Difference between revisions of "Security Tab"

From WHMCS Documentation

(Disable Credit Card Storage)
(Allow Smarty PHP Tags)
 
(26 intermediate revisions by 5 users not shown)
Line 1: Line 1:
<br/><br/>{{General Settings}}
+
{{General Settings}}<br/>
 +
 
 +
The '''Security''' tab allows you to configure security-related features in WHMCS.
 +
 
 +
You can access this tab at '''Configuration (<i class="fa fa-wrench" aria-hidden="true"></i>) > System Settings > [[General Settings]]''' or, prior to WHMCS 8.0, '''Setup > General Settings'''.
  
 
===Email Verification===
 
===Email Verification===
When enabled, upon creation of a new client account or change of email address, an email is sent to the email address provided asking the user to confirm that they intended to register or make the change of email address. More details [[Client_Email_Verification|are available here]].
+
 
 +
When you enable this, WHMCS will send an email verification notice each time a user or admin creates a new client and each time an existing client email address changes. The client must use the verification link in the email to confirm the new email address.
 +
 
 +
For more information, see [[Client Email Verification]].
  
 
===Captcha Form Protection===
 
===Captcha Form Protection===
Also known as image verification; shows an image containing letters and numbers that only humans can read on the ticket submission, registration and domain checker pages to help prevent automated submissions and spam. You can select whether the image verification is never displayed, always displayed or only displayed to visitors.
+
 
 +
This is also known as image verification. It displays an image that contains letters and numbers that only humans can read, and will appear on the ticket submission, registration, and domain checker pages to help prevent automated submissions and spam. You can select whether the image verification is never displayed, always displayed, or only displayed to visitors.
  
 
====Captcha Type====
 
====Captcha Type====
  
'''Default'''
+
=====Default=====
Requires GD2 on your server. Shows an image containing 5 characters on a blue stripped background, no further configuration is required.
+
 
'''reCAPTCHA'''
+
This requires GD2 on your server and displays an image with five characters on a blue striped background. No additional configuration is required.
Uses Google's reCAPTCHA[http://www.google.com/recaptcha] service. You will need to register for a set of keys to use this service, this can be done [https://www.google.com/recaptcha/admin/create here]. Once you have your keys, you can enter them in the appropriate boxes on this tab.
+
 
There are some additional configurations that can be done using the reCAPTCHA option, please see [[Google_reCAPTCHA|reCAPTCHA]] for more details.
+
=====reCAPTCHA and Invisible reCAPTCHA=====
 +
 
 +
These options use [http://www.google.com/recaptcha Google's reCAPTCHA] service. You must register [https://www.google.com/recaptcha/admin/create here] for a set of keys to use this service. Then, you can enter the keys in the appropriate boxes on this tab.
 +
* When you select one of these options, the '''Captcha for Select Forms''' checkboxes and '''reCAPTCHA Site Key''' and '''reCAPTCHA Secret Key''' text boxes will appear.
 +
* For full configuration instructions, see [[Google reCAPTCHA]].
  
 
===Required Password Strength===
 
===Required Password Strength===
Set to 0 to disable the password strength checker on the order form. Ensure your clients enter strong passwords by setting this to 50; use a higher number to force even more secure client area passwords.
 
  
For a password strength of 90 the user would be required to enter at least 3 numbers, 2 lowercase & 3 uppercase letters and 3 special characters. More detailed information can be found by reviewing the /assets/js/PasswordStrength.js file.
+
Set this to <tt>0</tt> to disable the password strength checker on the order form. For a password strength of <tt>100</tt>, the user should enter a password that meets all three conditions:
 +
 
 +
* Five characters in length.
 +
* Contains one symbol.
 +
* Contains one one uppercase letter or one number.
 +
 
 +
For more detailed information, see the <tt>/assets/js/PasswordStrength.js</tt> file.
 +
 
 +
===Auto Generated Password Format===
 +
 
 +
<div class="docs-alert-info"><i class="fa fa-info-circle"></i>This feature is available in version 7.5 and above.</div>
 +
 
 +
This feature allows you to control the complexity of the password generated for provisioning of new services.
 +
 
 +
The default password complexity will consist of 14 characters that contain both lower and uppercase letters, numbers, and symbols. If you wish to reduce the complexity of the passwords generated, you can do so by setting this feature to generate passwords containing a combination of letters and numbers only.
  
