How do I block the admin folder from whmcs to only be accessed by an ip?

Hello, can someone show me a tutorial to block the admin area from whmcs to be accessed only by a single IP?


Thank you for asking.

Domain name (zone) should be using Cloudflare nameservers at first.
Hostname like should be proxied and :orange:
WHMCS should work on a supported port which are compatible and supported with Cloudflare proxy :orange: as follows on the list from the link below:

Therefore, using the Security tab → WAF you would create a new WAF rule and build the expression like, if Hostname contains followed by the AND operator, IP address is not in (or not equal) and you enter the IP address into the field. At the end, you select “Block” for the action.

In case you’re running WHMCS inside a directory like, you’d use URI Path. Make sure you enter the /admin into the field. However, be advised maybe the WHMCS uses and executes some scripts therefrom take care to not block the server itself from executing those type, if such exist.

Helpful step-by-step tutorial here:

Otherwise, I’d suggest you to use Cloudflare Access to protect your WHM even better way:

1 Like

good, so it works but it blocks everything, I no longer have access either to the client area or to the main domain, I have /client/admin, what could be the problem of blocking the whole area?

I have to admit I haven’t used it for a while.

I wonder if there is a way to separate the client area from your admin, would be more suitable.

In such case, I would suggest you and I know Web hosting companies that do have it on a sub-domain like, therefrom the area is protected by the 401 Auth with Username and Password.
Therefore, the clientarea and shop, login, register, etc. is separated on a sub-domain like

Something could be done by modifying the Templates, using the API and Hooks. Despite, it might require some more programming knowledge :thinking:

Otherwise, I’d suggest you to put some JS Challenge WAF Rule on your login area, or integrate Cloudflare Turnstile on the form.

Since their URI routing goes the same, just by being behind :orange: is pretty good thing from being attacked, at least.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.