WHMCS Security Audit

Security audit for WHMCS installations including file permissions, database exposure, admin access, payment configuration and update status.

WHMCS handles customer data, payment processing and server provisioning — making it one of the most sensitive applications in a hosting operation. A WHMCS security audit reviews the installation for misconfigurations, exposed interfaces and operational risks that could lead to data breach or financial loss.

What We Review

Our audit examines the full WHMCS installation and its operational context:

  • Installation path — public vs non-public placement, directory indexing, access restrictions
  • File permissions — configuration.php, attachments directory, templates, cron scripts, log files
  • Database access — credentials storage, database user privileges, remote access restrictions, backup exposure
  • Admin panel exposure — admin directory location, IP restrictions, brute-force protection, session security
  • Payment gateway configuration — gateway module settings, callback URL security, token storage, PCI considerations
  • API security — API access controls, allowed IPs, credential scope, unused API credentials
  • Update status — WHMCS version, known vulnerabilities in current version, update path
  • Storage paths — downloads, attachments, template cache and log file locations relative to web root
  • Cron configuration — cron job user, execution frequency, output handling, error logging
  • Two-factor authentication — admin enforcement, client availability, recovery options
  • Module security — provisioning module configuration, server credentials storage, unused modules
  • Email templates — sensitive data in templates, client-facing information exposure

Risks of Misconfigured WHMCS

WHMCS is a frequent target for attackers because a single compromise can yield:

  • Customer databases — names, addresses, email addresses, service details
  • Payment information — depending on gateway configuration, stored tokens or transaction data
  • Server credentials — provisioning modules often store root or API credentials for connected servers
  • Business disruption — manipulated invoices, unauthorized service provisioning, data deletion

Common findings in WHMCS audits include:

  • Configuration file readable due to incorrect permissions
  • Admin panel accessible from any IP without two-factor authentication
  • Database user with full privileges instead of minimum required
  • WHMCS running several versions behind with known security patches missing
  • Attachment and download directories inside the web root
  • API credentials with excessive scope or no IP restriction
  • Cron job running as root instead of a limited user
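A small POSIX sh check for two of the findings above (a group- or world-readable configuration.php, and attachment, download or compiled-template directories that resolve inside the web root), added here as an example rather than the audit's or WHMCS's own tooling. It assumes configuration.php uses the standard `$attachments_dir`, `$downloads_dir` and `$templates_compiledir` keys, that the path passed in is the web-served document root, and that either GNU or BSD `stat` is available.

```sh
#!/bin/sh
# Added audit helper, not WHMCS code. Assumes configuration.php uses the standard
# $attachments_dir, $downloads_dir and $templates_compiledir keys and that the
# WHMCS root passed in is the web-served document root. Findings go to stderr,
# the finding count to stdout.

# Read a quoted scalar such as  $attachments_dir = '/srv/whmcs-data/attachments';
cfg_value() {  # $1 = configuration.php, $2 = variable name without the $
  sed -n "s/^[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# configuration.php holds the database password and encryption hash; only the
# owner (the PHP user) should be able to read it.
check_config_perms() {  # $1 = WHMCS root
  f="$1/configuration.php"
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
  case "$mode" in
    400|600) return 0 ;;
    *) echo "FINDING: $f has mode $mode, expected 400 or 600" >&2; return 1 ;;
  esac
}

# Storage paths must resolve outside the web root, otherwise uploaded
# attachments and compiled templates are directly fetchable over HTTP.
check_outside_webroot() {  # $1 = web root, $2 = storage path (absolute or relative to $1)
  root=$(cd "$1" && pwd -P)
  dir=$(cd "$1" && cd "$2" 2>/dev/null && pwd -P) \
    || { echo "FINDING: storage path $2 does not exist" >&2; return 1; }
  case "$dir/" in
    "$root"/*) echo "FINDING: $2 resolves to $dir, inside web root $root" >&2; return 1 ;;
  esac
  return 0
}

whmcs_audit() {  # $1 = WHMCS root; prints the number of findings
  cfg="$1/configuration.php"; n=0
  check_config_perms "$1" || n=$((n + 1))
  for key in attachments_dir downloads_dir templates_compiledir; do
    path=$(cfg_value "$cfg" "$key")
    if [ -z "$path" ]; then
      echo "FINDING: \$$key is not set in configuration.php" >&2; n=$((n + 1))
    else
      check_outside_webroot "$1" "$path" || n=$((n + 1))
    fi
  done
  echo "$n"
}

if [ "$#" -eq 1 ]; then whmcs_audit "$1"; fi
```

Run it as `sh whmcs_audit.sh /path/to/whmcs`; a non-zero count on stdout with the individual findings on stderr is the cue to fix permissions or move the storage paths.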

What You Receive

  • Detailed findings report — each issue documented with evidence, severity rating and specific fix
  • Hardening checklist — a step-by-step guide to securing your WHMCS installation
  • Priority remediation plan — issues ranked by risk and effort
  • Configuration recommendations — specific settings and file permission targets for your environment

Secure your billing and automation platform. Contact us to discuss your WHMCS audit, or review our pricing.

Need a different audit scope?

We tailor every engagement to your infrastructure. Tell us what you need.
