Difference between revisions of "Security Tab"
(→Auto Generated Password Format) |
(→Auto Generated Password Format) |
||
Line 22: | Line 22: | ||
===Auto Generated Password Format=== | ===Auto Generated Password Format=== | ||
<div class="docs-alert-info"><i class="fa fa-info-circle"></i> This is a feature available in version 7.5 and above</div> | <div class="docs-alert-info"><i class="fa fa-info-circle"></i> This is a feature available in version 7.5 and above</div> | ||
− | This feature allows you to control the complexity of the password generated for provisioning of new services. The default password complexity will consist of 14 characters, containing both lower and uppercase letters, numbers and symbols. If you wish to reduce the complexity of the passwords generated, you can do so by setting this feature to generate passwords containing a combination of letters and numbers only | + | This feature allows you to control the complexity of the password generated for provisioning of new services. The default password complexity will consist of 14 characters, containing both lower and uppercase letters, numbers and symbols. If you wish to reduce the complexity of the passwords generated, you can do so by setting this feature to generate passwords containing a combination of letters and numbers only. |
===Failed Admin Login Ban Time=== | ===Failed Admin Login Ban Time=== |
Revision as of 14:45, 18 March 2018
General Tab | Localisation Tab | Ordering Tab | Domains Tab | Mail Tab
Support Tab | Invoices Tab | Credit Tab | Affiliates Tab | Security Tab | Social Tab | Other Tab
Contents
- 1 Email Verification
- 2 Captcha Form Protection
- 3 Required Password Strength
- 4 Auto Generated Password Format
- 5 Failed Admin Login Ban Time
- 6 Whitelisted IPs
- 7 Admin Force SSL Access
- 8 Disable Admin Password Reset
- 9 Disable Credit Card Storage
- 10 Allow Customers CC Delete
- 11 Disable Session IP Check
- 12 Allow Smarty PHP Tags
- 13 Trusted Proxy Settings
- 14 API IP Access Restriction
- 15 Log API Authentication
- 16 CSRF Tokens
- 17 CSRF Tokens: Domain Checker
Email Verification
When enabled, upon creation of a new client account or change of email address, an email is sent to the email address provided asking the user to confirm that they intended to register or make the change of email address. More details are available here.
Captcha Form Protection
Also known as image verification; shows an image containing letters and numbers that only humans can read on the ticket submission, registration and domain checker pages to help prevent automated submissions and spam. You can select whether the image verification is never displayed, always displayed or only displayed to visitors.
Captcha Type
Default Requires GD2 on your server. Shows an image containing 5 characters on a blue stripped background, no further configuration is required. reCAPTCHA Uses Google's reCAPTCHA[1] service. You will need to register for a set of keys to use this service, this can be done here. Once you have your keys, you can enter them in the appropriate boxes on this tab. There are some additional configurations that can be done using the reCAPTCHA option, please see reCAPTCHA for more details.
Required Password Strength
Set to 0 to disable the password strength checker on the order form. Ensure your clients enter strong passwords by setting this to 50; use a higher number to force even more secure client area passwords.
For a password strength of 90 the user would be required to enter at least 3 numbers, 2 lowercase & 3 uppercase letters and 3 special characters. More detailed information can be found by reviewing the /assets/js/PasswordStrength.js file.
Auto Generated Password Format
This feature allows you to control the complexity of the password generated for provisioning of new services. The default password complexity will consist of 14 characters, containing both lower and uppercase letters, numbers and symbols. If you wish to reduce the complexity of the passwords generated, you can do so by setting this feature to generate passwords containing a combination of letters and numbers only.
Failed Admin Login Ban Time
Set to 0 to disable the login ban feature. If someone makes 3 incorrect attempts to login to your WHMCS admin, this is the time in minutes before they can try to login again (dictionary attack protection). How to unban your IP if it becomes blocked.
Whitelisted IPs
The IP addresses listed here will never be banned from accessing the admin area due to login failures. For example you may wish to add your office IP address.
