Enforced

I'm building a module that will do all this automatically; in the meantime, do it yourself step by step.

Regardless of the WHMCS core itself having no known security vulnerabilities, we will go through some small tips to secure our WHMCS as far as possible, to almost paranoid levels.

'''If you do not have the time or the desire, we can do all this for you and leave your WHMCS fully protected for only 15 dollars, and you will have chat support from WHMCS experts in Spanish or English. Ticket me here'''

1 - Protect your configuration.php
Considering that:


 * 1) 99% of the company's value is the database, not WHMCS itself (customers, invoices, etc. are in MySQL), so we must make sure that if someone breaches our server and can access the FTP or web files, they cannot obtain the MySQL access data.
 * 2) Once WHMCS is installed, there is no need to edit configuration.php.

What should we do?
Once all your configuration changes are done, obfuscate or encrypt configuration.php so that no one has access to the MySQL details except our own, already operational WHMCS. You can do this with ionCube, Zend or free online obfuscators.

Example, not obfuscated
<?php $license = 'Leased-583a5ca69768173b549c'; $db_host = 'localhost'; $db_username = 'cpaneluser_12335'; $db_password = '9876543231';........

With this, it is quite simple to get your database dropped.

Example, obfuscated
<?php // ENCODED eval(gzinflate(base64_decode(' s7fjsrEvyCjg5VLJyUxOzStOVbBVUPdJTSxOTdE1 tTBONE1ONLM0N7MwNDdOMjWxTFa3BipNSYrPyC8u ASnNyU........

So your evil hacker cannot get your database details...

2 - Protect the admin folder, paranoid levels

 * Add the new folder name to configuration.php, for example: $customadminpath = "4234K23423K3"; use only letters and numbers, without symbols.
 * Add to the .htaccess a redirect from a fictitious name to that folder; e.g. with the real name misectoradmin, the code should look like:

# 301 Redirect Entire Directory
RedirectMatch 301 /misectoradmin(.*) /4234K23423K3/$1


 * Rename the admin folder to misectoradmin.
 * Create a folder named admin.
 * In it, create an index.php file with a special script, so that anyone who tries to enter the WHMCS admin area directly is banned automatically.

3 - Also change the templates, attachments and downloads folders

Add or modify these lines in configuration.php:

$templates_compiledir = "/home/username/templates_c/";
$attachments_dir = "/home/username/attachments/";
$downloads_dir = "/home/username/downloads/";

4, 5 and 6 - Protection levels with .htaccess in the admin folder

 * Level 1. After changing the folder, you can also protect it by allowing access only from your company's IPs.
 * Level 2. A more serious level: even when entering from the company's IP, users must enter a single username and password shared by the entire company.
 * Level 3. Prevent hotlinking and much more; do it here: http://www.htaccessredirect.net/
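
Levels 1 and 2 combined in the admin folder's .htaccess, as an added example that is not part of the original page. It assumes Apache 2.4 with AllowOverride AuthConfig enabled for that folder; the IP range 203.0.113.0/24, the realm name, the user name and the password file path are placeholders.

```apache
# .htaccess in the renamed WHMCS admin folder (Apache 2.4 authorization syntax).
# Constructed example: IP range, realm name, user and file path are placeholders.

# Level 2: one username and password shared by the whole company.
AuthType Basic
AuthName "Restricted area"
# Keep the password file outside the web root.
# Create it with: htpasswd -c /home/username/.htpasswd-admin companyuser
AuthUserFile /home/username/.htpasswd-admin

# WEAK: two bare Require lines are implicitly wrapped in <RequireAny>, so a
# request passes with EITHER a company IP OR a valid password:
#   Require ip 203.0.113.0/24
#   Require valid-user

# CORRECTED: Level 1 and Level 2 together. The request must come from a
# company IP AND carry valid credentials.
<RequireAll>
    Require ip 203.0.113.0/24
    Require valid-user
</RequireAll>
```

Basic authentication sends the password with every request, so this setup depends on the forced SSL from step 8.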

7 - At root level: .htaccess in the root
Protect your templates or tpl files by this instruction.

8 - At the server level, or the cPanel equivalent

 * Disable completely:
 * 1) Anonymous FTP.
 * 2) SSH access.
 * 3) Close the MySQL port to connections from outside the server.
 * 4) Please purchase an SSL certificate and force SSL on all connections, forever.
 * 5) If your WHMCS is just for your customers, block robots from spidering it with a robots.txt; this will remove you from this list -> Link

9 to 20 - Within WHMCS

 * 1) You should configure a user with admin levels and use that one regularly.
 * 2) Stop using the full administrator for everyday work, and use it only when you have to install modules or similar.
 * 3) Verify that the support department does not allow vulnerable uploads in tickets.
 * 4) Check the IPs permitted for the API in the security section.
 * 5) If you do not want clients who have no services, delete the register.php file so that customers cannot register.
 * 6) ... to be continued...