+- WHMCS Services Forum (https://www.whmcsservices.community)
+-- Forum: WS Modules (https://www.whmcsservices.community/forumdisplay.php?fid=5)
+--- Forum: Addons Modules (https://www.whmcsservices.community/forumdisplay.php?fid=6)
+---- Forum: WHMCS Secure Credentials Pro (https://www.whmcsservices.community/forumdisplay.php?fid=226)
+---- Thread: Troubleshoot WSC Problems (/showthread.php?tid=1276)
Troubleshoot WSC Problems - whmcsservices - 07-09-2025
Error 403 when saving the credentials form
This usually happens when your environment is running Mod_Security. Older rule sets trigger a false positive when WSC tries to save the initial tables to the database. To confirm this is the case you can visit the credentials form and you won't see any fields that can be filled out by end users. There are a couple of options to resolve this.
Disable Mod_Security (Temporarily)
In cPanel you can disable Mod_Security on a per-domain basis. Navigate to the cPanel UI and search Mod_Security. Slide the slider to off and then try to attempt to save the credentials form again. This time if the form saves and you can see the WSC form fields when visiting the credentials form you know Mod_Security was the issue.
Disable Mod_Security Rule
If you have cPanel and access to WHM you can navigate to the Mod_Security section to see which rule is being triggered. This rule can then be whitelisted and ModSec enabled again.
Update RuleSet
The latest ruleset can be installed, which should resolve this issue. The latest ruleset may not be shipped with control panels like cPanel, and updating ModSec rules is beyond the scope of our support. cPanel, Plesk, and DirectAdmin provide support for features contained in their respective control panels.
Correct visitor IP when using CloudFlare
Cloudflare proxies traffic to your origin server. For this reason, in your logs and when WSC Protect records IP information in the WSC Protect log, it will record Cloudflare's IP and not the real visitors' IP. To correct this, you can use Mod Remote_IP to correct the information we receive from Cloudflare. As this is not a problem with WSC we are unable to assist you with installing Mod Remote_IP, but we are providing instructions below. If you use a control panel like cPanel your host or control panel provider should help you install Remote_IP if you are not sure.
cPanel
cPanel has provided detailed instructions on how to enable Mod Remote_IP. See the post located on the cPanel website. Unfortunately, this does require some technical knowledge. Make sure you can complete this or you could end up with a broken server, If in doubt, ask cPanel for assistance.
LiteSpeed
If you use LiteSpeed you can log in to the LiteSpeed administration area. Navigate to Server > General > General Settings and tick the “Use Client IP in Header” option. Remember to restart the web server for the new settings to take effect.
Other Systems
Cloudflare provides a range of instructions for other systems. These guides can be found here. (https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/(
WSC Protect - Edit the Pin Check page style and text
When 2FA is enabled, WSC will record the user's IP addresses. These are stored in a log that can be seen on the "WSC Protect" tab located on WHMCS client's profiles. It's possible to change the look of the page that end users see to enter the PIN code they receive via email. Some people like to change the colour of this page to match their website. Others may need to tweak the page so text is visible correctly. Open up the file below on your desktop or in a file manager. If you are editing the file in your file manager, make a copy first.
/modules/addons/tickets_credentials/templates/pinchecker.tpl
As of V2.1.1 you can also edit this page to change the text that is displayed to end users. We will add language strings in a future version. The default code of the file displays as;
Code:
div class="row">
<div class="col-md-12">
<div class="card panel panel-default card-default">
<div class="card-body panel-body">
<form method="POST" action="" role="form">
<input type="hidden" name="checkpin" value="1">
<div class="smsmanagerarea" style="background-color: #fff">
{if $alert}
<div class="alert alert-danger">Invalid PIN, please try to put right PIN to continue login!</div>
{/if}
<center><b>It looks like you are logging in to your WHMCS Services account from an IP address we have not seen before. We have blocked this login to protect your account. You should have received a random login code to your registered email address. Please enter the code below to whitelist this new IP and access your account.</b></center>
<br><br>
<div>
<div class="form-group row">
<label for="inputExistingPassword" class="col-xl-4 col-form-label" style="text-align: right">PIN</label>
<div class="col-xl-5">
<input type="password" class="form-control" name="pin" id="inputExistingPassword" autocomplete="off">
</div>
</div>
</div>
<div class="form-group text-center">
<input class="btn btn-primary" type="submit" name="save" value="Validate PIN Now">
<a class="btn btn-danger" href="logout.php">Logout</a>
</div>
</form>
</div>
</div>
</div>
</div>At line 9 you can change the text of the warning that is displayed when an incorrect pin is entered.
At line 11 you can change the text displayed explaining 2FA authentication is required.
At line 22 you can change the text of the buttons on the page.