Difference between revisions of "Security Tab"
| Line 2: | Line 2: | ||
===Email Verification=== | ===Email Verification=== | ||
| − | When | + | |
| + | When you enable this, WHMCS will send an email to new clients on account creation or update. This email requests that the user confirms their intent to register or change of email address. For more information, see [[Client Email Verification]]. | ||
===Captcha Form Protection=== | ===Captcha Form Protection=== | ||
| − | + | ||
| + | This is also known as image verification. It displays an image that contains letters and numbers that only humans can read, and will appear on the ticket submission, registration, and domain checker pages to help prevent automated submissions and spam. You can select whether the image verification is never displayed, always displayed, or only displayed to visitors. | ||
====Captcha Type==== | ====Captcha Type==== | ||
| − | + | ||
| − | + | =====Default===== | |
| − | + | ||
| − | + | This requires GD2 on your server and displays an image with five characters on a blue striped background. No additional configuration is required. | |
| − | For configuration instructions | + | |
| + | =====reCAPTCHA===== | ||
| + | |||
| + | This uses [http://www.google.com/recaptcha Google's reCAPTCHA] service. You must register [https://www.google.com/recaptcha/admin/create here] for a set of keys to use this service. Then, you can enter the keys in the appropriate boxes on this tab. | ||
| + | |||
| + | For configuration instructions, see [[Google_No_CAPTCHA_reCAPTCHA|No CAPTCHA reCAPTCHA]] for more details. | ||
===Required Password Strength=== | ===Required Password Strength=== | ||
| − | |||
| − | For a password strength of 90 the user | + | Set this to <tt>0</tt> to disable the password strength checker on the order form. We recommend that you require strong passwords by setting this to <tt>50</tt> or higher. |
| + | |||
| + | For a password strength of <tt>90</tt>, the user must enter at least: | ||
| + | * Three numbers. | ||
| + | * Two lowercase letters. | ||
| + | * Three uppercase letters. | ||
| + | * Three special characters. | ||
| + | |||
| + | For more detailed information, see the <tt>/assets/js/PasswordStrength.js</tt> file. | ||
===Auto Generated Password Format=== | ===Auto Generated Password Format=== | ||
| − | <div class="docs-alert-info"><i class="fa fa-info-circle"></i> This is | + | |
| − | This feature allows you to control the complexity of the password generated for provisioning of new services. The default password complexity will consist of 14 characters | + | <div class="docs-alert-info"><i class="fa fa-info-circle"></i>This feature is available in version 7.5 and above.</div> |
| + | |||
| + | This feature allows you to control the complexity of the password generated for provisioning of new services. | ||
| + | |||
| + | The default password complexity will consist of 14 characters that contain both lower and uppercase letters, numbers, and symbols. If you wish to reduce the complexity of the passwords generated, you can do so by setting this feature to generate passwords containing a combination of letters and numbers only. | ||
===Failed Admin Login Ban Time=== | ===Failed Admin Login Ban Time=== | ||
| − | + | ||
| + | If someone makes three incorrect attempts to log in to the WHMCS Admin Area, this is the time in minutes before they can try to log in again (dictionary attack protection). To remove the ban on an IP address, see [[FAQs|How to Unban Your IP]]. | ||
| + | |||
| + | Set this to <tt>0</tt> to disable the login ban feature. | ||
===Whitelisted IPs=== | ===Whitelisted IPs=== | ||
| − | The IP addresses | + | |
| + | The IP addresses here will never be banned from accessing the Admin Area due to login failures. For example, you may wish to add your office IP address. | ||
===Whitelisted IP Login Failure Notices=== | ===Whitelisted IP Login Failure Notices=== | ||
| − | When this option is disabled (default) notification emails will be sent to Full Administrator users for failed login attempts from all IP addresses. Enable this option to suppress failure notifications from | + | |
| + | When this option is disabled (default) notification emails will be sent to the Full Administrator users for failed login attempts from all IP addresses. | ||
| + | |||
| + | Enable this option to suppress failure notifications from whitelisted IPs. | ||
===Disable Admin Password Reset=== | ===Disable Admin Password Reset=== | ||
| − | When checked, this will disable the Forgotten Password link on | + | |
| − | [[FAQs|How to | + | When checked, this will disable the '''Forgotten Password''' link on the Admin Area login page. This replaces any previous method of disabling this option. |