Admin Force SSL Access
When unticked the administration area can be access via both http and https connections. Ticking this option forces all connections to use https for increased security.
Disable Admin Password Reset
When checked, this will disable the Forgotten Password link on your Admin Login page. This replaces any previous method of disabling this option.
How to reset the admin password with this option disabled.
Disable Credit Card Storage
By default a client's credit card number is encrypted and stored in your database. Enabling this option means the number will not be stored and clients will need to re-enter their number for each invoice they pay.
Note
Note
Enabling this option will prevent the following tokanisation gateway modules from functioning:
It can be enabled without negative impact on the following tokanisation gateway modules:
- Authorize.net CIM
- BluePay Remote
- eOnlineData
- Moneris Vault
- SagePay Tokens
- Stripe
Allow Customers CC Delete
When unticked only admins can remove credit card details from a client's account. When ticked, an option will appear in the client area for the same.
Disable Session IP Check
This is used to protect against cookie/session hijacking and ideally should remain unticked. However it can cause problems for users with dynamic IPs or using mobile devices (iPhones etc) so can be disabled by ticking the checkbox.
Allow Smarty PHP Tags
The use of {php} tags is depreciated in WHMCS v6 and above, but legacy support can be enabled here during a transition period. We recommend keeping this option disabled unless specifically required. For more information refer to Templates and Custom PHP Logic.
Trusted Proxy Settings
The Trusted Proxies setting allows you to itemize IP addresses or IP ranges for proxies or other forwarding services so that WHMCS can accurately determine the IP address of inbound traffic.
You may find it necessary to utilize the Trusted Proxy settings if your WHMCS installation:
- is behind a proxy you control
- is behind a load balancer or firewall that modifies HTTP requests
- receives HTTP requests from a proxy or DDOS protection service, such as CloudFlare, BlackLotus, etc
- is behind most any infrastructure which has the responsibility of modifying the information the link layer of a request.
These types of deployment setups will alter the value from the originating IP address to their own IP. This is expected behaviour as it is part of standard network specifications. Unfortunately there’s a side effect; it makes it look as if your client logins, admin logins, and orders are all coming from the proxy instead of the real location. When this happens, the location is masked from your inspection, be it for logging, access authorization, fraud detection, or any other IP related purposes. To counteract this, the details of your proxy service can be entered into these fields. Further Reading >>
Cloudflare Users
Some of Cloudflare's features are not compatible with WHMCS. Please ensure that both Script Minimisation and Rocket Loader are be disabled for the domain on which WHMCS is installed.
Proxy IP Header
The Proxy Header field allows you to configure the HTTP header WHMCS will use to figure out which IP address is the authoritative IP address for the request.
Most proxies use "X_FORWARDED_FOR" and so the field can be left blank. Only change this value if you are sure your proxy uses a different header, as putting the wrong header into this field can cause improper recording of IP addresses.
Trusted Proxies
Use this field to add and remove IP Addresses and IP Address CIDR ranges of trusted proxies. WHMCS will check the header configured to discover the actual canonical request IP address.API IP Access Restriction
Advanced. If using the WHMCS API from an off-server location, you must specify the IP address here, otherwise access will be denied.
Log API Authentication
By default successful authentications made via the API are not recorded, but ticking this option will record them with admin area authentications under Utilities > Logs > Admin Log. This might be useful for recording logins from your staff using our mobile apps.
CSRF Tokens
This additional security feature prevents malicious visitors to your website forging form posts to try and access parts of the software they should not. This option is set to "Enabled" by default and we recommend keeping it on unless specifically advised otherwise by a member of WHMCS staff.
CSRF Tokens: Domain Checker
By default CSRF tokens are disabled for the domain checker. This allows you to send domain information to WHMCS from an external page. Eg. using the Domain Checker Integration Code on your website.
However if you are not using the integration code, you can enable this option and visitors will only be able to use the built-in domain checker pages.