It’s always been difficult to find a compendium of SuiteCRM security practices and a list of things to do to secure SuiteCRM. Over the years I’ve come across many ideas and here are some of the things you can do to make sure your SuiteCRM is secure.
Before we get into specific details, more security is generally better. However, security comes at a cost in terms of setup and user time impact. The level of security you implement should be contingent upon the sensitivity of your data. For example, a bank and a 7/11 don’t need the same level of security—their risk of loss is different. Similarly, your risk of loss will be different depending on the amount of data you have in SuiteCRM as well as the sensitivity of that data.
General Security Best Practices
Keep SuiteCRM Up to Date
SuiteCRM releases new versions and patches on a regular basis. Most include security patches. Keeping your instance of SuiteCRM up to date is one way to ensure that known issues are patched.
Use Strong Passwords
Any password can be compromised given enough time and attempts; the stronger the password, the longer that takes. Simple passwords built from names and numbers, for example, can be broken in minutes. SuiteCRM's Password Management settings let you enforce strong passwords, and SuiteCRM can also generate strong passwords for you.
Use HTTPS Protocol
Make sure to edit your config.php file and change the site URL to https://. In addition, you can either edit your .htaccess file to force all traffic to HTTPS, or set up your domain hosting to enforce HTTPS. Both methods are valid.
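As an added example (not code from the original post or from the SuiteCRM project), here is a small shell script that checks both HTTPS settings described above on an install directory and writes the .htaccess redirect when it is missing. It assumes the site URL lives under the 'site_url' key (config.php as 'site_url' => '...', config_override.php as $sugar_config['site_url'] = '...'), that config_override.php takes precedence over config.php, and that Apache's mod_rewrite is available; the demo directory at the bottom is constructed on the fly and deleted again.

```shell
# Added example (not from the original post): audit and enforce the two HTTPS
# settings described above on a SuiteCRM install directory.
# Assumptions: the site URL is stored under the 'site_url' key (config.php holds
# 'site_url' => '...', config_override.php holds $sugar_config['site_url'] = '...'),
# and Apache's mod_rewrite is available for the .htaccess redirect.

# Return 0 when the effective site_url starts with https://, 1 otherwise.
# config_override.php is read after config.php, so its value wins, as in SuiteCRM.
site_url_is_https() {
  url=""
  for f in "$1/config.php" "$1/config_override.php"; do
    [ -f "$f" ] || continue
    # Last 'site_url' line in the file wins (later PHP assignments override earlier ones).
    line=$(grep -F "'site_url'" "$f" | tail -n 1)
    candidate=$(printf '%s\n' "$line" | grep -Eo "'[A-Za-z][A-Za-z0-9+.-]*://[^']*'" | head -n 1 | tr -d "'")
    if [ -n "$candidate" ]; then url="$candidate"; fi
  done
  case "$url" in
    https://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Return 0 when .htaccess already carries the HTTPS redirect condition.
htaccess_forces_https() {
  grep -q 'RewriteCond %{HTTPS} !=on' "$1/.htaccess" 2>/dev/null
}

# Prepend the redirect to .htaccess (idempotent). It goes first so it runs before
# any of SuiteCRM's own rewrite rules.
write_https_redirect() {
  ht="$1/.htaccess"
  htaccess_forces_https "$1" && return 0
  tmp=$(mktemp)
  {
    cat <<'EOF'
# Force every request onto HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
EOF
    if [ -f "$ht" ]; then cat "$ht"; fi
  } > "$tmp"
  mv "$tmp" "$ht"
}

# Demo on a constructed throwaway directory (not a real install).
demo=$(mktemp -d)
printf '%s\n' '<?php' '$sugar_config = array(' "  'site_url' => 'http://crm.example.test'," ');' > "$demo/config.php"
printf '%s\n' '<?php' "\$sugar_config['site_url'] = 'https://crm.example.test';" > "$demo/config_override.php"
if site_url_is_https "$demo"; then echo "site_url: https OK"; else echo "site_url: still http"; fi
write_https_redirect "$demo"
write_https_redirect "$demo"   # second call is a no-op
htaccess_forces_https "$demo" && echo ".htaccess: HTTPS redirect present"
rm -rf "$demo"
```

If TLS terminates at a load balancer or CDN in front of Apache, %{HTTPS} is "off" for every request and the rule above would loop; in that setup condition on the X-Forwarded-Proto header instead (RewriteCond %{HTTP:X-Forwarded-Proto} !=https) or, as the post says, enforce HTTPS at the hosting layer.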
Restrict Access
Ensure you’ve set up security groups and roles appropriately. Make sure you assign only the required access to each user. You don’t want everyone to have the ability to delete records in bulk or access sensitive modules. Deny access to unused modules and review access settings regularly.
Disable Unused Modules
To reduce attack surfaces, disable any modules that are not in use. You can do this by navigating to Admin > Display Modules and Subpanels and unchecking any modules that are not needed. This prevents users from accessing modules that serve no purpose and might introduce vulnerabilities or confusion.
Set Up Automated Backups
If you install SuiteCRM using Softaculous or Installatron, you can configure automated backups to your server or an external location (via SSH or FTP). Manual backups require copying both the file system and the database. Automating this task ensures regular and reliable recovery points.
Use a Firewall
A firewall adds a layer of protection by limiting traffic to known ports and monitoring for suspicious behavior. Consider using a server-level firewall or web application firewall (WAF) for added protection. You can find more detailed guidance in this tutorial on Fail2Ban and firewall configuration for SuiteCRM.
Educate Users
User behavior is often the weakest link in your security chain. Educate your users on password hygiene, how to spot phishing attempts, and why they shouldn’t reuse passwords.
Use a Dedicated API User
If you are using SuiteCRM’s API, create a dedicated user account specifically for API access. Restrict this user’s access only to the modules and actions required for the API functions. This limits exposure in case the API credentials are ever compromised.
Server Security
Disable Directory Listing
Ensure that your web server configuration (e.g., Apache or Nginx) has directory listing disabled. This prevents attackers from seeing the contents of folders that do not contain an index file.
Enable Error Reporting Cautiously
While error reporting can be helpful during development, it should be turned off or redirected to log files in production. Exposing errors publicly can reveal file paths, database names, or other sensitive information.
Secure File Permissions
Use the minimum necessary file and folder permissions. Typically, directories should be set to 755 and files to 644. Avoid setting anything to 777. Review permissions after upgrades or plugin installations.
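To make the 755/644 baseline above repeatable after every upgrade or plugin install, here is an added example (not code from the original post or from the SuiteCRM project): shell functions that apply the baseline to a tree and then audit for the two things that should not survive it, world-writable paths (the 777 case) and PHP files carrying an execute bit. It assumes the web server gets write access to cache/, upload/ and custom/ through ownership (chown to the web server user) rather than through 777; the demo tree at the bottom is constructed and removed again.

```shell
# Added example (not from the original post): apply the 755/644 baseline to a
# SuiteCRM tree and audit for what should never be there afterwards:
# world-writable paths (the 777 case) and regular files with an execute bit.
# Assumption: write access for the web server to cache/, upload/ and custom/ is
# granted through ownership (chown to the web server user), not through 777.

# Directories 755, files 644, exactly as the post recommends.
normalize_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Print every path writable by "other"; after normalize_permissions this is empty.
list_world_writable() {
  find "$1" -perm -002 -print
}

# Print regular files with any execute bit set; PHP sources never need one.
list_executable_files() {
  find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Number of lines on stdin, without the padding some wc versions add.
count_lines() {
  wc -l | tr -d ' '
}

# Demo on a constructed throwaway tree (not a real install).
demo=$(mktemp -d)
mkdir -p "$demo/custom/modules" "$demo/cache" "$demo/upload"
printf '<?php\n' > "$demo/config.php"
printf '<?php\n' > "$demo/custom/modules/logic_hooks.php"
chmod 777 "$demo/config.php" "$demo/cache"          # the state the post warns about
chmod 755 "$demo/custom/modules/logic_hooks.php"    # a PHP file that was made executable
echo "before: $(list_world_writable "$demo" | count_lines) world-writable, $(list_executable_files "$demo" | count_lines) executable file(s)"
normalize_permissions "$demo"
echo "after:  $(list_world_writable "$demo" | count_lines) world-writable, $(list_executable_files "$demo" | count_lines) executable file(s)"
rm -rf "$demo"
```

Run the two list_ functions on their own as a periodic check (a cron job or a post-upgrade step); any output is a finding. If the web server is not the owner of the tree, 755 alone will stop it from writing to cache/ and upload/, so fix ownership first rather than reaching for 777.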
Brute Force Protection
Protect login forms from brute force attacks by limiting login attempts or using tools such as Fail2Ban. Monitor your server logs for repeated login failures.
Enable Two-Factor Authentication (2FA)
SuiteCRM does not support full two-factor authentication (2FA) using authenticator apps (like Google Authenticator or Authy) out of the box. However, it does offer an email-based verification feature that can prompt users for a code sent to their email address under certain conditions (e.g., new IP login). While helpful, this is not a full replacement for modern 2FA standards. For stronger protection, consider installing a third-party plugin that enables time-based one-time passwords (TOTP) for full 2FA functionality.
Use reCAPTCHA for Password Resets
Add a reCAPTCHA challenge to your password reset form to prevent automated attacks from attempting to guess user emails or usernames. You can enable this in Admin > Password Management by checking the option to use Google reCAPTCHA and entering your reCAPTCHA public and private keys. Be sure to sign up for reCAPTCHA keys at Google’s reCAPTCHA admin console if you haven’t already.
Enable Fail2Ban
Fail2Ban scans log files and bans IPs that show signs of malicious behavior, such as too many failed login attempts. It is highly configurable and can work with Apache, SSH, and other services. For detailed steps, refer to our SuiteCRM Fail2Ban tutorial.
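The brute-force and Fail2Ban sections above both come down to the same rule: notice the client that hammers the login form and cut it off. Here is an added example that is not part of the original post and not from the SuiteCRM or Fail2Ban projects: shell functions that run that counting logic over a constructed sample of Apache access-log lines, plus the Fail2Ban filter and jail that express the same rule. The login request path (index.php?module=Users&action=Authenticate), the log path and the thresholds are assumptions; confirm the exact login request in your own access log before relying on the regex.

```shell
# Added example (not from the original post): rate-based detection of login
# hammering over Apache access-log lines, and the matching Fail2Ban configuration.

# Constructed sample of Apache combined-log lines (not real traffic; TEST-NET addresses).
# The login request path is an assumption about how the SuiteCRM login form posts.
SAMPLE_LOG='203.0.113.7 - - [10/May/2025:10:00:01 +0000] "POST /index.php?module=Users&action=Authenticate HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:10:00:03 +0000] "POST /index.php?module=Users&action=Authenticate HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.22 - - [10/May/2025:10:00:04 +0000] "POST /index.php?module=Users&action=Authenticate HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:10:00:05 +0000] "POST /index.php?module=Users&action=Authenticate HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:10:00:06 +0000] "GET /index.php?module=Home&action=index HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:10:00:07 +0000] "POST /index.php?module=Users&action=Authenticate HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.22 - - [10/May/2025:10:00:09 +0000] "POST /index.php?module=Users&action=Authenticate HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:10:00:10 +0000] "POST /index.php?module=Users&action=Authenticate HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:10:00:12 +0000] "POST /index.php?module=Users&action=Authenticate HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Read access-log lines on stdin; print "<count> <ip>" for login POSTs, busiest first.
# Only the login POST is counted; ordinary page loads from the same address are ignored.
login_posts_per_ip() {
  grep -F 'POST /index.php?module=Users&action=Authenticate' \
    | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' \
    | sort -rn
}

# Print the addresses at or above the threshold: what a jail with maxretry would ban.
flag_offenders() {
  login_posts_per_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# The same rule as a Fail2Ban filter plus jail (paths and thresholds are assumptions).
print_fail2ban_config() {
  cat <<'EOF'
# /etc/fail2ban/filter.d/suitecrm-login.conf
[Definition]
failregex = ^<HOST> .* "POST /index\.php\?module=Users&action=Authenticate
ignoreregex =

# /etc/fail2ban/jail.d/suitecrm-login.conf
[suitecrm-login]
enabled  = true
filter   = suitecrm-login
logpath  = /var/log/apache2/access.log
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}

# Demo over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | login_posts_per_ip
echo "would ban (5 or more login POSTs): $(printf '%s\n' "$SAMPLE_LOG" | flag_offenders 5)"
```

This heuristic counts every login POST from an address, successful or not, because the access log alone does not distinguish them, so keep maxretry high enough that a user who mistypes a password a few times is not locked out, and list office or VPN egress addresses under ignoreip in the jail. Monitoring the web server's own error log for repeated failures, as the post suggests, is the complementary check.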
Advanced Tips & Hardening
Restrict Access to Configuration Files
Protect sensitive files like config.php and config_override.php from web access by adding the following to your .htaccess file:
<FilesMatch "^(config\.php|config_override\.php)$">
    # Apache 2.2 syntax (also works on 2.4 when mod_access_compat is loaded)
    Order Allow,Deny
    Deny from all
    # Apache 2.4 syntax: use this line instead of the two above on a 2.4-only server
    # Require all denied
</FilesMatch>
This ensures that even if someone tries to access them directly via browser, the server denies the request.
Auto-Logout Idle Sessions
Set a session timeout to automatically log out users after inactivity. Add this to your config_override.php:
$sugar_config['session']['timeout'] = 1800; // 30 minutes
This reduces risk on shared or unattended workstations.
Use Read-Only File Systems Where Possible
For even greater security, mount your SuiteCRM directory read-only, except for cache/, upload/, and custom/, to prevent unauthorized file modifications.
Final Thoughts
Security is an ongoing process, not a one-time configuration. Review your system regularly, stay up to date with security bulletins, and test your setup as if you were the attacker. Implementing even a few of these best practices can go a long way in protecting your SuiteCRM instance and the valuable data it holds.
If you need help implementing these security practices or want an expert audit of your current SuiteCRM setup, check out our SuiteCRM Consulting Services to see how we can help.