 
===Failed Admin Login Ban Time===
 
===Failed Admin Login Ban Time===
Set to 0 to disable the login ban feature. If someone makes 3 incorrect attempts to login to your WHMCS admin, this is the time in minutes before they can try to login again (dictionary attack protection). [[FAQs|How to unban your IP]] if it becomes blocked.
+
 
 +
By default, WHMCS blocks any user IP addresses that attempt to log in to the admin area with a valid username and incorrect password three or more times. The length of this ban, by default, is 15 minutes. This helps to prevent hackers from endlessly trying different password combinations in order to gain access to your admin area.
 +
 
 +
Use this setting to specify this number of minutes before the user can try again. This provides dictionary attack protection.
 +
 
 +
* Set this to <tt>0</tt> to disable the login ban feature. The system will never attempt to ban IP addresses and the user will be able to continue to attempt to log in endlessly.
 +
* We recommend a minimum value of <tt>1</tt>.
 +
 
 +
To remove the ban on an IP address, see [[Removing an IP Address Ban]].
  
 
===Whitelisted IPs===
 
===Whitelisted IPs===
The IP addresses listed here will never be banned from accessing the admin area due to login failures. For example you may wish to add your office IP address.
 
  
===Admin Force SSL Access===
+
The IP addresses here will never be banned from accessing the Admin Area due to login failures. For example, you may wish to add your office IP address.
When unticked the administration area can be access via both http and https connections. Ticking this option forces all connections to use https for increased security.
+
 
 +
===Whitelisted IP Login Failure Notices===
 +
 
 +
When this option is disabled (default) notification emails will be sent to the Full Administrator users for failed login attempts from all IP addresses.  
 +
 
 +
Enable this option to suppress failure notifications from whitelisted IPs.
  
 
===Disable Admin Password Reset===
 
===Disable Admin Password Reset===
When checked, this will disable the Forgotten Password link on your Admin Login page. This replaces any previous method of disabling this option.<br />
 
[[FAQs|How to reset the admin password]] with this option disabled.
 
  
===Disable Credit Card Storage===
+
When checked, this will disable the '''Forgotten Password''' link on the Admin Area login page. This replaces any previous method of disabling this option.
By default a client's credit card number is encrypted and stored in your database. Enabling this option means the number will not be stored and clients will need to re-enter their number for each invoice they pay.
 
  
<div class="docs-alert-warning">
+
For more information, see [[FAQs|How to Reset the Admin Password]].
<span class="title">Note</span><br />
+
 
If credit card information is currently stored inside your WHMCS database, ticking this option will clear all existing credit card details from the system, including the gateway id (used by tokanisation gateways).</div>
+
===Delete Encrypted Credit Card Data===
 +
 
 +
Click '''Delete''' to delete all locally-stored credit cards encrypted data from the database. This action is irreversible. Remote gateway tokens (for example, from Auth.net CIM or Stripe) are not deleted.
 +
 
 +
===Delete Encrypted Bank Account Data===
 +
 
 +
Click '''Delete''' to delete all locally-stored bank account encrypted data from the database. This action is irreversible.
 +
 
 +
===Allow Client Pay Method Removal===
  
<div class="docs-alert-info">
+
When this is unchecked, only admins can remove credit card details from a client's account.
<span class="title">Note</span><br />
 
Enabling this option will prevent the following [[Payment_Gateways#Supported_Gateway_Modules|tokanisation gateway modules]] from functioning:
 
* [[PayPal_Website_Payments_Pro#Reference_Payments|PayPal Website Payments Pro Reference]]
 
* [[Quantum_Vault|Quantum Vault]]
 
* [[WorldPay#FuturePay_Specific_Items|Worldpay Future]]
 
* [[EWay_Tokens|eWay Tokens]]
 
