Securing your server is one of the most important things you need to do when you’re setting up your cPanel for the first time. There are multiple steps you should take to be proactive about protecting your server. Most people understand the need to protect their website from vulnerabilities, but don’t realize their hosting server needs protection, too. When hackers discover they can’t get directly into your website, they’ll try to break in through your cPanel account.
In this article, you’ll learn basic best practices for safeguarding your site, server, and account from hackers. We’ll introduce security topics like:
- Configuring cPanel Security Advisor
- Using Strong Passwords and Unique Usernames
- Using Web and Email Security Tools
- Limiting Access by IP Address
- Preventing Brute Force Attacks with cPHulk
- AND How to Stay Updated and Actively Monitor Your System
We’ve got a lot of information to cover, so let’s get started!
Table of Contents
- 1 Introducing Security Advisor
- 2 How to Configure Security Advisor Notifications
- 3 Unique Passwords and Usernames
- 4 Web and Email Security
- 5 Limit Access by IP Address
- 6 cPHulk Brute Force Protection
- 7 Stay Updated
- 8 Step by Step: Securing Your cPanel Server
- 8.1 1. Use Strong Passwords
- 8.2 2. Enable Two-Factor Authentication (2FA)
- 8.3 3. Regularly Update Software
- 8.4 4. Use SSL Certificates
- 8.5 5. Install a Firewall
- 8.6 6. Harden SSH (Secure Shell)
- 8.7 7. Secure PHP
- 8.8 8. Implement ModSecurity
- 8.9 9. Backup Regularly
- 8.10 10. Harden MySQL/MariaDB
- 8.11 11. Enable cPHulk Brute Force Protection
- 8.12 12. Monitor Server Logs
- 8.13 13. Disable Unused Services and Daemons
- 8.14 14. Limit Recursion and Amplification Attacks
- 8.15 15. Regularly Audit Your Server
- 8.16 16. Secure Your Mail Server
- 9 In Conclusion
Introducing Security Advisor
Security Advisor is a feature that collects all plausible security concerns on your server for you to review. You’ll find the Security Advisor in the Security Center section of your cPanel. As a hosting provider, you’ll want to address these as soon as possible. When you select each item, the interface provides warnings and possible solutions. When you choose it from the left-hand menu in WHM, the Security Advisor interface displays services that have been installed, password strengths, and other settings, along with a colored status coded green, yellow, or grey. This status provides a notification to inform users about probable security issues that need addressing.
The color-coding of the messages in the Security Advisor indicates the severity of the possible issue. Red advisories indicate a severe security issue, and we recommend addressing them with a high priority. Yellow warnings show potential problems that require investigation and resolution sooner rather than later, and grey advisories provide an informational notice of a permissions issue on the server. Green advisories are generally trivial issues and don’t require immediate attention.
How to Configure Security Advisor Notifications
When you open Contact Manager in WHM (WHM >> Home >> Server Contacts >> Contact Manager), you can specify when and where the server sends notifications. You’ll find your Security Advisor notification controls here, along with other alerts that you can configure to send notifications multiple ways. You can set the level of importance of these notifications to low, medium, or high, depending on your preference.
Unique Passwords and Usernames
Another easy thing to do is remember to use usernames that aren’t easy to guess when setting up your accounts. But what makes a good username? Stay away from obvious choices, like your first or last name, or admin. Try using a combination of upper and lowercase letters in places they wouldn’t normally be. Add a number or symbol to the username. The idea is to make it something that is harder for a hacker to guess based on your publicly available personal information.
As far as passwords go, you want to use a strong and unique password for all accounts, including your system’s root user, the MySQL root user and any other system accounts in addition to your personal accounts. Many of the same standards recommended for creating a unique username can be applied when choosing a password, but some experts recommend choosing a random string of 5 words, as shown in this charming XKCD comic.
You may want to invest in a password manager to help you keep track of all these unique usernames and passwords.
Web and Email Security
Securing the Web and Email on a cPanel server is just as important as the other server related options. Here are some links to related documentation about these types of security for your servers.
- Web Security – pay special attention to ModSecurity™ Tools, as you will need to install rules for your server here.
- Email Security – these tips will help prevent email abuse from happening on your server.
Limit Access by IP Address
To protect your server assets and prevent unauthorized access, which lowers the risk of attack, it often makes sense to limit user connections to a specific IP address or range of addresses. You can allow only specific IP addresses to access services on the server using WHM’s Host Access Control interface (WHM >> Home >> Security Center >> Host Access Control.)
