Are you using the latest release of WHMCS? Whether you’re a hobby host just doing website hosting for extra coin or you’re heavily invested in WHMCS to operate the core of your business, you should be.
Just like Microsoft Updates nowadays, WHMCS updates have less to do with features and UI changes and more to do with patching security holes. Most all of releases for WHMCS are related to taking care of exposed security issues. Updates and security is such a big issue they have a special blog section for Security Advisories where users can stay up to date with the popular threats, such as the internet famous heartbleed bug, as well as get a monthly overview of how things are doing with the latest Patch Releases.
Why Updates Are Necessary
Updating WHMCS, much like updating any other system or application, is a “never look back” way of protecting your environment. Once updates are done, the security flaws that are taken care of gone for good. Naturally, more security threats will rise in the future, but it’s nice to know that you’re protected from older issues that were discovered years back. Attackers use automated systems to crawl the web looking for access to your app. This could be as easy as making login attempts at your login page, or as sophisticated as creating accounts within your system and attempting to bend the app to their will once logged in. Once the links to your system are found, your app or software is on the “grid” for attackers. This means old and current attacks will occur and you can bet future attacks will happen as well.
Just because your system is updated does not mean outdated attacks will not occur. For example, our WHMCS install was hit with a AES_Encrypt attempt just a few days ago; an issue that was patched back in 2013. Nonetheless, has our system not been updated we would have been compromised. This account was immediately deleted.
Which Security Updates are Important?
Well, all of them, but if you want to get a real breakdown, you can determine the severity based on the importance level WHMCS assigns. Here’s what WHMCS says about their levels. Taken from here.
A critical rating applies to vulnerabilities that allow remote, unauthenticated access and code execution, with no user interaction required. These would allow complete system compromise and can easily be exploited by automated scripts such as worms.
An important rating applies to vulnerabilities that allow system authentication levels to be compromised. These include allowing local users to elevate their privilege levels, unauthenticated remote users to see resources that should require authentication to view, the execution of arbitrary code by remote users, or any local or remote attack that could result in an denial of service.
A moderate rating applies to vulnerabilities that rely on unlikely scenarios in order to compromise the system. These usually require that a flawed or unlikely configuration of the system be in place, and only occur in rare situations.
A trivial rating applies to vulnerabilities that do not fit into the higher categories. These vulnerabilities occur in very unlikely situations and configurations, often requiring extremely tight timing of execution and/or for events to occur that are out of the attacker’s control. This rating may also be given to vulnerabilities that, even if successful, impose few or no consequences on the system.