Security

The Ultimate cPanel Security Checklist for Sysadmins

cpanel security checklist for sysadmin

If you’re a system administrator, you’ll want to check out our cPanel Security Checklist. After all, you know that securing your cPanel environment, and keeping it secure, is your top priority. A properly configured cPanel server can prevent cyber threats, data breaches, and unauthorized access.  

However, misconfigurations and overlooked settings can leave your server vulnerable to attacks. This can lead to irretrievable data loss, increased costs, legal and compliance issues, and malware infections, to name just a few of the biggest problems.  

That’s why we’ve compiled the information in this post: the ultimate cPanel security checklist! We’ll cover the essential security measures that every sysadmin should implement. From firewall configuration and backups, all the way to SSL certificates and intrusion detection, this guide will help you fortify your cPanel server against potential threats. 

Let’s get to it!  

Summary of What You’ll Learn 

  • Use a step-by-step checklist to secure your cPanel servers. Such as strong passwords, two-factor authentication, and IP access to prevent unauthorized logins and brute-force attacks 
  • Focuses on best practices for system administrators to prevent cyber threats and unauthorized access 
  • Enable automated and remote backups, test them regularly, and always stay up to date with cPanel, WHM, and third-party software. 
  • Aims to help admins maintain a secure, compliant, and high-performance hosting environment 

“In 2024, the global average cost of a single data breach hit an all‑time high of $4.88 million, a 10 % jump from the previous year.” 

60+ Key Data Breach Statistics for 2025 

1. Secure Your cPanel Login 

Use Strong Passwords and Two-Factor Authentication (2FA) 

Ensuring both you and all cPanel and WHM users have the correct password and security protocols set up is the first step towards a safe environment.  

  • Ensure that all cPanel and WHM users have strong, unique passwords. For specific help with configuring this, follow the guide here.  
  • Enforce Two-Factor Authentication (2FA) via WHM > Security Center > Two-Factor Authentication. 
  • Disable the “root” user login and use sudo-enabled accounts instead. 

Restrict Access by IP Address 

  • Set up IP-based access control to high privileged or admin accounts by restricting logins to specific IPs. 
  • Use cPHulk Brute Force Protection to block repeated failed login attempts. 

Enable Auto Logout for Inactivity 

  • Navigate to WHM > Tweak Settings > Logout for Inactivity to ensure inactive sessions are automatically terminated. 

2. Secure the cPanel Server with Firewalls 

Firewalls help you filter traffic, prevent unauthorized access, mitigate attacks, and help you monitor logins, to name just a few of the ways they keep your environment safe.  

Install and Configure CSF (ConfigServer Security & Firewall) 

  • Install ConfigServer Security & Firewall (CSF) to manage network traffic and block suspicious activity. 
  • Enable Login Failure Daemon (LFD) to detect repeated login failures. 
  • Whitelist trusted IPs and blacklist known malicious ones. 

Close Unused Ports 

  • Disable all unnecessary ports to minimize entry points for attackers. 
  • Use WHM > Security Center > Host Access Control to control access. 

Enable ModSecurity 

  • Navigate to WHM > Security Center > ModSecurity Configuration
  • Ensure that OWASP ModSecurity Core Rule Set (CRS) is enabled to protect against common web vulnerabilities. 

3. SSL and Encryption Best Practices 

Following best practice for SSL and encryption ensures a continued level of trust between you and your users and keeps all your data (and theirs!) protected.  

Enforce SSL for cPanel, WHM, and Webmail 

  • Enable AutoSSL in WHM > Manage AutoSSL to provide free SSL certificates. 
  • Force SSL redirection in WHM > Tweak Settings > Require SSL for cPanel Services

Disable Weak SSL/TLS Protocols 

  • Navigate to WHM > Service Configuration > Apache Configuration > Global Configuration. 
  • Disable TLS 1.0 and 1.1, ensuring only TLS 1.2 and 1.3 are allowed. TLI 1.0 and 1.1 are deprecated and no longer part of best practice.  

Use Strong Cipher Suites 

two factor authentication login

4. Secure User Accounts and Permissions 

This step is incredibly important in order to prevent unauthorized access to your system, as well as to maintain data integrity and minimize insider threats. In general, it’s always best to follow the Least Privileges Principle when you assign roles and permissions to users.  

Implement CageFS within CloudLinux 

  • Install CloudLinux for improved security and resource allocation. 
  • Use CageFS to isolate user accounts and prevent cross-account attacks. 
  • Restrict File Permissions 
  • Set secure file permissions by following the FileProtect documentation here

Disable Shell Access for Non-Admins 

  • Go to WHM > Account Functions > Manage Shell Access and disable shell access for all non-admin users. 

5. Regular Backups and Disaster Recovery 

Regular backups might seem like a simple task, but you’d be surprised how many companies have been the victims of data loss due to not sufficiently backing up. One survey on this subject from 2024 concluded that over 80% of organizations lost data due to not backing up enough, so don’t think it can’t happen to you too!  

Enable cPanel Backups 

  • Configure Automated Backups via WHM > Backup > Backup Configuration. 
  • Store backups on a remote server to prevent loss in case of an attack. 

Test Your Backups 

  • Regularly restore a backup in a test environment to verify integrity. 
  • Use Incremental Backups 
  • Enable Incremental Backups to reduce storage space while maintaining recent changes. 

