---
title: "How to Configure Security Settings in WHMCS"
description: "WHMCS provides a variety of security options that range from beginner to advanced. Here is an overview of the primary security features you can access through the general settings. Login to your..."
url: https://www.inmotionhosting.com/support/edu/whm/how-to-configure-security-settings-in-whmcs/
date: 2016-05-02
modified: 2023-06-08
author: "Christopher Maiorana"
categories: ["Security", "WebHost Manager (WHM)"]
type: post
lang: en
---

# How to Configure Security Settings in WHMCS

WHMCS provides a variety of security options that range from beginner to advanced. Here is an overview of the primary security features you can access through the general settings.

1. [Login to your WHMCS Admin](/support/edu/whm/login-to-whmcs/)
2. [![General Settings under Setup](/support/images/stories/reseller/general-settings-whmcs/Tooltip_043.png)](/support/images/stories/reseller/general-settings-whmcs/Tooltip_043.png) Hover over *Setup* and choose *General Settings*
3. [![Security tab](/support/images/stories/reseller/general-settings-whmcs/Selection53.png)](/support/images/stories/reseller/general-settings-whmcs/Selection53.png) Choose the *Security* tab
4. Fill in the settings: Captcha Form Protection: Choose how captcha functions Captcha Type: Select the type you wish to use reCAPTCHA Public Key: You need to register for reCAPTCHA @ https://www.google.com/recaptcha/admin/create reCAPTCHA Private Key: You need to register for reCAPTCHA @ https://www.google.com/recaptcha/admin/create Required Password Strength: Enter the required password strength from 1 to 100 – Enter 0 to Disable Failed Admin Login Ban Time: Enter the time to ban an IP in minutes after 3 failed login attempts – Enter 0 to Disable Whitelisted IPs: IP Addresses exempt from being banned for invalid login attempts Whitelisted IP Login Failure Notices: Tick to send login failure notices for Whitelisted IP addresses Admin Force SSL Access: Tick this box to force SSL Access for all admin area requests Disable Admin Password Reset: Tick this box to disable the forgotten password feature on the admin login page Disable Credit Card Storage: Tick this box to not store customers credit cards in the database (Warning: This will delete any existing stored credit card data) Allow Client CC Removal: Tick this box to allow customers to delete the credit card details stored on their account Disable Session IP Check: This is used to protect against cookie/session hijacking but can cause problems for users with dynamic IPs Allow Smarty PHP Tags: Tick to allow use of the Smarty {php} tag in templates. This is considered a security risk. Proxy IP Header: Header used by your trusted proxies to relay IP information. Most proxies use “X_FORWARDED_FOR”; that is the default if no value is specified Trusted Proxies: IP addresses of trusted proxies that forward traffic to WHMCS. Only add addresses that directly proxy requests! API IP Access Restriction: – IP Addresses allowed to connect to the WHMCS API Log API Authentication: Tick to record successful API authentications in Admin Log CSRF Tokens: General: Tick to enable general use of CSRF tokens for all public and clientarea forms (Highly Recommended) CSRF Tokens: Domain Checker: Tick to enable use of CSRF tokens for the Domain Checker form
5. [![Blue Save Button](/support/images/stories/reseller/general-settings-whmcs/savechanges1.png)](/support/images/stories/reseller/general-settings-whmcs/savechanges1.png) Click **Save Changes**

Now that you have gone through the Security options you are ready to proceed to the [Social](/support/edu/whm/how-to-configure-social-settings-in-whmcs/) tab.
