If you have a cPanel/WHM server, you need to take security seriously. There are many ways to improve your security posture when running a web server with cPanel/WHM. We’ve put together a list of numerous suggestions you can consider. Let’s get your server secured!
How to Secure cPanel/WHM
1.) Use secure WHM and cPanel passwords
We recommend you use a secure password for your cPanel account. This means it is a unique password, only used for your cPanel account. It also means the password is 16 characters in length, and includes uppercase, lowercase, numeric, and special characters. If you need help creating a secure password, check out our password generation tool. Also, don’t forget to change your password on a regular basis, perhaps every few months.
2.) Enable automatic updates in WHM
If you enable automatic updates in WHM, you’ll at least know you are almost always running the latest version. cPanel often rolls updates out over multiple days to reduce load on its network, so at most you could be about a week out of date. When you log into WHM, you’ll see on the “Update Preferences” page that you can choose the release tier you’d like to stay on. We recommend the “RELEASE” tier.
3.) Configure backups in WHM
You should configure some kind of automated backup solution. The WHM “Backup Configuration” section allows you to configure local and remote backup policies. You can learn more about configuring a backup solution in their documentation.
4.) Configure email spam protection and email filters in WHM
There are numerous options for reducing email spam. By default, Apache SpamAssassin comes installed on cPanel/WHM servers. We recommend considering other options for reducing email spam, such as MailScanner.
5.) Restrict SSH access to public keys in WHM
You can greatly increase your server security by restricting root level access to those with authorized SSH keys. This prevents someone with your root password from being able to access the server, since it would instead require your private key. You can learn more about managing root SSH keys in the documentation.
6.) Disable root access via SSH in WHM
In addition to switching to SSH keys, you should also prevent root logins. You can do this by editing the /etc/ssh/sshd_config file on the server and setting PermitRootLogin to no.
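Making that edit by hand is error-prone (the stock file usually carries a commented-out “#PermitRootLogin prohibit-password” line, and anything placed after a “Match” block is conditional rather than global). The script below is an added example, not from the article: it sets a directive idempotently, reads back the effective value, and applies the key-only, no-root policy of items 5 and 6. It assumes POSIX sh and awk; the file path is a parameter so you can rehearse on a copy of /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the article: set an sshd_config directive the way a
# careful admin would, then read back the effective value. Assumes POSIX sh and
# awk; FILE is a parameter so you can rehearse on a copy of /etc/ssh/sshd_config.

# set_sshd_option FILE KEY VALUE
# Rewrites the first global KEY line (active or commented out, e.g. the stock
# "#PermitRootLogin prohibit-password"), drops later global duplicates so the
# first match is the one sshd honours, and if no KEY line exists inserts it
# above the first "Match" block, because directives after "Match" are
# conditional rather than global.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v val="$value" '
        {
            if (!inmatch && $1 == "Match") {              # global section ends here
                if (!done) { print key, val; done = 1 }
                inmatch = 1
            }
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)  # strip indent and "#"
            split(line, f, /[[:space:]]+/)
            if (!inmatch && tolower(f[1]) == tolower(key)) {
                if (!done) { print key, val; done = 1 }
                next                                      # drop old/duplicate line
            }
            print
        }
        END { if (!done) print key, val }                 # no KEY and no Match: append
    ' "$file" > "$tmp" &&
    cat "$tmp" > "$file"   # overwrite in place to keep the file mode (0600 for sshd_config)
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: prints the first active value, which is what sshd uses.
get_sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_sshd FILE: root logins off, passwords off, public keys on (items 5 and 6).
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
}
```

On a real server, run `sshd -t` after editing and keep an existing root session open until a key-based login has been confirmed from a second session, so a typo cannot lock you out.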
Related: Check out our blog article on Advanced Security tips for SSH.
7.) Install the CSF firewall in WHM
The most popular stateful packet inspection firewall for cPanel/WHM servers is CSF, by ConfigServer Services. You can configure this firewall to restrict ports, monitor login authentication failures, prevent port flooding, and so much more. Check out their website for a full list of features.
8.) Monitor access and error logs in WHM or cPanel
If you have CSF installed, you can use its Watch Logs or Search Logs tools in WHM to navigate the server’s error logs and access logs. This can be helpful in determining the cause of email account login issues, mod_security violations, and much more. Alternatively, you can also download access logs within cPanel for each domain within the account.
9.) Enable brute force protection in WHM
There is a tool called cPHulk Brute Force Protection in WHM that allows you to configure rules for blocking repeat login failures. We recommend using this feature, unless you opted instead to install Imunify360 on your server, which has its own solution for brute force attacks.
10.) Disable anonymous FTP in WHM
There is almost never a need for anonymous FTP on a web server. You can disable this in the “FTP Server Configuration” section of WHM. The setting is called “Allow Anonymous Logins.”
11.) Use the Security Advisor tool in WHM
The Security Advisor tool in WHM will report configuration and version issues found in PHP, Exim, SSH, and other server applications. It will also let you know if you have kernel issues, password strength issues, and other potential security problems.
12.) Disable unused services & daemons in WHM
You should never leave unused software running on your server. This provides another attack vector without any benefit to your organization. You can check which services are enabled and being monitored by going to the “Service Manager” section within WHM.
13.) Enable mod_userdir Protection in WHM
Within the “Apache mod_userdir Tweak” section of WHM, you can enable mod_userdir protection to restrict mod_userdir to URLs whose users own the URL’s domains. This is an easy security improvement to enable.
14.) Secure the /tmp partition in WHM
For the best security posture, you should have a separate /tmp partition on your server. Additionally, you should mount the /tmp partition with the nosuid option. You should also set the /tmp partition to use the noexec mount option. You can read more in the WHM documentation here.
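To confirm that /tmp really is a separate mount and carries both options, here is an added check (not from the article) that reads /proc/mounts-format lines, with the file path as a parameter so a constructed sample can be tested offline. It assumes POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the article: audit whether /tmp is a separate mount
# carrying the nosuid and noexec options, reading /proc/mounts-format lines
# ("device mountpoint fstype options dump pass"). Assumes POSIX sh and awk;
# the file is a parameter so a constructed sample can be checked offline.

# check_tmp_mount MOUNTS_FILE
# Prints "ok", "not-a-separate-mount", or "missing: <opts>" and returns 1
# unless everything is in place. If /tmp appears more than once, the last
# line wins, which is how the kernel stacks mounts.
check_tmp_mount() {
    awk '
        $2 == "/tmp" {
            found = 1
            split("", opt)                      # reset: a later mount shadows an earlier one
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) opt[o[i]] = 1
        }
        END {
            if (!found) { print "not-a-separate-mount"; exit 1 }
            miss = ""
            if (!("nosuid" in opt)) miss = miss "nosuid"
            if (!("noexec" in opt)) miss = miss (miss == "" ? "" : ",") "noexec"
            if (miss != "") { print "missing: " miss; exit 1 }
            print "ok"
        }
    ' "$1"
}

# On a live server: check_tmp_mount /proc/mounts
```

cPanel ships /scripts/securetmp to set up such a mount; running this check afterwards confirms the options actually took effect.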
15.) Disable the PHP mail() function in WHM
If you don’t need your server to send email through PHP, and instead wish to have emails be sent over SMTP, then you should consider disabling PHP’s mail() function in WHM.
- Open the “MultiPHP INI Editor”
- Click the “Editor Mode” tab
- Select the PHP version you use
- Find the setting for disable_functions
- Add the “mail” function to the list of disabled functions (multiple disabled functions are separated by spaces), then click Save:
disable_functions = mail
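The same change, applied to a php.ini-style file so the result can be inspected, as an added example that is not from the article and is not the editor’s own code. It keeps whatever is already in disable_functions, never duplicates an entry, and ignores a commented-out directive (which PHP also ignores). It assumes POSIX sh and awk; the file path is a parameter.

```shell
#!/bin/sh
# Added example, not from the article: the same change the MultiPHP INI Editor
# makes, applied to a php.ini-style file so the result can be inspected.
# Assumes POSIX sh and awk; INI_FILE is a parameter (a constructed sample below).

# add_disabled_function INI_FILE FUNC
# Appends FUNC to the disable_functions list, keeping what is already listed
# and never duplicating, so it is safe to re-run. A commented-out directive
# (";disable_functions = ...") is ignored by PHP, so it is left alone and a
# fresh active line is added instead.
add_disabled_function() {
    file=$1 fn=$2
    tmp=$(mktemp) || return 1
    awk -v fn="$fn" '
        /^[[:space:]]*disable_functions[[:space:]]*=/ && !done {
            sub(/^[^=]*=[[:space:]]*/, "")               # keep only the current list
            n = split($0, cur, /[[:space:],]+/)          # PHP accepts comma or space
            list = ""; have = 0
            for (i = 1; i <= n; i++) if (cur[i] != "") {
                if (cur[i] == fn) have = 1
                list = list (list == "" ? "" : ",") cur[i]
            }
            if (!have) list = list (list == "" ? "" : ",") fn
            print "disable_functions = " list; done = 1; next
        }
        { print }
        END { if (!done) print "disable_functions = " fn }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# disabled_functions INI_FILE: prints the active list one name per line, or nothing.
disabled_functions() {
    awk '/^[[:space:]]*disable_functions[[:space:]]*=/ {
        sub(/^[^=]*=/, ""); n = split($0, a, /[[:space:],]+/)
        for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        exit }' "$1"
}
```

After saving, `php -r 'var_dump(function_exists("mail"));'` under the affected PHP version should print bool(false).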
16.) Restrict service access by IP address in WHM
You can use the “Host Access Control” section in WHM to restrict access to services based on IP addresses. This is helpful, especially for restricting WHM access to trusted IP addresses or ranges.
17.) Enable two-factor authentication in WHM
To help improve access controls over WHM, you can also consider enabling Two-Factor Authentication for WHM. You can read more about it in the documentation.
18.) Switch from Apache to LiteSpeed in WHM
We are huge fans of LiteSpeed Web Server, which provides better security and performance than Apache. It does have a monthly cost, but you should consider using it if you are running a web server with multiple clients.
19.) Switch from CentOS to CloudLinux
We are also big fans of CloudLinux, which provides increased security, stability, and performance to your Linux server. It does have a monthly cost, but you should consider using it if you are running a web server with multiple clients.
Why is cPanel/WHM Security Important?
The cPanel/WHM control panel is probably the best hosting control panel out there. However, there are numerous steps you have to take to further improve its security after installation. Because it offers so much control over your server, it is critical to take the necessary steps to ensure its security.
Final Thoughts on cPanel/WHM Security
There are numerous security improvements that can be made to a cPanel/WHM server. You should always stay vigilant when it comes to running a secure web server. When you are just getting started with cPanel/WHM security, the previously mentioned steps will get you off to a good start. Beyond that, you should consider hiring a server security company, such as AdminGeekz, to help provide advanced troubleshooting and security auditing services.