Version: 1.1.5 Released (03/10/2025)
Maintenance

Fixed Date format from d/m/Y to m/d/Y

Version: 1.1.4 Released (03/02/2025)
Maintenance

Fixed PHP date

Version: 1.1.3 Released (02/27/2025)
Maintenance

Added Download link
Fixed Remove Auto
Updated Support WHMCS 8.11.x & 12.x
Updated Remove Support for WHMCS V8.4 to 8.9
Updated Remove Support for PHP 7.4
Updated Improve ionCube Loader v14

Version: 1.1.2 Released (11/25/2022)
Maintenance

Fixed Issue with PHP 8.1
Updated Remove Support for PHP 7.3
Updated Remove Support for WHMCS V8.3.x

Version: 1.1.1 Released (05/15/2021)
Maintenance

Fixed the Problem with the promotion date

Version: 1.1.0 Released (04/23/2021)
Minor

Admin Area Widget

Version: 1.0.0 Released (04/15/2021)
Stable

New Initial Release

Expired Password:
Force customers to change their password x days before when expires.
When they login it forces them to change their password.
Automatic Password Expiry.
Based on Registration Date.
Client Email Notifications.
Block client/admin from using the same password within x number of days.
Allow clients not to be forced to change passwords.
Admin Exclusion: Exclude specific Staff from detection.

IP Security Limits: Clients can restrict account access to certain IP ranges, reducing the risk of unauthorized access. A client can add their IP, and nobody can login to his/her account without that IP.

Client Account Number: The client assigns an account number to each customer so that all have an x-digit account number. It automatically generates an x-digit account number for each customer when they sign up in WHMCS, This is so we can attach their account number to invoices, etc, and also makes it easier for us to confirm the client with their assigned account number that they got assigned when they call or live chat. In the admin section, there should be a way to search for the number once the client provides it.

Login Notification: Your clients will get an email when they login, fail to login to the accounts, or change their passwords. Each time the client's login, they will receive an email with login details, or when someone login with the email.

Admin Notification: Enable Admin Notification when a new client registers
Admin Clear Log: Admin can clean the logs with one button, or Admin can delete logs automatically after X days

Login Authentication: Login Authentication records users' IP addresses in the client profile. Should a customer login from a new IP, they will be asked to authenticate. will send a login code to the user's registered email address. The customer enters the code to whitelist the new IP they are using. You can choose to send login alerts or enable authentication checks

Inactivity Warning:
Warning Alerts: Issues warning messages before logging out idle users.
IP Whitelisting: Whitelist selected IP addresses to exempt them from idle detection.
Client Exclusion: Exclude specific clients from detection.
Detection: Detects client inactivity after a specified x time.

Hidden Staff:
None of your staff see who is online if you enable this. Only the full admin can see everybody.
Option to hide the email of the Staff while viewing the Ticket. Only the person who can see that email is a full Admin.

Disable Forget Password Reset: 
The client can enable/disable the forgot password reset.

Installing Security Tools is very simple. The following steps will guide you through the process:

1) Upload the entire folder to your website - if you experience problems, try uploading in binary mode. However, do not upload the “upload” folder, just the files inside of it!
2) Login to the admin area, go to Configuration > System Settings > ADDON MODULES
3) In the addon modules page, you will see the Security Tools. Click activate, then click configure to see the options
4) You can access your module at 'Addons' → 'Security Tools', you can setup what you need

Version: 1.1.0 Released (10/10/2025)
Minor

Added: Failed Login Notification
Added: Password Changed Notification
Added: Client Details Notification
Added: Admin Notification when a new client registers
Added: Login Authentication
Added: Force Authentication
Added: Clean logs manually
Added: Delete logs automatically after X days
Updated: Admin icon times and check color changed to red and green, respectively
Updated: modified the Admin security log page, interchanged trash and edit icon position
Updated: Client area security options dependency on the Enable Login Notification admin option

Version: 1.0.0 Released (08/25/2025)
Stable

New Initial Release

1) How does the WHMCS Secure Credentials (WSC) Module protect my customers' data?
ANS: You enter an Encryption Key into the module. That key is stored in a hashed format in the database. When your customers complete a credentials form, the key is used to encrypt the data. The encrypted data sits in your database, and when one of your support team members clicks the Credentials tab on the WHMCS support ticket, the key is used to decrypt the data and display it in plain text. The ability to use a custom key to encrypt data and display it in a tab is unique to the WHMCS Support Module. Once the support ticket has been closed, any data left by the customer is deleted from the database.

2) Can the Credentials form be modified?
ANS: Yes, but this is license-dependent. WSC users can change all of the text on the credentials form and hide sections that are not needed.

3) Can you use multiple Credential Forms?
ANS: Not yet, very soon

4) What do the ticket updaters do?
ANS: These have many use cases and are another unique feature of our WHMCS module. From asking your customers to supply additional information to apologising for a delay in answering the customer's request, to closing requests after a certain time. The sole purpose of this feature is to automate tasks that would usually require a human to perform. Saving you valuable time.

