Skip to content
Intally

Quick start

Quick start

Admin Login Monitor adds a "who, when, from where" observability layer to WHMCS admin logins, plus active blocking and alerting on the Pro tier. This guide covers install, viewing logs, configuring alerts, and IP rules.

For WHMCS hosting providers and operators. Works on any WHMCS instance with zero business-logic impact.

1. Install and activate

  1. Download the ZIP matching your PHP version (e.g. admin_login_monitor_v1.x.x_php8.1.zip) and extract into your WHMCS root.
  2. WHMCS admin → Setup → Apps & Integrations → Admin Login Monitor → Activate.
  3. Configuration → Addon Modules → Admin Login Monitor → tick admin roles allowed access (Full Administrator recommended) + paste your license key (Pro features only) + Save.
  4. Top menu Addons → Admin Login Monitor opens the console.

After activation a hook auto-writes login events to mod_admin_login_monitor_logs. The existing WHMCS login flow is not modified.

2. Dashboard

The dashboard shows:

  • 7-day trend chart (success vs failed logins)
  • 10 most recent login records (username / IP / GeoIP / timestamp / status)
  • Anomaly counters (failed / locked)

Click "Logs" in the nav to browse all records with paging, time-range and status filters.

3. Logs page

Full event list with:

  • Admin username (on successful logins)
  • Source IP + GeoIP (country / city; recent records resolved asynchronously)
  • Event type: success / failed / locked / sso / etc.
  • Timestamp (WHMCS timezone)

Supports paging, time-range filter, search by username / IP.

4. Alert rules (Pro)

The Pro tier unlocks the Alerts page:

  1. Create rule → pick a trigger: - Failed-count threshold: e.g. ≥ 5 failures from same IP within 5 minutes - New IP login: successful login from an IP that has never appeared before - Foreign login: GeoIP country not on the allow-list - Off-hours login: configurable work-hours window
  2. Pick notification channel: email / Slack incoming webhook / custom webhook
  3. Save — the rule is live immediately.

Each rule can be toggled on/off independently and tracks recent trigger count.

5. IP rules (Pro)

The IP Rules page:

  • Allow-list: only listed IPs may attempt login; non-listed attempts are logged and may trigger alerts.
  • Deny-list: directly reject login attempts from listed IPs.

Single IP / CIDR / IP range supported. Rules take effect on the next request (hook re-checks each login attempt).

6. Settings (Pro)

The Settings page covers:

  • Lockout threshold (default 10 failures → lock 15 min)
  • Log retention days (auto-purge older records)
  • GeoIP provider (default: ip-api.com free)
  • Notification channel credentials (SMTP, Slack webhook URL, custom webhook URL)

7. Auto-updates

With a valid license the "Check for Updates" panel fetches the latest version; "Install Update" runs the WHMCS standard update flow.

8. FAQ

Q: What's free vs Pro? A: Dashboard + full Logs + 7-day trend + GeoIP enrichment are free. Alerts / IP Rules / Settings need Pro.

Q: Does writing logs slow down login? A: Single INSERT to local DB; GeoIP enrichment runs async and does not block login.

Q: Do IP deny-lists need a restart? A: No — every login request hits the hook and checks rules in real time.

Q: Can I forward events to an external SIEM (Splunk / ELK)? A: Yes — use the custom webhook channel to POST each event to your collector.

For deeper docs (hook timing, table schema, rule engine) see the "Full documentation" link on your store dashboard card.