cPanel Server Security Tips and Tutorial

Introduction

This tutorial lists several tips to make your cPanel & WHM installation more secure.

Warning!!
Exercise extreme caution when following these tips. The author and vpsserver.com take no responsibility for individual servers or for the security practices mentioned in this guide. Every server is a collection of compromises, which means that any server that allows connections could be insecure.

Use Secure Passwords

Insecure passwords are a common security vulnerability. If an account password is insecure and is compromised, client sites can be defaced or hacked, and valuable data can be stolen.

Always change your password as often as possible. Here are more tips for making a secure password.

  1. Passwords should be alphanumeric and grammatical.
  2. Passwords should be 10 or more characters long.
  3. Do not use the same password for other sites.
  4. Do not let your browser store your passwords.
  5. Do not use the names of family members, your birthdate, or numbers special to you.
  6. Do not use any dictionary words in your password.
  7. Generate a random password. Password generator sites include passwordsgenerator.net[1], which provides options to generate passwords with special characters.

Use secure SSH Keys

Change the way you log in to your server's shell from passwords to SSH keys. SSH keys are more secure and require a special passphrase to be used. To generate an SSH key, log in to WHM > Security Center Section > Manage root’s SSH Keys.

Click on Generate a New Key, enter the key name and your secure password twice.


Move SSH to a Different Port

Move SSH to a different port to deter anyone without specific knowledge of your server from easily discovering your SSH port. Most visitors search on port 22, which is the default SSH port.

Always use ports below 1024, since these are privileged ports and only root can use them. Anything above port 1024 can be used by anyone.

To move SSH to a different port, log in to your server's command line as root and open 'sshd_config'.

nano /etc/ssh/sshd_config

Uncomment and change:

Port 22

to

Port 102

then restart sshd:

service sshd restart

As an example, we have changed the default SSH port 22 to port 102.

Note: It is important to allow the new port in the server firewall. Do not close the current SSH connection while testing the new port, so that you still have access if the new port does not work.
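
One way to script the edit above so that a bad config never reaches the running daemon, as an added example that is not part of the original tutorial. The function names are hypothetical; `set_ssh_port` works on any copy of `sshd_config`, and `apply_ssh_port` assumes the live file is `/etc/ssh/sshd_config` and restarts sshd only after `sshd -t` accepts it.

```shell
#!/bin/sh
# Added example (not from the original tutorial); function names are hypothetical.

# set_ssh_port FILE PORT: make "Port PORT" the only active Port directive.
set_ssh_port() {
    file=$1; port=$2
    # Accept only digits in the privileged range the tutorial recommends.
    case $port in ''|*[!0-9]*) echo "port must be numeric" >&2; return 2 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 1023 ]; then
        echo "port must be between 1 and 1023" >&2; return 2
    fi
    tmp=$(mktemp) || return 1
    {
        # No Port line at all: add one at the top, ahead of any Match block.
        grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$file" ||
            echo "Port $port"
        awk -v p="$port" '
            /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ {
                if (!done) { print "Port " p; done = 1; next }
                if ($1 == "Port") next   # drop any further active Port line
            }
            { print }' "$file"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"    # overwrite in place to keep owner and mode
    rm -f "$tmp"
}

# active_ssh_ports FILE: print every port sshd would listen on.
active_ssh_ports() {
    awk '/^[ \t]*Port[ \t]+[0-9]+/ { print $2 }' "$1"
}

# apply_ssh_port PORT: edit the live config, keep a backup, and restart
# only if "sshd -t" accepts the result; otherwise restore the backup.
apply_ssh_port() {
    cfg=/etc/ssh/sshd_config
    cp -p "$cfg" "$cfg.bak" || return 1
    set_ssh_port "$cfg" "$1" || return
    if sshd -t -f "$cfg"; then
        service sshd restart
    else
        cp -p "$cfg.bak" "$cfg"; return 1
    fi
}
```

Run `apply_ssh_port 102` as root from a session you keep open, then confirm a second login on the new port before disconnecting.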


Enable CPHulk Brute Force Protection

cPHulk is a service that protects your server from brute force attacks. A brute force attack is a hacking method that uses an automated system to guess the password to your web server or services.

When cPHulk blocks an attack, the login page shows that the 'login is invalid'. To avoid getting locked out of your own server, add your IP address to the whitelist.

You can access cPHulk through WHM > Security Center section > cPHulk Brute Force Protection.


Turn off unused services and daemons

Any service or daemon that allows connections to your server may also allow hackers to gain access. To reduce security risks, disable all services and daemons that you do not use.

Disable any services that are not in use in WHM's Service Manager interface (Home >> Service Configuration >> Service Manager).


Secure your Apache

The most readily-available way to access a web server is the web server application. You must secure your Apache installation.

One of the best tools that you can use to prevent malicious Apache use is ModSecurity™.

In cPanel & WHM version 11.46 and later, you can use the following interfaces to manage ModSecurity:

  • WHM's ModSecurity™ Tools interface (Home >> Security Center >> ModSecurity™ Tools).
  • WHM's ModSecurity™ Configuration interface (Home >> Security Center >> ModSecurity™ Configuration).


Install CSF

If your PC is connected to the Internet, you are a potential target for an array of cyber threats, such as hackers, keyloggers, and Trojans that attack through unpatched security holes. This means that if you, like most people, shop and bank online, you are vulnerable to identity theft and other malicious attacks.

A firewall works as a barrier, or a shield, between your PC and cyber space. When you are connected to the Internet, you are constantly sending and receiving information in small units called packets. The firewall filters these packets to see if they meet certain criteria set by a series of rules, and thereafter blocks or allows the data. This way, hackers cannot get inside and steal information such as bank account numbers and passwords from you.

One such firewall you can install for WHM/cPanel is CSF (ConfigServer Firewall). CSF configures your server's firewall to lock down public access to services and only allow certain connections, such as logging in to FTP, checking your email, or loading your websites. ConfigServer Firewall also comes with a service called Login Failure Daemon, or LFD.

To install CSF, run the commands below:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Next, test whether you have the required iptables modules:

perl /usr/local/csf/bin/csftest.pl

Log in to WHM and you will now see a CSF configuration page in the Plugins section. To configure CSF, you can follow the steps in the tutorial Installing and Configuring CSF on CentOS 7[2].


Harden your /tmp partition

We recommend that you use a separate /tmp partition that you mount with the nosuid option. This option forces a process to run with the privileges of its executor. You may also wish to mount the /tmp directory with noexec after you install cPanel & WHM.

To mount your /tmp partition to a temporary file for extra security, run:

/scripts/securetmp

Note: Make sure that disk space is sufficient for the partitions. A minimum of 8GB for /usr and 16GB for /var is recommended. Anything under the recommended disk space will result in some issues later on. You can read the cPanel Advanced Partitioning Guide[3] for more information.
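
A check to run after hardening /tmp, as an added example that is not part of the original tutorial: it reads the mount table and reports which of the two options discussed above (nosuid, noexec) are still missing. The function names are hypothetical, and the table is assumed to be in /proc/mounts format.

```shell
#!/bin/sh
# Added example (not from the original tutorial); function names are hypothetical.

# mount_opts MOUNTPOINT [TABLE]: print the option list of the last entry
# mounted on MOUNTPOINT. TABLE defaults to /proc/mounts, whose fields are:
#   device  mountpoint  fstype  options  dump  pass
mount_opts() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { if (opts != "") print opts }' \
        "${2:-/proc/mounts}"
}

# missing_tmp_opts MOUNTPOINT [TABLE]: return 0 if the mount carries both
# nosuid and noexec. Otherwise print the missing options (or "unmounted"
# when MOUNTPOINT is not a separate mount at all) and return 1.
missing_tmp_opts() {
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then echo "unmounted"; return 1; fi
    missing=""
    for want in nosuid noexec; do
        # Wrap in commas so "noexec" cannot match inside a longer option name.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    echo "$missing"; return 1
}

# Usage on a live server: missing_tmp_opts /tmp && echo "/tmp is hardened"
```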


Disable system compilers

Most users do not require the use of C and C++ compilers. We strongly recommend that you disable compilers for all users who are not in the compilers group in the /etc/group file. Many pre-packaged exploits require functional compilers.

To disable compilers from the WHM interface, use WHM's Compiler Access interface (Home >> Security Center >> Compiler Access).

To disable compilers from the command line, run the following command as the root user:

/scripts/compilers off

[1]: https://passwordsgenerator.net/
[2]: https://www.vpsserver.com/community/tutorials/11/install-and-configure-csf-configserver-firewall-on-centos7-64bit/
[3]: https://confluence2.cpanel.net/display/1142Docs/Installation+Guide+-+Advanced+Partitions