  
It can be enabled without negative impact on the following [[Payment_Gateways#Supported_Gateway_Modules|tokanisation gateway modules]]:
+
When this is checked, an option will appear in the Shopping Cart and Client Area to allow them to choose to store the payment details they are entering as a saved Pay Method for faster checkouts in future.
* [[Authorize.net_CIM|Authorize.net CIM]]
 
*[[BluePay#BluePay_Remote|BluePay Remote]]
 
* eOnlineData
 
* [[Moneris#Moneris_Vault|Moneris Vault]]
 
* [[SagePay#SagePay_Tokens|SagePay Tokens]]
 
* [[Stripe]]
 
</div>
 
  
===Allow Customers CC Delete===
+
We recommend enabling this option.
When unticked only admins can remove credit card details from a client's account. When ticked, an option will appear in the client area for the same.
 
  
 
===Disable Session IP Check===
 
===Disable Session IP Check===
This is used to protect against cookie/session hijacking and ideally should remain unticked. However it can cause problems for users with dynamic IPs or using mobile devices (iPhones etc) so can be disabled by ticking the checkbox.
+
 
 +
This is used to protect against cookie/session hijacking and ideally should remain unchecked. However, it can cause problems for users with dynamic IP addresses or using mobile devices, which may require you to disable it by checking this.
  
 
===Allow Smarty PHP Tags===
 
===Allow Smarty PHP Tags===
The use of {php} tags is depreciated in WHMCS v6 and above, but legacy support can be enabled here during a transition period. We recommend keeping this option disabled unless specifically required. For more information refer to [[Templates and Custom PHP Logic]].  
+
 +
<div class="docs-alert-warning">
 +
We deprecated legacy Smarty tags in WHMCS 6.0, deprecated backwards compatibility in WHMCS 8.7, and will remove support entirely in WHMCS 9.0.
 +
 +
* Because of this change, this setting will not display for new WHMCS installations on WHMCS 8.7 and later.
 +
* You '''must''' remove these tags from your custom themes and templates.
 +
 +
For more information, see [[Eliminating Legacy Smarty Tags]].
 +
</div>
 +
 +
Smarty 3 removed support for Smarty <tt>{php}</tt> tags. In WHMCS 6.0 through 8.7, this setting enables backwards compatibility that allows you to continue using these tags in your custom themes and templates. We '''strongly''' recommend disabling it.
 +
 +
For more information, see [[Templates and Custom PHP Logic]].
  
 
===Trusted Proxy Settings===
 
===Trusted Proxy Settings===
The Trusted Proxies setting allows you to itemize IP addresses or IP ranges for proxies or other forwarding services so that WHMCS can accurately determine the IP address of inbound traffic.
 
  
You may find it necessary to utilize the Trusted Proxy settings if your WHMCS installation:
+
The '''Trusted Proxies''' setting allows you to itemize IP addresses or IP ranges for proxies or other forwarding services so that WHMCS can accurately determine the IP address of inbound traffic.
 +
 
 +
You may find it necessary to configure these if your WHMCS installation:
 +
 
 +
* is behind a proxy you control.
 +
* is behind a load balancer or firewall that modifies HTTP requests.
 +
* receives HTTP requests from a proxy or DDOS protection service like CloudFlare or BlackLotus.
 +
* is behind infrastructure that can modify the information in the link layer of a request.
  
* is behind a proxy you control
+
These types of deployment setups will alter the value from the originating IP address to their own IP address. This is expected behaviour because it is part of standard network specifications.  
* is behind a load balancer or firewall that modifies HTTP requests
 
* receives HTTP requests from a proxy or DDOS protection service, such as CloudFlare, BlackLotus, etc
 
* is behind most any infrastructure which has the responsibility of modifying the information the link layer of a request.
 
