Introduction
Welcome to another part of our WHMCS General Settings tutorial. This tutorial will review another tab from the General Settings, namely, the “Security” tab. While performance is regarded as the most sought-after metric for websites or CRMs, security should not be underestimated. Poor security could lead to problems that affect not only your sales but also your customers’ welfare. In the “Security” tab, you can configure various settings that will boost both your WHMCS and your customers’ safety, giving you peace of mind when running your web hosting business.
Of course, WHMCS has plenty of configuration choices under the General Settings, and we will examine them in the rest of our WHMCS tutorials in the series.
Getting Started
To access the General Settings, please log in to your WHMCS admin area. After you log in, please look at the top right corner, where you will see the wrench icon. Please click on it, and then click on the "System Settings" option from the revealed icons.
This action will redirect you to the "System Settings" page, where you will see all the available WHMCS settings.
To access the "General Settings," please click on the "General Settings" content box, which will be the first option under the "All Settings" title.
Security Tab
To access the "Security" tab, please click on the "Security" tab on the right side of the "Affiliates" tab. This tab will allow you to set up and configure security-related features for WHMCS.
Let's check out each option separately and figure out what they do.
- Email Verification - Please use this tickbox to enable Email Verifications. This feature will prompt users to verify their email address when they sign up or attempt to change it.
- Captcha Form Protection - Please use this radio button to define the captcha's behavior based on the user's status (logged in or logged out). We recommend selecting the second option, "Off when logged in", as logged-in clients are already verified, and constantly showing captchas could prove tedious.
- Captcha Type - Please use this radio button to select the Captcha type:
  - Default (6-Character Verification Code)
  - reCAPTCHA v2 (Google's reCAPTCHA system)
  - Invisible reCAPTCHA
- Captcha for Select Forms - Please use the available checkboxes to define where you want the captcha to appear for visitors.
- Auto-Generated Password Format - Please use this radio button to set the auto-generated password format:
  - Generate passwords containing a combination of letters, numbers, and special characters (Default)
  - Generate passwords containing a combination of letters and numbers only
- Minimum User Password Strength - Please use this checkbox to define the minimum password strength a customer can select. We recommend setting this value to at least 50 to ensure that your clients choose strong passwords.
- Failed Admin Login Ban Time - Please use this tickbox to define the time (in minutes) in which WHMCS will ban a user after three failed login attempts. If the value is 0, this feature will be disabled.
- Whitelisted IPs - Please use this content box to enter the IPs you want to exempt from being blocked by the functionality above.
- Whitelisted IP Login Failure Notices - Please use this checkbox to enable email notices for whitelisted IP login failures. Such a notice may indicate that a whitelisted IP has been compromised, so this is an excellent option to enable.
- Disable Admin Password Reset - Please use this tickbox to disable admin password reset on the admin login form.
- Delete Encrypted Credit Card Data - Please use the red "Delete" button to irreversibly purge all locally-stored credit card encrypted data from the database.
- Delete Encrypted Bank Account Data - Please use the red "Delete" button to irreversibly purge all locally-stored bank account encrypted data from the database.
- Allow Client Pay Method Removal - Please use this checkbox to allow/prevent customers from removing their credit cards from the client area on their own. We highly recommend enabling this option, as clients may get irritated when they cannot find the option to do so.
- Disable Session IP Check - Please use this tickbox to disable/enable IP session checks for logged-in users. This feature is handy for customers that use dynamic IP addresses. If that is the case, they may get logged out regularly due to IP changes, and disabling this setting will prevent such behavior.
- Allow Smarty PHP Tags - Please use this radio button to disable/enable {php} tags. As of WHMCS v6, this is disabled by default for security reasons, but if you require this enabled, you can do so via this option.
- Proxy IP Header - Please use this text field to configure the HTTP header used by WHMCS to find the IP address that is the authoritative IP address for the request.
- Trusted Proxies - Please use the "Add IP" green button corresponding to this setting to add and allow Trusted Proxies. These settings will enable you to enumerate IP addresses or IP ranges for proxies or other forwarding services. That way, WHMCS can accurately determine the IP address of inbound traffic. This functionality is very niche, and we recommend keeping it disabled unless you fully understand it and absolutely need it.
- API IP Access Restriction - Please use the "Add IP" green button corresponding to this setting to add and allow IPs that may use the WHMCS APIs from a remote server.
- Log API Authentication - Please use this checkbox to enable or disable logging for API requests that require authentication from the admin area.
- CSRF Tokens: General - Please use this radio button to enable or disable CSRF tokens. This security feature prevents attackers from forging form submissions (POST requests) on behalf of a logged-in user in order to reach areas of the website they should not.
- CSRF Tokens: Domain Checker - Please use this radio button to disable or enable CSRF tokens for the domain checker. When enabled, admins can send domain information to WHMCS from external sources. An example is if you have a domain checker functionality on your website.
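The "Proxy IP Header" and "Trusted Proxies" settings above work as a pair, and the following added example (not WHMCS code and not part of the original tutorial) shows the usual logic behind such a pair: the forwarding header is believed only when the connection itself comes from a listed proxy. The function name, the `X-Forwarded-For` header choice and all addresses are assumptions made for the illustration; WHMCS's own resolution logic may differ.

```python
import ipaddress

def resolve_client_ip(remote_addr, headers, trusted_proxies,
                      proxy_header="X-Forwarded-For"):
    """Return the address to use for bans, whitelists and logs (hypothetical helper)."""
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in trusted)

    # A header sent by an untrusted peer is attacker-controlled: ignore it.
    if not is_trusted(remote_addr):
        return remote_addr

    hops = [h.strip() for h in headers.get(proxy_header, "").split(",") if h.strip()]
    candidate = remote_addr
    # Walk from the hop nearest to us towards the client; the first address
    # that is not one of our proxies is the authoritative client address.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        candidate = hop
        if not is_trusted(hop):
            break
    return candidate

def demo():
    """Constructed sample requests; every address is a documentation or private range."""
    proxies = ["10.0.0.0/8"]
    return {
        # Direct visitor forging the header to dodge a login ban.
        "spoofed_direct": resolve_client_ip(
            "203.0.113.7", {"X-Forwarded-For": "198.51.100.1"}, proxies),
        # Genuine request relayed by a trusted proxy.
        "via_proxy": resolve_client_ip(
            "10.0.0.5", {"X-Forwarded-For": "198.51.100.23"}, proxies),
        # Client prepended a fake hop; only the proxy-appended part is believed.
        "prepended_fake": resolve_client_ip(
            "10.0.0.5", {"X-Forwarded-For": "192.0.2.9, 198.51.100.23, 10.0.0.9"},
            proxies),
        # No trusted proxies configured: the header is never consulted.
        "no_proxies": resolve_client_ip(
            "203.0.113.7", {"X-Forwarded-For": "198.51.100.1"}, []),
    }

if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:15} -> {ip}")
```

The practical consequence for the settings on this page: a proxy range that is too broad lets any host inside it choose the IP address that the login ban and the whitelist are evaluated against.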
Once you have chosen the desired settings on this page, please click on the blue “Save Changes” button located at the bottom of the page. Otherwise, please click the grey “Cancel Changes” button on the right side of it to revert them.
This ends our summary of the configuration options under the WHMCS “Security” tab. We hope that our settings overview and suggestions were helpful and you were successful in improving the security of your WHMCS.
Conclusion
Please follow our next tutorial in line, which will go through the “Social” tab. Spreading the word about your service is a very good way of attracting more customers, and social networks are the perfect instrument to do so. The “Social” tab will help you configure various social media links inside your Client Area.