We all are aware that hackers sell personal data stolen from different users, including usernames, passwords, and payment details, which can be misused. Similarly, they may target your WHMCS account to steal and exploit data.

Protecting this information is crucial if you run WHMCS (Web Host Manager Complete Solution), which stores sensitive customer data.

Below is a detailed guide on securing your WHMCS users’ data and preventing it from being leaked online.

 

Enable Strong Security Measures

This prevents hackers from accessing accounts even if they obtain login credentials.

  • Enforce Strong Passwords & Two-Factor Authentication (2FA)

    • Ensure that all admin and user accounts follow a strong password policy.
    • Use a password manager to generate and store complex passwords.
    • Enforce Two-Factor Authentication (2FA) for all admin and client accounts in WHMCS.

  • Restrict Admin Access

    • Limit admin access to untrusted IP addresses using WHMCS IP restrictions.
    • Assign role-based permissions to ensure only authorized persons can access sensitive data.
 

Secure Writable Directories

  • Remove directories from the root folder.

    • By default, /home/username/ will be located inside the public_html directory.
    • Any file placed inside public_html is publicly accessible to anyone that knows the URL.
    • Moving sensitive directories outside this folder ensures they are not directly accessible via a browser and prevents unauthorized access.
    • You can move the directories to the new folder of your choice, like whmcs_data, as below:

Good: /home/username/whmcs_data/attachments/

Bad: /home/username/public_html/attachments/

Similarly, you can move other important directories like uploads, downloads, temp, etc.

  • Restrict permissions to the Owner

    • To restrict the access to the owner, you can use chmod 750. This gives the owner full access (read, write, execute), the group read and execute access, and others no access. Here is an example of using this command:
 
chmod 750/home/username/whmcs_data/attachments/
 

Similarly, you can set permissions for other important directories like uploads, downloads, temp, etc.

 

Keep Your WHMCS & Server Updated

  • Regularly Update WHMCS & Plugins

    • WHMCS releases security patches regularly, so always use the latest version to prevent vulnerabilities.
    • Avoid using outdated or unverified third-party plugins, as they can be entry points for hackers.

You can also enable auto-updates using WHMCS’s built-in automatic update feature.

 

Enable Auto Updates in WHMCS Admin

✅ WHMCS provides an automatic update system (available in WHMCS 7.8+).

 

Steps:

1. Login to WHMCS Admin

2. Go to Utilities → Update WHMCS

3. Click Configure Update Settings

4. Enable Automatic Updates

5. Save Changes.

  • Keep Server Software Updated

    • Ensure PHP, MySQL/MariaDB, Apache/Nginx, and cPanel/DirectAdmin are up to date.
 

Encrypt User Data

  • Enable SSL/TLS for Secure Data Transmission

    • Always use HTTPS by installing a valid SSL/TLS certificate on your WHMCS website.
    • This ensures that all data transmitted between users and your server is encrypted.

  • Encrypt Sensitive Data in WHMCS

    • WHMCS provides data encryption tools to secure user information. Use WHMCS Hashing API to store encrypted data rather than plaintext.
    • Never store complete credit card details unless PCI-DSS compliance is ensured.
 

Implement a Web Application Firewall (WAF)

A Web Application Firewall (WAF) protects WHMCS from:

✅ SQL Injection

✅ Cross-Site Scripting (XSS)

✅ DDoS & Brute Force Attacks

  • Use a Trusted WAF Provider

    • Use Cloudflare WAF, Mod security, or any other WAF to filter malicious traffic.
    • Configure firewall rules to block suspicious login attempts.

  • Block Unauthorized API & Admin Access

    • Restrict API endpoints and admin login pages to specific IPs using .htaccess or server firewall rules.
    • Edit or create the .htaccess file in your WHMCS directory.
    • Add the following rules:

      <Files "api.php">

          Order Deny,Allow

          Deny from all

          Allow from 192.168.1.1 203.0.113.2  

      </Files>

This ensures that only specific IPs can access api.php

  • Implement Rate Limiting

    • API rate limiting is a mechanism that restricts the number of API requests a user or system can make within a specific period. This helps prevent abuse, DDoS attacks, and excessive resource consumption and ensures fair usage among users.
    • Steps:

      Add the following rules for Apache(via mod_ratelimit):

      <Location "/api/">

          SetOutputFilter RATE_LIMIT

          SetEnv rate-limit 500

      </Location>

      • Save the file.
 

Regular Security Audits & Vulnerability Scans

  • Conduct Routine Security Audits

    • Regularly review WHMCS logs to detect unusual activity.
    • Monitor for multiple failed login attempts that indicate brute-force attacks.

  • Use Security Scanning Tools

    • Use OpenVAS, Nessus, or other genuine tools to check for vulnerabilities.
    • Scan your WHMCS site for malware, outdated scripts, and misconfigurations.
 

Secure Server & Database

  • Restrict Database Access

    • Ensure MySQL/MariaDB databases are not exposed to the public internet.
    • Use a dedicated database user with limited privileges for WHMCS.
    • Disable remote database access unless required.

  • Regularly Backup Data

    • Create automated encrypted backups to an offsite location (e.g., Google Drive or locally secured storage).
    • Keep multiple copies of backups in case of ransomware attacks.
 

Monitor the Dark Web for Leaked Data

  • Use Dark Web Monitoring Services

    • Check if your users' credentials have been leaked using tools like:

      🔹 Have I Been Pwned

      🔹 SpyCloud or Dark Web ID

  • Act Immediately if Data is Found

    • If any WHMCS user credentials are found on the dark web, force password resets immediately.
    • Notify affected users and advise them to enable 2FA.
 

Educate Users & Staff on Security Practices

  • Train Employees to Prevent Phishing Attacks

    • Cybercriminals often trick employees into revealing admin login credentials.
    • Conduct regular training sessions to educate staff on identifying phishing emails, fake login pages, and suspicious attachments.

  • Inform Users About Account Security

    • Encourage customers to use strong passwords and 2FA.
    • Provide a security awareness section in WHMCS where users can learn best practices.
 

Respond to Data Breaches Immediately

  • Identify the Source – Check WHMCS logs to determine how the breach occurred.
  • Reset Admin & User Credentials – Force a password reset for all affected accounts.
  • Notify Users & Authorities—If user data is compromised, inform affected customers and comply with GDPR/PCI-DSS.
  • Patch Vulnerabilities – Apply security updates and additional protections to prevent future attacks.
  • Monitor for Further Threats – Monitor dark web reports to ensure leaked data is not being misused.

A dynamic security strategy is required to secure WHMCS users' personal information from Hackers and the dark web. Implementing these steps will ensure that your WHMCS system remains secure, reliable, and compliant with modern data protection standards.

Was this answer helpful? 0 Users Found This Useful (0 Votes)

Most Popular Articles

Open relays in RBLs :: SPAM databases

Open Relays in RBLs i.e. SPAM databases Open relays are email servers that are configured to...
How to reset FTP user password in cPanel?

You can change the FTP password from cPanel using the following steps: Step 1: Log in to cPanel....
How do I suspend/unsuspend a cPanel account via root SSH?

Suspending an account means the associated website is no longer visible online. Instead, visitors...
How to enable cPanel password reset in WHM?

The WHM control panel allows individual users to reset their cPanel password without logging into...
How to download MySQL database backup from cPanel?

You can download the compressed MySQL database backup from cPanel. You will need to perform the...