  
These types of deployment setups will alter the value from the originating IP address to their own IP. This is expected behaviour as it is part of standard network specifications. Unfortunately there’s a side effect; it makes it look as if your client logins, admin logins, and orders are all coming from the proxy instead of the real location. When this happens, the location is masked from your inspection, be it for logging, access authorization, fraud detection, or any other IP related purposes. To counteract this, the details of your proxy service can be entered into these fields. [[Trusted_Proxy_Settings|Further Reading >>]]
+
Unfortunately, this also makes it look as if your client logins, admin logins, and orders are all coming from the proxy instead of the real location. When this happens, the location is masked for logging, access authorization, fraud detection, or other IP address-related purposes.  
 +
 
 +
Using these settings can help to mitigate these issues. For more information, see [[Trusted Proxy Settings]].
  
 
<div class="docs-alert-warning">
 
<div class="docs-alert-warning">
<span class="title">Cloudflare Users</span><br />
+
<span class="title">Cloudflare® Users</span><br />
Some of Cloudflare's features are not compatible with WHMCS. Please ensure that both '''Script Minimisation''' and '''Rocket Loader''' are be disabled for the domain on which WHMCS is installed.
+
Some of Cloudflare's features are not compatible with WHMCS. Make sure that '''Script Minimisation''' and '''Rocket Loader''' are disabled for the WHMCS installation domain.
 
</div>
 
</div>
  
 
====Proxy IP Header====
 
====Proxy IP Header====
The Proxy Header field allows you to configure the HTTP header WHMCS will use to figure out which IP address is the authoritative IP address for the request.
 
  
Most proxies use "X_FORWARDED_FOR" and so the field can be left blank. Only change this value if you are sure your proxy uses a different header, as putting the wrong header into this field can cause improper recording of IP addresses.
+
The '''Proxy Header''' field allows you to configure the HTTP header WHMCS will use to find the IP address that is the authoritative IP address for the request.
 +
 
 +
Most proxies use <tt>X_FORWARDED_FOR</tt>, allowing you to leave the field blank. Only change this value if you are sure your proxy uses a different header; putting the wrong header into this field can cause improper recording of IP addresses.
  
 
====Trusted Proxies====
 
====Trusted Proxies====
[[File:TrustedProxiesWithData.png|thumb|Sample Trusted Proxies]]Use this field to add and remove IP Addresses and IP Address CIDR ranges of trusted proxies. WHMCS will check the header configured to discover the actual canonical request IP address.
+
 
 +
[[File:TrustedProxiesWithData.png|thumb]]
 +
 
 +
This list contains the IP addresses and IP address CIDR ranges of trusted proxies. WHMCS will check the header to discover the actual canonical request IP address.
 +
 
 +
* To add an IP address or IP address range, click '''Add IP''', enter the address or range and any notes, and click '''Add IP'''.
 +
* To remove an IP address or IP address range, select the desired list item and click '''Remove Selected'''. To remove multiple addresses, press Control (for Windows) or Command (for Mac) and single click the proxies you want to remove.
  
 
===API IP Access Restriction===
 
===API IP Access Restriction===
Advanced. If using the WHMCS API from an off-server location, you must specify the IP address here, otherwise access will be denied.
+
 
 +
This is an advanced setting.  
 +
 
 +
If you use the WHMCS API from an off-server location, you '''must''' enter the IP address here to preserve your access.
  
 
===Log API Authentication===
 
===Log API Authentication===
By default successful authentications made via the API are not recorded, but ticking this option will record them with admin area authentications under Utilities > Logs > Admin Log. This might be useful for recording logins from your staff using our mobile apps.
+
 
 +
By default, successful authentications made via the API are not recorded. Checking this option will record them with Admin Area authentications in the '''Admin Log''' at '''Configuration (<i class="fa fa-wrench" aria-hidden="true"></i>) > [[System Logs]]''' or, prior to WHMCS 8.0, '''Utilities > Logs'''. This might be useful for recording logins from your staff using our mobile apps.
  
 
===CSRF Tokens===
 
===CSRF Tokens===
This additional security feature prevents malicious visitors to your website forging form posts to try and access parts of the software they should not. This option is set to "Enabled" by default and we recommend keeping it on unless specifically advised otherwise by a member of WHMCS staff.
+
 
 +
This additional security feature prevents malicious visitors to your website from forging form posts to try and access parts of the software they should not. This option is set to '''Enabled''' by default and we recommend always enabling it unless specifically advised otherwise by a member of WHMCS staff.
  
