Best Practices for cPanel Security in 2023: Protecting Your Website and Data

As the world becomes increasingly digital, the need for strong security measures to protect websites and online data has never been more pressing. For websites hosted on cPanel servers, ensuring the security of the cPanel environment is crucial to protecting both the website and the data it hosts. In 2023, the threat of cyber attacks continues to grow, making it more important than ever for website owners and system administrators to implement best practices for cPanel security. In this blog post, we’ll explore the top best practices for cPanel security in 2023, including using strong passwords, enabling two-factor authentication, keeping cPanel up-to-date with the latest security patches, using SSL certificates, and more. By implementing these best practices, website owners and system administrators can help ensure the security and integrity of their cPanel environments, and protect their websites and data from cyber threats.

1. Use Strong Passwords

One of the simplest and most effective ways to improve cPanel security is by using strong passwords. Weak passwords can be easily cracked by hackers, giving them access to your cPanel environment and all the websites and data hosted on it. By using strong passwords, you can help ensure that only authorized users have access to your cPanel environment, and protect your website and data from cyber threats.

To create strong passwords, it’s important to use a mix of uppercase and lowercase letters, numbers, and symbols. Avoid using dictionary words, common phrases, or personal information like your name or birthdate, as these can be easily guessed by hackers using brute-force attacks. Instead, use a combination of random characters that are difficult to guess.

Additionally, it’s recommended that users use a unique password for each account they have, rather than reusing the same password across multiple accounts. This can help prevent a single compromised password from giving hackers access to multiple accounts.

For users who find it difficult to remember multiple strong passwords, password managers can be a helpful tool. Password managers generate and store strong passwords for each account, so users don’t have to remember them all. Additionally, many password managers include features like two-factor authentication and password auditing, which can further improve cPanel security.

2. Enable Two-Factor Authentication
Two-factor authentication (2FA) is an extra layer of security that requires users to provide two forms of authentication in order to access an account. Typically, this involves entering a username and password (the first factor), and then providing a second form of authentication, such as a security code sent to a mobile device or email (the second factor).

By enabling 2FA in cPanel, users can add an extra layer of security to their accounts, making it more difficult for hackers to gain access to their cPanel environment, even if they have obtained the user’s password through a data breach or other means.

To enable 2FA in cPanel, users can follow these steps:

1. Log in to WHM panel
2. Click on the “Two-Factor Authentication” icon under the “Security Center” section
3. Follow the prompts to set up 2FA using one of the available methods, such as Google Authenticator or Microsoft authenticator.

cPanel provides detailed documentation on how to enable 2FA for cPanel accounts, which can be found here: https://docs.cpanel.net/whm/security-center/two-factor-authentication-for-whm/

By enabling 2FA, users can add an extra layer of security to their cPanel accounts, helping to protect their websites and data from unauthorized access.

3. Keep cPanel Up-to-Date

Keeping cPanel up-to-date with the latest security patches and fixes is essential for maintaining the security of your cPanel environment. As new vulnerabilities are discovered, cPanel releases updates that address these issues, making it more difficult for hackers to exploit these vulnerabilities to gain access to your cPanel account.

To update cPanel, users can follow these steps:

1. Log in to WHM (Web Host Manager)
2. Click on the “cPanel” button under the “Account Information” section
3. Click on the “Upgrade to Latest Version” button
4. Follow the prompts to update cPanel to the latest version.

It’s important to test updates before deploying them to production to ensure that they do not cause any compatibility issues or other problems that could negatively impact your website or data.

4. Secure SSH
SSH (Secure Shell) is a network protocol that allows users to securely connect to a remote server. In cPanel, SSH can be accessed through the Terminal feature. It’s important to secure SSH to prevent unauthorized access and protect your server from potential attacks.

Here are some best practices for securing SSH in cPanel:

Use strong SSH passwords: As with all passwords, it’s essential to use strong, complex passwords for SSH. Use a mix of uppercase and lowercase letters, numbers, and symbols. Avoid using easily guessable passwords such as “password” or “123456.”

