7 proven ways to secure WHMCS from hackers, malware and vulnerabilities
Bobcares.com provides outsourced hosting support to web hosts. Part of our services involve hardening critical web hosting apps such as WHMCS to prevent hacking, malware infection and vulnerability exploits.
Over the past 10 years we’ve seen several WHMCS exploits that steal sensitive customer data, redirect payment accounts, and more. Today, we’ll go through the top 7 security practices that helped us secure WHMCS against all these attacks in our customer servers.
1. Prevent exploits by lightning fast security patching
Security researchers constantly find vulnerabilities in every popular software product, and WHMCS is no exception. So we monitor security channels round the clock, so that we become aware of a new WHMCS vulnerability or exploit as soon as it is disclosed.
When a new vulnerability is found, we patch WHMCS within a few minutes by:
- Applying the official patch (if available), or
- Using a web server work-around (e.g. a mod_security rule) that blocks the requests used to trigger the vulnerability.
The key here is speed. Most mass exploits happen via automated means. It takes botnet masters a few hours to build and deploy a mass exploit tool. So, we make it a point to update our customers' servers within that window, so that the exploits fail.
2. Block attacks by using a web application firewall (WAF)
WHMCS exploits usually employ common attack methods such as SQL injection, Remote File Inclusion, etc.
It is possible to detect and block an attack by checking whether a request matches any of the common attack patterns. For this, we use Web Application Firewalls (WAFs) such as mod_security, NAXSI, etc. We use them to:
- Block common attack methods like directory traversal, remote file inclusion, and more.
- Write custom rules that block HTTP requests that try to exploit a vulnerable function.
To be effective, the WAF rule set should be constantly updated with the latest attack signatures from Comodo, OWASP, etc. However, some of these signatures could block legitimate users. So, we periodically review new rules from these channels, test them for proper functioning, and only then update the rules database.
3. Defuse exploits by changing default WHMCS settings
Almost all WHMCS attacks are automated, where hackers use a central attack server to send exploits to thousands of WHMCS sites simultaneously.
These attacks assume the default WHMCS settings to run their exploits.
So, an easy solution we use is to change all critical default settings in WHMCS. Some of these are:
- Change the name of the admin directory from “admin” to something else.
- Limit the database user's permissions to DELETE, INSERT, SELECT, UPDATE and LOCK TABLES.
- Limit the IPs that can access the admin area to staff IPs only.
- Write-protect the configuration file, and move it to a location outside public_html.
- Move the attachments, downloads and templates directories outside public_html.
- Auto-scan new file uploads for malware using anti-virus scanners such as ClamScan, LMD, etc.
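The following POSIX sh audit is an added example, not Bobcares' own tooling: it checks an install against the default-setting changes listed above (stock admin path, data directories under the web root, location and write-protection of the configuration file). It assumes the stock directory names admin/, attachments/, downloads/ and templates_c/ and a configuration.php; adjust these to your install.

```shell
#!/bin/sh
# Audit a WHMCS install for the hardening steps listed above.
# Usage: whmcs_audit /var/www/public_html /etc/whmcs/configuration.php
# Exit status is the number of findings, so it can run from cron.

findings=0
note() { echo "FINDING: $1"; findings=$((findings + 1)); }

whmcs_audit() {
  root="${1%/}"; config="$2"; findings=0

  # Automated exploits try the stock "admin" path first.
  if [ -d "$root/admin" ]; then
    note "stock admin/ directory still present"
  fi

  # Writable data directories should not sit under the document root
  # (assumed stock names: attachments, downloads, templates_c).
  for d in attachments downloads templates_c; do
    if [ -d "$root/$d" ]; then
      note "$d/ still inside the web root"
    fi
  done

  # The config file must live outside the web root ...
  case "$config" in
    "$root"/*) note "configuration.php is inside the web root" ;;
  esac

  # ... and be read-only. The mode string from ls is used rather than
  # 'test -w', because root can always write and would mask the problem.
  if [ -f "$config" ]; then
    mode=$(ls -ld "$config" | cut -c1-10)
    case "$mode" in
      *w*) note "configuration.php is writable ($mode)" ;;
    esac
  else
    note "config file $config not found"
  fi

  echo "$findings finding(s)"
  return "$findings"
}

if [ $# -eq 2 ]; then
  whmcs_audit "$1" "$2"
fi
```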