The Problem
WHMCS installations get attacked constantly. Bots scan for vulnerabilities. Hackers try admin logins from sketchy countries. Your server logs fill with garbage traffic.
What Happens Without Protection
Typical attacks on WHMCS:
- Bots scanning for `/wp-admin/`, `/phpmyadmin/` (you don't even run WordPress)
- Automated tools trying `/shell.php`, `/c99.php`, backdoor files
- Dictionary attacks on admin login
- Traffic from compromised servers and botnets
- Version control exposure attempts (`.git/`, `.svn/`)
- Rapid-fire requests overwhelming your server
Your logs show:
```
103.18.45.22 - GET /wp-admin/ - 404
185.220.101.5 - GET /phpmyadmin/ - 404
34.147.162.8 - GET /shell.php - 404
216.24.57.3 - GET /.git/config - 404
```
None of these are legitimate users. All wasting server resources.
Problems:
- Server resources wasted on bot traffic
- Log files bloated with attacks
- Increased security risk
- No visibility into who's hitting your site
- Admin logins from anywhere in the world
- No automated blocking
Standard WHMCS Has Nothing
WHMCS includes:
- Basic admin IP restriction (manual, painful)
- Nothing else
No country blocking. No bot detection. No threat intelligence. No automated protection.
Failed Workarounds
Server firewall (iptables/firewalld):
- Manual IP blocking
- No WHMCS integration
- Can't see what you're blocking
- No automatic updates
- Blocks entire server, not just WHMCS
Cloudflare/proxy:
- External service
- Monthly fees
- Adds latency
- Can't distinguish WHMCS-specific threats
- Limited free tier
Fail2Ban:
- Requires server access
- Complex regex rules
- No WHMCS visibility
- Blocks SSH/all services together
- High maintenance
ModSecurity:
- Generic web application firewall
- False positives
- Complex tuning
- Not WHMCS-aware
- Overkill for most cases
None integrate with WHMCS. None show you what's happening. None provide WHMCS-specific protection.
The Solution
Access Shield Pro blocks unwanted traffic at the WHMCS level. Country blocking, IP whitelisting/blacklisting, bot detection, honeypot traps, threat intelligence feeds, and admin access control.
How It Works
Multi-layer protection:
Layer 1: Country Blocking
- Select countries to block globally
- Blocks all WHMCS pages for those countries
- Whitelist bypasses country blocks
Layer 2: IP Rules
- Whitelist (always allow)
- Blacklist (block with optional expiration)
- IPv4/IPv6 CIDR support
- Strike tracking for repeat offenders
- Threat intelligence auto-blacklist
Layer 3: Bot/Scanner Detection
- Detects vulnerability scanners
- Blocks suspicious paths and files
- Configurable patterns (regex/wildcards)
- Strike system with escalating bans
- Legitimate bot whitelist (Google, Bing)
Layer 4: Honeypot Traps
- Trap paths that shouldn't be accessed
- Instant permanent blacklist
- Configurable patterns
- Strike tracking
Layer 5: Threat Intelligence
- Daily updates from Blocklist.de, Spamhaus, Emerging Threats
- Automatically blocks known bad IPs
- Updates via WHMCS cron
- Toggle feeds on/off
Layer 6: Admin Access Control
- Restrict admin by country
- Restrict admin by IP/network
- Rate limiting for login attempts
- Custom admin directory path
All layers log access attempts with full visibility.
Real Use Cases
Scenario 1: Bot Traffic
Without Access Shield Pro:
Server logs:
```
103.18.45.22 - GET /wp-admin/ - 404
103.18.45.22 - GET /phpmyadmin/ - 404
103.18.45.22 - GET /shell.php - 404
103.18.45.22 - GET /.git/config - 404
```
(repeated 1000 times)
You see attacks in server logs but can't block them automatically.
With Access Shield Pro:
- First request to `/wp-admin/` triggers honeypot
- IP instantly blacklisted permanently
- Strike recorded
- Further requests blocked
- Logged with "Honeypot Triggered" action
- Quick action: delete or whitelist if false positive
Scenario 2: Scanner Attacks
Automated scanner probing for vulnerabilities:
```
34.147.162.8 - GET /config.php.bak
34.147.162.8 - GET /backup.sql
34.147.162.8 - GET /phpinfo.php
34.147.162.8 - GET /.env
```
Without protection: Server processes all requests, scanner maps your site.
With Access Shield Pro:
- First suspicious path detected
- Strike 1: Temporary ban (1 hour)
- Strike 2: Temporary ban (6 hours)
- Strike 3: Temporary ban (24 hours)
- Strike 4+: Permanent ban
- All logged with details
Scenario 3: Admin Access from Sketchy Country
Admin login attempt from IP in China (you're in Belgium):
Without protection: Login form accessible from anywhere.
With Access Shield Pro:
- Enable admin country restrictions
- Whitelist Belgium, Netherlands, France (or wherever your team is)
- China login attempt blocked
- Logged as "Denied Admin Restricted"
- IP automatically tracked
Scenario 4: Compromised Server
IP appears on threat intelligence feed (Spamhaus/Blocklist.de):
Without protection: Traffic allowed until manual block.
With Access Shield Pro:
- Daily cron updates threat feeds
- Compromised IP automatically blacklisted
- All requests blocked
- Logged as "Threat Intelligence"
- No manual intervention
Scenario 5: Legitimate Customer Accidentally Blocked
Customer's office uses VPN that triggers scanner detection:
Without protection: Can't unblock easily.
With Access Shield Pro:
- View access logs
- Find customer's IP
- Click "Mark as Customer" quick action
- IP whitelisted
- Access restored immediately
- All from logs interface
Installation
- Purchase from [ArkHost Store](https://arkhost.com/store/whmcs-modules/access-shield-pro)
- Upload to `/modules/addons/access_shield_pro/`
- Activate in Setup → Addon Modules
- Enter license key
- Configure admin permissions
- Done
Module starts protecting immediately with default settings.
Configuration
Country Blocking
Settings → Country Blocking
Select countries to block globally:
- Blocks all WHMCS pages
- Whitelisted IPs bypass
- Useful for blocking high-risk countries
Example: Block Russia, China, North Korea if you only serve EU customers.
IP Rules
Settings → IP Rules
Add whitelist or blacklist rules:
Whitelist (always allow):
- Your office IP
- Customer IPs
- Partners/vendors
- Bypasses all other blocks
Blacklist (block):
- Known bad IPs
- Repeat offenders
- Optional expiration date
- Strike tracking
- Ban duration selection
Formats:
- Single IP: `192.168.1.1`
- IPv4 CIDR: `192.168.1.0/24`
- IPv6: `2001:db8::/32`
Strike system:
- Tracks how many times IP blocked
- Shows in IP Rules table
- Useful for identifying persistent attackers
Scanner Protection
Settings → Scanner Protection
Enable bot/scanner detection:
Auto-ban threshold: Number of scanner attempts before permanent ban (default: 3)
Scanner detection patterns (textarea):
One pattern per line, supports:
- Exact paths: `/phpinfo.php`, `/.git/`
- Wildcards: `*.bak`, `/uploads/*.php`
- Regex: `^/[0-9]+\.php$`, `\.(php|asp)\.(bak|old)$`
- Comments: `# This is a comment`
Load defaults button populates common patterns:
```
/phpinfo.php
/.git/
/.env
/shell.php
/c99.php
/r57.php
*.bak
*.old
*.sql
/backup*
```
Strike detection patterns:
If pattern matches, issue strike:
- 4 patterns = exact paths, simple wildcards
- 8 patterns = regex patterns
Requests per allowed limit: Max requests before rate limiting (default: 60)
Block scanner attempts: Temporary ban duration for strikes (default: 15 minutes)
Legitimate bot whitelist:
Googlebot, Bingbot, etc. bypass scanner protection.
Honeypot Protection
Settings → Honeypot Protection
Enable honeypot trap paths for instant blacklisting:
Honeypot paths (textarea):
One pattern per line:
- Exact: `/wp-admin/`, `/phpmyadmin/`
- Wildcards: `/phpmyadmin/*`
- Regex: `^/backup.*\.(sql|zip)$`
- Comments supported
Load defaults button:
```
/wp-admin/
/wp-login.php
/phpmyadmin/
/pma/
/mysql/
/admin/
/administrator/
```
Strike escalation:
- How long to ban (default: 4 hours)
- Max strikes before permanent (default: 4)
Trap paths you don't use. Instant permanent blacklist for anyone accessing them.
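An added example (not the module's code) for dry-running the scanner and honeypot pattern lists above against paths your own site legitimately serves, before enabling them. How each line is classified and matched, and the sample of legitimate paths, are assumptions stated in the comments; the module's own matching may differ.

```python
import fnmatch
import re

# ASSUMED line semantics (this is not the module's parser):
#   blank or "#..." -> ignored; leading "^" or trailing "$" -> regex (search);
#   contains "*" -> wildcard over the whole path;
#   otherwise -> exact path, or a prefix when the pattern ends in "/".
def compile_patterns(text):
    rules = []
    for raw in text.splitlines():
        pat = raw.strip()
        if not pat or pat.startswith("#"):
            continue
        if pat.startswith("^") or pat.endswith("$"):
            rx = re.compile(pat)  # raises re.error on a broken regex
            rules.append((pat, lambda p, rx=rx: rx.search(p) is not None))
        elif "*" in pat:
            rules.append((pat, lambda p, g=pat: fnmatch.fnmatchcase(p, g)))
        elif pat.endswith("/"):
            rules.append((pat, lambda p, s=pat: p.startswith(s)))
        else:
            rules.append((pat, lambda p, s=pat: p == s))
    return rules

def first_match(rules, path):
    """Return the first pattern matching the URL path, or None."""
    path = path.split("?", 1)[0]  # patterns describe paths, not query strings
    for pat, test in rules:
        if test(path):
            return pat
    return None

def false_positives(pattern_text, legit_paths):
    """Map each legitimate path that would be caught to the offending pattern."""
    rules = compile_patterns(pattern_text)
    hits = {p: first_match(rules, p) for p in legit_paths}
    return {p: pat for p, pat in hits.items() if pat}

# Default lists as printed on this page.
HONEYPOT_DEFAULTS = "/wp-admin/\n/wp-login.php\n/phpmyadmin/\n/pma/\n/mysql/\n/admin/\n/administrator/"
SCANNER_DEFAULTS = "/phpinfo.php\n/.git/\n/.env\n/shell.php\n/c99.php\n/r57.php\n*.bak\n*.old\n*.sql\n/backup*"
# Constructed sample: paths served by a WHMCS site whose admin directory is not renamed.
LEGIT = ["/index.php", "/clientarea.php", "/cart.php?a=view", "/admin/login.php"]

if __name__ == "__main__":
    print("honeypot:", false_positives(HONEYPOT_DEFAULTS, LEGIT))
    print("scanner: ", false_positives(SCANNER_DEFAULTS, LEGIT))
```

With the admin directory left at `/admin/`, the honeypot defaults catch the admin login page; replace `LEGIT` with paths taken from your own access log to check your real traffic.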
Threat Intelligence
Settings → Threat Intelligence
Enable automatic blocking from threat feeds:
Sources (toggle on/off):
- **Blocklist.de:** SSH/web attacks, mail abuse
- **Spamhaus DROP:** Hijacked networks
- **Emerging Threats:** Compromised hosts
Updates: Daily via WHMCS cron (automatic)
Select countries to block: Combine threat intelligence with country-level blocking for specific feeds.
Admin Access Control
Settings → Admin Access Control
Restrict who can access WHMCS admin area:
Allowed admin IP/networks:
Enter allowed IPs (one per line):
```
192.168.1.0/24
10.0.0.5
2001:db8::/32
```
Allowed admin countries:
Select countries where admins are located.
Admin directory path:
Custom admin path (if you renamed /admin/).
Logic:
- Whitelist bypasses restrictions
- If country restrictions enabled: Must be from allowed country
- If IP restrictions enabled: Must be from allowed network
- Both can be used together
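An added example (not the module's code) that evaluates the logic above for a planned configuration, so you can see which admins would be locked out before enforcing it. The rule order, the `cfg` layout, the country code passed in (standing in for a GeoIP lookup) and all sample addresses are assumptions; the returned strings are the log actions this page names.

```python
import ipaddress

def in_any(ip, networks):
    """True if ip falls inside any listed single IP or CIDR (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        n = ipaddress.ip_network(net, strict=False)
        if addr.version == n.version and addr in n:
            return True
    return False

def admin_decision(ip, country, cfg):
    """Assumed order: whitelist, blacklist, country restriction, network restriction."""
    if in_any(ip, cfg["whitelist"]):
        return "Allowed Admin Whitelist"          # whitelist bypasses restrictions
    if in_any(ip, cfg["blacklist"]):
        return "Blocked IP Admin"
    if cfg["admin_countries"] and country not in cfg["admin_countries"]:
        return "Denied Admin Restricted"          # country restriction enabled
    if cfg["admin_networks"] and not in_any(ip, cfg["admin_networks"]):
        return "Denied Admin Restricted"          # IP restriction enabled
    return "Allowed Admin"

def lockout_risks(cfg, admins):
    """Return (name, ip, action) for every admin the planned config would deny."""
    denied = []
    for name, ip, country in admins:
        action = admin_decision(ip, country, cfg)
        if not action.startswith("Allowed"):
            denied.append((name, ip, action))
    return denied

# Constructed planned configuration; networks and countries reuse the page's examples.
CFG = {
    "whitelist": ["203.0.113.10"],
    "blacklist": ["198.51.100.0/24"],
    "admin_countries": {"BE", "NL", "FR"},
    "admin_networks": ["192.168.1.0/24", "10.0.0.5", "2001:db8::/32"],
}
# Constructed admin roster: (name, IP, country code from a GeoIP lookup).
ADMINS = [
    ("office", "192.168.1.44", "BE"),
    ("remote-v6", "2001:db8:12::7", "NL"),
    ("traveller", "203.0.113.10", "CN"),
    ("home", "10.0.0.6", "BE"),
    ("on-call", "198.51.100.23", "BE"),
]

if __name__ == "__main__":
    for row in lockout_risks(CFG, ADMINS):
        print("would be locked out:", row)
```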
Legitimate Bot Whitelist
Settings → Legitimate Bot Whitelist
User agents to bypass scanner protection:
Default list includes:
- Googlebot
- Bingbot
- YandexBot
- Slackbot
- facebookexternalhit
One per line. Case-insensitive.
Rate Limiting
Settings (if available):
- Requests per minute limit
- Block duration for rate limiting
- Protects against rapid-fire attacks
Usage
Viewing Access Logs
Access Logs tab:
Shows all access attempts with:
- Date/time
- IP address
- Country (flag)
- Action taken (Allowed/Blocked/Scanner/Honeypot/etc.)
- Page requested
- User agent
Filter logs:
- Search by IP, country, action
- Date range
- Action type dropdown
Quick actions (per log entry):
- ✓ Whitelist (mark as customer)
- ✗ Blacklist (block immediately)
- Mark as Customer (whitelist with note)
Bulk operations:
- Select multiple IPs
- Apply whitelist/blacklist to all
- Useful for blocking multiple related IPs
Export:
- CSV export
- JSON export
- For analysis or reporting
Pagination: 50 entries per page (configurable)
Understanding Log Actions
Security blocks:
- **Access Denied:** Country blocking or general restriction
- **Blocked IP:** Manually blacklisted IP
- **Threat Intelligence:** IP from threat feed
- **Scanner Blocked:** Bot/scanner detected
- **Honeypot Triggered:** Accessed trap path (instant blacklist)
- **Rate Limited:** Too many requests
Admin access (blocked):
- **Blocked IP Admin:** Blacklisted IP trying admin
- **Denied Admin Restricted:** Admin blocked by country/IP restrictions
- **Denied Admin:** Admin blocked by country blocking
- **Denied Admin Session:** Existing session terminated (rare)
Allowed access:
- **Allowed:** Normal access
- **Whitelisted:** Whitelist bypass
- **Allowed Admin:** Admin access granted
- **Allowed Admin Whitelist:** Admin via whitelist
Admin session termination:
Rare because it only happens when:
- Admin logs in from allowed IP
- IP changes or restrictions change mid-session
- Next admin page access terminates session
Most admin blocks are login attempts, not session terminations.
Managing IP Rules
IP Rules tab:
View all current rules:
- IP/network
- Rule type (Whitelist/Blacklist/Threat Intel)
- Comment
- Expires (for blacklist)
- Strikes (repeat offender count)
- Date added
- Actions (delete)
Add new rule:
- Enter IP/network (CIDR supported)
- Select rule type
- For blacklist: Set expiration and ban duration
- Add comment (optional)
- Save
Bulk operations:
- Select multiple rules
- Delete all selected
- Useful for cleanup
Auto-cleanup:
- Expired bans removed automatically every 5 minutes
- Daily maintenance cleanup
- Keeps database lean
Strike System
How strikes work:
Scanner detection:
- Strike 1: Temporary ban (configurable duration)
- Strike 2: Longer temporary ban
- Strike 3: Even longer ban
- Strike 4+: Permanent ban
Honeypot:
- Configurable max strikes before permanent
- Each honeypot hit = strike
- Escalating ban durations
- Permanent after threshold
Strike tracking:
- Visible in IP Rules table
- Shows repeat offender patterns
- Helps identify persistent threats
High-severity threats:
Certain patterns trigger instant permanent ban:
- Known backdoor files
- Critical security paths
- Immediate threat indicators
Dashboard Statistics
Module dashboard shows:
- Blocked countries count
- Total access attempts
- Today's attempts
- Total IP rules count
Real-time metrics for quick security overview.
Performance
Multi-tier caching:
- IP rules cached (1 hour TTL)
- Country lookups cached (1 hour TTL)
- Settings cached (5 minutes TTL)
- Dashboard stats cached
Response time:
- Under 1ms when cached
- Minimal WHMCS overhead
- Automatic cache cleanup
- Size limits prevent bloat
Database optimization:
- Indexed tables
- Automatic cleanup (expired rules, old logs)
- Pagination prevents memory issues
Threat Intelligence Details
Blocklist.de:
- SSH brute force attacks
- Web application attacks
- Mail server abuse
- Apache attacks
Spamhaus DROP:
- Hijacked network ranges
- Legitimate organizations with compromised infrastructure
- Should not be routing traffic
Emerging Threats:
- Compromised hosts
- Command & control servers
- Botnet participants
Update frequency: Daily via WHMCS cron
Manual updates: Not needed, fully automatic
Security Considerations
Whitelist your office:
Add your office/home IP to whitelist before enabling strict restrictions. Prevents lockout.
Test admin restrictions:
Use VPN or mobile to test admin country/IP restrictions before enforcing.
Monitor logs regularly:
Check for false positives (legitimate users blocked).
Honeypot paths:
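Only add paths you DON'T use. Don't add `/admin/` if you use the default WHMCS admin path; the Load defaults list under Honeypot Protection includes `/admin/`, so remove it in that case.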
Scanner patterns:
Be careful with regex. Test patterns before deploying to avoid blocking legitimate traffic.
Backup before updates:
Backup WHMCS before updating module (standard practice).
Troubleshooting
Can't access WHMCS:
- You blocked your country/IP
- Check whitelist includes your IP
- Access via different IP/VPN
- Check server access logs for your IP
- Disable module via FTP if locked out
Admin can't log in:
- Check admin access control settings
- Verify admin's country/IP allowed
- Check whitelist
- Review access logs for admin IP
Legitimate traffic blocked:
- Check access logs
- Find blocked IP
- Use "Mark as Customer" quick action
- Or add to whitelist manually
Scanner detection false positive:
- Review scanner patterns
- Remove problematic pattern
- Add legitimate bot to whitelist
- Or whitelist specific IP
Threat intelligence blocking customer:
- Customer IP on threat feed (likely compromised)
- Inform customer their network may be compromised
- Whitelist temporarily if verified legitimate
- Customer should check their security
High memory/CPU usage:
- Check cache settings enabled
- Review log retention (auto-cleanup working?)
- Reduce threat intelligence sources
- Contact support with specifics
Cron not updating threat feeds:
- Verify WHMCS cron running
- Check cron execution in WHMCS logs
- Manual test: Utilities → System → Cron Status
- Check server cURL working
When You Need This
Required if:
- Public-facing WHMCS installation
- Admin logins from multiple locations
- High bot/scanner traffic
- Want automated protection
- Need visibility into attacks
- GDPR/compliance logging needed
Not required if:
- WHMCS behind VPN only
- Single admin, fixed IP
- Very low traffic
- Server firewall sufficient
- No security concerns
Technical Specifications
Requirements:
- WHMCS 8.9+
- PHP 8.1+
- MySQL/MariaDB
- cURL (for threat feeds)
File Structure:
```
modules/addons/access_shield_pro/
├── access_shield_pro.php    Main module
├── hooks.php                Protection hooks
├── lib/                     Core functions
├── cache/                   Cache storage
└── lang/                    Translations
```
Database:
- `mod_access_shield_pro_rules` (IP rules)
- `mod_access_shield_pro_logs` (access logs)
- Automatic cleanup, no bloat
Languages:
- English
- Dutch
- Russian
- (Add more by copying lang files)
Performance:
- Multi-tier caching
- Under 1ms response (cached)
- Automatic cleanup
- Minimal overhead
Support
Purchase: [ArkHost Store](https://arkhost.com/store/whmcs-modules/access-shield-pro)
Before contacting support:
- Check access logs for blocked IP
- Verify whitelist configured
- Review WHMCS activity log
- Test with module disabled
When reporting issues:
- WHMCS version
- PHP version
- Module version
- Specific error from logs
- Steps to reproduce
- Your IP (if locked out)