DEV Community: Mourad Ilyes Mlik The latest articles on DEV Community by Mourad Ilyes Mlik (@mmitech). https://dev.to/mmitech https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3857242%2Fac656add-32df-4565-b66a-2497120288af.png DEV Community: Mourad Ilyes Mlik https://dev.to/mmitech en Locking Down WHMCS: Nginx, Fail2ban, and What Nobody Tells You Mourad Ilyes Mlik Thu, 02 Apr 2026 09:16:16 +0000 https://dev.to/mmitech/locking-down-whmcs-nginx-fail2ban-and-what-nobody-tells-you-1kl9 https://dev.to/mmitech/locking-down-whmcs-nginx-fail2ban-and-what-nobody-tells-you-1kl9 <p>If you run a hosting business on WHMCS, your admin panel is one of the most targeted endpoints on your entire infrastructure. Credential stuffing, brute force attempts, script scanners probing for known path, it never stops.</p> <p>I run <a href="https://mmitech.si" rel="noopener noreferrer">MMITech</a>, a hosting provider in Slovenia, and our WHMCS instance sits behind Nginx serving seven language variants across multiple European markets. After watching the access logs for a while, I decided to properly harden the setup. Here's what I did and the gotchas I ran into along the way.</p> <h2> Step 1: Move the Admin Path </h2> <p>WHMCS ships with <code>/admin</code> as the default admin directory. Every scanner on the internet knows this. The first step is renaming it to something non-obvious.</p> <p>In WHMCS, rename the admin directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mv</span> /var/www/whmcs/admin /var/www/whmcs/your-secret-path </code></pre> </div> <p>Then update <code>configuration.php</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$customadminpath</span> <span class="o">=</span> <span class="s1">'your-secret-path'</span><span class="p">;</span> </code></pre> </div> <p>This doesn't make you secure it just reduces noise. Security through obscurity is not security, but it does cut down on 99% of automated scans hitting your admin login.</p> <h2> Step 2: Restrict Admin Access by IP in Nginx </h2> <p>The real protection is restricting your admin path to known IP addresses at the web server level. Even if someone knows the path and has valid credentials, they can't reach it from an unauthorized IP.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">location</span> <span class="n">/your-secret-path/</span> <span class="p">{</span> <span class="kn">allow</span> <span class="mf">203.0</span><span class="s">.113.10</span><span class="p">;</span> <span class="c1"># Your office IP</span> <span class="kn">allow</span> <span class="mf">198.51</span><span class="s">.100.0/24</span><span class="p">;</span> <span class="c1"># VPN range</span> <span class="kn">deny</span> <span class="s">all</span><span class="p">;</span> <span class="kn">try_files</span> <span class="nv">$uri</span> <span class="nv">$uri</span><span class="n">/</span> <span class="n">/your-secret-path/index.php?</span><span class="nv">$query_string</span><span class="p">;</span> <span class="kn">location</span> <span class="p">~</span> <span class="sr">\.php$</span> <span class="p">{</span> <span class="kn">fastcgi_pass</span> <span class="s">unix:/run/php/php8.3-fpm.sock</span><span class="p">;</span> <span class="kn">fastcgi_param</span> <span class="s">SCRIPT_FILENAME</span> <span class="nv">$document_root$fastcgi_script_name</span><span class="p">;</span> <span class="kn">include</span> <span class="s">fastcgi_params</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>After adding this, test from a non-whitelisted IP. You should get a 403 immediately. If you get a 200, your location block isn't matching, more on that below.</p> <h2> Step 3: Lock Down configuration.php </h2> <p>WHMCS stores database credentials, API keys, and license info in <code>configuration.php</code>. This file should never be served by the web server under any circumstances.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">location</span> <span class="p">~</span><span class="sr">*</span> <span class="s">configuration</span><span class="err">\</span><span class="s">.php</span>$ <span class="p">{</span> <span class="kn">deny</span> <span class="s">all</span><span class="p">;</span> <span class="kn">return</span> <span class="mi">404</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Put this <strong>before</strong> your general PHP location block. Nginx processes location blocks in a specific order, exact matches first, then regex. If your general <code>\.php$</code> block catches it first, the deny never triggers.