How to Secure Your WHMCS Directories


Now that we’ve seen how to install WHMCS on our own server, we have to secure our setup to keep it safe from hackers. One of the first steps recommended on the WHMCS site itself is moving the writable directories to a “non-browsable” section of our website. Specifically, three folders included along with the WHMCS installation require full “777” permissions for write access. Since the subfolders within our installation are browsable, it’s advisable to shift these three to a place where other people cannot access them. These three folders are “templates_c”, “attachments”, and “downloads”. If you browse to your WHMCS installation, you’ll find them in the first level itself.

But it’s not as simple as just changing the location. You also need to inform the installation about the location of the new files as well as ensure that the proper permissions are applied. We do this via the configuration.php file that we created during the initial install. Let’s look at how to do this from start to finish.

Moving the Three Folders

Log into your cPanel account, click the “File Manager” icon and select the “public_html” directory as the starting point. From here, navigate to the WHMCS installation folder – in my case, it’s simply called the default “whmcs”. Over here, locate the three directories as shown in the screenshot below.

three folders to move

Let’s start off by checking the permissions on these three. Hold down the “Ctrl” key, click each one of them, and then right-click. This brings up a menu that includes a “Change Permissions” option.

right click to change permissions

In the resulting dialog box, make sure that every check box is ticked – those for the User, Group, and World. This should transform the permissions structure into “777”.

777 permissions

Save these permissions, and now we are ready to migrate these folders into the root directory.

Once again with all three folders selected, right-click and choose the “Move” option. For the new location, I’m going to select the root directory, the one just above “public_html”. In the resulting dialog box, enter the path as shown below.

move the folders to root

Since you will already be within the installation directory, you just need to cut off the last level. Once you confirm your selection, the files will be moved to the new location.

Changing the Configuration

While we’ve made the changes to the folder locations manually, WHMCS itself doesn’t know anything about it. It will continue to search for these folders in the default location and throw up an error when it doesn’t find them. We need to specify the new location via the configuration.php file as shown here.

 code editor

With it selected, click the “Code Editor” icon near the top. This will allow us to modify the file on the server itself without having to download it and upload it again. I don’t mind doing this since it’s a minor change. But for bigger ones, you might feel more comfortable taking a backup first. The configuration.php file is simply a list of variables between the standard PHP tags. Just before the closing tag, add the following three lines:

$templates_compiledir = "/home/[bhagwad]/public_html/templates_c/";
$attachments_dir = "/home/[bhagwad]/public_html/attachments/";
$downloads_dir = "/home/[bhagwad]/public_html/downloads/";

Replace “[bhagwad]” in the lines above with your cPanel username – the one you used to install WHMCS in the first place. Here’s what my final configuration.php file looks like:

add the new locations

Keep in mind that the instructions given here are slightly different from the official ones on the WHMCS website, specifically the file paths shown above. You can check if everything is working properly by visiting the WHMCS admin page. If it loads properly, you’re good to go; otherwise, something’s wrong.
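
A loading admin page only shows that WHMCS found the folders. The script below, an added example that is not part of the original post or of WHMCS, reads the three variables from configuration.php and reports whether each directory resolves to a path inside the web root, where it would still be reachable from a browser. The function names and the sandbox layout built by demo are hypothetical, and the web root is assumed to be public_html as on a cPanel account.

```shell
#!/usr/bin/env bash
# Added example, not WHMCS code: check where configuration.php points the
# three writable directories relative to the web root.

# Print the string assigned to PHP variable $2 in config file $1 (last wins).
cfg_value() {
    sed -n -E "s/^[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*[\"']([^\"']*)[\"'][[:space:]]*;.*/\1/p" "$1" | tail -n 1
}

# Classify directory $1 against web root $2, comparing symlink-resolved paths.
classify_dir() {
    local real_dir real_root
    [ -d "$1" ] || { echo MISSING; return; }
    real_dir=$(cd "$1" && pwd -P)
    real_root=$(cd "$2" && pwd -P)
    case "$real_dir/" in
        "$real_root"/*) echo WEB_ACCESSIBLE ;;
        *)              echo OUTSIDE_DOCROOT ;;
    esac
}

# Audit config $1 against web root $2; returns 0 only if all three are outside.
audit_whmcs_dirs() {
    local var dir status rc=0
    for var in templates_compiledir attachments_dir downloads_dir; do
        dir=$(cfg_value "$1" "$var")
        if [ -z "$dir" ]; then
            status=NOT_SET   # WHMCS keeps using the folder inside the install
        else
            status=$(classify_dir "$dir" "$2")
        fi
        [ "$status" = OUTSIDE_DOCROOT ] || rc=1
        printf '%-22s %-16s %s\n' "$var" "$status" "${dir:-default}"
    done
    return "$rc"
}

# Constructed sandbox: one directory above the web root, one inside it,
# and downloads_dir left unset.
demo() {
    local box cfg rc=0
    box=$(mktemp -d); cfg="$box/public_html/whmcs/configuration.php"
    mkdir -p "$box/public_html/whmcs" "$box/public_html/attachments" "$box/templates_c"
    printf '<?php\n$templates_compiledir = "%s/templates_c/";\n' "$box" > "$cfg"
    printf '$attachments_dir = "%s/public_html/attachments/";\n' "$box" >> "$cfg"
    audit_whmcs_dirs "$cfg" "$box/public_html" || rc=$?
    rm -rf "$box"; return "$rc"
}

if [ "$#" -eq 2 ]; then audit_whmcs_dirs "$1" "$2"; else demo || true; fi
```

Given two arguments (the path to configuration.php and the web root), it audits a real installation and exits non-zero unless all three directories are outside the web root.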

This is just one of several steps required to secure our WHMCS installation. But it’s one of the important ones. We’ll be looking at more steps in later articles.
