There are additional precautions you can take to secure your installation of WHMCS. While we recommend additional layers of security to protect your server and website, we can only offer these suggestions to point you in the right direction. For technical support regarding these extra security measures, see the WHMCS website.
Malicious users who visit your Website and recognize a WHMCS installation might know that they can try logging into your admin area through the /admin/ directory path. To protect against this, you can rename the admin directory. If you do this, add the following line to your configuration.php file:
NOTE: If you have already created a cron job, you need to update the path on the cron command as well. For example,
php -q /home/username/public_html/whmcs/myadminfoldername/cron.php
(where username is your Reseller Hosting User Name, and myadminfoldername is the new admin directory name).
The attachments, downloads, and templates_c folders need to be writeable by WHMCS, and therefore require the permissions 777 (writeable by all). When folders have this permission level it is safer to place the folders outside of the publicly accessible folder tree on your website.
If you choose to move the folders, then you must tell WHMCS where they are located by adding the following lines to the configuration.php file:
In the above example, username is the Reseller Hosting username and the three folders are located in the home directory — above the public_html directory.
Add a second layer of protection to the admin directory by setting up .htaccess password protection. You can do this with the Password Protect Directories option in cPanel. Remember to keep your .htaccess username and password distinct and unique. You can use the Random Password Generation feature in cPanel to help.