| + | |||
| + | For more information, see [[FAQs|How to Reset the Admin Password]]. | ||
===Delete Encrypted Credit Card Data=== | ===Delete Encrypted Credit Card Data=== | ||
| − | Click | + | |
| + | Click '''Delete''' to delete all locally-stored credit cards encrypted data from the database. This action is irreversible. Remote gateway tokens (for example, from Auth.net CIM or Stripe) are not deleted. | ||
===Allow Customers CC Delete=== | ===Allow Customers CC Delete=== | ||
| − | When | + | |
| + | When this is unchecked, only admins can remove credit card details from a client's account. | ||
| + | |||
| + | When this is checked, an option will appear in the Client Area for the same. | ||
===Disable Session IP Check=== | ===Disable Session IP Check=== | ||
| − | This is used to protect against cookie/session hijacking and ideally should remain | + | |
| + | This is used to protect against cookie/session hijacking and ideally should remain unchecked. However, it can cause problems for users with dynamic IP addresses or using mobile devices, which may require you to disable it by checking this. | ||
===Allow Smarty PHP Tags=== | ===Allow Smarty PHP Tags=== | ||
| − | The use of {php} tags is depreciated in WHMCS v6 and above, but legacy support can be enabled here during a transition period. We recommend keeping this option disabled unless specifically | + | |
| + | The use of {php} tags is depreciated in WHMCS v6 and above, but legacy support can be enabled here during a transition period. We recommend keeping this option disabled unless you specifically require it. For more information, see [[Templates and Custom PHP Logic]]. | ||
===Trusted Proxy Settings=== | ===Trusted Proxy Settings=== | ||
| − | |||
| − | You may find it necessary to utilize the | + | The '''Trusted Proxies''' setting allows you to itemize IP addresses or IP ranges for proxies or other forwarding services so that WHMCS can accurately determine the IP address of inbound traffic. |
| + | |||
| + | You may find it necessary to utilize the trusted proxy settings if your WHMCS installation: | ||
| − | * is behind a proxy you control | + | * is behind a proxy you control. |
| − | * is behind a load balancer or firewall that modifies HTTP requests | + | * is behind a load balancer or firewall that modifies HTTP requests. |
| − | * receives HTTP requests from a proxy or DDOS protection service | + | * receives HTTP requests from a proxy or DDOS protection service like CloudFlare or BlackLotus. |
| − | * is behind | + | * is behind infrastructure that can modify the information in the link layer of a request. |
| − | These types of deployment setups will alter the value from the originating IP address to their own IP. This is expected behaviour | + | These types of deployment setups will alter the value from the originating IP address to their own IP address. This is expected behaviour because it is part of standard network specifications. |
| + | |||
| + | Unfortunately, this also makes it look as if your client logins, admin logins, and orders are all coming from the proxy instead of the real location. When this happens, the location is masked for logging, access authorization, fraud detection, or other IP address-related purposes. | ||
| + | |||
| + | To counteract this, the details of your proxy service [[Trusted_Proxy_Settings|can be entered into these fields]]. | ||
<div class="docs-alert-warning"> | <div class="docs-alert-warning"> | ||
| − | <span class="title"> | + | <span class="title">Cloudflare® Users</span><br /> |
| − | Some of Cloudflare's features are not compatible with WHMCS. | + | Some of Cloudflare's features are not compatible with WHMCS. Make sure that '''Script Minimisation''' and '''Rocket Loader''' are disabled for the WHMCS installation domain. |
</div> | </div> | ||
====Proxy IP Header==== | ====Proxy IP Header==== | ||
| − | |||
| − | Most proxies use | + | The '''Proxy Header''' field allows you to configure the HTTP header WHMCS will use to find the IP address that is the authoritative IP address for the request. |
| + | |||
| + | Most proxies use <tt>X_FORWARDED_FOR</tt>, allowing you to leave the field blank. Only change this value if you are sure your proxy uses a different header; putting the wrong header into this field can cause improper recording of IP addresses. | ||
====Trusted Proxies==== | ====Trusted Proxies==== | ||
| − | [[File:TrustedProxiesWithData.png|thumb|Sample Trusted Proxies]]Use this field to add and remove IP | + | |
| + | [[File:TrustedProxiesWithData.png|thumb|Sample Trusted Proxies]] | ||
| + | |||
