Feature Requests
Share ideas, discuss and vote on requests from other users in community
 

Refactor Powered By WHMCS

WHMCS Chris shared this idea 6 years ago
Currently Declined

Originally Posted on the forums by: kurieuo

Here:http://forums.whmcs.com/showthread.php?66951-Is-the-quot-powered-by-whmcompletesolution-quot-text-a-hacking-risk

I find that I get a few visits to my website using the query "powered by whmcompletesolution" - for example:"powered by whmcompletesolution" "quality" inurl:cartcart.php whmcompletesolutionclientarea.php "powered by whmcompletesolution"intext:" powered by whmcompletesolution "+ inurl:cart.php?intext:"powered by whmcompletesolution"intext:powered by whmcompletesolution inurl:".*/*/submitticket.php"intext:powered by whmcompletesolution inurl:cart.php?a=viewinurl:"cart.php?a" intext:"powered by whmcompletesolution"inurl:"cart.php?a=" intext:"powered by whmcompletesolution"inurl:submitticket.php "powered by whmcompletesolution"...These are either people looking for samples of WHMCS sites or looking for sites using WHMCS that they can try hack into.WHMCS team: are you aware of this?We don't mind promoting WHMCS as our billing system so that's why we didn't get the non-branded version, but just dislike that it attracts this sort of traffic. So I was thinking... maybe if the "powered by whmcompletesolution" bit were an image rather than text, maybe it would be harder for hackers to find WHMCS sites. I guess, they could use Google image search to find the sites still... d'oh... or how about if the powered by was written with javascript? smileAnyone else have ideas?

Best Answer
photo

Hello,

The "Powered By..", while can be searched directly for via Google, is not the sole way to identify a WHMCS installation against other platforms - or custom built. Refactoring this would not disable the ability for someone to look up WHMCS installations, but instead require them to use an alternate search term that is just as effective.

In aims to security, ensuring that your WHMCS installation is always up to date as WHMCS continues to focus on security both internally, and working with security agencies. Additionally, focusing on the security of the Server itself, including but not limited to ensuring PHP/Apache is hardened, and care is taken into the access you allow to the server where WHMCS is installed.

Comments (5)

photo
2

Buy unbranded?

Also WHMCS could use this to there advantage by changing the anchor text to something more valueable like billing system or something.

photo
2

I brought Unbranded monthly simply because I wanted the website design to look neat and not all over my pages. But powered by WHMCS is fair in my opinion.

photo
1

There is no way to redo the powered by line, unless WHMCS allows for the image to be defined admin side along with any alt/title attributes which defeates the purpose, Also add to the fact its a url that cant be changed because its whmcs own website it links to. no matter what we did admin side to alter the image, alt/title the page would still contain a link which can be found.

As soon as the line is changed in such a way as it cant be unique then the would be "hackers" would simply change there method to match the new factoring.

There are also other for want of a better way, "give-aways" that whmcs is being used that could be used instead. I wont go into them im not commenting to hand out ideas, but lets just say no matter whether you are branded or not and whether you are customised or not, the whmcs installation is very easily identified by other means than the link.

This just means in my view that security, patching and pre-consideration when developing are of higher importance than the branding.

photo
1

Hello,

The "Powered By..", while can be searched directly for via Google, is not the sole way to identify a WHMCS installation against other platforms - or custom built. Refactoring this would not disable the ability for someone to look up WHMCS installations, but instead require them to use an alternate search term that is just as effective.

In aims to security, ensuring that your WHMCS installation is always up to date as WHMCS continues to focus on security both internally, and working with security agencies. Additionally, focusing on the security of the Server itself, including but not limited to ensuring PHP/Apache is hardened, and care is taken into the access you allow to the server where WHMCS is installed.

photo
1

The "Power by WHMCS" needs to be an image with the image name that is randomly generated after a WHMCS install.

This way there is no way to do a simple search of

"Power by WHMCS"

Chris: "Refactoring this would not disable the ability for someone to look up
WHMCS installations, but instead require them to use an alternate search
term that is just as effective. "

Those other alternate search terms also needs to be disabled. Changing the names of common files with an option to change them after install would help solve this issue.
Maybe have some file that list all of the files and have a way to change the name and using the file to reference the file names that were changed.
Have to also have a way to protect that file too.
Hackers are lazy generally and uses Google to find their exploit sites.

If a hacker can not find your site using Google there is a 95% chance you will not get hacked.

They will simply go with sites they can find on Google, they don't go out of the way normally to find random WHMCS sites.

Also WHMCS installs needs to have robot.txt files in there to help prevent Google and other search engines from indexing senitive files in the first place.