</p> <p>Test it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-I</span> https://yourdomain.com/configuration.php <span class="c"># Should return 404</span> </code></pre> </div> <h2> Step 4: Fail2ban Jails for WHMCS </h2> <p>This is where it gets interesting. WHMCS logs failed login attempts, but its log format doesn't match any of fail2ban's built-in filters. You need custom jails.</p> <h3> The Nginx Log Format Problem </h3> <p>If you use a non-standard Nginx log format (which many WHMCS setups do because of reverse proxies or load balancers), fail2ban's default <code>nginx-http-auth</code> filter won't work. You need to write <code>failregex</code> patterns that match your actual log format.</p> <p>Here's what our log lines look like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight apache"><code>203.0.113.55 - - [15/Mar/2026:14:22:31 +0100] "POST /dologin.php HTTP/1.1" 302 0 "https://example.com/login.php" "Mozilla/5.0..." </code></pre> </div> <p>A failed WHMCS login returns a 302 redirect back to the login page. A successful login also returns a 302 but redirects to the client area. The differentiator is the referer and the POST target.</p> <h3> Jail: WHMCS Client Login Brute Force </h3> <p>Create <code>/etc/fail2ban/filter.d/whmcs-login.conf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Definition]</span> <span class="py">failregex</span> <span class="p">=</span> <span class="s">^&lt;HOST&gt; .* "POST /dologin</span><span class="se">\.</span><span class="s">php HTTP/.*" 302</span> <span class="py">ignoreregex</span> <span class="p">=</span> </code></pre> </div> <p>And the jail in <code>/etc/fail2ban/jail.local</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[whmcs-login]</span> <span class="py">enabled</span> <span class="p">=</span> <span class="s">true</span> <span class="py">port</span> <span class="p">=</span> <span class="s">http,https</span> <span class="py">filter</span> <span class="p">=</span> <span class="s">whmcs-login</span> <span class="py">logpath</span> <span class="p">=</span> <span class="s">/var/log/nginx/access.log</span> <span class="py">maxretry</span> <span class="p">=</span> <span class="s">5</span> <span class="py">findtime</span> <span class="p">=</span> <span class="s">300</span> <span class="py">bantime</span> <span class="p">=</span> <span class="s">3600</span> </code></pre> </div> <p>This bans any IP that makes 5 failed login attempts within 5 minutes for 1 hour.</p> <h3> Jail: Admin Login Brute Force </h3> <p>Same concept but for the admin path, with a lower threshold:</p> <p>Create <code>/etc/fail2ban/filter.d/whmcs-admin.conf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Definition]</span> <span class="py">failregex</span> <span class="p">=</span> <span class="s">^&lt;HOST&gt; .* "POST /your-secret-path/dologin</span><span class="se">\.</span><span class="s">php HTTP/.*" 302</span> <span class="py">ignoreregex</span> <span class="p">=</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[whmcs-admin]</span> <span class="py">enabled</span> <span class="p">=</span> <span class="s">true</span> <span class="py">port</span> <span class="p">=</span> <span class="s">http,https</span> <span class="py">filter</span> <span class="p">=</span> <span class="s">whmcs-admin</span> <span class="py">logpath</span> <span class="p">=</span> <span class="s">/var/log/nginx/access.log</span> <span class="py">maxretry</span> <span class="p">=</span> <span class="s">3</span> <span class="py">findtime</span> <span class="p">=</span> <span class="s">300</span> <span class="py">bantime</span> <span class="p">=</span> <span class="s">86400</span> </code></pre> </div> <p>3 failed attempts and you're banned for 24 hours. Aggressive, but nobody legitimate fails admin login 3 times in 5 minutes.</p> <h3> Jail: Script Scanners </h3> <p>Bots constantly probe for paths like <code>/wp-login.php</code>, <code>/xmlrpc.php</code>, <code>/phpmyadmin</code>, etc. These are instant giveaways that the request is malicious:</p> <p>Create <code>/etc/fail2ban/filter.d/nginx-script-unknown.conf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Definition]</span> <span class="py">failregex</span> <span class="p">=</span> <span class="s">^&lt;HOST&gt; .