cPanel Security Guide For Absolute Beginners

cPanel security and ongoing maintenance can be tedious: there are many options and moving parts. Tedious does not mean difficult, though, and cPanel makes securing a server easy. In this article, you’ll be able to follow along with every step without needing much experience.

This guide will cover most security options which can be applied to any cPanel server. This article was last edited when cPanel was on v70.0.34 (checked on May 11th, 2018), but most of this guide’s information should still apply for several months after that point. If you see something that needs to be changed, comment below and we’ll credit you for the find.

cPanel Security Settings

cPanel provides a suite of configurable options to improve the security of your servers. By default, most of these settings are already set to the best possible values. There are, however, some options that could use a few tweaks.

Tweak Settings in WHM

You’ll find that most of your cPanel settings are stored within the Tweak Settings page in WHM. cPanel recommends modifying all values on this page through the WHM interface. You can, however, modify a single file instead (mentioned at the end of this section), but this should be reserved for when you’re running multiple cPanel servers.

This does not cover all values under Tweak Settings, but it will serve as a valuable start in securing your server with these options. The items below are listed in the same order in which they appear on the settings page.

  • Find [Allow autocomplete for login screens.], set this option to [Off] if you would like to prevent cPanel users from saving their passwords in a browser.
  • Find [Hide login password from cgi scripts], set this option to [On] to prevent the REMOTE_PASSWORD environment variable from being passed through scripts executed with the cpsrvd cgi handler.
  • Find [Blank referrer safety check], set this option to [On] to prevent XSRF attacks. All browsers should provide a referrer, and this stops those that don’t. Changing this option may break integration with some scripts, billing software, and other applications; so test your software after making this change.
  • Find [Referrer safety check], set this option to [On] if you’d like to require that the browser’s referrer details match the destination details (domain/IP/port). Just like Blank referrer safety check, this may break integration with some applications such as billing software and other scripts, so test after making the change.

The process of configuring your cPanel Tweak Settings can be very tedious. You may want to back up your settings, or even replicate them on other servers. For this purpose, find the file located at /var/cpanel/cpanel.config and save a copy somewhere locally. To replicate these settings, simply copy this file to the same path on the other servers. Be sure to take a backup of the original file first. If the servers run different versions of cPanel, you may introduce options not yet present in the existing Tweak Settings, or leave out options the newer version expects. After you’ve replaced the old cpanel.config file, restart cPanel by running the following command.

/usr/local/cpanel/scripts/restartsrv_cpsrvd
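The steps above (back up cpanel.config, check it before copying it between servers, replace it, restart cpsrvd) as a small shell script. This is an added example, not code from the article or from cPanel. It assumes cpanel.config is a plain key=value file; the key names in EXPECTED and in the sample files are assumed placeholders, and the sample files are constructed here so the script runs offline. Verify the names against your own /var/cpanel/cpanel.config before relying on the audit.

```shell
#!/bin/sh
# Added example (not from the original article): audit a cpanel.config-style
# key=value file against expected security values, list keys that exist in one
# server's file but not the other's (the version-mismatch caveat), and replace
# the live file only after taking a dated backup.
# Key names below are ASSUMED placeholders; check them against your own file.

# Expected "key=value" pairs, one per line (assumed names, for illustration)
EXPECTED='referrersafety=1
referrerblanksafety=1'

# Constructed sample standing in for /var/cpanel/cpanel.config on server A
SAMPLE_A=$(mktemp)
cat > "$SAMPLE_A" <<'EOF'
# constructed sample, not a real server's file
referrersafety=0
referrerblanksafety=1
skipanalog=1
EOF

# Constructed sample from a (newer) server B that carries one extra key
SAMPLE_B=$(mktemp)
cat > "$SAMPLE_B" <<'EOF'
referrersafety=1
referrerblanksafety=1
skipanalog=1
newer_only_option=1
EOF

# config_keys FILE: list the keys of a key=value file, skipping comments and blanks
config_keys() {
    sed -n 's/^\([A-Za-z0-9_]*\)=.*/\1/p' "$1"
}

# get_value FILE KEY: print the value of KEY (first match) or nothing if absent
get_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# audit_config FILE: print "KEY expected=X actual=Y" for every key in EXPECTED
# whose value differs (actual shows <missing> when the key is not in the file)
audit_config() {
    printf '%s\n' "$EXPECTED" | while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        if grep -q "^$key=" "$1"; then
            got=$(get_value "$1" "$key")
        else
            got='<missing>'
        fi
        [ "$got" = "$want" ] || printf '%s expected=%s actual=%s\n' "$key" "$want" "$got"
    done
}

# count_mismatches FILE: number of keys that deviate from EXPECTED (0 = compliant)
count_mismatches() {
    audit_config "$1" | wc -l | tr -d ' '
}

# missing_keys REF NEW: keys present in REF but absent from NEW, i.e. the
# options a copy of REF would silently introduce onto NEW's server
missing_keys() {
    config_keys "$1" | while read -r key; do
        grep -q "^$key=" "$2" || printf '%s\n' "$key"
    done
}

# install_config SRC DEST: keep a dated backup of DEST, then copy SRC over it.
# cpsrvd is restarted only where the cPanel script actually exists.
install_config() {
    [ -f "$2" ] && cp -p "$2" "$2.bak.$(date +%Y%m%d%H%M%S)"
    cp "$1" "$2" || return 1
    if [ -x /usr/local/cpanel/scripts/restartsrv_cpsrvd ]; then
        /usr/local/cpanel/scripts/restartsrv_cpsrvd
    fi
}

# Demo run against the constructed samples
echo "== keys in server A that deviate from EXPECTED =="; audit_config "$SAMPLE_A"
echo "== keys server B has that server A lacks ==";      missing_keys "$SAMPLE_B" "$SAMPLE_A"
```

Run `missing_keys` in both directions before copying a file between servers: keys the source has and the destination lacks are the ones that may not exist in the destination's cPanel version, and keys the destination has that the source lacks are the ones a blind copy would drop.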

Optional Software Considerations

Many companies stake their reputation on the products and services they provide for cPanel. Some are very notable and even give back to their respective communities by making contributions on various levels (back-ports, donations, expanded compatibility with other platforms). The software options listed here are industry tested to improve the overall security of cPanel servers. None are absolutely essential, but help in trimming down the amount of work you’ll otherwise need to do in order to achieve similar functionality.

CloudLinux

One of my favorite software options, CloudLinux offers an arsenal of security features and measures which makes a cPanel server almost impossible to exploit.

Built right into CloudLinux are multiple PHP versions, all patched with the latest security enhancements, with security fixes back-ported to PHP versions that are no longer maintained upstream. These back-ports make older websites harder to exploit.

CloudLinux offers CageFS, which provides near-complete isolation of cPanel accounts. Enabling this option makes it much safer to offer SSH access to your users, since they cannot read other customers’ web data.

Larry

Larry is an industry expert with almost 20 years of hands on experience. Having done work for dozens of web hosting companies and worked with thousands of clients, he has a unique perspective on The Internet with a wealth of knowledge to share.
