Improve security by enabling Two-Factor Authentication in WHMCS for admins and clients. Follow this simple step-by-step guide.
Security is a top concern for any online business. WHMCS contains sensitive client data, billing information, and hosting credentials—which makes it a prime target for attackers.
One of the easiest and most effective ways to protect your WHMCS installation is by enabling Two-Factor Authentication (2FA). In this blog post, we’ll walk you through exactly how to set up 2FA in WHMCS for both admin and client accounts.
What is Two-Factor Authentication (2FA)?
Two-Factor Authentication adds a second layer of security to your login process. After entering the password, users are required to enter a time-based verification code generated on a mobile app like Google Authenticator or Authy.
Even if someone knows your password, they cannot access the account without the second code.
Why You Should Use 2FA in WHMCS
- Prevent unauthorized access to client and admin areas
- Protect customer data and billing information
- Comply with security standards and best practices
- Build trust with your users
How to Enable 2FA in WHMCS (Step-by-Step)
Step 1: Log in to WHMCS Admin Area
Make sure you’re logged in as an administrator with full permissions.
Step 2: Navigate to 2FA Settings
Go to:
Setup > Staff Management > Two-Factor Authentication
Step 3: Activate 2FA
- Click Activate next to the Two-Factor Authentication option.
- Choose the Time Based Tokens method (compatible with Google Authenticator, Authy, etc.).
Step 4: Configure 2FA Settings
You can apply 2FA to:
- Admin Users only
- Client Users only
- Both Admins and Clients
Choose the appropriate option based on your security preferences.
Step 5: Enforce 2FA for Admins (Recommended)
If you want to require 2FA for all admins, go to:
Setup > Staff Management > Administrator Roles
Then edit the role and check the box: “Require Two-Factor Authentication”
Step 6: Enable 2FA for Client Accounts (Optional)
Clients can optionally enable 2FA in their own accounts by going to:
Client Area > Security Settings > Two-Factor Authentication
You can also force 2FA for clients by enabling the setting under Setup > General Settings > Security Tab.
Testing 2FA
After activation, users will be prompted to scan a QR code using an authenticator app the next time they log in. They’ll then need to enter the time-based 6-digit code to gain access.
Make sure to test it yourself before requiring it for all users.
Tips for Managing 2FA
- Advise users to store backup codes in a safe place.
- If a user loses access to their authenticator app, admins can disable 2FA manually from the WHMCS admin panel.
- Consider providing a short tutorial in your client area for enabling 2FA.
Conclusion
Enabling Two-Factor Authentication in WHMCS is one of the simplest ways to drastically increase security. It’s quick to set up, free to use, and protects both your business and your customers.
Don’t wait for a security breach—enable 2FA in WHMCS today and stay protected.