5) What languages can be used with the WHMCS Secure Credentials Module?
ANS: We've already translated the text within the module to all languages supported by WHMCS. If your customer chooses a different language in their client area. The module will use the same language. All of the language files are provided to all users, respective of license tier, and can be edited.

6) Can the WHMCS Secure Credentials Module be used with replication?
ANS: Yes. Our WHMCS module can be used in environments where your database is replicated to other nodes/hosts.

7) What custom themes does the module work with?
ANS: We make the module compatible with Lagom theme. The WHMCS Secure Credentials Module uses hooks to place data on templates. Due to this, it should be compatible with most WHMCS themes.

Error 403 when saving the credentials form

This usually happens when your environment is running Mod_Security. Older rule sets trigger a false positive when WSC tries to save the initial tables to the database. To confirm this is the case, you can visit the credentials form, and you won't see any fields that can be filled out by end users. There are a couple of options to resolve this.

Disable Mod_Security (Temporarily)

In cPanel you can disable Mod_Security on a per-domain basis. Navigate to the cPanel UI and search for Mod_Security. Slide the slider to off and then try to attempt to save the credentials form again. This time if the form saves and you can see the WSC form fields when visiting the credentials form, you know Mod_Security was the issue.

Disable Mod_Security Rule
If you have cPanel and access to WHM you can navigate to the Mod_Security section to see which rule is being triggered. This rule can then be whitelisted and ModSec enabled again.

Update RuleSet
The latest ruleset can be installed, which should resolve this issue. The latest ruleset may not be shipped with control panels like cPanel, and updating ModSec rules is beyond the scope of our support. cPanel, Plesk, and DirectAdmin provide support for features contained in their respective control panels.

Correct visitor IP when using CloudFlare
Cloudflare proxies traffic to your origin server. For this reason, in your logs and when WSC Protect records IP information in the WSC Protect log, it will record Cloudflare's IP and not the real visitors' IP. To correct this, you can use Mod Remote_IP to correct the information we receive from Cloudflare. As this is not a problem with WSC we are unable to assist you with installing Mod Remote_IP, but we are providing instructions below. If you use a control panel like cPanel, your host or control panel provider should help you install Remote_IP if you are not sure.

cPanel
cPanel has provided detailed instructions on how to enable Mod Remote_IP. See the post located on the cPanel website. Unfortunately, this does require some technical knowledge. Make sure you can complete this or you could end up with a broken server. If in doubt, ask cPanel for assistance.

LiteSpeed
If you use LiteSpeed, you can log in to the LiteSpeed administration area. Navigate to Server > General > General Settings and tick the “Use Client IP in Header” option. Remember to restart the web server for the new settings to take effect.

Other Systems
Cloudflare provides a range of instructions for other systems. These guides can be found here. (https://developers.cloudflare.com/suppor...itor-ips/(

WSC Protect - Edit the Pin Check page style and text
When 2FA is enabled, WSC will record the user's IP addresses. These are stored in a log that can be seen on the "WSC Protect" tab located on WHMCS client's profiles. It's possible to change the look of the page that end users see to enter the PIN code they receive via email. Some people like to change the colour of this page to match their website. Others may need to tweak the page so text is visible correctly. Open up the file below on your desktop or in a file manager. If you are editing the file in your file manager, make a copy first.

/modules/addons/tickets_credentials/templates/pinchecker.tpl
As of V2.1.1 you can also edit this page to change the text that is displayed to end users. We will add language strings in a future version. The default code of the file displays as;

1) WSC Encryption Key
Create a strong encryption key

The encryption key is used to encrypt any data that end users place in the credentials form. The only way to see credentials is to provide the key to decrypt the information. Even if anyone with access to your database cannot see any encrypted information. The only place the key is used is inside the WHMCS administration area. It's stored in a hashed format. When creating an encryption key, we advise you to use a website like Strong Random Password Generator (passwordsgenerator.net). Your key needs to be at least 16 letters and numbers long. These can be higher and lowercase, but you cannot use special characters like @&*%^.

Here are a few examples of some strong strings.

Key Security

You must keep a copy of the encryption key you use. Without the key, any data in the database will become inaccessible. We advise you to keep your key on a USB stick in a locked safe. Do not store it on the server with WHMCS, and we advise you not to store it in an email account or a Cloud storage account. If you do, store it in a password-protected zip file.

If you ever disable WSC you will need to enter the same encryption key again to access any credentials attached to current open support tickets. All data collected is deleted when support tickets are closed.

2) Change The Text Displayed On The Ticket Confirmation Page

When an end-user has submitted a request, WSC can automatically forward it to the credentials form. If this feature is not enabled, end users will see the default ticket submission page. The text on this page can be edited in the WHMCS language files by using an overrides file.

Step-By-Step Instructions
Create the folder ‘overrides’ within the ‘lang’ folder located at /lang. But, if you already have this folder and an overrides file just place the below code into the file and edit the text as required.