Use SSH keys: SSH keys are a more secure way to authenticate than passwords. They use public-key cryptography to authenticate users and are not vulnerable to brute-force attacks. Consider using SSH keys instead of passwords for SSH authentication.

Change the default SSH port: By default, SSH uses port 22. Changing the default port to a non-standard port can make it harder for attackers to find your server and attempt to gain unauthorized access. Choose a high port number between 1024 and 65535.

Disable root login: By default, the root user is allowed to log in via SSH. However, this can be a security risk as attackers often target the root user. Consider disabling root login and using a separate, non-root user for SSH access.

5. Control access to services by IP Address

One of the best ways to improve cPanel security is to limit access to it only to those who need it. Unauthorized access can compromise your website and put sensitive data at risk. One effective method to limit access is by using WHM’s Host Access Control interface.

WHM’s Host Access Control interface is a front-end tool that allows you to configure the /etc/hosts.deny and /etc/hosts.allow files. These files are used by the TCP wrappers facility to restrict access to services such as cPanel, WHM, SSH, FTP, SMTP, and more.

Using the Host Access Control interface, you can easily add or remove IP addresses or ranges that are allowed or denied access to cPanel and other services. This provides an additional layer of security for your server by preventing unauthorized access attempts from specific IP addresses.

To access the Host Access Control interface, log in to WHM and navigate to the “Security Center” section. From there, click on “Host Access Control.” You can then configure the settings according to your needs.

By taking advantage of WHM’s Host Access Control interface, you can ensure that only authorized users are allowed access to cPanel and other services on your server, significantly reducing the risk of unauthorized access and potential security breaches.

You can find some examples on how to configure Host Access control on the below document
https://docs.cpanel.net/whm/security-center/host-access-control/

6. Use strong Firewall
A firewall is a network security tool that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between your server and the outside world, preventing unauthorized access and blocking malicious traffic. A firewall can also help mitigate the impact of DDoS attacks by filtering out unwanted traffic before it reaches your server.

To implement a firewall on a cPanel server, you can use third-party software such as ConfigServer Security & Firewall (CSF) or Advanced Policy Firewall (APF). These firewall solutions are designed specifically for cPanel and offer an easy-to-use interface for managing firewall rules. They support a variety of configuration options and can be customized to suit your specific needs.

Both CSF and APF do not support firewalld, so you may need to disable firewalld and install iptables before installing them. Once installed, you can configure firewall rules to limit access to specific ports and protocols, block known malicious IPs, and prevent unauthorized access to your server. You can also set up alerts to be notified when a security event occurs, such as when a blocked IP tries to access your server.

While firewalld is a popular firewall solution for many Linux systems, csf and apf have some advantages that make them better suited for cPanel servers. Here are a few reasons why:

Integration with cPanel: Both csf and apf are specifically designed to work with cPanel, meaning they integrate seamlessly with the control panel’s user interface and make it easier to manage firewall rules.

User-friendly interface: Both csf and apf offer a simple, easy-to-use interface for managing firewall rules, making it easier for cPanel users with little or no experience in server administration to set up and manage their firewall.

Advanced features: Both csf and apf offer advanced features such as connection rate limiting, port scanning detection, and real-time blocking, which can help to further improve server security.

Community support: csf and apf have been around for many years and have active communities of users and developers, which means that they are well-supported and regularly updated with the latest security features and bug fixes.

Overall, while firewalld is a good option for general Linux servers, csf and apf are more tailored to cPanel and offer advanced features and integration that make them better suited for cPanel servers. You should only installone of them.

7. Enable Brute Force Protection
Brute force attacks are a type of cyber attack in which an attacker attempts to gain access to a system by repeatedly guessing usernames and passwords until the correct combination is found. These attacks can be particularly harmful for cPanel servers, as they can potentially give attackers access to sensitive data and website files.

