We recommend moving the crons directory to a custom private directory above your web root to prevent unauthorized web-based access.
Customizing the WHMCS admin directory name makes it harder for bots and malicious users to find the login URL for your Admin Area.
WHMCS automatically bans IP addresses after three failed login attempts, or you can permanently ban them manually.
Captchas help you prevent bots from placing orders, creating accounts, or logging in to your Client Area. WHMCS includes several captcha types, including a default verification code captcha and options with enhanced protection from Google® reCAPTCHA and hCaptcha.
WHMCS's default captcha option displays an image with six characters on a striped background. This option does not require additional configuration or an additional account with a captcha service.
Enable hCaptcha or Invisible hCaptcha as your captcha type in WHMCS. hCaptcha offers checkbox-based and invisible captcha options to help you prevent bots from placing orders, creating accounts, or logging in to your Client Area or Admin Area. Before enabling hCaptcha or Invisible hCaptcha in WHMCS, you must configure it in your hCaptcha account.
Enable reCAPTCHA v3 as your captcha type in WHMCS. reCAPTCHA v3 is an invisible captcha type that can help you prevent bots from placing orders, creating accounts, or logging in to your Client Area or Admin Area. Before enabling reCAPTCHA v3 in WHMCS, you must configure it in your Google® account.