TeleMagic Posted September 19, 2013

Hi guys. I have today noticed that a large part of the WHMCS site is available to download from my server if anyone knows the URL. For instance, any of my template files can be accessed, and the same goes for my modules. This poses a security issue, especially if a hacker can download and view the code for part of my site. Any idea? Can I put a .htaccess which denies access to all but the root directory? Or would this stop the site from working?

Regards

arhost Posted September 20, 2013

Move your download folder to outside of the publicly accessible folder tree on your account.

See: Further Security Steps http://docs.whmcs.com/Further_Security_Steps

TeleMagic Posted September 20, 2013 (Author)

I have had a look at this page; however, I am unsure how any of that will stop files in the modules and templates directory being readable?

Regards

SoluteDNS Posted September 20, 2013

On which access level are your files set (chmod)? Folders should not exceed 755 and files should not exceed 644.

chrismfz Posted September 20, 2013

Use this in your .htaccess for your template files:

    # Block direct requests for template source files
    <Files ~ "\.tpl$">
    Order allow,deny
    Deny from all
    </Files>

    # Block direct requests for configuration.php
    <FilesMatch "configuration.php">
    Order allow,deny
    Deny from all
    </FilesMatch>

For attachments, templates cache (template_c) and downloads this is enough: http://docs.whmcs.com/Further_Security_Steps

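The rules posted above use the Apache 2.2 access directives (`Order`, `Deny`), which on Apache 2.4 are only available when mod_access_compat is loaded. The following is an added example, not part of any post in this thread, that expresses the same two rules so they work on either version; it assumes the .htaccess file sits in the WHMCS web root and that `AllowOverride` permits these directives.

```apache
# Added example: same file patterns as the post above, written for both
# Apache 2.4 (mod_authz_core) and Apache 2.2.

# Apache 2.4: native authorization directive
<IfModule mod_authz_core.c>
    # Template source files
    <FilesMatch "\.tpl$">
        Require all denied
    </FilesMatch>
    # configuration.php, pattern kept as posted
    <FilesMatch "configuration.php">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2: mod_authz_core does not exist, so fall back to Order/Deny
<IfModule !mod_authz_core.c>
    <FilesMatch "\.tpl$">
        Order allow,deny
        Deny from all
    </FilesMatch>
    <FilesMatch "configuration.php">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
```

After deploying it, request a known template file by its direct URL and confirm the server answers 403 rather than returning the file contents.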