To protect against brute force attacks, cPanel offers built-in brute force protection tools that can be enabled by the server administrator. These tools work by blocking IP addresses that repeatedly fail login attempts within a certain timeframe.

To enable brute force protection in cPanel, follow these steps:

1. Log in to WHM as the root user.
2. Navigate to Home > Security Center > cPHulk Brute Force Protection.
3. Click the “Enable” button to enable brute force protection.
4. Configure the settings to suit your needs, such as the number of login attempts allowed before blocking an IP address and the duration of the block.

It’s important to note that enabling brute force protection can sometimes result in false positives, such as when legitimate users mistype their passwords. To avoid these situations, consider adding IP addresses to a whitelist of trusted users who should not be blocked by the brute force protection tool.
For more detailed instructions on how to enable and configure cPanel’s brute force protection tool, refer to the cPanel documentation below:
https://docs.cpanel.net/whm/security-center/cphulk-brute-force-protection/

8. Regularly Back Up Website and cPanel Data
Regularly backing up website and cPanel data is crucial to ensuring the availability and integrity of your data. A backup is essentially a copy of your data that you can restore in case of data loss, corruption, or other unexpected events. Without a backup, you risk losing your data permanently, which can have serious consequences for your business or personal website.

Creating an effective backup strategy involves several key considerations. Here are some tips:

1. Choose a backup solution: cPanel comes with its own built-in backup solution that allows you to create full or partial backups of your cPanel account, including your website files, databases, email accounts, and settings. It’s essential to use a reliable backup solution that can handle your data size and is compatible with your hosting environment.

2. Determine backup frequency: The backup frequency depends on the frequency of changes to your website and data. For example, if you make frequent changes to your website or store sensitive data, you may need to back up your data daily or weekly. You may also consider backing up before making significant changes to your website or software.

3. Store backups in multiple locations: Storing backups in multiple locations is essential to ensure that you can restore your data in case of a disaster or outage. You can store backups locally on your server, but it’s also recommended to store backups remotely, such as in cloud storage or an offsite location.

4. Automate backups: Manually creating backups can be time-consuming and error-prone, which is why it’s recommended to automate backups. You can use cPanel’s built-in backup solution to schedule backups automatically or use third-party backup solutions like JetBackup to create automated backups.

For advanced backup options, you may consider using JetBackup, which offers features like incremental backups, remote backups, and backup retention policies. JetBackup is an excellent option for those who require more customization and configuration options than what is available with cPanel’s built-in backup system. Their FAQ is a useful resource for anyone looking to learn more about JetBackup’s features and capabilities.
https://docs.jetbackup.com/manual/whm/FAQ/FAQ.html

By implementing an effective backup strategy, you can ensure the availability and integrity of your data, and quickly restore your website and cPanel account in case of a disaster or data loss event.

9. Secure Apache
Securing Apache on cPanel is an essential step in protecting your website and data. Here are some ways to do it:

Use ModSecurity: ModSecurity is an open-source web application firewall that can help protect your website from a wide range of attacks. It can also help block malicious traffic before it reaches your server. WHM’s ModSecurity® Vendors interface allows you to install the (OWASP) Core Rule Set (CRS), which is a set of rules designed to protect against common web application attacks.

Use suEXEC module: suEXEC is a module that allows scripts to be executed under their own user ID instead of the default Apache user. This provides an additional layer of security by limiting the impact of a compromised script to the user’s home directory instead of the entire server.

Implement symlink race condition protection: Symlink race condition vulnerabilities can allow attackers to gain access to files that they should not have access to. Implementing symlink race condition protection helps prevent these vulnerabilities by denying access to files and directories that have weak permissions.

Implementing these measures can help secure Apache on cPanel and protect your website and data from potential security breaches.

