WHMCS with WordPress


Auswide

Strapping myself in for all the flaming LOL
Still very much a work in progress and have already discovered a few things to change and refine...
I started building my site with WordPress long before looking into WHMCS. When I discovered this great platform, I wanted to try to blend the two together as best I could.
After researching a lot of posts here and Google (Google is our friend lol) I set about the task.
Main site: https://auswidehosting.com
WHMCS: https://auswidehosting.com/accounts
 

Don't actually need to know the different links as they are both linked via the menu system.

As mentioned.. I know there is still quite a lot to edit and refine as far as my custom CSS goes, and I know there are also pages that can be improved.

But... Happy to hear everyone's thoughts 🙂

Cheers
Paul


So you have WP and WHMCS on the very same hosting ... bad, very bad.
Keep WP as far as possible from WHMCS.
Different hosting space, different IP, if possible different server too.
Best solution is:
Main site: https://auswidehosting.com
WHMCS: https://accounts.auswidehosting.com

And (most important!!!!) never, never, never share the same db!!!!!
Use two different db... and if WP for any reason needs to access data from WHMCS, use a third db in which you copy just the data needed from WHMCS, and on which WP has read-only permissions.


4 hours ago, Remitur said:

So you have WP and WHMCS on the very same hosting ... bad, very bad.
Keep WP as far as possible from WHMCS.
Different hosting space, different IP, if possible different server too.
Best solution is:
Main site: https://auswidehosting.com
WHMCS: https://accounts.auswidehosting.com

And (most important!!!!) never, never, never share the same db!!!!!
Use two different db... and if WP for any reason needs to access data from WHMCS, use a third db in which you copy just the data needed from WHMCS, and on which WP has read-only permissions.

Hi Remitur,

Constructive feedback is always welcome but could you validate your comments?

Bad in what way?

And if it was that bad, why does practically every tutorial use this very method to install?

And if it's that bad then a sub domain would be no better.

Of course they use totally separate databases.

All I have done is manipulated a copy of the six template / CSS to appear the same as my WordPress install.


On 11/19/2018 at 5:41 PM, Auswide said:

Bad in what way?

Security.

Having your main site on https://auswidehosting.com and WHMCS on https://auswidehosting.com/accounts means that WP and WHMCS stay in the very same space: WHMCS is just in a subdirectory in which WP is installed.
So, WP has full access to that directory (and to WHMCS's configuration.php file, where WHMCS's db credentials are stored...), and any malicious code may be injected in...

The point is that WP is usually reasonably sure, but it powers (it seems) something like 30% of web sites in the world... so it's a really tasty dish for any cracker in the world.
Thousands of people constantly study how to violate WP or some plugins, and when they finally find a way, then thousands of BOTs are ready to use this new vulnerability...

See, i.e., what happened a few days ago with the WP GDPR Compliance plugin: https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/

In a few hours thousands of WP sites have been violated.

Had you used it for your site, in the most fortunate hypothesis you would have found both the installations (WP and WHMCS) infected by a BOT.
At worst, however, a human cracker could enter and do whatever he wanted: recover the cpanel or plesk credentials of all your users, inject a script to retrieve the authinfo of all your domains, create a user with an unlimited credit and start registering domains without paying for them, and various other nightmares ...

 

Edited by Remitur
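Added example (not part of any post in this thread, and not WHMCS or WordPress code): a shell check for the layout described in the post above, reporting whether the WHMCS directory sits inside the WordPress document root and whether configuration.php shares an owner with wp-config.php. The function names, finding labels and the paths passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example: report how isolated a WHMCS install is from a WordPress install.
# Function names and finding labels are hypothetical; wp-config.php and
# configuration.php are the config files WordPress and WHMCS use.

# Numeric owner of a file, read portably from `ls -ldn` (third field).
owner_uid() { ls -ldn "$1" | awk '{print $3}'; }

# audit_isolation WP_ROOT WHMCS_ROOT
# Prints space-separated findings; returns 0 if none, 1 if any, 2 on bad input.
audit_isolation() {
  wp_root=$(CDPATH= cd -- "$1" 2>/dev/null && pwd -P) || return 2
  whmcs_root=$(CDPATH= cd -- "$2" 2>/dev/null && pwd -P) || return 2
  wp_cfg="$wp_root/wp-config.php"
  whmcs_cfg="$whmcs_root/configuration.php"
  [ -f "$wp_cfg" ] && [ -f "$whmcs_cfg" ] || return 2
  findings=""

  # NESTED: WHMCS lives inside the WordPress document root (symlinks resolved),
  # e.g. example.com/accounts under example.com.
  case "$whmcs_root/" in
    "$wp_root"/*) findings="$findings NESTED" ;;
  esac

  # SAME_OWNER: both configs belong to one account, so PHP running as that
  # account for WordPress can read the WHMCS DB credentials even at mode 0400.
  if [ "$(owner_uid "$wp_cfg")" = "$(owner_uid "$whmcs_cfg")" ]; then
    findings="$findings SAME_OWNER"
  fi

  # LOOSE_MODE: any group/other permission bit set on configuration.php.
  mode_go=$(ls -ldn "$whmcs_cfg" | cut -c5-10)
  [ "$mode_go" = "------" ] || findings="$findings LOOSE_MODE"

  findings=${findings# }
  printf '%s\n' "$findings"
  [ -z "$findings" ]
}

# Usage: sh audit.sh /path/to/wordpress /path/to/whmcs
if [ "$#" -eq 2 ]; then
  audit_isolation "$1" "$2"
fi
```

Moving WHMCS to a subdomain inside the same hosting account clears NESTED but not SAME_OWNER; only a separate account or server clears both.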

oO

Hi @Remitur please don't forget to unplug yourself from the bad bad Internet 😂

There is almost never 100% protection and this is not due to Wordpress.
Sure it is the most common CMS but to demonize it right away is the wrong way.
There are numerous ways to secure a Wordpress instance. 
Also WHMCS recommends further security precautions and I am sure > 60% have not implemented them.

https://docs.whmcs.com/Further_Security_Steps

No matter if Wordpress or whmcs it is recommended to keep the number of addons to a minimum. 

Just my 5 ct.

Have a nice Day

Christian

 


22 minutes ago, wp4all said:

oO

Hi @Remitur please don't forget to unplug yourself from the bad bad Internet 😂

There is almost never 100% protection and this is not due to Wordpress.
Sure it is the most common CMS but to demonize it right away is the wrong way.
There are numerous ways to secure a Wordpress instance. 
Also WHMCS recommends further security precautions and I am sure > 60% have not implemented them.

https://docs.whmcs.com/Further_Security_Steps

No matter if Wordpress or whmcs it is recommended to keep the number of addons to a minimum. 

Just my 5 ct.

Have a nice Day

Christian

 

But he's right.

Having WP and WHMCS on the same hosting package is like shooting yourself in the foot. Here we're not talking about securing WP and WHMCS individually. The question is that if someone manages to upload a backdoor in WP, he can easily navigate to your WHMCS, get your database, domains, servers etc. Here is why you should keep systems separated. This way if someone cracks your WP he can destroy your WP but not WHMCS.


I don't think that's a question of right or wrong.

3 minutes ago, Kian said:

The question is that if someone manages to upload a backdoor in WP,

And I tried to explain it doesn't matter because if you upload a backdoor by an addon to WHMCS you will have the same effect.

That would be equivalent to not hosting more than one customer per server because if the host system got hacked all customers are affected.

The only question is where do you want to start and where do you want to stop.

I think we could have a basic discussion on this from several sides and will never get a consensus opinion.

My next 5ct

Christian


57 minutes ago, wp4all said:

And I tried to explain it doesn't matter because if you upload a backdoor by an addon to WHMCS you will have the same effect.

WHMCS is slightly more difficult to break than Wordpress, for a number of different reasons:

  • it's much less common than Wordpress (let's say: one WHMCS site for every 10.000 Wordpress sites?), and so knowledge about it is less common, also in the cracker planet
  • it's encrypted, and so it's not so easy to analyze the code looking for vulnerabilities
  • if there's a new exploit on WHMCS, this will be known to a single cracker/hacker, to his victim and to WHMCS's guys. If there's a new exploit on Wordpress, you'll find details about it a few hours later using Google

But, if you want, let's assume that WordPress is as safe as WHMCS...
So, you install both of them in same space, and secure both of them independently.
And the issues begin, because you'll need to find a way to insert in the same .htaccess different policies, and it may be that there will be conflicts... but you study, waste a lot of time, and find a way to do it.

And, at least, you have WP and WHMCS in the same space.

What's the result?

You spared a hosting account, but have a system which has doubled the possibility to be exploited.

If you install Joomla too, 3x. 😄

The basic rule of security is: keep services as separated and as independent as possible.

For WHMCS + WP it's very easy to do so, and very cheap or no cost at all... and so, what's the real reason to keep them together? To spare a cPanel account?!?!


   


1 hour ago, Remitur said:

WHMCS is slightly more difficult to break than Wordpress, for a number of different reasons:

  • it's much less common than Wordpress (let's say: one WHMCS site for every 10.000 Wordpress sites?), and so knowledge about it is less common, also in the cracker planet
  • it's encrypted, and so it's not so easy to analyze the code looking for vulnerabilities
  • if there's a new exploit on WHMCS, this will be known to a single cracker/hacker, to his victim and to WHMCS's guys.

Can't say I agree with this.
Though WHMCS is installed on less sites, it's a FAR more valuable target for serious hackers, unless you count using WP to gain access to a server that also has that on it. As for encryption, that's breakable, at least to machine code, so not a full preventative. And as far as the exploit code being known to a single hacker, the victim and WHMCS? Hackers brag. They also sell valuable exploits they've found. If one discovers a way into WHMCS installations, they're going to sell that, and easily. It might not be until it's reasonably widespread that WHMCS learns of it and takes action. 
Thankfully the codebase these days seems to be pretty tight and there don't seem to be any known exploits, but that doesn't mean there isn't one out there someone's found and is quietly using/selling. It's the nature of software, especially once the code gets really large.


@wp4all Considering that the vast majority of backdoors have been crafted to hack the most popular CMS (eg. Wordpress, Joomla, Drupal...), why should you take this unnecessary risk? I'm not saying that Wordpress sucks regarding security but lamers focus their efforts in hacking the most used and popular system so that they can get more in return. Not to mention that people tend to update their crucial platforms like WHMCS as frequently as possible. Wordpress is not crucial therefore people are more willing to skip updates because who cares? Losing news, blog posts is not a big deal.

That said, since Wordpress installations are intrinsically less secure, what's the point of making your WHMCS bullet-proof when lamers can simply enter from Wordpress skipping all your security measures?


On 11/22/2018 at 9:55 PM, Remitur said:

To spare a cPanel account?!?!


   

Amongst other reasons... Yes.

Most startup resellers like myself will only have limited resources so using them all for 1 site strangles any chance I have of succeeding.

I have a reseller account with a total of 25 domains so using 2 straight up leaves me with 23 to earn find from.


Even if I agree with the potential security issues, it's installed... It took me bloody ages to learn all the steps needed to get it running lol.

To move it now means starting again?

Or is it possible to move it to a sub domain without a reinstall? (I doubt it)