1. Create or copy the language file you want to override.
For example, to create an override for the English language, you create /lang/overrides/english.php
2. Open the file and start the file with a PHP tag ‘<?php’ indicating PHP code is to be used.
3. Add the code below, changing the text to your requirements;

$_LANG[‘supportticketsticketcreateddesc’] = “Your ticket has been successfully created. An email has been sent to your address with the ticket information. If you would like to view this ticket now, you can do so. We advise you to now add your server’s details by clicking the appropriate button below. If you do not add your server's credentials to this ticket, you will see a much longer delay in us resolving your problem.”;

Upload or save the file to /lang/overrides/english.php

3) Add The Credentials Button To WHMCS Templates
WSC is configured to add two buttons via a hook from the WSC UI. In some cases, you might want to add the button to other pages, like the ticket submission page. Doing so is simple and just requires the addition of a few extra lines of code on the template. If you use a control panel like cPanel you can use the file manager to edit the templates you are using. At the time of writing this article, the default WHMCS templates are located at /templates/twenty-one/. As an example, we will add the credentials button to the page after ticket submission. That template is located at /templates/twenty-one/supportticketsubmit-confirm.tpl.

Step-By-Step Instructions
Open up the /templates/twenty-one/supportticketsubmit-confirm.tpl with a file manager or download it to your desktop. Locate line 6 in this file which looks like this;

WSC Protect
WSC Protect is a module that provides two main functions. This section is designed to remind users not to do certain things when using the support request via trigger words and to secure WHMCS client accounts. WHMCS provides 2FA, but only via App. To get the useful features, you must pay. Many people do not like using an App to secure WHMCS accounts because if they lose their device, they also lose access to WHMCS. This generates support requests and further work for your support team.

WSC Trigger Words
Trigger words are words that are typed by end users into the support reply box. When any of the configured words are typed, a warning is displayed in the client area. If the end user removes the word from the reply box, the warning is removed. By default, WSC is configured to display a warning when words related to passwords and root access are typed. The text in the warning is configured in the WSC Language files.


WSC Protect
WSC Protect is a module that keeps a record of end users' IP addresses and sends notifications. Notifications can be edited in WHMCS > Settings > Email Templates. Upon each login by an end user to the WHMCS client area, the IP address is stored on the "WSC Protect" tab located on the customer's WHMCS profile. When a user logs in, WSC will check the user's IP address against the IP list in the WSC Protect tab. If the user's IP does not appear in the list, WSC will make the user whitelist the IP by sending a code to their registered email account. This feature can be forced enabled, which enables it for all users or can be optional and enabled/disabled by end users.

Installing WHMCS Secure Credentials is very simple. The following steps will guide you through the process:

1) Upload the entire folder to your website - if you experience problems, try uploading in binary mode. However, do not upload the “upload” folder, just the files inside it!
2) Login to the admin area, go to Configuration > System Settings > ADDON MODULES
3) In the addon modules page, you will see the WHMCS Secure Credentials. Click activate, then click configure to see the options
4) Check the Full Administrator box in the Access Control, then click Save Changes
5) You can access your module at 'Addons' → ' WHMCS Secure Credentials'

Configure Auto_Reply Cron
So that the ticket updater posts updates to tickets, configure the below cronjob to run every minute or five minutes. The cron command below assumes you are using cPanel with Easy Apache and PHP 8.1. The path to the cron file is /modules/addons/tickets_credentials/autoreply_cron.php for other environments.

cPanel - PHP 8.1

Quote:/opt/cpanel/ea-php81/root/usr/bin/php -q /home/CPANEL_USER_NAME/public_html/modules/addons/tickets_credentials/autoreply_cron.php >/dev/null 2>&1

Quote:/opt/alt/php81/usr/bin/php -q /home/USERNAME/public_html/modules/addons/tickets_credentials/autoreply_cron.php >/dev/null 2>&1

Version: 2.2.1 Released (08/04/2025)
Maintenance

Fixed License System
Fixed PHP Issues

Version: 2.2.0 Released (07/16/2025)
Minor

Changed: to the new company name
Changed: to the new licence system
Changed: Improve ionCube Loader
Changed: new WHMCSServices menu to work with WHMCS 8.13
Removed: remove Support for WHMCS V8.9.x to 8.10.x
Removed: removed the Free module
Fixed: Support WHMCS 8.13.x
Fixed: Import credentials issue not working in the admin.
Fixed: Trigger Words JavaScript code to ensure proper keyword detection and execution
Fixed: Login Authentication* mechanism feature to record all IP addresses used by customers during login
Fixed: a couple of JS

Version: 2.1.1 Released (01/01/2024)
Maintenance

Added Keep database tables.
Added End-users can now enable & disable WSC Protect.
Fixed the urgent ticket feature.
Fixed to escalate the ticket feature.
Fixed to WSC Update.
Update Style changes to WSC UI