| + | Use this field to add and remove IP addresses and IP address CIDR ranges of trusted proxies. WHMCS will check the header to discover the actual canonical request IP address. | ||
===API IP Access Restriction=== | ===API IP Access Restriction=== | ||
| − | + | ||
| + | This is an advanced setting. | ||
| + | |||
| + | If you use the WHMCS API from an off-server location, you '''must''' enter the IP address here to preserve your access. | ||
===Log API Authentication=== | ===Log API Authentication=== | ||
| − | By default successful authentications made via the API are not recorded | + | |
| + | By default, successful authentications made via the API are not recorded. Checking this option will record them with Admin Area authentications under '''Configuration (<i class="fa fa-wrench" aria-hidden="true"></i>) > System Logs > Admin Log''' or, prior to WHMCS 8.0, '''Utilities > Logs > Admin Log'''. This might be useful for recording logins from your staff using our mobile apps. | ||
===CSRF Tokens=== | ===CSRF Tokens=== | ||
| − | This additional security feature prevents malicious visitors to your website forging form posts to try and access parts of the software they should not. This option is set to | + | |
| + | This additional security feature prevents malicious visitors to your website from forging form posts to try and access parts of the software they should not. This option is set to '''Enabled''' by default and we recommend always enabling it unless specifically advised otherwise by a member of WHMCS staff. | ||
===CSRF Tokens: Domain Checker=== | ===CSRF Tokens: Domain Checker=== | ||
| − | By default CSRF tokens are disabled for the domain checker. This allows you to send domain information to WHMCS from an external page | + | By default, CSRF tokens are disabled for the domain checker. This allows you to send domain information to WHMCS from an external page (for example, using the domain checker integration code on your website). |
| − | + | If you are not using the integration code, you can enable this option and visitors will only be able to use the built-in domain checker pages. | |
Revision as of 15:25, 13 September 2021
General Tab | Localisation Tab | Ordering Tab | Domains Tab | Mail Tab
Support Tab | Invoices Tab | Credit Tab | Affiliates Tab | Security Tab | Social Tab | Other Tab
Contents
- 1 Email Verification
- 2 Captcha Form Protection
- 3 Required Password Strength
- 4 Auto Generated Password Format
- 5 Failed Admin Login Ban Time
- 6 Whitelisted IPs
- 7 Whitelisted IP Login Failure Notices
- 8 Disable Admin Password Reset
- 9 Delete Encrypted Credit Card Data
- 10 Allow Customers CC Delete
- 11 Disable Session IP Check
- 12 Allow Smarty PHP Tags
- 13 Trusted Proxy Settings
- 14 API IP Access Restriction
- 15 Log API Authentication
- 16 CSRF Tokens
- 17 CSRF Tokens: Domain Checker
Email Verification
When you enable this, WHMCS will send an email to new clients on account creation or update. This email requests that the user confirms their intent to register or change of email address. For more information, see Client Email Verification.
Captcha Form Protection
This is also known as image verification. It displays an image that contains letters and numbers that only humans can read, and will appear on the ticket submission, registration, and domain checker pages to help prevent automated submissions and spam. You can select whether the image verification is never displayed, always displayed, or only displayed to visitors.
Captcha Type
Default
This requires GD2 on your server and displays an image with five characters on a blue striped background. No additional configuration is required.
reCAPTCHA
This uses Google's reCAPTCHA service. You must register here for a set of keys to use this service. Then, you can enter the keys in the appropriate boxes on this tab.
For configuration instructions, see No CAPTCHA reCAPTCHA for more details.
Required Password Strength
Set this to 0 to disable the password strength checker on the order form. We recommend that you require strong passwords by setting this to 50 or higher.
For a password strength of 90, the user must enter at least:
- Three numbers.
- Two lowercase letters.
- Three uppercase letters.
- Three special characters.
For more detailed information, see the /assets/js/PasswordStrength.js file.
Auto Generated Password Format
This feature allows you to control the complexity of the password generated for provisioning of new services.
The default password complexity will consist of 14 characters that contain both lower and uppercase letters, numbers, and symbols. If you wish to reduce the complexity of the passwords generated, you can do so by setting this feature to generate passwords containing a combination of letters and numbers only.