* "(GET|POST) /(wp-login|wp-admin|xmlrpc|phpmyadmin|pma|myadmin|administrator|</span><span class="se">\.</span><span class="s">env|</span><span class="se">\.</span><span class="s">git).*" (404|403)</span> <span class="py">ignoreregex</span> <span class="p">=</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[nginx-script-unknown]</span> <span class="py">enabled</span> <span class="p">=</span> <span class="s">true</span> <span class="py">port</span> <span class="p">=</span> <span class="s">http,https</span> <span class="py">filter</span> <span class="p">=</span> <span class="s">nginx-script-unknown</span> <span class="py">logpath</span> <span class="p">=</span> <span class="s">/var/log/nginx/access.log</span> <span class="py">maxretry</span> <span class="p">=</span> <span class="s">2</span> <span class="py">findtime</span> <span class="p">=</span> <span class="s">300</span> <span class="py">bantime</span> <span class="p">=</span> <span class="s">86400</span> </code></pre> </div> <h3> Jail: Recidive (Repeat Offenders) </h3> <p>The recidive jail catches IPs that keep getting banned and gives them a longer ban:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[recidive]</span> <span class="py">enabled</span> <span class="p">=</span> <span class="s">true</span> <span class="py">logpath</span> <span class="p">=</span> <span class="s">/var/log/fail2ban.log</span> <span class="py">banaction</span> <span class="p">=</span> <span class="s">%(banaction_allports)s</span> <span class="py">bantime</span> <span class="p">=</span> <span class="s">604800</span> <span class="py">findtime</span> <span class="p">=</span> <span class="s">86400</span> <span class="py">maxretry</span> <span class="p">=</span> <span class="s">3</span> </code></pre> </div> <p>If an IP gets banned 3 times in 24 hours across any jail, they're blocked for a week on all ports.</p> <h3> Test Your Filters </h3> <p>Always test before deploying:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/whmcs-login.conf </code></pre> </div> <p>This shows you exactly how many lines match. If it returns 0 matches on a log that you know has failed login attempts, your regex is wrong.</p> <h2> Step 5: Security Headers (Watch the Inheritance) </h2> <p>This is the gotcha that cost me the most time. Nginx has a counterintuitive behavior with <code>add_header</code>: if you add <strong>any</strong> <code>add_header</code> directive in a child block, it <strong>completely overrides</strong> all <code>add_header</code> directives from the parent block.</p> <p>Example of what goes wrong:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">server</span> <span class="p">{</span> <span class="kn">add_header</span> <span class="s">X-Frame-Options</span> <span class="s">"SAMEORIGIN"</span> <span class="s">always</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">X-Content-Type-Options</span> <span class="s">"nosniff"</span> <span class="s">always</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">X-XSS-Protection</span> <span class="s">"1</span><span class="p">;</span> <span class="kn">mode=block"</span> <span class="s">always</span><span class="p">;</span> <span class="kn">location</span> <span class="n">/your-secret-path/</span> <span class="p">{</span> <span class="kn">add_header</span> <span class="s">X-Robots-Tag</span> <span class="s">"noindex,</span> <span class="s">nofollow"</span> <span class="s">always</span><span class="p">;</span> <span class="c1"># BUG: The three headers above are now GONE for this location</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The fix is to repeat all headers in every location block that adds its own headers. Or use the <code>ngx_http_headers_more_module</code> which has <code>more_set_headers</code> that doesn't have this inheritance problem.