How can we improve WHMCS?

Share, discuss and vote for what you would like to see added to WHMCS

Banning clients for failed login attempts (similar to the admin)



You may notice many failed login attempts to your clients, and we would like to protect them from being hacked or something like that by banning clients for failed login attempts (similar to the admin). This feature is important and useful.

Vote for it.
Merged Ideas
    Client Area Brute Force Protection
    I wonder how WHMCS didn't implement brute force protection for client users till now. Everyone can use simple brute force methods to hack into our clients' passwords. Please implement this simple feature ASAP.

12 Comments

That's not good. There are users who never know their passwords. They will try it and try it and try it, until they find their password.

2FA and strong passwords are enough security. Those systems where users are banned for a time of 15 minutes or so are very unresponsive and make customers angry.
This is a basic, universal standard practice utilized and expected by just about any serious website or software with a login system. Even some legacy CRM systems some of my IT clients run that were made in the late 90's and early 2000's have this basic measure built in.

Is there any reason for WHMCS *not* to implement this?
Hi,

Thanks for taking the time to submit this idea and for everyone's votes.

I'd just like to take a moment to speak about the benefits of Two Factor Authentication. With two factor authentication enabled, a malicious actor cannot access a client's account - even with the genuine password. Two factor can be made mandatory for clients to log in via Setup > Staff Management > Two-Factor Authentication > Force Clients option.

If using DuoSecurity for two-factor authentication, you can even temporarily prevent further authentication attempts after a certain number of failures.

Please do continue to vote and comment on this suggestion.
Clients cannot be expected to enable 2-Factor Authentication, nor should it really be enforced for clients. This is not a solution to the issue. I still don't understand why something so basic hasn't been implemented yet.
If you're not going to add this - maybe add a PreLogin hook where developers can fail a login under certain circumstances. This would mean a developer can implement this themselves, but also bring many other possibilities at the same time.
Hey John,
You can't force all clients to use 2-Factor Authentication. Why? Simply, not all clients are using smartphones :)
So if we added this feature like the admin area, it would be a very good step, and I think it's very easy to include it in a future update. This will prevent anonymous client account login attempts.
Needed!
If CLEF is integrated, it can work with both admin and client area, and bruteforce is out the window automatically: https://requests.whmcs.com/topic/clef-login-module
As far as I'm aware this hasn't been added yet. This needs some attention.
Adding a vote for this, had actually opened a support request to have this added or a hook point we could use in order to implement this ourselves.
Must need this option.
+++