cPanel Security Best Practices You Should Be Following Today

In today’s rapidly evolving digital world, web hosting security is more critical than ever. If you’re using cPanel to manage your web server, you already know how powerful and user-friendly it is. However, with great power comes great responsibility. Misconfigurations or overlooked settings can expose your system to serious threats.

This guide outlines essential cPanel security best practices that every server administrator, web hosting company, and website owner should implement immediately. Whether you’re running a personal blog or managing client websites, these practices will help safeguard your data and reputation.

1. Keep cPanel & WHM Updated

One of the simplest yet most critical steps is to keep cPanel and WHM updated. Updates often include security patches, bug fixes, and new features. Failure to update leaves your system vulnerable to known exploits.

How to Enable Automatic Updates:

• Log in to WHM as root 
• Navigate to “Server Configuration > Update Preferences” 
• Set the update tier to “RELEASE” or “STABLE”

Pro Tip: Always test updates in a staging environment if you run mission-critical sites.

 

2. Use Strong Passwords and Enable 2FA

Passwords remain the first line of defense. Using weak passwords is like inviting hackers to a free-for-all.

Best Practices:

• Use complex passwords with uppercase, lowercase, symbols, and numbers 
• Rotate passwords every 60–90 days 
• Never reuse passwords across accounts 
• Enable Two-Factor Authentication (2FA) in WHM and cPanel for all users

This dramatically reduces the chances of unauthorized access, even if a password is compromised.

 

3. Secure SSH Access

Many cPanel servers allow SSH access by default. If improperly configured, SSH becomes an easy gateway for attackers.

Recommended Security Measures:

• Disable root login and create a separate user with sudo privileges 
• Use key-based authentication instead of passwords 
• Change the default SSH port from 22 to something obscure 
• Install tools like Fail2Ban to block brute-force attempts

4. Enable and Configure a Firewall

A properly configured firewall is vital to protect your server from unauthorized traffic.

Recommended Tools:

• CSF (ConfigServer Security & Firewall) – cPanel-compatible and widely used 
• Block unused ports 
• Whitelist trusted IP addresses 
• Configure alerts for suspicious activity

A firewall helps filter traffic, reducing exposure to known and unknown threats.

5. Install an Antivirus and Malware Scanner

Even if your applications are clean, malware can still infiltrate via file uploads or vulnerable plugins.

Top Tools to Use:

• ClamAV – An open-source antivirus engine compatible with cPanel 
• ImunifyAV or Imunify360 – Offers advanced protection with malware scanning, patching, and proactive defense 

Regular scans should be scheduled, and real-time alerts configured for critical infections.

6. Leverage cPHulk for Brute Force Protection

cPHulk is a built-in brute force protection tool within WHM that defends against login attempts on various services.

Configuration Tips:

• Go to WHM > Security Center > cPHulk Brute Force Protection 
• Enable protection for SSH, WHM, FTP, and Email 
• Set reasonable thresholds for blocking IPs and usernames 
• Whitelist your static IP to avoid self-lockout 
  

  7. Restrict and Monitor File Permissions

Improper file permissions can expose sensitive files to unauthorized users. In cPanel environments, this often leads to defaced sites or injected malware.

Best Practices:

• Files: 644 
• Folders: 755 
• Configuration files: 400 or 600 
• Never set anything to 777 unless absolutely necessary

Use the “Fix Permissions” feature in some hosting tools or manually audit using the command line.

 8. Disable Unused Services and Features

Every additional feature enabled in cPanel increases your attack surface. Evaluate what’s necessary and disable the rest.

Examples:

• Disable FTP if you’re only using SFTP 
• Disable WebDAV and FrontPage Extensions (obsolete) 
• Turn off unnecessary PHP versions or handlers

Go to WHM > Service Manager and review services regularly.

9. Use ModSecurity with OWASP Rules

ModSecurity is an open-source web application firewall (WAF) that can be integrated into Apache (LiteSpeed/Nginx via compatibility).

Benefits:

• Blocks SQL injection, XSS, and other malicious traffic 
• Works at the HTTP layer 
• Highly customizable with OWASP Core Rule Set

In cPanel, ModSecurity can be enabled via WHM > Security Center > ModSecurity Configuration.

10. Enforce Secure Connections (SSL/TLS)

All traffic, including control panel access and email, should be encrypted using SSL/TLS certificates.

Actions to Take:

• Install SSL certificates using AutoSSL (WHM > Manage AutoSSL) 
• Force HTTPS redirects via .htaccess or cPanel’s domain settings 
• Ensure mail clients use SSL ports (465, 993, 995)
  
  SSL also improves SEO rankings and builds user trust.

11. Enable Backup and Disaster Recovery

Security isn’t just about prevention—it’s also about recovery. Regular backups ensure that you can quickly restore services after a compromise.

Backup Options:

• Use cPanel’s built-in Backup Wizard 
• Schedule daily, weekly, and monthly backups 
• Store backups off-site or on cloud platforms like AWS S3, Google Drive 
• Test recovery procedures regularly
  

12. Monitor Logs and Audit Trails

Keeping an eye on what’s happening under the hood is crucial.

Where to Look:

• /usr/local/cpanel/logs/access_log – cPanel access logs
  
• /var/log/secure – Login attempts and authentication 
• /var/log/messages – System-related activities
  
• Use tools like Logwatch, GoAccess, or even SIEM platforms

Set up alerts to catch unusual patterns like repeated login failures or large file uploads.

13. Harden PHP Configuration

PHP is one of the most exploited languages on cPanel servers.

Recommended Tweaks:

• Disable functions: exec(), shell_exec(), system(), passthru() 
• Set open_basedir to restrict directory access 
• Turn off allow_url_fopen and allow_url_include

You can manage these via WHM > MultiPHP INI Editor for each version.

14. Limit cPanel User Privileges

Don’t give users more access than they need.

Actions:

• Use Reseller privileges cautiously 
• Apply Feature Lists to restrict access to sensitive settings 
• Periodically audit accounts and disable unused users

15. Educate Your Users

Sometimes, the weakest link is human error. Educating clients or users can go a long way in improving your server security posture.

Educate them about:

• Phishing attacks 
• Safe password practices 
• Avoiding insecure plugins and themes

Send regular newsletters or in-app reminders if you manage a multi-user environment.

🔑 Key Takeaways:

• Keep cPanel updated 
• Use strong passwords + 2FA 
• Harden SSH and PHP configurations 
• Enable ModSecurity and firewall protection 
• Set up regular backups and monitoring 
• Educate users on cyber hygiene

Final Thoughts

cPanel security is not a one-time task—it’s a continuous process. With threats evolving daily, being proactive is your best defense. By implementing these cPanel best practices, you not only protect your server but also ensure the integrity, availability, and confidentiality of your clients’ data.

Start today. Secure your tomorrow.

Let our server experts help you secure your cPanel server today. With 24×7 monitoring, patch management, and proactive hardening, we ensure your hosting environment remains secure, stable, and optimized.