</p> <p>Our approach repeat the base headers using an include file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="c1"># /etc/nginx/snippets/security-headers.conf</span> <span class="k">add_header</span> <span class="s">X-Frame-Options</span> <span class="s">"SAMEORIGIN"</span> <span class="s">always</span><span class="p">;</span> <span class="k">add_header</span> <span class="s">X-Content-Type-Options</span> <span class="s">"nosniff"</span> <span class="s">always</span><span class="p">;</span> <span class="k">add_header</span> <span class="s">X-XSS-Protection</span> <span class="s">"1</span><span class="p">;</span> <span class="k">mode=block"</span> <span class="s">always</span><span class="p">;</span> <span class="k">add_header</span> <span class="s">Referrer-Policy</span> <span class="s">"strict-origin-when-cross-origin"</span> <span class="s">always</span><span class="p">;</span> <span class="k">add_header</span> <span class="s">Permissions-Policy</span> <span class="s">"camera=(),</span> <span class="s">microphone=(),</span> <span class="s">geolocation=()"</span> <span class="s">always</span><span class="p">;</span> </code></pre> </div> <p>Then include it everywhere:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">server</span> <span class="p">{</span> <span class="kn">include</span> <span class="n">/etc/nginx/snippets/security-headers.conf</span><span class="p">;</span> <span class="kn">location</span> <span class="n">/your-secret-path/</span> <span class="p">{</span> <span class="kn">include</span> <span class="n">/etc/nginx/snippets/security-headers.conf</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">X-Robots-Tag</span> <span class="s">"noindex,</span> <span class="s">nofollow"</span> <span class="s">always</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Verify with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-I</span> https://yourdomain.com/ curl <span class="nt">-I</span> https://yourdomain.com/your-secret-path/ </code></pre> </div> <p>Both should show the full set of security headers.</p> <h2> Step 6: Rate Limiting the Login Endpoint </h2> <p>On top of fail2ban, add Nginx-level rate limiting as a first line of defense:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="c1"># In the http block</span> <span class="k">limit_req_zone</span> <span class="nv">$binary_remote_addr</span> <span class="s">zone=whmcs_login:10m</span> <span class="s">rate=5r/m</span><span class="p">;</span> <span class="c1"># In the server block</span> <span class="k">location</span> <span class="p">=</span> <span class="n">/dologin.php</span> <span class="p">{</span> <span class="kn">limit_req</span> <span class="s">zone=whmcs_login</span> <span class="s">burst=3</span> <span class="s">nodelay</span><span class="p">;</span> <span class="kn">limit_req_status</span> <span class="mi">429</span><span class="p">;</span> <span class="kn">fastcgi_pass</span> <span class="s">unix:/run/php/php8.3-fpm.sock</span><span class="p">;</span> <span class="kn">fastcgi_param</span> <span class="s">SCRIPT_FILENAME</span> <span class="nv">$document_root$fastcgi_script_name</span><span class="p">;</span> <span class="kn">include</span> <span class="s">fastcgi_params</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>This limits login attempts to 5 per minute per IP, with a burst allowance of 3. Anything beyond that gets a 429 response before it even hits PHP, saving server resources.</p> <h2> The Result </h2> <p>After deploying all of this, our daily failed login noise dropped from hundreds of attempts to effectively zero reaching the application. The combination works in layers:</p> <ol> <li> <strong>Non-default admin path</strong>: eliminates automated scanners</li> <li> <strong>IP restriction on admin</strong>: blocks everyone except authorized IPs</li> <li> <strong>Rate limiting on login</strong>: throttles brute force at the Nginx level</li> <li> <strong>Fail2ban jails</strong>: bans persistent offenders at the firewall level</li> <li> <strong>Recidive jail</strong>: escalates bans for repeat offenders</li> <li> <strong>Security headers</strong>: prevents clickjacking and XSS</li> <li> <strong>configuration.php blocked</strong>: protects credentials from direct access</li> </ol> <p>None of these individually is sufficient. Together, they create enough friction that attackers move on to easier targets.</p> <p><em>I'm Mourad, founder of <a href="https://mmitech.si" rel="noopener noreferrer">MMITech</a> a hosting provider based in Kranj, Slovenia. We run Cloud VPS on Proxmox/Ceph, AMD VPS on Ryzen 9/NVMe, Nextcloud storage, and dedicated servers. If you have questions about this setup or want to compare notes, drop a comment or reach out at <a href="mailto:hello@mmitech.si">hello@mmitech.si</a>.</em></p> security nginx sysadmin webdev