These services include
- POP3 (pop3)
- Webmail (webmaild)
- Web Disk (cpdavd)
- FTP (ftpd)
- cPanel (cpaneld)
- SSH (sshd)
- IMAP (imap)
- SMTP (smtp)
- WHM (whostmgrd)
cPHulk Brute Force Protection
cPanel also offers a service called cPHulk Brute Force Protection. A brute force attack uses automated systems to try to guess the passwords on your system. It also includes some IP management tools as part of the software. cPHulk also makes it possible to block specific countries from logging in to your server. It’s a very robust package. You can learn more about cPHulk in our documentation.
Stay Updated
Security experts highly recommend that you use only the latest stable versions of any software on a server that is live and in production. Staying updated ensures that your software has all the latest patches and security fixes. You should check for updates often, at least weekly.
Step by Step: Securing Your cPanel Server
Securing your cPanel server is crucial to protect sensitive data, avoid malicious attacks, and ensure smooth functioning of your websites. Here’s a comprehensive guide to help you secure your cPanel server:
1. Use Strong Passwords
- Always use strong, unique passwords for all accounts.
- Change passwords periodically.
- Avoid using default or easily guessable passwords.
2. Enable Two-Factor Authentication (2FA)
- cPanel supports 2FA. Enable it for an extra layer of security.
3. Regularly Update Software
- Ensure your cPanel, WHM, and all other software packages are up-to-date.
- Updates often contain security patches.
4. Use SSL Certificates
- Ensure all logins and data transfers occur over SSL to encrypt the data.
- cPanel & WHM support AutoSSL, which automatically installs and renews free SSL certificates.
5. Install a Firewall
- Consider software like ConfigServer Security & Firewall (CSF) or Advanced Policy Firewall (APF).
- Firewalls can block malicious traffic and monitor server processes.
6. Harden SSH (Secure Shell)
- Change the default SSH port to deter automated attacks.
- Disable root login and use a non-root user with sudo privileges.
- Use SSH keys instead of passwords for authentication.
7. Secure PHP
- Disable functions like
exec,shell_exec, andpassthruif they’re not required. - Update PHP versions regularly.
- Use
open_basedirto restrict PHP access to specific directories.
8. Implement ModSecurity
- ModSecurity is an application firewall that can protect your websites from various attacks.
- cPanel supports ModSecurity, and rules can be configured to suit your needs.
9. Backup Regularly
- Regular backups are essential to quickly recover from any security breach.
- Store backups in a secure off-site location.
10. Harden MySQL/MariaDB
- Use strong database passwords.
- Bind your database server to
localhost(127.0.0.1) if remote connections are not required. - Regularly audit and clean up user privileges.
11. Enable cPHulk Brute Force Protection
- cPHulk will block IP addresses that have too many failed login attempts.
- It protects against brute force attacks.
12. Monitor Server Logs
- Regularly review and monitor logs to catch any suspicious activity.
- Tools like Logwatch can help summarize logs for you.
13. Disable Unused Services and Daemons
- Any service or daemon not in use should be disabled to minimize potential entry points for attackers.
14. Limit Recursion and Amplification Attacks
- For DNS servers, configure recursion to only be available for local users to prevent DNS amplification attacks.
15. Regularly Audit Your Server
- Use tools like
chkrootkitandrkhunterto search for rootkits. - Consider services like CloudLinux or Imunify360 for proactive server defense against threats.
16. Secure Your Mail Server
- Prevent email spoofing by implementing DMARC, DKIM, and SPF records.
- Monitor mail queues to detect any spam activity.
Always keep in mind that server security is a continuous process, not a one-time setup. Stay informed about the latest security threats and best practices, and periodically review and update your security configurations.
In Conclusion
Server security is one of the most important parts of owning a web server. It’s as essential as network security, and in some ways more important, because servers often contain a great deal of vital information. If your server is compromised, crackers can not only cause damage to the way the site is displayed; they can steal data as all of the server’s contents may become available for them to use at will. If you find that all of this seems overwhelming, you can always hire a SafeAdmin Accredited System Administrator who knows what the best practices for protecting your server are. A list of currently certified SafeAdmin Sysadmins is available on the cPanel Forums.
As always, if you have any feedback or comments, please let us know. We are here to help in the best ways we can. You’ll find us on Discord, the cPanel forums, and Reddit.
