For many providers, WHMCS is their crown jewels: all customer info is there, payment mechanisms and gateways, provisioning links and administrative keys, etc.
Having WHMCS hacked is their worst nightmare. If compromised, an attacker can
- sell your customer list, market to it, and ruin your reputation
- change or destroy all systems that WHMCS had admin links to (i.e., your hosts and VMs)
- learn the structure of your company – who the admins are, for example
- embarrass you by sharing details from your tickets
- compromise your customers by gaining access to all of their personal info. For example, some providers require photo ID to provision services, and this is typically submitted as WHMCS attachments.
- even if nothing is done directly in the WHMCS penetration, the information can be leveraged. Social hacks, for example, are much easier when someone comes armed with a galaxy of information.
Etcetera and there are many etceteras. So how can you protect yourself?
Just Move Off WHMCS
Just Move Off WHMCSSo let’s get this one out of the way because trolls will inevitably bring it up.
Yes, you can move off WHMCS and then your WHMCS will never be hacked.
But seriously…first, you have to run something and that something has the same risk.
Second, moving your CRM is not easy! And as a customer, I have zero tolerance for it. Don’t ask me to re-register, or read some KB article. As a customer, I don’t like friction and your job is to reduce friction.
OK, So You’re Staying on WHMCS. What To Do? First, the Basics
Patch/Upgrade: Keep your installation up to date. You’re paying for maintenance, so use it! Don’t be that guy who gets hacked over a bug WHMCS fixed two versions back. And keep in mind that WHMCS fixes bugs all the time. Just because the latest patch doesn’t mention anything about security doesn’t mean there aren’t issues fixed that WHMCS has discovered, or issues that no one has discovered yet.
Backups: Backups can’t prevent your data from going out if you’re hacked, but it can at least make sure you still have a copy yourself. And they also help protect you in the event of non-hacking issues like server failures, admin mistakes, and bugs. Pro Tip: try a restore now, before you need it.
Choose Good Passwords, and Change Them: I mean, duh on the first point. And on the second, if you have an admin on your team leave, change passwords.
Now That Those Are Done, Some More Advanced Tips
Change the Admin Location: Don’t have your admin set to www.example.com/whcms/admin. Pick something different, ideally a random string of letters or a UUID. But even ‘staffonly’ is better. You don’t want a new 0-day WHMCS bug to come out and your WHMCS admin to be automatically scanned and attacked. Yes, to some extent this is security by obscurity, but it reduces the amount of attacks you get so it’s a good thing.
Use Multi-Factor Authentication (MFA/2FA): Yes, ZRneENePy8@qx4L*xLab8x!M8bB2J*K4 is sure a great password, but if I’m reading everything you type via my keyboard sniffer, it’s no longer a great password. Two-factor is table stakes in 2024.
Avoid Third Party Templates and Modules: There are some great template artisans who make WHMCS look beautiful. And there are modules you can add that will make WHMCS do nearly anything you want. However, be aware that when you install a third-party code, you’re trusting that publisher with your enterprise. Don’t believe me? Check this story.
Consider a WAF: A Web Application Firewall sits between WHMCS and web browsers, filtering what gets in and out. WAFs can filter types of HTTP requests and the request bodies. Maybe there’s no good reason to POST to a particular URL, to submit certain data to another, or to request a URL that has a bunch of control characters in the path. I’ll quote LowEndTalk legend @FatGrizzly:
Cloudflare Pro helps(free is fine too, but Advin found out that free one didn’t block the Lagom attack which happened a few months earlier in his tests.)
You can also use modsecurity(owasp might be too strict for whmcs, try out comodo), blocking incoming post requests with “< questionmark p h p” ignore space and replace word, got triggered by cf could also help.
WHMCS is too serious to not demand serious security attention. Anything else you’d recommend?
Related Posts:
I also enjoy using LEBs! I have an empire of little guys for VPNs, larger guys for apps, and big guys for databases and storage. When I'm not in front a screen I'm into German Shepherd dogs, quality knives, target shooting, theology, tabletop roleplaying games, and forest hiking.
I enjoy writing technical articles here on LowEndBox to help people get more out of their systems. You can find me on LowEndTalk @raindog308
- Hey Providers – Want Some FREE Advertising During the SuperBowl? - November 14, 2024
- Inception Hosting is Closing Its Doors - November 12, 2024
- How Will the 2024 Election Results Affect Tech? - November 11, 2024
Leave a Reply