indtg

Make sure you also update the link for your cronjob. See Configuration > Automation Settings for the updated link.

I don't think the wiki is listed in the clients area or in the manual so.... it happens.

Good catch guys. I knew there was something else I was missing.

The benevolent wiki strikes again. Good stuff.

BionHostStan, Post #13 has an example screenshot from the fake admin website.

LOL Ben, you're not the only one getting those emails....

How do you have it coded? Are you setting $ip=getenv(REMOTE_ADDR);? Have you disabled the getenv command in php.ini? (I ran into that issue earlier.)

Nick makes a point since the mobile version is not included by default. You may be able to limit access to the mobile site by checking User-Agent with .htaccess. And before I get any more hate mail, if you change the name of your admin directory, you will have to reissue your WHMCS license file. Renaming the admin folder does not "completely hose" your WHMCS installation. Read the wiki or ask before you accuse. You are responsible for your WHMCS installation... I am not.

We had to do this when we first installed WHMCS. The procedure we used was a little lengthy but was something to the effect of: First, add a new client in WHMCS ( Admin website --> Clients | Add New Client) Next, Go to Orders | Place New Order. Select your new client and check both "Don't Send Order Confirmation Email" and "Don't Generate Invoice", click Continue, and create the order. The order should be created and put into a pending state (depend on your config). Go to the pending order and uncheck the options (if present): Send to Registrar Send Confirmation Email Create Account Send Welcome Email If it is a hosting account, set the server, username, and password (if known). Then click Accept Order and you should get a "The order has now been successfully activated" message. Then we went into Clients, selected the client and went to Products/Services. There we adjusted the payment and billing cycle info to match up with our client's next due date. Make sure to "Save Changes". Adjustments were also made to the domain dates, payment, and billing cycle. It took a while but we initially only had 15 clients to move. Someone else may have a better/automated way.

In the admin website under Configuration | Products/Services, find and edit your hosting package. Make sure on the Pricing tab you have "Customers will be billed regularly for this item" selected and you have "Recurring" table filled out: e.g. Monthly Setup Fee: 10 Monthly Price: 3.95 Annually Setup Fee: 10 Annually Price: 47.40 (= 3.95 x 12 months - WHMCS does not automatically calculate this)

Very nice joe123! Can you add any type of error handling in case you are not able to get a proper ip to country match? Just for kicks, I tried your demo with proxify.com (remove all scripts unchecked) and both the state/region and country fields were blank. It works if you don't use an anonymous proxy though. I think this is just a result of there not being an ip to country match for whichever IP address proxify.com was using at the time. Looks and works great though.

In theory, a mobile version would follow the same principle. I can't speak to changing the folder of the mobile version since I haven't purchased that option (yet...) but I don't see why it wouldn't work. There might be a configuration option that needs to be added (see post #16 in this thread) but I don't know. The whole concept of the fake/spoofed admin website follows the principle that as long as the output to the browser is bang on, an automated script or person wouldn't know the difference* between the real admin site and the spoofed one. In a way, this is all security by obscurity but hey, if it keeps the "bad guys" busy and prevents a headache for me, it's all worth it. (*In theory at the moment)

Ben, I did a quick diff on the html output and there is a single line in login.php that needs to be changed to make the fake login.php match the legitimate one. Can you remove the "?saving=1" from line 35: <form method="post" action="dologin.php?saving=1" name="frmlogin">

Personal preference is mod_rewrite but I'll compromise. Add to .htaccess: ErrorDocument 404 https://www.yourdomain.com/PathToFakeAdmin/login.php :-D

Oh man, way too much work.... HAHA