Further Security Steps

Secure the Writeable Directories

We recommend further enhancing the security of WHMCS by making sure sensitive files have restrictive permissions or are moved to non-public locations. Our documentation regarding Further Security Steps can be found here.

This walkthrough covers this process when using a cPanel web server.

Move Writable Directories

We recommend moving all writable directories to a non-public location, that is, outside the web root, so that nothing written into them can ever be served or executed via a web request. WHMCS requires three writable directories: attachments, downloads and templates_c. After moving them you must tell WHMCS their new locations, as described below.

First, open cPanel's File Manager and navigate to your WHMCS installation path.

Perform the following actions for each of the folders.

  1. Right click on each of the above folders and choose Move.
  2. Specify the new path, which should be above the public_html directory. In this example we leave the box blank, which moves the folder to the root of the account's home directory (/home/whmcshelp in the example paths that follow).
  3. Click Move File(s)

Once completed you will see the moved folders appear in the left-side navigation pane.

Make note of these folder paths; they are needed to complete the next steps.

Navigate back to the WHMCS installation path within the File Manager. Right click configuration.php and choose Edit.

Modify the $templates_compiledir value to be the full (absolute) path of the new templates_c location. In our example, we will change this to: /home/whmcshelp/templates_c

Press Save Changes once complete.

Once this is completed we now have to set the paths for the Attachments and Downloads directories. This is done via the WHMCS Admin Area.

Login to the WHMCS Admin area and navigate to Setup >> Storage Settings

On the Storage Settings screen, choose the Configurations tab

In the Add New Configuration box, select the Local Storage option.

Click the + icon

A popup window will open. Specify the path to the attachments directory you noted earlier.

Press Save Changes

Repeat this step for the Downloads Directory

Change to the Settings tab.

  1. For each of the dropdowns shown, choose the newly-configured folder you would like to use.
  2. Press the Switch button

Because we moved the existing folders, their contents are already in place and it is safe to use the Switch button. If instead you created new, empty folders and left the old ones where they were, use the Migrate button: it copies the files from the old folder into the newly created folder before switching over.

Once all of the dropdowns show the new folder paths, you are all done!

Securing the Configuration File

We recommend tightening the permissions on the configuration.php file located in your WHMCS installation's directory. This file contains sensitive data (such as the license key and database credentials) that cannot be recovered without a backup of the file. To avoid accidentally overwriting, editing or deleting it, change the file's permission setting to `400`. This grants the file's owner read-only access and no access at all to the group or anyone else. Under the PHP handlers cPanel commonly uses (suPHP, CGI/FastCGI, PHP-FPM), PHP runs as the account owner, so the application can still read the file while no other user on the server can.

First, open cPanel's File Manager and navigate to your WHMCS installation path.

Perform the following actions:

  1. Right click on the configuration.php file and choose Change Permissions.
  2. Set the permissions to 400: leave only Read ticked for User and clear every box for Group and World
  3. Click Change Permissions

Should you ever need to update your license key, the application must be able to write to the file: temporarily give the owner write access (600 is sufficient; the execute bit that 755 would add is not needed for a PHP include file), then revert the permissions to 400 once the key is updated.

Some systems may require you to set the permission to 440 or 444, depending on which user PHP runs as (with DSO/mod_php, for example, the web server user rather than the account owner reads the file). For most, 400 should suffice, but if you encounter an error loading the application after setting the permission to 400, try 440 and then 444. Bear in mind that 444 makes the file readable by every user on the server, which on shared hosting exposes its contents to other accounts, so treat it as a last resort.

Moving the Crons Directory

The crons directory should also be moved outside of your web root so that the cron scripts cannot be invoked through a web request; they are meant to be run only by the scheduler.

First, open cPanel's File Manager and navigate to your WHMCS installation path.

Perform the following actions:

  1. Right click on the crons directory and choose Move.
  2. Specify the new path which should be above the public_html directory - in this example, we are leaving the box blank
  3. Press Move File(s)

Once completed you will see the recently moved crons folder appear in the left-side navigation pane.

Click on this folder name

Make note of this folder path. It is needed to complete the next steps.

  1. Right click on config.php.new and select Rename.
  2. In the popup window, change this to config.php
  3. Click Rename

Right click and choose Edit on the newly renamed config.php file

Now specify the path to your main WHMCS installation on the $whmcspath line, removing the comment marker at the start of that line so that the setting takes effect.

Navigate back to the WHMCS installation path within the File Manager. Right click configuration.php and choose Edit.

Add a new line inside the PHP code with the contents: $crons_dir = '/home/whmcshelp/crons/'; Substitute the path shown in the example with the correct path for your installation.

Navigate to the cPanel's Cron Jobs page

  1. Choose Edit on the existing Cron Job for the cron.php file.
  2. Update the Command so that it references cron.php at its new location (in our example, /home/whmcshelp/crons/cron.php)
  3. Click Edit Line
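The same moves and configuration edits, performed over SSH instead of the File Manager, as an added example (this is not from the WHMCS documentation or WHMCS's own tooling). It assumes a cPanel account whose home is /home/whmcshelp with WHMCS installed at public_html/whmcs, that PHP runs as the account owner (so mode 400 is readable by the application), and a GNU coreutils stat. The mock tree built by make_mock_install is constructed here so the script can be exercised safely on a throw-away directory; the layout of the mock crons/config.php.new is an assumption, not WHMCS's actual file.

```shell
#!/bin/sh
# Added example: the File Manager walkthrough above, done over SSH.
# Assumptions: cPanel account home /home/whmcshelp, WHMCS in public_html/whmcs,
# PHP running as the account owner (so mode 400 works), GNU coreutils stat.
set -eu

WRITABLE_DIRS="attachments downloads templates_c crons"

# Constructed mock of a WHMCS tree for a safe dry run (a real install holds far
# more files; the config.php.new layout below is an assumption, not WHMCS's file).
make_mock_install() {  # $1 = account home directory
  home="$1"; install="$home/public_html/whmcs"
  for d in $WRITABLE_DIRS; do mkdir -p "$install/$d"; done
  cat > "$install/configuration.php" <<'EOF'
<?php
$license = 'placeholder';
$db_host = 'localhost';
$templates_compiledir = 'templates_c';
EOF
  cat > "$install/crons/config.php.new" <<'EOF'
<?php
// $whmcspath = '/path/to/whmcs';
EOF
}

# Move the four directories above the web root and rewire both config files.
harden_whmcs() {  # $1 = account home, $2 = install path relative to public_html
  home="$1"; install="$home/public_html/$2"
  for d in $WRITABLE_DIRS; do
    [ -d "$install/$d" ] || { echo "missing $install/$d" >&2; return 1; }
    [ ! -e "$home/$d" ] || { echo "$home/$d already exists, refusing to overwrite" >&2; return 1; }
    mv "$install/$d" "$home/$d"
  done

  # configuration.php: absolute $templates_compiledir plus the new $crons_dir
  # line. Edited before chmod 400, which would otherwise block the write.
  {
    sed "s#^[\$]templates_compiledir = .*#\$templates_compiledir = '$home/templates_c';#" \
      "$install/configuration.php"
    printf "\$crons_dir = '%s/crons/';\n" "$home"
  } > "$install/configuration.php.tmp"
  mv "$install/configuration.php.tmp" "$install/configuration.php"
  chmod 400 "$install/configuration.php"

  # crons/config.php.new -> config.php with $whmcspath uncommented and set.
  sed "s#^// [\$]whmcspath = .*#\$whmcspath = '$install';#" \
    "$home/crons/config.php.new" > "$home/crons/config.php"
  rm "$home/crons/config.php.new"

  # Two steps cannot be done from the shell: Storage Settings and the cron job.
  printf 'Storage Settings > Configurations: add %s/attachments and %s/downloads\n' "$home" "$home"
  printf 'cPanel > Cron Jobs: point the command at %s/crons/cron.php\n' "$home"
}

# Verify the end state; returns non-zero on the first problem found.
audit_whmcs() {  # $1 = account home, $2 = install path relative to public_html
  home="$1"; install="$home/public_html/$2"
  for d in $WRITABLE_DIRS; do
    [ ! -e "$install/$d" ] || { echo "FAIL: $d still under the web root" >&2; return 1; }
    [ -d "$home/$d" ] || { echo "FAIL: $home/$d missing" >&2; return 1; }
  done
  mode=$(stat -c %a "$install/configuration.php")   # BSD/macOS: stat -f %Lp
  case "$mode" in
    400) ;;
    440|444) echo "WARN: configuration.php is mode $mode (readable beyond the owner)" >&2 ;;
    *) echo "FAIL: configuration.php is mode $mode" >&2; return 1 ;;
  esac
  grep -q "^[\$]templates_compiledir = '$home/templates_c';" "$install/configuration.php" || return 1
  grep -q "^[\$]crons_dir = '$home/crons/';" "$install/configuration.php" || return 1
  grep -q "^[\$]whmcspath = '$install';" "$home/crons/config.php" || return 1
  echo "OK: writable directories, crons and configuration.php are hardened"
}

# Stand-alone dry run on a throw-away tree. On the real server you would run:
#   harden_whmcs /home/whmcshelp whmcs && audit_whmcs /home/whmcshelp whmcs
demo=$(mktemp -d)
make_mock_install "$demo"
harden_whmcs "$demo" whmcs
audit_whmcs "$demo" whmcs
rm -rf "$demo"
```

harden_whmcs refuses to run if a destination already exists, so a second run cannot clobber directories that were already moved, and audit_whmcs treats 440/444 as a warning rather than a pass because those modes are the fallback described above, not the target.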

Now your installation is set up and secured, the next page of this guide covers connecting WHMCS to your web servers: