When it comes to web hosting, security is everything. cPanel & WHM are powerful tools, but with great power comes great responsibility. Whether you’re managing a single website or multiple client accounts, securing your cPanel and WHM environment is essential to protecting data, uptime, and your online reputation.

Here’s our expert-recommended list of best practices for securing cPanel & WHM:

1. Keep cPanel & WHM Updated

Outdated software is a goldmine for hackers. Regular updates fix vulnerabilities and improve performance. GotMyHost automatically updates systems, but you should always:

  • Enable automatic updates in WHM.
  • Monitor release tiers (Stable, Release, Current, Edge).

2. Use Strong Passwords & 2FA

Weak passwords are still one of the top causes of security breaches.


3. Restrict SSH Access

Secure Shell (SSH) access should be limited:

  • Change the default SSH port (22).
  • Use key-based authentication instead of passwords.
  • Disable root login and only allow access to specific IPs.
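
As an added example (not from the original article), the Python sketch below checks the text of an `sshd_config` against the three bullets above, including the case where a hardened line is silently overridden by an earlier one. It assumes source-IP limits are written as `AllowUsers user@host` patterns (a firewall rule would not be visible to it); the finding labels, the user name and the sample configs are constructed for illustration.

```python
"""Audit sshd_config text against the SSH restrictions listed above (added example)."""

# OpenSSH built-in defaults, used when a keyword is absent from the file.
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}


def parse_global(text):
    """Return (first-value-wins settings, ports, AllowUsers patterns) for the global section."""
    single, ports, allow = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()   # "Port=22" and "Port 22" are both valid
        key, args = parts[0].lower(), parts[1:]     # keywords are case-insensitive
        if key == "match":          # Match blocks are conditional; audit only global scope
            break
        if not args:
            continue
        if key == "port":           # Port may repeat: sshd listens on every one
            ports.append(args[0])
        elif key == "allowusers":   # AllowUsers may repeat: patterns accumulate
            allow.extend(args)
        else:                       # everything else: the first occurrence wins
            single.setdefault(key, args[0].lower())
    return single, ports or ["22"], allow


def audit(text):
    """Return a list of finding labels (hypothetical names); empty means all checks pass."""
    single, ports, allow = parse_global(text)
    cfg = {**DEFAULTS, **single}
    findings = []
    if "22" in ports:
        findings.append("port-22")
    if cfg["passwordauthentication"] != "no":
        findings.append("password-auth")
    if cfg["permitrootlogin"] != "no":   # prohibit-password still lets root in with a key
        findings.append("root-login")
    if not allow or any("@" not in p for p in allow):
        findings.append("no-source-ip-limit")
    return findings


# Constructed samples; "deploy" and 203.0.113.10 (documentation range) are placeholders.
WEAK = "Port 22\nPermitRootLogin yes\n#PasswordAuthentication no\n"
HARDENED = ("Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n"
            "AllowUsers deploy@203.0.113.10\n")
# An earlier "yes" wins over the hardened "no" that follows it.
SHADOWED = "PasswordAuthentication yes\n" + HARDENED

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED), ("shadowed", SHADOWED)):
        print(name, audit(text) or "ok")
```

The parser does not follow `Include` directives or evaluate `Match` blocks, so on a live server it is safer to run it over the effective settings printed by `sshd -T` than over the file alone.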

4. Enable a Firewall (CSF or iptables)

Use ConfigServer Security & Firewall (CSF) for an extra layer of defense.

  • Block unwanted ports.
  • Enable LFD (Login Failure Daemon) to track brute-force attacks.
  • Allow access only to trusted IPs.

5. Secure Apache & PHP Configurations

Web server configuration is crucial:

  • Disable directory browsing.
  • Turn off unnecessary modules.
  • Use mod_security and mod_evasive to help block exploit attempts and mitigate DDoS attacks.

6. Install and Configure cPHulk Brute Force Protection

cPHulk helps protect against brute-force login attempts:

  • Enable it from WHM.
  • Configure it to block IPs after multiple failed login attempts.
  • Whitelist your own IP to prevent lockout.

7. Use SSL for All Services

SSL isn’t just for websites—secure all cPanel services:

  • Force HTTPS on cPanel, WHM, and Webmail logins.
  • Install free AutoSSL or commercial certificates for all domains.

8. Disable Unused Services and Ports

The fewer services you run, the smaller your attack surface:

  • Turn off FTP if you’re using SFTP.
  • Disable services like Telnet and POP3 if they are not needed.

9. Enable Account Resource Limits

Prevent abusive behavior by users:

  • Use CloudLinux (offered with GotMyHost VPS/Shared plans).
  • Set limits on CPU, RAM, and I/O usage.
  • Avoid “noisy neighbor” issues on shared hosting.

10. Regular Backups

No security strategy is complete without backups:

  • Schedule daily/weekly backups via WHM.
  • Store them offsite (Amazon S3, Google Drive, Remote FTP).
  • Verify backups periodically.

Final Thoughts

Securing your hosting environment is not a one-time task—it’s an ongoing process. At GotMyHost, we prioritize security and offer proactive support, ensuring your servers stay protected 24/7.
