Jump to content

Further security steps understanding VENDOR directory

Recommended Posts

Hello there

There is one Further security steps that I do not understand well.... 


Vendor Directory

WHMCS is distributed with a vendor directory ("/vendor"). This is a common directory for advanced scripts and applications, such as WHMCS, and is comprised of various common libraries. However, web servers should not serve file requests directly from this path. Only the controlling script or application should load these libraries in order to ensure appropriate context and prevent unexpected behavior.

Apache is the recommended web server software platform on which to run WHMCS. If you are using Apache, the .htaccess distributed by WHMCS in the /vendor directory should suffice. If you are running Apache and files remain accessible, then you will want to investigate if your Apache configuration has disabled the use of .htaccess files or if there is a parent configuration that is negating the directive in the provided .htaccess file.

While other web server technologies are not officially supported, we understand that some users do wish to run WHMCS in environments other than Apache. For those that do, you must ensure that files within the /vendor directory are not served based on your web server configuration.

If you are using NGINX as your web server, we have put together a general guideline to assist you and your system administrator here: Nginx Directory Access Restriction


My question is do I need to upload my existing used on admin folder .htaccess file to vendor directory too ? PS: I am not a developer of modules or neither using any others development API system, but if I just upload my .htaccess to there keep me safe, good, will do that even if do not understanding how it helps. My restriction by IP block admin access to all IP outside my country, and there is no available VPN out-there giving you access to my public country IP.


Link to comment
Share on other sites


In most cases you should not need to make any changes. Only using certain servers/configurations will require you to make changes.

Whatever you do, don't replace or edit the .htaccess file found in whmcs_path/vendor/.htaccess

This file will block access to any directory or file within /vendor/

The .htaccess should contain:

Deny from all

Don't replace it with any file or edit the file as it would make your installation insecure.

To test whether your /vendor/ directory is secure as per WHMCS's default setup you should try and visit a directory and file using your browser e.g:



You should see a 403 forbidden error when visiting the above URLs (replaced with your domain/WHMCS path).  If you don't I would recommend submitting a ticket to WHMCS.

Link to comment
Share on other sites

1 hour ago, zitu4life said:

Many thanks @zomex it now get clear😊

I did not changed it, and I got that message.


So now I understand all Further security steps, and also have off them implemented.👍


Happy to help.

But I would double check your URL, the 404 error is not what would be expected. If in doubt it would be best to submit a ticket to WHMCS and have them verify that your vendor access is correctly restricted.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated