Difference between revisions of "Security Tab"

From WHMCS Documentation

(Captcha Form Protection)
(Required Password Strength)
Line 4: Line 4:
 
===Required Password Strength===
 
===Required Password Strength===
 
Set to 0 to disable the password strength checker on the order form. Ensure your clients enter strong passwords by setting this to 50; use a higher number to force even more secure client area passwords.
 
Set to 0 to disable the password strength checker on the order form. Ensure your clients enter strong passwords by setting this to 50; use a higher number to force even more secure client area passwords.
 +
 +
For a password strength of 90 the user would be required to enter at least 3 numbers, 2 lowercase & 3 uppercase letters and 3 special characters. More detailed information can be found by reviewing the includes/jscript/pwstrength.js file.
  
 
===Failed Admin Login Ban Time===
 
===Failed Admin Login Ban Time===

Revision as of 17:57, 9 December 2010

Captcha Form Protection

Requires GD2 on your server. Also known as image verification; shows an image containing 5 characters that your clients will be required to enter to register or submit a support ticket when enabled. Helps prevents automated submissions and spam.

Required Password Strength

Set to 0 to disable the password strength checker on the order form. Ensure your clients enter strong passwords by setting this to 50; use a higher number to force even more secure client area passwords.

For a password strength of 90 the user would be required to enter at least 3 numbers, 2 lowercase & 3 uppercase letters and 3 special characters. More detailed information can be found by reviewing the includes/jscript/pwstrength.js file.

Failed Admin Login Ban Time

Set to 0 to disable the login ban feature. If someone makes 3 incorrect attempts to login to your WHMCS admin, this is the time in minutes before they can try to login again (dictionary attack protection).

Disable Credit Card Storage

By default a client's credit card number is encrypted and stored in your database. Enabling this option means the number will not be stored and clients will need to re-enter their number for each invoice they pay.

Allow Customers CC Delete

When unticked only admins can remove credit card details from a client's account. When ticked, an option will appear in the client area for the same.

Disable MD5 Clients Password

For security client area passwords are irreversibly encrypted and cannot be viewed by admins, enabling this option will switch to reversible encryption allowing admins to view the password. When switching from irreversible to reversible clients will all be assigned a new password and will need to use password recovery.

Disable Session IP Check

This is used to protect against cookie/session hijacking and ideally should remain unticked. However it can cause problems for users with dynamic IPs or using mobile devices (iPhones etc) so can be disabled by ticking the checkbox.

API IP Access Restriction

Advanced. If using the WHMCS API from an off-server location, you must specify the IP address here, otherwise access will be denied.