There have been some pretty nasty WHMCS hacks lately with hackers being able to compromise various aspects of the admin area. For this reason, security steps like we've already covered involving moving the browsable directories, changing the admin folder name, and ensuring that only a few addresses can access the admin area are critical. But there is one final vulnerability we need to patch - the cron job folder.
The cron jobs are where the automated actions of WHMCS are carried out on a regular basis. You may recall setting one up to run automatically after the initial WHMCS install. One example of a crucial cron job is domain synchronization. What this means is that your database of domains registered with your customers always needs to show the updated expiry dates and status. Say for example, one of your customers renews their domain for another two years. How will that information be reflected in your accounts automatically? The answer lies in what is known as a "Domain Synchronization File" which you need to run periodically.
Unfortunately, the crons folder containing this file is browsable - and we need to rectify that somehow. The recommended solution is to move the crons folder out of the WHMCS installation folder to a more secure directory, change the location parameters of the installation, and update all existing cron jobs. Here's how we go about it.
Crons Folder Location
Login to cPanel with the account you used to install WHMCS and fire up the file explorer. Navigate to your installation directory and you should come across the "crons" folder sitting in plain sight. It contains two files, one of which is the domain synchronization file we mentioned below:
In the main file explorer window, right click the "crons" folder and select "move". In the resulting dialogue box, enter the new "non-browsable" location. It's exactly the same procedure as the one we followed when we moved the three initial directories out of the installation folder. Only this time, we're not going to display the new "crons" folder location in the configuration file, but we'll do the reverse - we have to indicate the WHMCS location instead!
Once the folder is safely out of the way, right click on "config.php" inside the "crons" folder and open it up for editing. It's a PHP file with just one line - the definition of the "$whmcspath" variable. By default, it's set to indicate just one folder level above the current one. We have to change this to either an absolute or relative path depending on our preference.
In this demonstration example, I simply took the folder and dumped into my root. You probably have another location in mind. In which case, change the $whmcspath variable to the new location. For me, this is my modified path:
$whmcspath = '/home/bhagwad/public_html/whmcs/';
Save the file, and you should be done. Your "crons" folder is now secure.
Modifying Existing Cron Jobs
While you've successfully protected your crons folder, any existing cron jobs you have referencing it need to be changed. For example, if you've already set up domain synchronization, you have to make the necessary modifications so that they can continue running without a hitch. In the "Advanced" section of cPanel, find the "Cron Jobs" icon as shown below:
In the resulting screen, scroll down to find the existing cron jobs. Click the "Edit" link next to the one you want to change, and a new "Command" text field will appear lower down. Change the path so that it's consistent with the new location of the "crons" folder.
Hit "Edit Line" to save your changes and you're done! This process combined with the other security measure outlined in the previous articles completes the "hardening" of WHMCS. Your admin area should now be rock solid and protected from malicious attackers. Time to get started on WHMCS configuration next!