jeds Posted May 21, 2009

Hi,

After upgrading to 4.0, I have reviewed the steps for securing a new installation, bringing forth some questions:

From "securing your new installation" (or similar title):

1. Rename the file configuration.php.new to configuration.php

The upgraded installation has a blank configuration.php.new, while configuration.php has the entries from old installation per below. Should configuration.php.new be deleted?

2. chmod /configuration.php /attachments /downloads /templates_c to 777 (unless your php is suPHP or PHPSuExec) and move three folders "attachments", "downloads" and "templates_c" outside Public accessible folder tree

The new install has placed new copies back inside the whmcs, but the old ones still exist in the location I moved them to and have been chmod'd. As well, the new config file contains the paths as originally edited. Do I delete the new ones?

Finally, also at my host's forum it has been mentioned to password protect the admin folder from the control panel. It is password protected by default, is this necessary?

hightekhosting Posted May 21, 2009

jeds,

You can safely remove the configuration.php.new and the 3 folders from the install package that you download (in other words, don't worry about uploading them). WHMCS won't even know the difference.

Cheers,
Dale

merlinpa1969 Posted May 21, 2009

As far as securing the admin:

1. Rename the admin
2. Use htaccess deny all and then only allow the IP addresses of personnel allowed in the admin

HostBizLng Posted May 22, 2009

merlinpa1969,

If I would use .htaccess to deny all and allow only IPs of admins/staff allowed in the admin, then why would I even bother renaming the admin folder if only allowed IPs would be allowed in the admin?

I understand that it is an extra step toward ensuring security (and personally I wouldn't mind taking all possible steps), but I would appreciate any thoughts about my question above.

Sincerely,
Serg

Edited May 22, 2009 by HostBizLng

merlinpa1969 Posted May 22, 2009

Any level of security you can add is never a bad thing. Yes, renaming the admin looks like overkill, but we actually have a dummy admin that tracks and emails us anytime someone tries to access it.
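
An added example, not part of merlinpa1969's post or the thread: a log-based variant of the decoy admin idea, which scans Apache access-log lines for requests to the default /admin path coming from addresses outside the staff allow-list. The decoy path, the staff IP and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumptions (not from the thread): the real admin directory was renamed,
# the default /admin path is kept as a decoy, and staff connect from STAFF_IPS.
DECOY_PREFIX = "/admin"
STAFF_IPS = {"203.0.113.10"}

# Apache common/combined log format: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def is_decoy_path(path):
    """True for /admin and anything below it, but not /administrator or /admin2."""
    # Query string is ignored; comparison is case-insensitive so /Admin also counts.
    path = path.split("?", 1)[0].lower()
    return path == DECOY_PREFIX or path.startswith(DECOY_PREFIX + "/")

def decoy_hits(lines, staff_ips=STAFF_IPS):
    """Return {ip: [(timestamp, method, path, status), ...]} for non-staff decoy requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole scan
        if m["ip"] in staff_ips or not is_decoy_path(m["path"]):
            continue
        hits[m["ip"]].append((m["ts"], m["method"], m["path"], int(m["status"])))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [22/May/2009:10:01:02 +0000] "GET /admin/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [22/May/2009:10:01:09 +0000] "POST /admin/index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [22/May/2009:10:05:00 +0000] "GET /admin/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.44 - - [22/May/2009:10:07:41 +0000] "GET /clientarea.php HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
192.0.2.44 - - [22/May/2009:10:08:13 +0000] "GET /Admin?x=1 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, events in decoy_hits(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {len(events)} decoy request(s), first at {events[0][0]}")
```

The per-IP result can be fed to whatever alerting is already in place, such as a cron job that mails the summary.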

Jeren Posted May 22, 2009

> Any level of security you can add is never a bad thing. Yes, renaming the admin looks like overkill, but we actually have a dummy admin that tracks and emails us anytime someone tries to access it.

Does the dummy admin page look like a normal WHMCS admin login? I'm interested to see how you have that set up.

HostBizLng Posted May 22, 2009

merlinpa1969,

Haha, that's so clever. I will definitely implement it into our system.

Does someone have any other interesting security measures? Hmm ... this forum thread can be very interesting.

Sincerely,
Serg