 
===CSRF Tokens: Domain Checker===
 
===CSRF Tokens: Domain Checker===
  
By default CSRF tokens are disabled for the domain checker. This allows you to send domain information to WHMCS from an external page. Eg. using the Domain Checker Integration Code on your website.
+
By default, CSRF tokens are disabled for the domain checker. This allows you to send domain information to WHMCS from an external page (for example, using the domain checker integration code on your website).
  
However if you are not using the integration code, you can enable this option and visitors will only be able to use the built-in domain checker pages.
+
If you are not using the integration code, you can enable this option and visitors will only be able to use the built-in domain checker pages.

Latest revision as of 21:49, 26 January 2023


The Security tab allows you to configure security-related features in WHMCS.

You can access this tab at Configuration () > System Settings > General Settings or, prior to WHMCS 8.0, Setup > General Settings.

Email Verification

When you enable this, WHMCS will send an email verification notice each time a user or admin creates a new client and each time an existing client email address changes. The client must use the verification link in the email to confirm the new email address.

For more information, see Client Email Verification.

Captcha Form Protection

This is also known as image verification. It displays an image that contains letters and numbers that only humans can read, and will appear on the ticket submission, registration, and domain checker pages to help prevent automated submissions and spam. You can select whether the image verification is never displayed, always displayed, or only displayed to visitors.

Captcha Type

Default

This requires GD2 on your server and displays an image with five characters on a blue striped background. No additional configuration is required.

reCAPTCHA and Invisible reCAPTCHA

These options use Google's reCAPTCHA service. You must register here for a set of keys to use this service. Then, you can enter the keys in the appropriate boxes on this tab.

  • When you select one of these options, the Captcha for Select Forms checkboxes and reCAPTCHA Site Key and reCAPTCHA Secret Key text boxes will appear.
  • For full configuration instructions, see Google reCAPTCHA.

Required Password Strength

Set this to 0 to disable the password strength checker on the order form. For a password strength of 100, the user should enter a password that meets all three conditions:

  • Five characters in length.
  • Contains one symbol.
  • Contains one one uppercase letter or one number.

For more detailed information, see the /assets/js/PasswordStrength.js file.

Auto Generated Password Format

This feature is available in version 7.5 and above.

This feature allows you to control the complexity of the password generated for provisioning of new services.

The default password complexity will consist of 14 characters that contain both lower and uppercase letters, numbers, and symbols. If you wish to reduce the complexity of the passwords generated, you can do so by setting this feature to generate passwords containing a combination of letters and numbers only.

Failed Admin Login Ban Time

By default, WHMCS blocks any user IP addresses that attempt to log in to the admin area with a valid username and incorrect password three or more times. The length of this ban, by default, is 15 minutes. This helps to prevent hackers from endlessly trying different password combinations in order to gain access to your admin area.

Use this setting to specify this number of minutes before the user can try again. This provides dictionary attack protection.

  • Set this to 0 to disable the login ban feature. The system will never attempt to ban IP addresses and the user will be able to continue to attempt to log in endlessly.
  • We recommend a minimum value of 1.

To remove the ban on an IP address, see Removing an IP Address Ban.

Whitelisted IPs

The IP addresses here will never be banned from accessing the Admin Area due to login failures. For example, you may wish to add your office IP address.

Whitelisted IP Login Failure Notices

When this option is disabled (default) notification emails will be sent to the Full Administrator users for failed login attempts from all IP addresses.

Enable this option to suppress failure notifications from whitelisted IPs.

Disable Admin Password Reset

When checked, this will disable the Forgotten Password link on the Admin Area login page. This replaces any previous method of disabling this option.

For more information, see How to Reset the Admin Password.

Delete Encrypted Credit Card Data

Click Delete to delete all locally-stored credit cards encrypted data from the database. This action is irreversible. Remote gateway tokens (for example, from Auth.net CIM or Stripe) are not deleted.