10. Disable unused services and daemons
Disabling unused services and daemons is an important step in ensuring the security of your cPanel server. Any service or daemon that allows connections to your server may also allow hackers to gain access, so disabling them can greatly reduce the risk of a security breach.
To disable unused services and daemons in cPanel, you can use the Service Manager interface in WHM. This interface allows you to view a list of all the services and daemons running on your server and disable the ones that you do not need.

To access the Service Manager interface, log in to WHM and navigate to Home » Service Configuration » Service Manager. Here, you will see a list of all the services and daemons running on your server, along with their status (either Enabled or Disabled).

To disable a service or daemon, simply click the Disable button next to its name. You can also use the checkboxes at the top of the page to select multiple services or daemons and disable them all at once.

11. Monitor your system
It is important to regularly monitor your server and review logs to ensure that everything is functioning as expected and to quickly identify any potential security threats. You can set up alerts and notifications to stay informed about any issues that arise.

To effectively monitor your system, you can use various tools and software solutions. Some popular ones include:

Tripwire: This tool monitors checksums of files and reports changes. It can be used to detect unauthorized changes to critical system files.
Chkrootkit: This tool scans for common vulnerabilities and rootkits that can be used to gain unauthorized access to your system.
Rkhunter: Similar to Chkrootkit, this tool scans for common vulnerabilities and rootkits, and can help detect potential security threats.
Logwatch: This tool monitors and reports on daily system activity, including any unusual or suspicious events that may require further investigation.
ConfigServer eXploit Scanner: This tool scans your system for potential vulnerabilities and provides detailed reports on any security issues found.
ImunifyAV: This is a popular antivirus solution for cPanel servers, which can scan your system for malware and other security threats.
Linux Malware Detect: This is another popular malware scanner for Linux servers, which can detect and remove malicious files.

12. Use SSL Certificates whenever possible
SSL certificates are digital certificates that provide secure communication between a website and its visitors by encrypting the data transmitted between them. They help protect against eavesdropping and data theft by making sure that the data being exchanged is not intercepted and read by any third party.

To obtain and install an SSL certificate in cPanel, you can either purchase one from a trusted certificate authority or use free SSL provider. To install a certificate, you’ll need to generate a certificate signing request (CSR) and then use it to obtain the SSL certificate. Once you have the certificate, you can install it through cPanel’s SSL/TLS Manager interface.

One way to obtain a free SSL certificate is through cPanel’s AutoSSL feature, which can automatically provision and renew SSL certificates for domains hosted on the server. Let’s Encrypt and Sectigo are two SSL providers that are supported by AutoSSL.

Enforcing and using SSL for cPanel services, like webmail and cPanel itself, is also important for security. You can require SSL for cPanel services by enabling the “Force HTTPS Redirect” option in cPanel’s “SSL/TLS” interface. Additionally, you can use the “Require SSL” option to require SSL connections for specific cPanel services, like webmail or FTP.

Summary
Securing your cPanel server is crucial to protect your website and data from cyber attacks. In this blog post, we discussed some best practices for cPanel security in 2023, including:

1. Updating cPanel and its components regularly to ensure the latest security patches.
2. Creating strong passwords and enabling two-factor authentication.
3. Limiting access to cPanel to only those who need it and using WHM’s Host Access Control interface to restrict access.
3. Implementing a firewall like csf or apf to protect against cyber attacks.
4. Enabling brute force protection and regularly backing up website and cPanel data.
5. Securing Apache with ModSecurity and suEXEC module, and disabling unused services and daemons.
6. Monitoring your system with various tools like Tripwire, chkrootkit, Rkhunter, Logwatch, ConfigServer eXploit Scanner, ImunifyAV, and Linux Malware Detect.
7. Using SSL certificates to encrypt data in transit, and enforcing SSL for cPanel services using the “Require SSL” feature.

By following these best practices, you can significantly improve the security of your cPanel server and protect your website and data from cyber threats. Remember, security is an ongoing process, so it’s essential to stay vigilant and regularly monitor your system for any vulnerabilities or suspicious activity.