How to fix “Insecure Permissions Check” warning in WHMCS
Maintaining business systems can be really hard.
When it comes to billing software like WHMCS, security is a crucial aspect. You can’t take risks with sensitive information like customer data, credit card data, etc.
At Bobcares, our Dedicated Server Engineers periodically review and update all critical software to secure the information stored in it.
“Insecure Permissions Check” is one such security warning that we often fix when auditing WHMCS software.
Based on our experience in managing servers and providing support to web hosting providers, we’ve found that this error mainly occurs in cases such as:
- WHMCS upgrade
- License updates
- WHMCS migration
- New WHMCS install
Today, let’s see what this error means and how we fix this.
What is “Insecure Permissions Check” warning in WHMCS?
During server audits, we use the “System Health Status” tool to perform a series of security and configuration checks.
“Insecure Permissions Check” is one such security check that verifies the ownership and permission of WHMCS files.
If any mismatch is found, a warning message will pop up.
For example, let’s take the below warning message.
Insecure Permissions Check
Your configuration file is writable. This can be a security risk. We recommend setting the permissions to read only.
The following directories are owned by a different user from that which is executing WHMCS. This indicates a potentially insecure configuration: /home/username/public_html/crons
This warning shows that the file “configuration.php” is writable and WHMCS couldn’t locate the “crons” directory.
Therefore, this is identified as a potentially insecure configuration.
How to fix “Insecure Permissions Check” warning in WHMCS?
Now, let’s see how our Support Engineers fix this “Insecure Permissions Check” warning.
1. Correct the permission of configuration.php
The “configuration.php” file stores sensitive information like WHMCS license key, database logins, credit card encryption hash, etc.
The ideal permission for this file is 400.
With 400, only the owner of the file can read it; the group and other users cannot read, modify or execute it.
Our server admins check the permission of the file “configuration.php“. If higher permissions are noted, we correct them with the command:
chmod 400 configuration.php
Some systems require the permission to be 440 or 444 based on the server configuration.
In this case, we’ll first cross-check the server configuration and then assign the permissions accordingly.
2. Correct the cron directory location
The files within the directory “crons” must know where your WHMCS installation is located.
Similarly, the WHMCS installation must also know where to find the directory “crons”.
This process involves editing 2 files.
1. Open the file “config.php” in the directory “crons” and comment out the line “whmcspath“. Enter the complete path to your WHMCS installation.
$whmcspath = '/home/username/public_html/whmcs/';
The above example assumes cPanel is being used. Replace “username” with the username of your account and “whmcs” with your WHMCS installation root directory.
2. Open the file “configuration.php” in your WHMCS installation root directory and add the following line at the end of the file.
$crons_dir = '/home/username/whmcs_crons/';
Replace “username” with the username of your account and “whmcs_crons” with your custom cron directory.
WHMCS can now locate the custom cron directory.
Then, refresh your System health status page in WHMCS.
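To confirm both fixes from the command line before refreshing the page, the checks above can be scripted. This is an added example, not WHMCS or Bobcares code; the function names are hypothetical, it assumes GNU coreutils stat on Linux, and it treats the owner of the WHMCS root directory as the user that executes WHMCS.

```shell
#!/bin/sh
# Added example, not WHMCS code. Assumes GNU coreutils `stat` (Linux).
# Usage: check_whmcs_perms /home/username/public_html/whmcs /home/username/whmcs_crons

# True if file $1 has an active PHP assignment to variable $2 naming path $3.
has_path_setting() {
    grep -E "^[[:space:]]*[$]$2[[:space:]]*=" "$1" 2>/dev/null | grep -qF "$3"
}

# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_whmcs_perms() {
    root=${1%/}; crons=${2%/}; conf="$root/configuration.php"; rc=0
    [ -f "$conf" ] || { echo "MISSING $conf"; return 1; }
    [ -d "$crons" ] || { echo "MISSING $crons"; return 1; }

    # The page gives 400 as ideal, with 440 or 444 on some server setups.
    mode=$(stat -c '%a' "$conf")
    case $mode in
        400|440|444) ;;
        *) echo "PERMS $conf is $mode, expected 400 (or 440/444)"; rc=1 ;;
    esac

    # Assumption: the WHMCS root's owner is the user that executes WHMCS.
    root_owner=$(stat -c '%U' "$root")
    crons_owner=$(stat -c '%U' "$crons")
    if [ "$root_owner" != "$crons_owner" ]; then
        echo "OWNER $crons is owned by $crons_owner, WHMCS root by $root_owner"
        rc=1
    fi

    # Each side must point at the other: crons/config.php at the WHMCS
    # root, configuration.php at the crons directory.
    has_path_setting "$crons/config.php" whmcspath "$root" ||
        { echo "PATH \$whmcspath in $crons/config.php does not name $root"; rc=1; }
    has_path_setting "$conf" crons_dir "$crons" ||
        { echo "PATH \$crons_dir in $conf does not name $crons"; rc=1; }

    return $rc
}
```

Run it as the account user or as root, since a configuration.php set to 400 is readable only by its owner.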
WHMCS performs a series of security and configuration checks. “Insecure Permissions Check” is one such check. It checks the permission and ownership of WHMCS core files. If any mismatch is found, users will see a warning message in the System Health Status page. Today, we’ve seen the causes for this warning and how our Dedicated Server Engineers fix it.