Delete Encrypted Bank Account Data

Click Delete to delete all locally-stored bank account encrypted data from the database. This action is irreversible.

Allow Client Pay Method Removal

When this is unchecked, only admins can remove credit card details from a client's account.

When this is checked, an option will appear in the Shopping Cart and Client Area to allow them to choose to store the payment details they are entering as a saved Pay Method for faster checkouts in future.

We recommend enabling this option.

Disable Session IP Check

This is used to protect against cookie/session hijacking and ideally should remain unchecked. However, it can cause problems for users with dynamic IP addresses or using mobile devices, which may require you to disable it by checking this.

Allow Smarty PHP Tags

We deprecated legacy Smarty tags in WHMCS 6.0, deprecated backwards compatibility in WHMCS 8.7, and will remove support entirely in WHMCS 9.0.

  • Because of this change, this setting will not display for new WHMCS installations on WHMCS 8.7 and later.
  • You must remove these tags from your custom themes and templates.

For more information, see Eliminating Legacy Smarty Tags.

Smarty 3 removed support for Smarty {php} tags. In WHMCS 6.0 through 8.7, this setting enables backwards compatibility that allows you to continue using these tags in your custom themes and templates. We strongly recommend disabling it.

For more information, see Templates and Custom PHP Logic.

Trusted Proxy Settings

The Trusted Proxies setting allows you to itemize IP addresses or IP ranges for proxies or other forwarding services so that WHMCS can accurately determine the IP address of inbound traffic.

You may find it necessary to configure these if your WHMCS installation:

  • is behind a proxy you control.
  • is behind a load balancer or firewall that modifies HTTP requests.
  • receives HTTP requests from a proxy or DDOS protection service like CloudFlare or BlackLotus.
  • is behind infrastructure that can modify the information in the link layer of a request.

These types of deployment setups will alter the value from the originating IP address to their own IP address. This is expected behaviour because it is part of standard network specifications.

Unfortunately, this also makes it look as if your client logins, admin logins, and orders are all coming from the proxy instead of the real location. When this happens, the location is masked for logging, access authorization, fraud detection, or other IP address-related purposes.

Using these settings can help to mitigate these issues. For more information, see Trusted Proxy Settings.

Cloudflare® Users
Some of Cloudflare's features are not compatible with WHMCS. Make sure that Script Minimisation and Rocket Loader are disabled for the WHMCS installation domain.

Proxy IP Header

The Proxy Header field allows you to configure the HTTP header WHMCS will use to find the IP address that is the authoritative IP address for the request.

Most proxies use X_FORWARDED_FOR, allowing you to leave the field blank. Only change this value if you are sure your proxy uses a different header; putting the wrong header into this field can cause improper recording of IP addresses.

Trusted Proxies

TrustedProxiesWithData.png

This list contains the IP addresses and IP address CIDR ranges of trusted proxies. WHMCS will check the header to discover the actual canonical request IP address.

  • To add an IP address or IP address range, click Add IP, enter the address or range and any notes, and click Add IP.
  • To remove an IP address or IP address range, select the desired list item and click Remove Selected. To remove multiple addresses, press Control (for Windows) or Command (for Mac) and single click the proxies you want to remove.

API IP Access Restriction

This is an advanced setting.

If you use the WHMCS API from an off-server location, you must enter the IP address here to preserve your access.

Log API Authentication

By default, successful authentications made via the API are not recorded. Checking this option will record them with Admin Area authentications in the Admin Log at Configuration () > System Logs or, prior to WHMCS 8.0, Utilities > Logs. This might be useful for recording logins from your staff using our mobile apps.

CSRF Tokens

This additional security feature prevents malicious visitors to your website from forging form posts to try and access parts of the software they should not. This option is set to Enabled by default and we recommend always enabling it unless specifically advised otherwise by a member of WHMCS staff.

CSRF Tokens: Domain Checker

By default, CSRF tokens are disabled for the domain checker. This allows you to send domain information to WHMCS from an external page (for example, using the domain checker integration code on your website).

If you are not using the integration code, you can enable this option and visitors will only be able to use the built-in domain checker pages.