How to Configure Security Settings in WHMCS

Posted on May 2, 2016 by

Date: May 2, 2016           2 Minutes, 3 Seconds to Read

WHMCS provides a variety of security options that range from beginner to advanced. Here is an overview of the primary security features you can access through the general settings.

  1. Login to your WHMCS Admin

  2. Hover over Setup and choose General Settings

  3. Choose the Security tab

  4. Fill in the settings:
    Captcha Form Protection: Choose how captcha functions
    Captcha Type: Select the type you wish to use
    reCAPTCHA Public Key: You need to register for reCAPTCHA @ https://www.google.com/recaptcha/admin/create
    reCAPTCHA Private Key: You need to register for reCAPTCHA @ https://www.google.com/recaptcha/admin/create
    Required Password Strength: Enter the required password strength from 1 to 100 – Enter 0 to Disable
    Failed Admin Login Ban Time: Enter the time to ban an IP in minutes after 3 failed login attempts – Enter 0 to Disable
    Whitelisted IPs: IP Addresses exempt from being banned for invalid login attempts
    Whitelisted IP Login Failure Notices: Tick to send login failure notices for Whitelisted IP addresses
    Admin Force SSL Access: Tick this box to force SSL Access for all admin area requests
    Disable Admin Password Reset: Tick this box to disable the forgotten password feature on the admin login page
    Disable Credit Card Storage: Tick this box to not store customers credit cards in the database (Warning: This will delete any existing stored credit card data)
    Allow Client CC Removal: Tick this box to allow customers to delete the credit card details stored on their account
    Disable Session IP Check: This is used to protect against cookie/session hijacking but can cause problems for users with dynamic IPs
    Allow Smarty PHP Tags: Tick to allow use of the Smarty {php} tag in templates. This is considered a security risk.
    Proxy IP Header: Header used by your trusted proxies to relay IP information. Most proxies use “X_FORWARDED_FOR”; that is the default if no value is specified
    Trusted Proxies: IP addresses of trusted proxies that forward traffic to WHMCS. Only add addresses that directly proxy requests!
    API IP Access Restriction: – IP Addresses allowed to connect to the WHMCS API
    Log API Authentication: Tick to record successful API authentications in Admin Log
    CSRF Tokens: General: Tick to enable general use of CSRF tokens for all public and clientarea forms (Highly Recommended)
    CSRF Tokens: Domain Checker: Tick to enable use of CSRF tokens for the Domain Checker form

  5. Click Save Changes

Now that you have gone through the Security options you are ready to proceed to the Social tab.

Was this article helpful? Let us know!

Need More Help?

Ask the Community!

Get help with your questions from our community of like-minded hosting users and InMotion Hosting Staff.

Current Customers

Chat: Click to Chat Now E-mail: support@InMotionHosting.com

Call: 888-321-HOST (4678) Ticket: Submit a Support Ticket

Not a Customer?

Get web hosting from a company that is here to help. Sign up today!