Increase your WHMCS security now

[zitu4life]

Hello

I was thinking a manner to increase WHMCS website security, find on google some tips for web security:

1- KEEP YOUR SOFTWARE UP-TO-DATE
2- ENFORCE A STRONG PASSWORD POLICY
3- ENCRYPT YOUR LOGIN PAGES - use SSL
4- USE A SECURE HOST Microsoft, google, amazon are technically capable to run WHMCS?
5- KEEP YOUR WEBSITE CLEAN (delete plugins, old modules that are not in use or uot of date)
5- BACKUP YOUR DATA
6- SCAN YOUR WEBSITE FOR VULNERABILITIES
7- HIRE A SECURITY EXPERT

Some of those advice's we all do, but I was thinking a way if WHMCS could be run on those cloud system like Amazon AWS or Microsoft Azure, or Google Computing to INCREASE SECURITY, or any other Advice shared from other in this community?

 

 

 

[Kian]

8- Further Security Steps
9- Auto-scan checksums but that's complicated

Edited August 29, 2019 by Kian

[brian!]

14 hours ago, zitu4life said:

1- KEEP YOUR SOFTWARE UP-TO-DATE

but don't rush to install a major version in it's first few days after release... *coughs*

give it a little time and test against your current setup thoroughly before updating a production server.

[zitu4life]

1 hour ago, brian! said:

but don't rush to install a major version in it's first few days after release... *coughs*

Sure!!! I learned with that mistake, it was first time I did that, wound not do that again!! ☺️ now i have my dev license to test
This community is helpful, I have learned a lot every day...reading all posts and also past years thread.

It is great has members able to help. I haven't opened any WHMCS ticket for some months, as soon as I started using this community.

Once again, appreciate all your help and advice's 😉

Edited August 30, 2019 by zitu4life

[DennisHermannsen]

3 hours ago, brian! said:

but don't rush to install a major version in it's first few days after release... *coughs*

We've learnt this the hard way yesterday...

My boss kept mentioning PSD2, so I quickly updated when I could. Now the cron job no longer completes - instead it keeps capturing credit card payments, but doesn't add it to WHMCS. We've already spent a good amount on refund fees 🤦‍♂️

 

[brian!]

1 hour ago, DennisMidjord said:

We've learnt this the hard way yesterday...

I warned users in July that this would happen (it does after every major v7 release)...

Edited August 30, 2019 by brian!

[zitu4life]

29 minutes ago, DennisMidjord said:

We've learnt this the hard way yesterday...

My boss kept mentioning PSD2, so I quickly updated when I could. Now the cron job no longer completes - instead it keeps capturing credit card payments, but doesn't add it to WHMCS. We've already spent a good amount on refund fees 🤦‍♂️

I guess WHMCS 7.8 comes with news complex futures at once, and some of them especially related to sensitive importance...I was comparing timeline regarding other WHMCS versions releases and you can see 7.8 is on average winning (overdue)...I guess they are working very hard, and we are on summer... not helps a lot, staff vocation, etc etc... 

For users it is great to have new wanted futures so it makes us, to update quickly...hope you overpass your issue soon...I guess they should delivered RC2 before general availability because we saw some amount of important post during pre-production. I am using v7.8 now, but not all sensitive future that released, so for now everything looks fine, actually there was a third module I am waiting v7.8, but i can leave without that until updates comes.

Edited August 30, 2019 by zitu4life

[zomex]

12 hours ago, brian! said:

but don't rush to install a major version in it's first few days after release... *coughs*

give it a little time and test against your current setup thoroughly before updating a production server.

Always good advice.  That's one thing I learned over time, to be patient and not rush to update as tempting as it is.

[Jafar Muhammed]

17 hours ago, brian! said:

but don't rush to install a major version in it's first few days after release... *coughs*

7.8 had something that pushed me to update.

I may not be doing this in future unless it is too needed to run my box.

[PatriaCo]

In 2014 a hacker broke into our cPanel on the server were we had WHMCS.  Worst two weeks of my hosting / network admin career!  We moved to AWS and set up a redundant architecture.  No more cPanel and no more unscheduled down-time.  🙂  I like sleeping at night.  😉  This year we took it up a level and now have WHMCS auto-scaling on AWS elastic beanstalk.  It does require some planning to make it work, but it is worth it.

[zitu4life]

21 hours ago, PatriaCo said:

In 2014 a hacker broke into our cPanel on the server were we had WHMCS.  Worst two weeks of my hosting / network admin career!  We moved to AWS and set up a redundant architecture.  No more cPanel and no more unscheduled down-time.  🙂  I like sleeping at night.  😉  This year we took it up a level and now have WHMCS auto-scaling on AWS elastic beanstalk.  It does require some planning to make it work, but it is worth it.

Hello  @PatriaCo can you please  explain more how you have WHMCS installed on AWS. I have past post  asking if we could have WHMCS on microsoft azure or google plataform, but no ones says a word.  
What is the way to have WHMCS  running on those platforms instead of cpanel?

[PatriaCo]

2 hours ago, zitu4life said:

Hello  @PatriaCo can you please  explain more how you have WHMCS installed on AWS. I have past post  asking if we could have WHMCS on microsoft azure or google plataform, but no ones says a word.  
What is the way to have WHMCS  running on those platforms instead of cpanel?

How familiar are you with AWS?  Are you interested in a redundant setup?  As a side note, Azure is much more expensive for smaller set ups.  We are Microsoft Partners and use Azure also.  I am not familiar with Google Cloud.  AWS has worked great for us for our WHMCS website.

Edited October 4, 2019 by PatriaCo
forgot a point

[zitu4life]

On 10/4/2019 at 1:34 PM, PatriaCo said:

How familiar are you with AWS?  Are you interested in a redundant setup?  As a side note, Azure is much more expensive for smaller set ups.  We are Microsoft Partners and use Azure also.  I am not familiar with Google Cloud.  AWS has worked great for us for our WHMCS website.

I have tested AWS free days and also when WHMCS introduces storage Amazon S3 I star using remote storage S3.

I just want my WHMCS running on  AWS. not all clients cpanel.

Your help could be just pointing the way, I will investigate more further.

Amazon has:

- Amazon VPC

- Amazon EC2

- Amazon RDS (database)

- Amazon S3

If there is a direct migration possible feel free to share too, or some website tutorial.

Thank youfor your time and help.

[string]

A web application firewall like mod_security is a must have. It can save your ass, especially with security holes in addons.
I've seen the simplest vulnerabilities in addons too many times, like LFI / RFI. A WAF can help block such attacks.