How can we improve WHMCS?

Share, discuss and vote for what you would like to see added to WHMCS

  1. Home
  2. Ideas
  3. Other
  4. Banning clients for failed login attempts (similar to the admin)

Banning clients for failed login attempts (similar to the admin)



57 Votes
Login to Vote
You may notice many failed login attempts to your clients and we would like to protect them from being hacked or something like that by banning clients for failed login attempts (similar to the admin) this feature is important and useful.

[u]Vote for it.[/u]
Merged Ideas
    Client Area Brute Force Protection
    I wonder how WHMCS didn't implement brute force protection for client users till now,Every one can use simple brute force methods to hack in our clients passwords.Please implement this simple feature ASAP.

14 Comments

Login to post a comment.

nonet67 commented 4 weeks ago
I want much more of this. Thanks for the info! Your page has excellent information, therefore I saved it. https://retrogamesfree.com
Marc Dawson commented 26th June
Oh I feel like that's too harsh. Instead, give them the opportunity to log in another way. https://baldigames.com
scysys commented 15th May 18
That's not good. There are users who never know there passwords. They will try it and try it and try it. Until they found their Password.

2FA and Strong Passwords are enough security. Those Systems where Users banned for an time of 15 Minutes or so on are very unresponsive and makes customers angry.
Mike Q commented 3rd May 18
This is a basic, universal standard practice utilized and expected by just about any serious website or software with a login system. Even some legacy CRM systems some of my IT clients run that were made in the late 90's and early 2000's have this basic measure built in.

Is there any reason for WHMCS *not* to implement this?
Official Response
WHMCS commented 18th January 17
Hi,

Thanks for taking the time to submit this idea and for everyone's votes.

I'd just like to take a moment to speak about the benefits of Two Factor Authentication. With two factor authentication enabled, a malicious actor cannot access a client's account - even with the genuine password. Two factor can be made mandatory for clients to login via Setup > Staff Management > Two-Factor Authentication > Force Clients option.

If using DuoSecurity for two-factor authentication, you can even temporarily prevent further authentication attempts after a certain number of failures.

Please do continue to vote and comment on this suggestion.
Mitch commented 18th January 17
Clients cannot be expected to enable 2-Factor Authentication, nor should it really be enforced for clients. This is not a solution to the issue. I still don't understand why something so basic hasn't been implemented yet.
Mitch commented 18th January 17
If you're not going to add this - maybe add a PreLogin hook where developers can fail a login under certain circumstances. This would mean a developer can implement this themselves, but also bring many other possibilities at the same time.
Amir Zano commented 18th January 17
Hey John,
You can't force all clients to use 2-Factor Authentication why? simply not all clients using smartphones :)
So if we added this feature like the admin area it would be very good step and i think it's very easy to include it in a future update this will prevent anonymous clients accounts login attempts.
Nick williams commented 16th December 16
Needed!
Hamed Khoramyar commented 10th December 16
If CLEF is integrated, it can work with both admin and client area, and bruteforce is out the window automatically: https://requests.whmcs.com/topic/clef-login-module
Mitch commented 22nd November 16
As far as I'm aware this hasn't been added yet. This needs some attention.
Mark Railton commented 17th June 16
Adding a vote for this, had actually opened a support request to have this added or a hook point we could use in order to implement this ourselves.
abdul jabar commented 13th March 16
must need this option
Alex commented 24th March 15
+++