How to Configure Security Settings in WHMCS

WHMCS provides a variety of security options that range from beginner to advanced. Here is an overview of the primary security features you can access through the general settings.

  1. Login to your WHMCS Admin
  2. General Settings under Setup

    Hover over Setup and choose General Settings

  3. Security tab

    Choose the Security tab

  4. Fill in the settings:
    Captcha Form Protection:Choose how captcha functions
    Captcha Type:Select the type you wish to use
    reCAPTCHA Public Key:You need to register for reCAPTCHA @
    reCAPTCHA Private Key:You need to register for reCAPTCHA @
    Required Password Strength:Enter the required password strength from 1 to 100 – Enter 0 to Disable
    Failed Admin Login Ban Time:Enter the time to ban an IP in minutes after 3 failed login attempts – Enter 0 to Disable
    Whitelisted IPs: IP Addresses exempt from being banned for invalid login attempts
    Whitelisted IP Login Failure Notices:Tick to send login failure notices for Whitelisted IP addresses
    Admin Force SSL Access:Tick this box to force SSL Access for all admin area requests
    Disable Admin Password Reset:Tick this box to disable the forgotten password feature on the admin login page
    Disable Credit Card Storage:Tick this box to not store customers credit cards in the database (Warning: This will delete any existing stored credit card data)
    Allow Client CC Removal:Tick this box to allow customers to delete the credit card details stored on their account
    Disable Session IP Check:This is used to protect against cookie/session hijacking but can cause problems for users with dynamic IPs
    Allow Smarty PHP Tags:Tick to allow use of the Smarty {php} tag in templates. This is considered a security risk.
    Proxy IP Header: Header used by your trusted proxies to relay IP information. Most proxies use “X_FORWARDED_FOR”; that is the default if no value is specified
    Trusted Proxies: IP addresses of trusted proxies that forward traffic to WHMCS. Only add addresses that directly proxy requests!
    API IP Access Restriction:– IP Addresses allowed to connect to the WHMCS API
    Log API Authentication:Tick to record successful API authentications in Admin Log
    CSRF Tokens: General:Tick to enable general use of CSRF tokens for all public and clientarea forms (Highly Recommended)
    CSRF Tokens: Domain Checker:Tick to enable use of CSRF tokens for the Domain Checker form
  5. Blue Save Button

    Click Save Changes

Now that you have gone through the Security options you are ready to proceed to the Social tab.

Christopher Maiorana Content Writer II

Christopher Maiorana joined the InMotion community team in 2015 and regularly dispenses tips and tricks in the Support Center, Community Q&A, and the InMotion Hosting Blog.

More Articles by Christopher

Was this article helpful? Join the conversation!