Failed Admin Login Ban Time
If someone makes three incorrect attempts to log in to the WHMCS Admin Area, this is the time in minutes before they can try to log in again (dictionary attack protection). To remove the ban on an IP address, see How to Unban Your IP.
Set this to 0 to disable the login ban feature.
Whitelisted IPs
The IP addresses here will never be banned from accessing the Admin Area due to login failures. For example, you may wish to add your office IP address.
Whitelisted IP Login Failure Notices
When this option is disabled (default) notification emails will be sent to the Full Administrator users for failed login attempts from all IP addresses.
Enable this option to suppress failure notifications from whitelisted IPs.
Disable Admin Password Reset
When checked, this will disable the Forgotten Password link on the Admin Area login page. This replaces any previous method of disabling this option.
For more information, see How to Reset the Admin Password.
Delete Encrypted Credit Card Data
Click Delete to delete all locally-stored credit cards encrypted data from the database. This action is irreversible. Remote gateway tokens (for example, from Auth.net CIM or Stripe) are not deleted.
Allow Customers CC Delete
When this is unchecked, only admins can remove credit card details from a client's account.
When this is checked, an option will appear in the Client Area for the same.
Disable Session IP Check
This is used to protect against cookie/session hijacking and ideally should remain unchecked. However, it can cause problems for users with dynamic IP addresses or using mobile devices, which may require you to disable it by checking this.
Allow Smarty PHP Tags
The use of {php} tags is depreciated in WHMCS v6 and above, but legacy support can be enabled here during a transition period. We recommend keeping this option disabled unless you specifically require it. For more information, see Templates and Custom PHP Logic.
Trusted Proxy Settings
The Trusted Proxies setting allows you to itemize IP addresses or IP ranges for proxies or other forwarding services so that WHMCS can accurately determine the IP address of inbound traffic.
You may find it necessary to utilize the trusted proxy settings if your WHMCS installation:
- is behind a proxy you control.
- is behind a load balancer or firewall that modifies HTTP requests.
- receives HTTP requests from a proxy or DDOS protection service like CloudFlare or BlackLotus.
- is behind infrastructure that can modify the information in the link layer of a request.
These types of deployment setups will alter the value from the originating IP address to their own IP address. This is expected behaviour because it is part of standard network specifications.
Unfortunately, this also makes it look as if your client logins, admin logins, and orders are all coming from the proxy instead of the real location. When this happens, the location is masked for logging, access authorization, fraud detection, or other IP address-related purposes.
To counteract this, the details of your proxy service can be entered into these fields.
Cloudflare® Users
Some of Cloudflare's features are not compatible with WHMCS. Make sure that Script Minimisation and Rocket Loader are disabled for the WHMCS installation domain.
Proxy IP Header
The Proxy Header field allows you to configure the HTTP header WHMCS will use to find the IP address that is the authoritative IP address for the request.
Most proxies use X_FORWARDED_FOR, allowing you to leave the field blank. Only change this value if you are sure your proxy uses a different header; putting the wrong header into this field can cause improper recording of IP addresses.
Trusted Proxies
Use this field to add and remove IP addresses and IP address CIDR ranges of trusted proxies. WHMCS will check the header to discover the actual canonical request IP address.
API IP Access Restriction
This is an advanced setting.
If you use the WHMCS API from an off-server location, you must enter the IP address here to preserve your access.
Log API Authentication
By default, successful authentications made via the API are not recorded. Checking this option will record them with Admin Area authentications under Configuration () > System Logs > Admin Log or, prior to WHMCS 8.0, Utilities > Logs > Admin Log. This might be useful for recording logins from your staff using our mobile apps.
CSRF Tokens
This additional security feature prevents malicious visitors to your website from forging form posts to try and access parts of the software they should not. This option is set to Enabled by default and we recommend always enabling it unless specifically advised otherwise by a member of WHMCS staff.
CSRF Tokens: Domain Checker
By default, CSRF tokens are disabled for the domain checker. This allows you to send domain information to WHMCS from an external page (for example, using the domain checker integration code on your website).
If you are not using the integration code, you can enable this option and visitors will only be able to use the built-in domain checker pages.