Remove or cut access to registrar, gateway etc. modules that are not used.
A typic user uses less that 3% of whmcs standard modules. Considering the past security vulnerabilities it makes no sense to have thoses php files publically accessible.
You should download and/or place them only if they are actually used.
This applies for any other piece of code that is not used by default by everyone.