Why cPanel Security Matters
A cPanel server is an attractive target for attackers. It hosts multiple websites, email accounts, and databases — all accessible from a web-facing interface. A single compromised account can cascade into a full server breach, affecting every site and user on the machine.
The good news: most successful attacks exploit known, preventable weaknesses. Following these hardening practices significantly reduces your attack surface.
1. Change the Default cPanel & WHM Port Numbers
cPanel runs on standard, well-known ports (2082/2083 for cPanel, 2086/2087 for WHM). Automated scanning bots target these ports constantly. While security through obscurity isn't a complete solution, restricting or changing these ports adds a meaningful layer of friction:
- Use a firewall (like CSF) to restrict access to these ports by IP whitelist
- Allow only trusted IP addresses to access the WHM interface
2. Enable Two-Factor Authentication (2FA)
Two-factor authentication is one of the most effective security controls available. cPanel and WHM both support 2FA natively via TOTP (Time-based One-Time Password) apps like Google Authenticator or Authy.
To enable 2FA in cPanel:
- Log into cPanel → go to Security → Two-Factor Authentication
- Click Set Up Two-Factor Authentication
- Scan the QR code with your authenticator app
- Enter the verification code to confirm and save
Enforce 2FA for all WHM reseller and root accounts — this is non-negotiable on any production server.
3. Install and Configure a Firewall (CSF/LFD)
ConfigServer Security & Firewall (CSF) is the most widely used firewall for cPanel servers. It provides:
- Port-based access control
- Login Failure Daemon (LFD) — automatically blocks IPs with repeated failed login attempts
- Connection rate limiting to help mitigate DDoS attacks
- Email alerts for suspicious activity
CSF integrates directly into WHM and is available at no cost. After installation, review the default settings and tighten the allowed port list to only what your server actually needs.
4. Keep cPanel and All Software Updated
Outdated software is the leading cause of server compromise. cPanel releases regular updates that patch security vulnerabilities. In WHM, ensure automatic updates are enabled:
- Go to WHM → Update Preferences
- Set cPanel updates to Automatic
- Enable automatic updates for the operating system packages as well
Also keep PHP versions, WordPress installations, plugins, and other applications up to date.
5. Disable Unused Services and PHP Functions
Every service running on your server is a potential entry point. Disable anything you don't actively use:
- Disable anonymous FTP if not needed
- Disable compiler access for shell users (prevents exploit compilation on the server)
- In PHP settings, use the `disable_functions` directive to block dangerous functions: `exec,passthru,shell_exec,system`
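The following audit helper is added for this article (it is not cPanel's or CSF's own code) and covers both the port restriction from section 1 and the PHP function list above: it reads a php.ini and a csf.conf and reports whether the four functions are disabled and whether any cPanel/WHM port is still open to everyone in CSF's TCP_IN. The sample file contents and temp paths are constructed for the demonstration.

```shell
#!/bin/sh
# Audit helper added for this article (not part of cPanel or CSF). It reads two
# config files handed to it and reports drift from the recommendations above:
#   check_disable_functions php.ini -> exec/passthru/shell_exec/system are disabled
#   check_csf_ports csf.conf        -> no cPanel/WHM port is open to the world in TCP_IN
REQUIRED_DISABLED="exec passthru shell_exec system"
CPANEL_PORTS="2082 2083 2086 2087"

# Value of the last active (uncommented) "KEY = value" line, with quotes and spaces removed.
conf_value() {
    grep -E "^[[:space:]]*$1[[:space:]]*=" "$2" | tail -n 1 | sed 's/^[^=]*=//; s/"//g; s/[[:space:]]//g'
}
# 0 if PORT appears in a CSF-style comma list; an item may also be a range lo:hi.
port_listed() {
    _p=$1; _old=$IFS; IFS=,
    for item in $2; do
        case $item in
            *:*) [ "$_p" -ge "${item%%:*}" ] && [ "$_p" -le "${item##*:}" ] && { IFS=$_old; return 0; } ;;
            "$_p") IFS=$_old; return 0 ;;
        esac
    done
    IFS=$_old; return 1
}
# 0 if every required function is in disable_functions; otherwise print the gaps, return 1.
check_disable_functions() {
    current=$(conf_value disable_functions "$1"); missing=""
    for fn in $REQUIRED_DISABLED; do
        case ",$current," in *",$fn,"*) ;; *) missing="$missing $fn" ;; esac
    done
    [ -z "$missing" ] && return 0
    echo "php.ini still allows:$missing"; return 1
}
# 0 if TCP_IN exposes no cPanel/WHM port; otherwise list them, return 1.
check_csf_ports() {
    tcp_in=$(conf_value TCP_IN "$1"); open=""
    for port in $CPANEL_PORTS; do
        port_listed "$port" "$tcp_in" && open="$open $port"
    done
    [ -z "$open" ] && return 0
    echo "TCP_IN exposes cPanel/WHM ports:$open (remove them; whitelist admin IPs instead)"; return 1
}

# Constructed sample files: a default-like setup and a hardened one (not real server paths).
WEAK_INI=$(mktemp); printf '; disable_functions = system\ndisable_functions =\n' > "$WEAK_INI"
HARD_INI=$(mktemp); printf 'disable_functions = exec,passthru,shell_exec,system\n' > "$HARD_INI"
WEAK_CSF=$(mktemp); printf 'TCP_IN = "22,80,443,2082:2083,2086,2087"\n' > "$WEAK_CSF"
HARD_CSF=$(mktemp); printf 'TCP_IN = "22,80,443"\nTCP_OUT = "20:30,80,443"\n' > "$HARD_CSF"
check_disable_functions "$HARD_INI" && check_csf_ports "$HARD_CSF" && echo "hardened samples: OK"
check_disable_functions "$WEAK_INI" || check_csf_ports "$WEAK_CSF" || echo "weak samples: findings above"
```

On a real server, point the two functions at the live php.ini and /etc/csf/csf.conf instead of the sample files; a non-zero exit from either check is the finding to fix.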
6. Enforce Strong Password Policies
Weak passwords remain one of the top vectors for account takeover. In WHM, configure password strength requirements:
- Navigate to WHM → Password Strength Configuration
- Set minimum password strength to Strong or Very Strong
- Apply requirements to cPanel accounts, email accounts, FTP accounts, and database users
7. Enable ModSecurity (Web Application Firewall)
ModSecurity is a web application firewall (WAF) that inspects incoming HTTP requests and blocks malicious traffic — SQL injection, XSS, file inclusion attacks, and more. It can be enabled in WHM under Security Center → ModSecurity™ Vendors.
Use a reputable ruleset like OWASP Core Rule Set (CRS) for comprehensive protection.
8. Set Up Regular Backups
Security hardening reduces risk but cannot eliminate it entirely. Backups are your last line of defense. Configure automated backups in WHM (Backup Configuration) and store copies offsite — ideally to an external storage provider or a different server entirely.
A Security Hardening Checklist
| Task | Priority |
|---|---|
| Enable 2FA on all admin accounts | Critical |
| Install and configure CSF firewall | Critical |
| Keep cPanel and OS updated | Critical |
| Enable ModSecurity | High |
| Disable unused PHP functions | High |
| Enforce strong passwords | High |
| Configure automated backups | High |
| Restrict WHM access by IP | Medium |
Security hardening is an ongoing process, not a one-time task. Review your configuration periodically and stay informed about new vulnerabilities affecting the software your server runs.