My clients can use any password to login

[BobSterner]

I am running WHMCS 6.3.1 and the problem I am seeing with my installation is that my clients can login with any arbitrary string of text as the password. I am gone through all the security measures suggested and even reinstalled WHMCS multiple times and on different hosting providers, but the issue still persists. What should I do to prevent this?

[brian!]

are you already logged into the Admin Area and then trying to login to the client area as the client ? if so, what you're seeing is normal... admins can do this.

 

however, if you're not logged in as an admin and when trying to log into the client area, you can just use any password string, then this isn't correct - and you should probably open a ticket with support to investigate.

[steven99]

Since you mention your clients can do this, it sounds like there might be a loginshare hook being fired that is returning a "true" value to allow the login. What happens when you give an invalid user name? http://docs.whmcs.com/Hooks:ClientLoginShare Check modules for any that may use the loginshare and any hooks in include/hooks. If this is not the case, then open a support ticket with WHMCS.