Difference between revisions of "Security Tab"
Line 19: | Line 19: | ||
===Failed Admin Login Ban Time=== | ===Failed Admin Login Ban Time=== | ||
Set to 0 to disable the login ban feature. If someone makes 3 incorrect attempts to login to your WHMCS admin, this is the time in minutes before they can try to login again (dictionary attack protection). [[FAQs|How to unban your IP]] if it becomes blocked. | Set to 0 to disable the login ban feature. If someone makes 3 incorrect attempts to login to your WHMCS admin, this is the time in minutes before they can try to login again (dictionary attack protection). [[FAQs|How to unban your IP]] if it becomes blocked. | ||
+ | |||
+ | ===Whitelisted IPs=== | ||
+ | The IP addresses listed here will never be banned from accessing the admin area due to login failures. For example you may wish to add your office IP address. | ||
===Admin Force SSL Access=== | ===Admin Force SSL Access=== |
Revision as of 10:03, 15 November 2013
Contents
- 1 Captcha Form Protection
- 2 Required Password Strength
- 3 Failed Admin Login Ban Time
- 4 Whitelisted IPs
- 5 Admin Force SSL Access
- 6 Disable Admin Password Reset
- 7 Disable Credit Card Storage
- 8 Allow Customers CC Delete
- 9 Disable MD5 Clients Password
- 10 Disable Session IP Check
- 11 API IP Access Restriction
- 12 CSRF Tokens
Captcha Form Protection
Also known as image verification; shows an image containing letters and numbers that only humans can read on the ticket submission, registration and domain checker pages to help prevents automated submissions and spam. You can select whether the image verification is never displayed, always displayed or only displayed to visitors.
Captcha Type
Default Requires GD2 on your server. Shows an image containing 5 characters on a blue stripped background, no further configuration is required. reCAPTCHA Uses Google's reCAPTCHA[1] service. You will need to register for a set of keys to use this service, this can be done here. Once you have your keys, you can enter them in the appropriate boxes on this tab. There are some additional configurations that can be done using the reCAPTCHA option, please see reCAPTCHA for more details.
Required Password Strength
Set to 0 to disable the password strength checker on the order form. Ensure your clients enter strong passwords by setting this to 50; use a higher number to force even more secure client area passwords.
For a password strength of 90 the user would be required to enter at least 3 numbers, 2 lowercase & 3 uppercase letters and 3 special characters. More detailed information can be found by reviewing the includes/jscript/pwstrength.js file.
Failed Admin Login Ban Time
Set to 0 to disable the login ban feature. If someone makes 3 incorrect attempts to login to your WHMCS admin, this is the time in minutes before they can try to login again (dictionary attack protection). How to unban your IP if it becomes blocked.
Whitelisted IPs
The IP addresses listed here will never be banned from accessing the admin area due to login failures. For example you may wish to add your office IP address.
Admin Force SSL Access
When unticked the administration area can be access via both http and https connections. Ticking this option forces all connections to use https for increased security.
Disable Admin Password Reset
When checked, this will disable the Forgotten Password link on your Admin Login page. This replaces any previous method of disabling this option.
How to reset the admin password with this option disabled.
Disable Credit Card Storage
By default a client's credit card number is encrypted and stored in your database. Enabling this option means the number will not be stored and clients will need to re-enter their number for each invoice they pay.
Note: When using a tokanisation payment gateway type this option should remain unticked so the card details are stored on the remote server. The full card details will not be stored on your server.
Allow Customers CC Delete
When unticked only admins can remove credit card details from a client's account. When ticked, an option will appear in the client area for the same.
Disable MD5 Clients Password
For security client area passwords are irreversibly encrypted and cannot be viewed by admins, enabling this option will switch to reversible encryption allowing admins to view the password. When switching from irreversible to reversible clients will all be assigned a new password and will need to use password recovery.
Disable Session IP Check
This is used to protect against cookie/session hijacking and ideally should remain unticked. However it can cause problems for users with dynamic IPs or using mobile devices (iPhones etc) so can be disabled by ticking the checkbox.
API IP Access Restriction
Advanced. If using the WHMCS API from an off-server location, you must specify the IP address here, otherwise access will be denied.
CSRF Tokens
This additional security feature prevents malicious visitors to your website forging form posts to try and access parts of the software they should not. This option is set to "Enabled" by default and we recommend keeping it on, unless specifically advised otherwise my a member of WHMCS staff.