WHMCS SSH Plesk Module

This is another project from 2016. Quite an interesting one. One of my clients – an awesome web hosting company from the UK (Scotland) – wanted to have a custom Plesk server module for WHMCS.

The default WHMCS Plesk module worked by making API calls directly to the Plesk server. But despite having an option for using secure connections in the default module, the client wanted to make it even more secure by using an SSH tunnel and the Plesk CLI API (and disabling direct access to the Plesk API).

The module was supposed to have the following features:

  • Connect to the Plesk server via SSH.
  • Get the Control Panel login URL for a specific domain (to display in the WHMCS control panel for users).
  • Create new Plesk Customer and Reseller accounts (automatically on specific events).
  • For hosting products (“Customer” Plesk accounts) – create and assign a new domain.
  • Trigger a password reset (i.e. Plesk would send an email to the user with password reset instructions if the user presses the appropriate button in WHMCS).

The module created new Plesk accounts when a new product was provisioned. This could be done by WHMCS upon checkout or payment for a new order, or by a manager accepting an order in the WHMCS admin area (depending on each product's settings).

Each time the module had to do something with Plesk, it first connected to it via SSH, and then executed the required Plesk CLI API commands in the shell.
From what I remember, the client also set up some custom shell on the Plesk server for the SSH user, which allowed only the required Plesk API commands, adding another level of security.

I used the SSH2 PECL extension for SSH connections, and simple cURL to trigger the password reset.

To prevent some smart guys from making injections into the product names, etc., I used the escapeshellarg PHP function for any input that was used in the shell commands.
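One way to combine the escaping above with an allow-list like the restricted shell's, as an added example that is not the module's original code. The `plesk bin` utilities and options shown, the helper names (`quoteValue`, `buildPleskCommand`, `runOverSsh`) and the sample input are assumptions for illustration.

```php
<?php
// Added example, not the original module's code; command names are assumptions.
// Allow-list mirroring the restricted shell: utility => permitted actions.
const PLESK_ALLOWED = [
    'customer'     => ['--create'],
    'reseller'     => ['--create'],
    'subscription' => ['--create'],
];

function quoteValue(string $value): string
{
    // escapeshellarg() neutralises shell metacharacters, but a value starting
    // with "-" would still be read by the CLI as an option, so reject it.
    if ($value === '' || $value[0] === '-' || preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException('Rejected value');
    }
    return escapeshellarg($value);
}

function buildPleskCommand(string $utility, string $action, string $target, array $options = []): string
{
    if (!in_array($action, PLESK_ALLOWED[$utility] ?? [], true)) {
        throw new InvalidArgumentException("Command not allowed: $utility $action");
    }
    $parts = ['plesk', 'bin', $utility, $action, quoteValue($target)];
    foreach ($options as $name => $value) {
        // Option names are fixed in code, never taken from user input.
        if (!preg_match('/^-[a-z][a-z0-9-]*$/', (string) $name)) {
            throw new InvalidArgumentException("Bad option name: $name");
        }
        $parts[] = $name;
        $parts[] = quoteValue((string) $value);
    }
    return implode(' ', $parts);
}

// $session: authenticated resource returned by ssh2_connect().
function runOverSsh($session, string $command): string
{
    $stream = ssh2_exec($session, $command);
    if ($stream === false) {
        throw new RuntimeException('ssh2_exec failed');
    }
    stream_set_blocking($stream, true);
    return (string) stream_get_contents($stream);
}

// Constructed hostile input: quoting keeps it one literal argument.
$opts = ['-name' => "Acme'; id #", '-email' => 'jdoe@example.com'];
echo buildPleskCommand('customer', '--create', 'jdoe', $opts), PHP_EOL;
```

`escapeshellarg()` quotes for the platform PHP runs on, so this assumes both the WHMCS host and the Plesk server use a POSIX shell.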

This project was very interesting, and I gained some experience both with WHMCS (with which I had actually worked before on some other projects, making modules and addons) and the Plesk API.