How to Configure Security Settings in WHMCS

Updated on August 16, 2021 by Christopher Maiorana

2 Minutes, 3 Seconds to Read

WHMCS provides a variety of security options that range from beginner to advanced. Here is an overview of the primary security features you can access through the general settings.

  1. Login to your WHMCS Admin
  2. Tooltip 043

    Hover over Setup and choose General Settings

  3. Selection53

    Choose the Security tab

  4. Fill in the settings:
    Captcha Form Protection: Choose how captcha functions
    Captcha Type: Select the type you wish to use
    reCAPTCHA Public Key: You need to register for reCAPTCHA @ https://www.google.com/recaptcha/admin/create
    reCAPTCHA Private Key: You need to register for reCAPTCHA @ https://www.google.com/recaptcha/admin/create
    Required Password Strength: Enter the required password strength from 1 to 100 – Enter 0 to Disable
    Failed Admin Login Ban Time: Enter the time to ban an IP in minutes after 3 failed login attempts – Enter 0 to Disable
    Whitelisted IPs: IP Addresses exempt from being banned for invalid login attempts
    Whitelisted IP Login Failure Notices: Tick to send login failure notices for Whitelisted IP addresses
    Admin Force SSL Access: Tick this box to force SSL Access for all admin area requests
    Disable Admin Password Reset: Tick this box to disable the forgotten password feature on the admin login page
    Disable Credit Card Storage: Tick this box to not store customers credit cards in the database (Warning: This will delete any existing stored credit card data)
    Allow Client CC Removal: Tick this box to allow customers to delete the credit card details stored on their account
    Disable Session IP Check: This is used to protect against cookie/session hijacking but can cause problems for users with dynamic IPs
    Allow Smarty PHP Tags: Tick to allow use of the Smarty {php} tag in templates. This is considered a security risk.
    Proxy IP Header: Header used by your trusted proxies to relay IP information. Most proxies use “X_FORWARDED_FOR”; that is the default if no value is specified
    Trusted Proxies: IP addresses of trusted proxies that forward traffic to WHMCS. Only add addresses that directly proxy requests!
    API IP Access Restriction: – IP Addresses allowed to connect to the WHMCS API
    Log API Authentication: Tick to record successful API authentications in Admin Log
    CSRF Tokens: General: Tick to enable general use of CSRF tokens for all public and clientarea forms (Highly Recommended)
    CSRF Tokens: Domain Checker: Tick to enable use of CSRF tokens for the Domain Checker form
  5. savechanges1

    Click Save Changes

Now that you have gone through the Security options you are ready to proceed to the Social tab.

CM
Christopher Maiorana Content Writer II

Christopher Maiorana joined the InMotion community team in 2015 and regularly dispenses tips and tricks in the Support Center, Community Q&A, and the InMotion Hosting Blog.

More Articles by Christopher

Was this article helpful? Let us know!

Need More Help?

Current Customers

Chat: Chat with Support
Email: [email protected]
Call: 888-321-HOST (4678) x2
Ticket: Submit a Support Ticket

Get Reliable Web Hosting

Chat: Chat with Sales
Email: [email protected]
Call: 888-321-HOST (4678) x1

Get web hosting from a company that is here to help. Sign up today!