We need to talk about the "security warning" during an upgrade, WHMCS...

[DennisHermannsen]

I'm currently upgrading our last WHMCS installation to WHMCS 8.1.3. It's taking quite some time because of the changes to the tblemail table.
During all of the time (a period of 30+ minutes), everyone accessing our website is met with this message:

Since I've enabled maintanance before starting the upgrade, I surely wouldn't expect WHMCS to show anything but the maintanance message.
Also, why is WHMCS even broadcasting to every visitor that there's a /install folder present on the website? Everyone can access it by default (it requires no login) and thus everyone could mess everything up.

[xyzulu]

Isn't that message only shown on the admin page?

[DennisHermannsen]

No, it's shown for everyone accessing the site.

[Evolve Web Hosting]

Good points. For the time being, maybe update your .htaccess file to restrict access to the site to your IP only? Then remove the rule after the upgrade is completed and the install folder has been deleted. Not the best solution but it's something in the short term.

[steven99]

6 hours ago, evolve hosting said:

Good points. For the time being, maybe update your .htaccess file to restrict access to the site to your IP only? Then remove the rule after the upgrade is completed and the install folder has been deleted. Not the best solution but it's something in the short term.

Expanding on that, using rewrites to check the IP and rewrite to a maintenance file would allow access without a forbidden error shown to clients. 

RewriteEngine on
RewriteCond %{REMOTE_ADDR} !=1.2.3.4
RewriteRule ^(.*)$ /maintenance.html [R=301,L]

 

[bear]

You sure a 301 (permanently moved) redirect is the desired choice there? 302 would be temporary. 😉

[steven99]

Well, depends how long the maintenance window is. 😉

[DennisHermannsen]

We did end up disabling it through .htaccess - but my main concern is that WHMCS doesn't use the maintanance warning instead, and that they basically scream "HEY, THIS WEBSITE IS INSECURE!!! TRY GOING TO /INSTALL TO SEE FOR YOURSELF"... That could be handled a lot more nice.
Imagine if WHMCS also put up a public warning for each website that used en EOL version of PHP... 😅

Edited March 5, 2021 by DennisHermannsen

[brian!]

6 hours ago, DennisHermannsen said:

Imagine if WHMCS also put up a public warning for each website that used en EOL version of PHP... 😅

don't be giving them ideas... 😲

"thank you for contacting support - you'll either need to pay us $9.99 USD to remove the banner from your public site for 12 months... or alternatively, you can upgrade your version to a newer supported release." 🤑

[DennisHermannsen]

20 minutes ago, brian! said:

don't be giving them ideas... 😲

I'm fairly certain they're out of ideas already. In a month or so, there's going to be a new post to this thread with a message looking like this:
 

Quote

Hi @DennisHermannsen,

That is not something we have planned for WHMCS 8.x

However we welcome requests for new API commands online at http://requests.whmcs.com
Feel free to suggest this as a new idea for comment and voting upon by other WHMCS users.

The more votes an idea receives, the more likely it is to be considered by our development team for potential inclusion in a future feature update.

I can then see that the request get 1 or 2 upvotes because nobody uses that system unless they're referred to it... 😆

I don't get why everything has to be a feature request. Fixing something that's clearly broken shouldn't have to be requested.
But someone at WHMCS will obviously argue that it's by design 🤯

[yggdrasil]

This is why I always upload the installation folder last, then quickly do the upgrade and delete it. But at least in version 7.x this is not shown to visitors, only when you try to access the admin area.

Edited March 6, 2021 by yggdrasil