If you have any kind of head for security, you will have moved your WHMCS admin area to a non-standard directory. I have put this little selection of files together to put in the default directory (domain.tld/whmcs-install/admin). It looks identical to the real admin area (even at source level), the only difference being that it will log login attempts and password requests via the email request link.
Rather than putting these log lines in an obvious file that could be used to detect the fake page, the information is appended to the .htaccess file as comments. For security purposes, the information that they pass is stored in base64-encoded form, so if you would like to see what they entered, you will need to decode it (either with your own code or with some tool like this).
I have created each of the php files in the default WHMCS install (thanks touch & echo :-)), all of which redirect to the login.php page (yes, I could have used the .htaccess for this, but this version is more likely to work on the vast majority of servers, and it is much easier to help people when they have problems). The files which contain more complex code are:
- login.php – handles the reminder system (and logs reminder requests). Displays the correct HTML for each error / form etc.
- dologin.php – Logs login attempts
- licenseerror.php – Set up to mimic the original. Even mimics a user trying to change the license key 🙂
- accessdenied.php – For some reason, any user can access this file when not logged in, so I just copied the source over
- logout.php – Logout can be seen by any user, so I’ve just copied the source over again, as with accessdenied.php
To install the mod:
- Move your WHMCS admin area (instructions are in the WHMCS documentation here)
- Download the project here
- Unzip the file and upload the admin directory to the root of your WHMCS installation
- Set the .htaccess file to be writeable by your web server (probably 666)
- Done! Take a look at your .htaccess file after trying to login
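Once a few attempts have been logged, the comment lines in .htaccess need decoding before they are useful. The script below is an added example (not part of the mod's own code) that decodes those lines and builds the kind of overview an admin module could display: attempts per source IP, usernames tried and reminder requests. It assumes a record layout of timestamp|page|ip|value, which is a constructed guess; base64 only keeps the entries from being read at a glance, so the file itself still needs to be kept out of reach of anyone but the web server and you.

```python
import base64
import binascii
from collections import Counter

# Record layout is an assumption made for this example: timestamp|page|ip|value,
# value being the username tried (dologin.php) or the e-mail entered in the
# reminder form (login.php). Passwords are deliberately not kept in the summary.
FIELD_COUNT = 4

def encode_record(timestamp, page, ip, value):
    """Encode one record as the mod stores it: a base64 string in a comment."""
    return "# " + base64.b64encode("|".join((timestamp, page, ip, value)).encode()).decode()

def decode_records(htaccess_text):
    """Yield (timestamp, page, ip, value) for every comment that decodes to a
    well-formed record; directives and ordinary comments are skipped."""
    for line in htaccess_text.splitlines():
        line = line.strip()
        if not line.startswith("#"):
            continue  # a real directive, not a log entry
        try:
            raw = base64.b64decode(line[1:].strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # a plain-text comment or a corrupted entry
        fields = raw.split("|")
        if len(fields) == FIELD_COUNT:
            yield tuple(fields)

def summarize(htaccess_text):
    """Aggregate hits into an overview: attempts per IP, usernames, reminders."""
    per_ip, usernames, reminders = Counter(), Counter(), 0
    for _ts, page, ip, value in decode_records(htaccess_text):
        per_ip[ip] += 1
        if page == "dologin":
            usernames[value] += 1
        elif page == "login":
            reminders += 1
    return {"per_ip": per_ip, "usernames": usernames, "reminders": reminders}

# Constructed sample .htaccess: directives, a human comment, four honeypot
# entries (made-up values, documentation-range IPs) and one stray base64 comment.
SAMPLE_HTACCESS = "\n".join([
    "RewriteEngine On",
    "# honeypot entries are appended below this line",
    encode_record("2010-06-01 12:00:00", "dologin", "203.0.113.5", "admin"),
    encode_record("2010-06-01 12:00:04", "dologin", "203.0.113.5", "root"),
    encode_record("2010-06-01 12:01:10", "login", "198.51.100.7", "bob@example.com"),
    encode_record("2010-06-02 03:15:22", "dologin", "198.51.100.7", "admin"),
    "# Zm9v",  # valid base64 ("foo") but not a record, so it must be ignored
])
```

Run `summarize(open(".htaccess").read())` against the real file to get the same counters for your own installation.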
If you would like to link to this mod, please link to this post (http://ben90.com/2010/06/whmcs-mod-dummy-admin/) and not directly to the file. Please don’t create mirrors either; the latest version will always be available on this page, and I can ensure that the version on this page is not tampered with!!
Disclaimer: I am providing this code free of charge, anyone is welcome to use it, modify it etc. I accept no liability for any damage caused by using it. If anything goes wrong, don’t blame me!
If you have any questions, queries, or would just like to say thanks 🙂 Please leave a comment below!
Update: I’ll start listing feature suggestions below and build them in as and when I have time 🙂 If you have any suggestions, leave a comment!
- Admin module – display the details entered by attackers and some stats too, and possibly build a mod to display an overview on the admin homepage – Getting there with this now, teaser: