WHMCS provides a variety of security options that range from beginner to advanced. Here is an overview of the primary security features you can access through the general settings.
- Log in to your WHMCS Admin
- Hover over Setup and choose General Settings
- Choose the Security tab
- Fill in the settings:
  - Captcha Form Protection: Choose how captcha functions
  - Captcha Type: Select the type you wish to use
  - reCAPTCHA Public Key: You need to register for reCAPTCHA @ https://www.google.com/recaptcha/admin/create
  - reCAPTCHA Private Key: You need to register for reCAPTCHA @ https://www.google.com/recaptcha/admin/create
  - Required Password Strength: Enter the required password strength from 1 to 100 (enter 0 to disable)
  - Failed Admin Login Ban Time: Enter the time to ban an IP in minutes after 3 failed login attempts (enter 0 to disable)
  - Whitelisted IPs: IP addresses exempt from being banned for invalid login attempts
  - Whitelisted IP Login Failure Notices: Tick to send login failure notices for whitelisted IP addresses
  - Admin Force SSL Access: Tick this box to force SSL access for all admin area requests
  - Disable Admin Password Reset: Tick this box to disable the forgotten password feature on the admin login page
  - Disable Credit Card Storage: Tick this box to not store customers' credit cards in the database (Warning: This will delete any existing stored credit card data)
  - Allow Client CC Removal: Tick this box to allow customers to delete the credit card details stored on their account
  - Disable Session IP Check: This is used to protect against cookie/session hijacking but can cause problems for users with dynamic IPs
  - Allow Smarty PHP Tags: Tick to allow use of the Smarty {php} tag in templates. This is considered a security risk.
  - Proxy IP Header: Header used by your trusted proxies to relay IP information. Most proxies use “X_FORWARDED_FOR”; that is the default if no value is specified
  - Trusted Proxies: IP addresses of trusted proxies that forward traffic to WHMCS. Only add addresses that directly proxy requests!
  - API IP Access Restriction: IP addresses allowed to connect to the WHMCS API
  - Log API Authentication: Tick to record successful API authentications in the Admin Log
  - CSRF Tokens: General: Tick to enable general use of CSRF tokens for all public and clientarea forms (Highly Recommended)
  - CSRF Tokens: Domain Checker: Tick to enable use of CSRF tokens for the Domain Checker form
- Click Save Changes
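
The warning on Trusted Proxies is easier to see in code. This is an added example, not WHMCS code: a sketch of the general trusted-proxy model, in which the forwarded header is honoured only when the connecting peer is a listed proxy. The function name, the `X-Forwarded-For` spelling and all addresses are constructed for illustration.

```python
import ipaddress


def resolve_client_ip(peer_ip, headers, trusted_proxies,
                      header_name="X-Forwarded-For"):
    """Return the address to use for login bans, whitelists and session checks.

    peer_ip         -- address of the TCP connection reaching the application
    headers         -- request headers as a dict
    trusted_proxies -- addresses (or networks) listed as trusted proxies
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in trusted)

    # A peer that is not a listed proxy can put anything in the header,
    # so the header is ignored and the socket address is used.
    if not is_trusted(peer_ip):
        return peer_ip

    hops = [h.strip() for h in headers.get(header_name, "").split(",") if h.strip()]
    client = peer_ip
    # Walk right to left: the rightmost entry was appended by the nearest
    # proxy. Stop at the first address that is not itself a trusted proxy.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
        client = hop
        if not is_trusted(hop):
            break
    return client


if __name__ == "__main__":
    # Constructed sample: 192.0.2.10 is the only real reverse proxy.
    proxies = ["192.0.2.10"]
    spoofed = {"X-Forwarded-For": "203.0.113.50"}
    # Direct connection carrying a forged header: the header is ignored.
    print(resolve_client_ip("198.51.100.7", spoofed, proxies))
    # Same request after 198.51.100.7 was wrongly added as a "proxy":
    # the forged header is now believed.
    print(resolve_client_ip("198.51.100.7", spoofed, proxies + ["198.51.100.7"]))
```

With an address in the list that does not actually proxy requests, the failed-login ban and the IP whitelist are evaluated against whatever value that client supplies in the header.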
Now that you have gone through the Security options you are ready to proceed to the Social tab.