How to secure a cPanel server

After installing cPanel on your dedicated or VPS server, work through the security checks below to reduce the risk of compromise and unwanted access.

Server security is a vast and complex subject, but there are basic steps you can take that improve security immediately.

cPanel/WHM provides various options to secure your server; plugins and additional security applications are also available.

Here are some tips for making the best use of cPanel's security features.

Common Settings:

Check that the following settings are correct on the server.
Home » Server Configuration » Basic cPanel & WHM Setup

  • Contact Information : Enter an email address that you actually monitor, so that alerts from the server reach you.
  • Basic Config : Confirm that the server's shared IP address is correct.
  • Name servers : Confirm that the name servers and their IP addresses are correct.

Home » Account Functions

  • Manage Shell Access : Set Disabled Shell for all users; give a jailed shell only to the accounts that genuinely need SSH.
  • Manage Demo Mode : Do not enable demo mode for any user.

Define Secure Passwords:

Changing the default passwords is essential. Use strong passwords that resist guessing and brute-force attacks; the Password Generator tool in cPanel can suggest them.

Use a different password for every account and service. Never reuse the same user ID and password across a client's cPanel account, FTP account, email accounts and so on.

Tweak Settings:

Check that the following Tweak Settings are set as shown.
Home » Server Configuration » Tweak Settings

  • Always redirect to SSL : On (opening cPanel, WHM or Webmail over plain HTTP redirects the browser to HTTPS)
  • Proxy subdomains : Off
  • Horde & Roundcube webmail : Off (leave enabled only if your users need webmail)
  • Allow Remote Domains : Off
  • Require SSL : On
  • Prevent cPanel users from creating specific domains : On (users then cannot add or park common Internet domains such as gmail.com or yahoo.com)
  • Initial default/catch-all forwarder destination : Fail
  • BoxTrapper Spam Trap : Off
  • Allow cPanel users to reset their password via email : Off
  • Blank referrer safety check : On
  • Referrer safety check : On
  • Use cPanel jailshell by default : On
  • Send passwords when creating a new account : Off

Always Get the Latest cPanel Updates :

Running the latest version of cPanel ensures that you receive all bug fixes and security patches. You can update from WHM with the "Upgrade to Latest Version" option.

Then configure the server to update itself automatically every day under Home » Server Configuration » Update Preferences.

Apache Settings :

Check that the following Apache settings are set as shown.
Service Configuration » Apache Configuration » Global Configuration

  • SSL Cipher Suite : ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH (note that this string still allows RC4, which RFC 7465 prohibits for TLS; on a current server use a cipher string that excludes RC4 and disables SSLv3 as well)
  • Trace Enable : Off
  • Server Signature : Off
  • Server Tokens : ProductOnly
  • File ETag : None
  • Max Requests Per Child : 1000

PHP Settings :

Check that the following PHP settings are set as shown.
Home » Service Configuration

  • PHP 5 Handler : should be "suphp" (Configure PHP and suEXEC), so that each site's PHP scripts run as the account owner rather than as the web server user.
  • In the PHP Configuration Editor (Basic Mode or Advanced Mode) set:
  • enable_dl = Off
  • register_globals = Off
  • allow_url_fopen = Off
  • disable_functions = "show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, ini_set"

Note that allow_url_fopen is an ini directive, not a function, so listing it in disable_functions has no effect; set it to Off on its own line as above. Disabling phpinfo and ini_set will break some applications, so test the sites on the server after the change.

Cpanel Security Center Settings :

Check that the following Security Center settings are set as shown.
Home » Security Center

  • Configure Security Policies : require a password strength above 50
  • PHP open_basedir Tweak : Enable
  • Apache mod_userdir Tweak : Enable
  • Compiler Access : Disable compiler access for unprivileged users (only root, and the users you explicitly allow, can then run gcc and friends)
  • Manage Wheel Group Users : this group controls which users can use the system's `su` utility; keep it to the administrators who need root and remove everyone else.
  • Shell Fork Bomb Protection : Enable
  • cPHulk Brute Force Protection : Enable
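Two of the screens above, Manage Shell Access and Manage Wheel Group Users, map directly onto /etc/passwd and /etc/group, so their effect can be verified from the command line. The script below is an added example, not code from the original page or from cPanel: it lists every non-root account whose shell is neither cPanel's noshell nor jailshell, the jailed accounts, and the wheel members. The sample passwd and group files are constructed, and the two cPanel shell paths are stated as assumptions in the code.

```shell
#!/bin/sh
# Added example (not part of the original page): find accounts that still have a
# usable login shell and list who is in the wheel group, the two things the
# "Manage Shell Access" and "Manage Wheel Group Users" screens control. It reads
# constructed copies of /etc/passwd and /etc/group so it runs anywhere; on a live
# server pass the real files. The shell paths below are assumed to be cPanel's.
set -u

NOSHELL='/usr/local/cpanel/bin/noshell'     # what "Disabled Shell" installs (assumption)
JAILSHELL='/usr/local/cpanel/bin/jailshell' # what "Jailed Shell" installs (assumption)

# "user shell" for every non-root account whose shell is neither disabled nor jailed.
full_shell_users() { # passwd-file
    awk -F: -v no="$NOSHELL" -v jail="$JAILSHELL" '
        $3 != 0 && $7 != no && $7 != jail && $7 !~ /(nologin|false)$/ { print $1, $7 }
    ' "$1"
}

# Accounts using jailshell: restricted, but still a shell, so still worth reviewing.
jailed_users() { # passwd-file
    awk -F: -v jail="$JAILSHELL" '$7 == jail { print $1 }' "$1"
}

# Members of the wheel group, one per line (empty when nobody may su to root).
wheel_members() { # group-file
    awk -F: '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# Constructed sample files (not taken from a real server).
write_samples() { # dir
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
alice:x:1001:1001::/home/alice:/usr/local/cpanel/bin/noshell
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/usr/local/cpanel/bin/jailshell
dave:x:1004:1004::/home/dave:/bin/sh
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
wheel:x:10:bob,dave
mysql:x:27:
EOF
}

report() { # passwd-file group-file
    echo "== accounts with a full shell (set Disabled Shell unless SSH is required) =="
    full_shell_users "$1"
    echo "== accounts with jailshell =="
    jailed_users "$1"
    echo "== wheel group (can su to root) =="
    wheel_members "$2"
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
report "$SAMPLES/passwd" "$SAMPLES/group"
rm -rf "$SAMPLES"
```

On a real server run `report /etc/passwd /etc/group` as root; every account in the first section that is not a deliberate SSH user should be switched to Disabled Shell, and anyone in the last section who is not an administrator should be removed from wheel.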

FTP Settings :

Check that the following FTP settings are set as shown.
Home » Service Configuration » FTP Server Configuration

  • TLS Encryption Support : Required (choose the option that requires TLS for both command and data connections, then connect from your FTP client with "Encryption = FTP over TLS"; with TLS disabled, FTP credentials travel in clear text)
  • Allow Anonymous Logins : No
  • Allow Anonymous Uploads : No
  • Allow Logins with Root Password : No
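The Apache, PHP and FTP lists above are all set through WHM, but the values end up in ordinary configuration files, so an audit script can confirm them and catch regressions after an update. The following is an added example, not code from the original page or from cPanel: it audits an httpd.conf, a php.ini and a Pure-FTPd pure-ftpd.conf for the settings recommended above, including a check that the cipher string excludes RC4 and a check that allow_url_fopen (an ini directive, not a function) is set Off on its own line rather than listed in disable_functions. The sample files are constructed to contain exactly those mistakes. The FTP directive names (TLS, NoAnonymous, AnonymousCantUpload) are Pure-FTPd's own, the root-password-login option is not checked, and values are compared literally, so adjust the expected strings if your files use other spellings such as "off".

```shell
#!/bin/sh
# Added example (not part of the original page): audit the Apache, PHP and FTP
# settings recommended above against the files they live in. It runs on constructed
# sample files; on a real cPanel server point audit_all at a directory holding the
# live httpd.conf, php.ini and pure-ftpd.conf instead.
set -u
# Value of an Apache / Pure-FTPd style "Key value" directive (first match).
directive() { awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"; }
# Value of a php.ini style "key = value" entry, quotes stripped (first match).
ini() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'; }
# Print a finding unless READER(FILE, KEY) equals WANT (literal, case-sensitive).
expect() { # reader file key want
    got=$("$1" "$2" "$3")
    [ "$got" = "$4" ] && return 0
    echo "FAIL $(basename "$2"): $3 is '${got:-unset}', want '$4'"
    return 1
}
# Each audit prints its findings and returns how many there were.
audit_apache() { # httpd.conf
    n=0
    expect directive "$1" TraceEnable Off          || n=$((n + 1))
    expect directive "$1" ServerSignature Off      || n=$((n + 1))
    expect directive "$1" ServerTokens ProductOnly || n=$((n + 1))
    expect directive "$1" FileETag None            || n=$((n + 1))
    # RFC 7465 prohibits RC4 in TLS; the cipher string must exclude it explicitly.
    case "$(directive "$1" SSLCipherSuite)" in
        *'!RC4'*) ;;
        *) echo "FAIL httpd.conf: SSLCipherSuite does not exclude RC4"; n=$((n + 1)) ;;
    esac
    return "$n"
}
audit_php() { # php.ini
    n=0
    expect ini "$1" enable_dl Off        || n=$((n + 1))
    expect ini "$1" register_globals Off || n=$((n + 1))
    expect ini "$1" allow_url_fopen Off  || n=$((n + 1))
    # Normalise "a, b, c" to ",a,b,c," so each name can be matched whole.
    list=",$(ini "$1" disable_functions | tr -d ' '),"
    for f in show_source system shell_exec passthru exec phpinfo popen proc_open ini_set; do
        case "$list" in
            *",$f,"*) ;;
            *) echo "FAIL php.ini: $f missing from disable_functions"; n=$((n + 1)) ;;
        esac
    done
    # allow_url_fopen is an ini directive, not a function: listing it here does nothing.
    case "$list" in
        *",allow_url_fopen,"*)
            echo "FAIL php.ini: allow_url_fopen in disable_functions has no effect, set allow_url_fopen = Off"
            n=$((n + 1)) ;;
    esac
    return "$n"
}
audit_ftp() { # pure-ftpd.conf (TLS: 0 = disabled, 1 = optional, 2 = required)
    n=0
    expect directive "$1" TLS 2                   || n=$((n + 1))
    expect directive "$1" NoAnonymous yes         || n=$((n + 1))
    expect directive "$1" AnonymousCantUpload yes || n=$((n + 1))
    return "$n"
}
audit_all() { # dir holding the three files; returns the total number of findings
    total=0
    audit_apache "$1/httpd.conf"     || total=$((total + $?))
    audit_php    "$1/php.ini"        || total=$((total + $?))
    audit_ftp    "$1/pure-ftpd.conf" || total=$((total + $?))
    return "$total"
}
# Constructed samples that repeat the mistakes corrected in the text above.
write_samples() { # dir
    cat > "$1/httpd.conf" <<'EOF'
ServerTokens ProductOnly
ServerSignature On
TraceEnable On
FileETag None
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH
EOF
    cat > "$1/php.ini" <<'EOF'
enable_dl = Off
register_globals = Off
allow_url_fopen = On
disable_functions = "show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen, ini_set"
EOF
    cat > "$1/pure-ftpd.conf" <<'EOF'
TLS 0
NoAnonymous yes
AnonymousCantUpload yes
EOF
}
SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
if audit_all "$SAMPLES"; then
    echo "all checks passed"
else
    echo "$? finding(s) above; fix them in WHM and re-run"
fi
rm -rf "$SAMPLES"
```

Against the constructed samples the script reports six findings: TraceEnable and ServerSignature still On and RC4 not excluded in httpd.conf, allow_url_fopen On and wrongly listed in disable_functions in php.ini, and TLS disabled in pure-ftpd.conf. Re-running it after the WHM changes, and again after each cPanel update, confirms nothing has been reset.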

IP Deny Manager :

IP Deny Manager lets a cPanel user block a single IP address or a range of addresses from reaching their site. It is a manual block list: use it to shut out addresses you have already identified as abusive. Automatic blocking of addresses that repeatedly fail to log in is the job of cPHulk, enabled above.

Leech Protection

This feature limits how many times a user may log in to a password-protected area of your website within a two-hour period, which stops a password that has been handed out publicly from being used by everyone who receives it. Users who exceed the limit can be redirected to a page of your choice or have their account disabled.

Finally, we strongly recommend installing a free firewall such as CSF or APF for additional protection, adding an anti-virus scanner (ClamAV is available as a cPanel plugin) and a rootkit scanner (for example rkhunter or chkrootkit), and restarting Apache once the configuration changes above are in place.