6. Secure Database and PHP Settings

This part of the process is incredibly important for securing sensitive data and ensuring data integrity, as well as preventing code injection and enhancing performance.  

Protect MySQL Databases 

  • Restrict MySQL access to localhost unless required. 
  • Use strong, unique passwords for database users. 
  • Disable MySQL SHOW DATABASES for non-root users. 
  • Follow the guide here for a more detailed explanation. 

Harden PHP Configuration 

  • Edit /etc/php.ini and set: disable_functions = exec,passthru,shell_exec,system 
    expose_php = Off 
    allow_url_fopen = Off 
  • Enable open_basedir restriction in WHM > MultiPHP Manager. 
  • For a more specific set of configurations and assistance, follow the guide here

7. Enable Intrusion Detection and Security Logs 

This part of the process is incredibly important for real time threat detection, identifying vulnerabilities, as well as compliance!  

Install and Configure Fail2Ban 

  • Install Fail2Ban to monitor and block suspicious login attempts. 
  • Configure rules to ban IPs after repeated failed logins. 

Monitor Logs for Suspicious Activity 

  • Regularly check security logs, this blog can be helpful in learning how! 
  • Set up log monitoring alerts to notify you of unusual activity. 

8. Keep Software and Plugins Updated 

This might seem basic, but again, sometimes the easiest and simplest parts of security processes are the ones we take for granted, and therefore the ones it’s easy to forget about and miss.  

Regularly Update cPanel and WHM 

  • Enable automatic updates in WHM > Update Preferences. 
  • Regularly check WHM > cPanel Version Information for updates. 

Update Third-Party Plugins and Applications 

  • Ensure WordPress, Joomla, and other CMS applications are up to date. 
  • Use WordPress Toolkit to manage WordPress security settings. 

Remove Unused Plugins and Themes 

  • Disable and delete any unused plugins to minimize security risks. 

9. DDoS Protection and Network Security 

Ensuring you’re compliant with this part of the process helps to prevent service interruptions, safeguard your reputation, as well as reducing financial losses and protecting sensitive data. 

Use Cloudflare or a WAF 

  • Integrate Cloudflare to provide DDoS protection and web application firewall (WAF). 
  • Enable Imunify360 for advanced malware protection. 

Implement Rate Limiting 

  • Configure ModEvasive to protect against brute-force attacks. 
  • Set up rate limiting for login attempts. 

Use CDN for Improved Security 

  • Implement Content Delivery Networks (CDN) to reduce server load and protect against attacks. 

10. Security Audits and Best Practices 

Performing regular security audits on your cPanel environment is vital to keeping your users’ data safe, and their trust in you high. 

Conduct Regular Security Audits 

  • Use cPanel Security Advisor (WHM > Security Advisor) to check for vulnerabilities. 
  • Perform manual security audits every quarter. 

Educate Users and Staff 

  • Train users on secure password policies and phishing awareness. 
  • Subscribe to Security Updates 
  • Stay updated on cPanel security patches and apply them immediately. 
  • Subscribe to cPanel’s security mailing list for alerts. 

Conclusion 

As you know, securing your cPanel server is an ongoing process, one that requires constant diligence and proactive management. By following our cPanel security checklist, you can significantly reduce the risk of security breaches and maintain a safe hosting environment, ensuring your team members and customers stay safe.  

Regular updates, strong password policies, firewalls, backups, and active monitoring are key components of a strong security posture. Implement these measures today to safeguard your cPanel server against evolving cyber threats. 

Frequently Asked Questions (FAQs) 

1. Why is securing cPanel important? 

A misconfigured or insecure cPanel server can lead to data breaches, malware infections, financial loss, and non-compliance with regulations. 

2. What are the first steps to secure cPanel?

Use strong, unique passwords, enforce Two-Factor Authentication (2FA), and restrict access by IP address. Disable the root login for added security.

3. How can firewalls protect a cPanel server? 

Firewalls like CSF filter traffic, block suspicious logins, and close unused ports. Enabling LFD and ModSecurity adds further protection against common attacks. 

4. What are SSL/TLS best practices for cPanel?

Enable AutoSSL, enforce SSL redirection, and disable outdated protocols (TLS 1.0/1.1). Use only strong cipher suites for encryption. 

5. How should user permissions be managed?

Follow the Least Privilege Principle, use CloudLinux with CageFS, restrict shell access, and set secure file permissions. 

6. How often should backups be done? 

Set up automatic daily backups, store them offsite, and regularly test their integrity to ensure data recovery in case of emergencies. 

7. How do I secure PHP and MySQL settings? 

Harden PHP using php.ini and disable risky functions. Restrict MySQL access and privileges to reduce exposure to SQL injection attacks.

8. What tools help with intrusion detection? 

Install Fail2Ban to block brute-force attacks and monitor logs for suspicious activity. Set up alerts for real-time threat detection.

9. How do I mitigate DDoS attacks on my cPanel server?

Use services like Cloudflare and Imunify360, configure rate limiting, and deploy a Content Delivery Network (CDN) to absorb malicious traffic.

10. What regular practices ensure long-term security? 

Conduct quarterly security audits, train staff on security hygiene, subscribe to cPanel updates, and immediately patch known vulnerabilities. 

cPanel, WebHost Manager and WHM are registered trademarks of cPanel, L.L.C. for providing its computer software that facilitates the management and configuration of Internet web servers.