WHMCS provides a variety of security options that range from beginner to advanced. Here is an overview of the primary security features you can access through the general settings.
- Log in to your WHMCS Admin
- Hover over Setup and choose General Settings
- Choose the Security tab
- Fill in the settings:
| Setting | Description |
| --- | --- |
| Captcha Form Protection | Choose how captcha functions |
| Captcha Type | Select the type you wish to use |
| reCAPTCHA Public Key | You need to register for reCAPTCHA at https://www.google.com/recaptcha/admin/create |
| reCAPTCHA Private Key | You need to register for reCAPTCHA at https://www.google.com/recaptcha/admin/create |
| Required Password Strength | Enter the required password strength from 1 to 100. Enter 0 to disable. |
| Failed Admin Login Ban Time | Enter the time to ban an IP in minutes after 3 failed login attempts. Enter 0 to disable. |
| Whitelisted IPs | IP addresses exempt from being banned for invalid login attempts |
| Whitelisted IP Login Failure Notices | Tick to send login failure notices for whitelisted IP addresses |
| Admin Force SSL Access | Tick this box to force SSL access for all admin area requests |
| Disable Admin Password Reset | Tick this box to disable the forgotten password feature on the admin login page |
| Disable Credit Card Storage | Tick this box to not store customers' credit cards in the database (Warning: This will delete any existing stored credit card data) |
| Allow Client CC Removal | Tick this box to allow customers to delete the credit card details stored on their account |
| Disable Session IP Check | The session IP check is used to protect against cookie/session hijacking but can cause problems for users with dynamic IPs |
| Allow Smarty PHP Tags | Tick to allow use of the Smarty {php} tag in templates. This is considered a security risk. |
| Proxy IP Header | Header used by your trusted proxies to relay IP information. Most proxies use “X_FORWARDED_FOR”; that is the default if no value is specified |
| Trusted Proxies | IP addresses of trusted proxies that forward traffic to WHMCS. Only add addresses that directly proxy requests! |
| API IP Access Restriction | IP addresses allowed to connect to the WHMCS API |
| Log API Authentication | Tick to record successful API authentications in the Admin Log |
| CSRF Tokens: General | Tick to enable general use of CSRF tokens for all public and client area forms (Highly Recommended) |
| CSRF Tokens: Domain Checker | Tick to enable use of CSRF tokens for the Domain Checker form |
- Click Save Changes
Now that you have gone through the Security options, you are ready to proceed to the Social tab.
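The Proxy IP Header and Trusted Proxies settings decide which address the login ban, the whitelist and the API IP restriction are applied to. The following is an added example of the general technique, not WHMCS code; WHMCS's own resolution logic may differ, and `resolve_client_ip`, the wire header name and all addresses are assumptions made for illustration.

```python
import ipaddress

def resolve_client_ip(peer_ip, headers, trusted_proxies, header_name="X-Forwarded-For"):
    """Pick the address that login bans and IP allowlists should be checked against.

    peer_ip         -- address of the TCP connection that reached the web server
    trusted_proxies -- addresses (or CIDR ranges, in this example) of your own proxies
    header_name     -- wire name of the relay header (assumed equivalent of X_FORWARDED_FOR)
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    client = ipaddress.ip_address(peer_ip)
    # Any client can send the header, so honour it only when the peer is our proxy.
    if not is_trusted(client):
        return str(client)

    hops = [h.strip() for h in headers.get(header_name, "").split(",") if h.strip()]
    # Each proxy appends the address it received from, so the right-hand end is
    # the part written by our own infrastructure. Walk leftwards from there.
    for hop in reversed(hops):
        try:
            client = ipaddress.ip_address(hop)
        except ValueError:
            break                      # malformed entry: keep the last good address
        if not is_trusted(client):
            break                      # first hop we do not control is the client
    return str(client)

# Constructed sample requests: (peer, header value, trusted proxies)
SAMPLES = [
    ("203.0.113.50", "198.51.100.7", ["10.0.0.5"]),               # direct, header forged
    ("10.0.0.5", "198.51.100.7", ["10.0.0.5"]),                   # via the proxy
    ("10.0.0.5", "192.0.2.1, 198.51.100.7", ["10.0.0.5"]),        # forged entry prepended
    ("10.0.0.5", "198.51.100.7, 10.0.0.6", ["10.0.0.5", "10.0.0.6"]),  # two proxies
    ("10.0.0.5", "192.0.2.1, 198.51.100.7", ["10.0.0.5", "198.51.100.7"]),  # over-trusting
]

if __name__ == "__main__":
    for peer, xff, proxies in SAMPLES:
        print(peer, "|", xff, "|", proxies, "->",
              resolve_client_ip(peer, {"X-Forwarded-For": xff}, proxies))
```

In the last sample an address that does not directly proxy requests is listed as trusted, so the resolved address becomes whatever the sender wrote in the header, which is why only direct proxies belong in Trusted Proxies.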