the paths for the Attachments and Downloads directories. To do this, use the WHMCS admin area.

Log in to the admin area and navigate to Configuration > System Settings > Storage Settings (Setup > Storage Settings in WHMCS 7.10 and earlier). Then, click the Configurations tab.

In the Add New Configuration box, select Local Storage. Then, click the + icon.

In the window that appears, enter the new path to the attachments directory and click Save Changes.

Repeat this step for the downloads directory.

Click on the Settings tab.

For each of the menus, choose the newly-configured folder you would like to use, and then click Switch.

Since we moved the existing folders together with their contents, it is safe to use the Switch button, which only changes the path WHMCS uses. If you created new, empty folders and left the old ones in place, use the Migrate button instead: it copies the files from the old folder to the newly-created folder before switching.

All of the menus should now display the new folder paths.

Securing the Configuration File

We recommend adjusting the permissions for the configuration.php file in your WHMCS installation's directory. This file contains sensitive data (database credentials, the license key and encryption settings) that you can't recover without a backup. To avoid accidentally overwriting, editing, or deleting the file, and to keep other accounts on the server from reading it, change the permission setting of this file to 400. This grants read-only access to the file's owner and denies read, write and execute access to everyone else.

First, open cPanel's File Manager interface and navigate to your WHMCS installation path.

Then, perform the following actions:

  1. Right-click on the configuration.php file and choose Change Permissions.
  2. Change the permissions to 400.
  3. Click Change Permissions.

If you ever update your license key, you must temporarily make the file writable again so that WHMCS can edit it. Write permission for the owner is all that is needed (600); a PHP configuration file never needs execute permission. After you update the key, revert the permissions to 400.

Whether 400 is enough depends on which user PHP runs as. With the handlers cPanel normally uses (for example suPHP or LSAPI), PHP scripts run as the account user that owns the file, so 400 suffices. If your server runs PHP as a separate web server user, the application will fail to load with 400: use 440 if that user is a member of the file's group, and otherwise 444 (world-readable, which still prevents modification). Start with 400 and only loosen to 440, then 444, if you see an error loading the application.
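For accounts that also have SSH access, the same permission rules can be applied from the command line. The script below is an added example and is not part of WHMCS or its documentation: it chooses 400, 440 or 444 from who owns the file and which user PHP runs as, applies the mode, refuses modes that would leave the file writable, and reads the result back. The account name whmcshelp, the web server user nobody and the temporary stand-in for configuration.php are assumptions for the walkthrough.

```shell
#!/bin/sh
# Added example, not WHMCS's own tooling: lock down configuration.php from a shell.
set -eu

# choose_config_mode OWNER GROUP PHP_USER PHP_USER_GROUPS
# Prints the most restrictive mode that still lets PHP read the file:
#   400 if PHP runs as the file's owner (suPHP/LSAPI-style handlers),
#   440 if PHP runs as another user that belongs to the file's group,
#   444 otherwise (a shared web server user such as "nobody").
# PHP_USER_GROUPS is a space-separated list, as printed by "id -Gn PHP_USER".
choose_config_mode() {
  owner=$1; group=$2; phpuser=$3; phpgroups=$4
  if [ "$phpuser" = "$owner" ]; then
    echo 400
    return
  fi
  for g in $phpgroups; do          # unquoted on purpose: split the group list
    if [ "$g" = "$group" ]; then
      echo 440
      return
    fi
  done
  echo 444
}

# mode_string FILE: the ls-style permission field, e.g. "-r--------" for 400.
mode_string() {
  ls -ld "$1" | cut -c1-10
}

# lock_config FILE MODE: apply MODE, but refuse anything that leaves the file
# writable, since configuration.php holds credentials and the license key.
lock_config() {
  case "$2" in
    400|440|444) chmod "$2" "$1" ;;
    *) echo "refusing mode $2: configuration.php must not be writable" >&2; return 1 ;;
  esac
}

# unlock_for_edit FILE: owner-writable only (600), e.g. before a license key
# update. Execute bits are never needed; follow up with lock_config again.
unlock_for_edit() {
  chmod 600 "$1"
}

# is_writable_by_others FILE: succeed if the group or anyone else can write.
is_writable_by_others() {
  case "$(mode_string "$1")" in
    ?????w*|????????w?) return 0 ;;
    *) return 1 ;;
  esac
}

demo() {
  f=$(mktemp)   # stands in for /home/whmcshelp/public_html/whmcs/configuration.php
  printf '<?php\n$db_password = "constructed-sample";\n' > "$f"
  mode=$(choose_config_mode whmcshelp whmcshelp whmcshelp "whmcshelp")
  lock_config "$f" "$mode"
  echo "locked with $mode: $(mode_string "$f")"
  unlock_for_edit "$f"
  echo "during a license key update: $(mode_string "$f")"
  lock_config "$f" "$mode"
  rm -f "$f"
}
demo
```

On a real server, replace the demo's arguments with the output of `ls -l configuration.php` (owner and group) and the user your PHP handler runs scripts as; the 444 branch is the case the walkthrough describes as "try 440 and then 444".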

Moving the Crons Directory

You should also move the crons directory outside of your document root directory, to prevent web-based access.

First, open cPanel's File Manager interface and navigate to your WHMCS installation path.

Perform the following actions:

  1. Right click on the crons directory and choose Move.
  2. Specify the new path, which must be outside the document root (on cPanel, above the public_html directory, for example /home/whmcshelp).
  3. Click Move File(s).

After moving the files, you will see the recently-moved crons folder appear in the left-side navigation pane.

Click on the folder name.

Note the path for this folder. You will need it in future steps.

Inside the moved crons folder, rename the config.php.new file to config.php. To do this:

  1. Right click on config.php.new and select Rename.
  2. In the window that appears, change this to config.php.
  3. Click Rename.

Right-click on the newly-renamed config.php file and choose Edit.

Next, specify the path to your main WHMCS installation on the $whmcspath line, and remove the comment marks at the start of that line so that the setting takes effect. When you're done, click Save Changes.

Navigate back to the WHMCS installation path within the File Manager interface. Right-click configuration.php and choose Edit.

Add a new line with the contents $crons_dir = '/home/whmcshelp/crons/'; substituting the path of your moved crons folder for the one in the example. When you're done, click Save Changes.

Go to cPanel's Cron Jobs interface.

To update your cron job:

  1. Choose Edit on the existing cron job for the cron.php file.
  2. Update the command so that it runs cron.php from the new crons location (in our example, /home/whmcshelp/crons/cron.php).
  3. Click Edit Line.

Next, you will need to connect WHMCS to your web servers.