As you may have read, WHMCS.com was hacked yesterday.
And…it was hacked again today.
I’m just at a point where I’m working on skinning WHMCS and doing some customization. I really like the ease of modifying templates. I’m not as concerned about the underlying code – it’s a shopping cart/billing/support ticket system and I’ve used it enough as a customer to know it does what I want. But I am modifying the templates to get things to look like what I want and really, it’s very nice. Smarty templates, reasonable CSS, logical layout…so far, so good.
But the security! Ugh! Now I would point out that WHMCS.com being hacked is different than WHMCS itself being hacked. The software had an exploit last fall – so did a couple others like Hostbill so it may have been more of a general “class of exploit” sort of thing.
Something interesting that was pointed out to me: the hackers stole and published the customer database. While perhaps the immediate concern is that there are thousands of credit card numbers in circulation, a longer-term consideration is that there is a ready list of every domain and IP that WHMCS is installed on. As soon as another vulnerability is found, you can bet hackers will swiftly cycle through every domain in the database, looking for vulnerabilities.
So what are the alternatives?
Hostbill: Unfortunately, they only offer a yearly license.
Blesta: After several minutes of clicking around their site, I couldn’t find anything that said they supported PayPal, MaxMind, cPanel/WHM, etc.
ClientExec: I have not really investigated this one fully, because…
…there’s also ModernBill, AWBS, WHM AutoPilot, etc. My head hurts.
One wacky option I am looking at is IP.Nexus. That’s by the people who make IP.Board. I have an IPB license and was planning to use it for the “customer forum” part of my site. It has cPanel/WHM integration, plus MaxMind, customizable fraud rules, etc. About the only thing missing is domain registrar integration, though they say that’s coming.
I’ve used IP.Board before and like it, though I will say that there are a couple serious negatives. Their documentation is appalling. They do provide some, but it’s uneven and they simply don’t get the idea that they should be providing a “getting started” guide, along with in-depth howtos for common things. Their software is quite powerful and you can do some cool things with it, but I shouldn’t need to read through tons of PHP code to find out how. I also find their product complex, which makes customization difficult.
One major hurdle to using Nexus is the structure of it. It’s an add-on to a forum, so really people would need to register on your forum before signing up for service, which wouldn’t really work. The forum is a nice add-on, but not every customer will even look at it. Because of how IPB works, you’d have to have it set up like this:
- www.example.com – main hosting company site
- www.example.com/forum – the forum
- www.example.com/forum/store – you can rename “store” to “clients” or whatever, but the point is that you’re a couple subdirectories down
You could do it like this:
- www.example.com – main hosting company site running on IP.Content (another IP product)
- www.example.com/forum – the forum
- www.example.com/store – Nexus
However, running my main site on IP.Content would be very unattractive. IP.Content is nice, but very complicated. Yes, the Invision Power web site is nice, but they have full-time staff who are intimately familiar with the product.
Cost-wise, Nexus support is $35 every 6 months, or $70/year. However, you also have to keep Board under support, which is another $50/year, so now you’re at $120/year or $10/month. I’m getting WHMCS for $5/month from my provider.
I think I’ll probably just stick with WHMCS.