cPanel is a commercial web hosting automation platform widely used for shared hosting, reseller accounts, and VPS management. As a high-value target controlling multi-tenant environments, it requires comprehensive security hardening to protect both server infrastructure and customer data.
Vulnerability Details:
Action Required:
/usr/local/cpanel/cpanel -V/scripts/upcp --force| CVE | Description | Fixed In |
|---|---|---|
| CVE-2026-2474 | Crypt::URandom vulnerability | v132.0.27 |
| CVE-2021-4456 | Net::CIDR vulnerability | v132.0.27 |
| CVE-2025-6965 | SQLite3 vulnerability | v132.0.0 |
| CVE-2025-40927 | CGI::Simple vulnerability | v132.0.0 |
| CVE-2025-40929 | Cpanel::JSON::XS vulnerability | v132.0.0 |
Important: Starting February 25, 2026, cPanel maintains its own fork of CSF (ConfigServer Security & Firewall) focused on critical security and stability fixes.
Impact:
Action Required:
cPanel supports TOTP-based 2FA for all account types. Enable it immediately after installation.
Enable 2FA via WHM:
# Force 2FA for all cPanel accounts
whmapi1 config_set twofactorauth_enabled=1
# Force 2FA for WHM admin access
whmapi1 config_set twofactor_enforce=1
# Set grace period (seconds) before enforcement
whmapi1 config_set twofactor_enforce_grace_period=86400
Enable 2FA via cPanel UI:
Restrict WHM access by IP:
# Edit /etc/hosts.allow
echo "cpwhitelight: 10.0.0.0/24" >> /etc/hosts.allow
echo "cpwhitelight: ALL" >> /etc/hosts.deny
# Or use WHM interface: Security Center → Host Access Control
Configure via WHM:
Disable root SSH login, use sudo:
# Edit /etc/ssh/sshd_config
PermitRootLogin no
# Add admin users to wheel group
usermod -aG wheel admin-user
# Restart SSH
systemctl restart sshd
Least privilege for resellers:
Key restrictions to configure:
| Permission | Recommended Setting | Reason |
|---|---|---|
| Access Control List | Granular per reseller | Limit scope of access |
| Package creation | Disabled for most resellers | Prevent resource abuse |
| Account suspension | Enabled only for trusted resellers | Avoid accidental outages |
| Nameserver management | Disabled | Centralize DNS control |
Configure via WHM:
Configure session timeouts in WHM:
# WHM → Server Configuration → Tweak Settings
# Set the following:
# cPanel session timeout (minutes)
cpanel_session_timeout=15
# WHM session timeout (minutes)
whm_session_timeout=15
# Enable session protection
session_protection=1
Install valid SSL certificate for cPanel/WHM:
# Install Let's Encrypt certificate via WHM
whmapi1 install_ssl certificate='-----BEGIN CERTIFICATE-----...' key='-----BEGIN PRIVATE KEY-----...'
# Or auto-provision via WHM UI:
# WHM → SSL/TLS → Install an SSL Certificate on the Server
Force HTTPS redirects:
# WHM → Server Configuration → Tweak Settings
redirect_to_https=1
Configure strong ciphers in WHM:
Recommended cipher suite (Modern):
TLSv1.3 only + TLSv1.2 with ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
cPanel includes CSF (ConfigServer Security & Firewall):
# Install CSF if not already installed
cd /usr/src
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
# Configure via WHM: Plugins → ConfigServer Security & Firewall
Key CSF settings (/etc/csf/csf.conf):
# Enable/disable firewall
TESTING = "0" # Set to 0 after testing
# Allowed ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096"
TCP_OUT = "20,21,25,53,80,110,443,465,587"
# Rate limiting
LF_CONNTRACK = "50"
LF_TRIGGER = "500"
# Email alerts
LF_ALERT_TO = "admin@example.com"
LF_ALERT_APC = "1" # Port scan alerts
Block countries (if needed):
# In /etc/csf/csf.conf
CC_DENY = "CN,RU,KP,IR" # Add country codes as needed
Enable cPanel’s built-in DDoS protection:
# WHM → Security Center → DDoS Protection
# Enable mod_evasive for Apache
Configure mod_evasive (/etc/apache2/conf.modules.d/):
<IfModule mod_evasive24.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify admin@example.com
</IfModule>
cPanel includes a comprehensive Security Center in WHM. Run all audits:
Key security audits:
Enable via WHM:
# WHM → Security Center → Audits
# Run each audit and apply recommended fixes
Configure PHP security settings:
# WHM → MultiPHP INI Editor
# Set the following for all PHP versions:
expose_php = Off
allow_url_fopen = Off
allow_url_include = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
display_errors = Off
log_errors = On
error_reporting = E_ALL
open_basedir = "/home/user:/tmp:/var/tmp"
upload_max_filesize = 10M
post_max_size = 10M
max_execution_time = 30
Hide server version information:
# WHM → Service Configuration → Apache Configuration → Global Configuration
# Set: Server Signature = Off
# Set: Server Tokens = Prod
Add security headers:
# WHM → Service Configuration → Apache Configuration → Include Editor
# Add to GLOBAL-INCLUDE.conf:
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
cPanel automatically sets permissions, but verify:
# Check home directory permissions
ls -la /home/
# Should be 711 for user directories
# Should be 755 for public_html
# Fix permissions if needed
/scripts/fixperms username
Protect sensitive files:
# .htaccess protection for cPanel config
echo "Order deny,allow
Deny from all" > /home/user/public_html/.htaccess
# Protect .ssh directories
chmod 700 /home/user/.ssh
chmod 600 /home/user/.ssh/authorized_keys
Enable automatic updates:
# WHM → cPanel → Update Preferences
# Select: Release Track (CURRENT, RELEASE, STABLE, LATEST)
# Recommended for production:
# - STABLE for most servers
# - RELEASE for testing before STABLE rollout
# Force update check
/usr/local/cpanel/scripts/upcp --force
Update schedule:
# Add to cron for weekly updates
0 3 * * 0 /usr/local/cpanel/scripts/upcp
cPanel logs location:
| Log File | Purpose |
|---|---|
/usr/local/cpanel/logs/access_log |
cPanel/WHM access |
/usr/local/cpanel/logs/error_log |
cPanel/WHM errors |
/usr/local/cpanel/logs/login_log |
Login attempts |
/var/log/messages |
System messages |
/var/log/secure |
Authentication logs |
/var/log/cpanel/* |
Per-account cPanel logs |
View recent logins:
# Show recent cPanel logins
grep "cpanel\[" /usr/local/cpanel/logs/login_log | tail -50
# Show failed login attempts
grep "Failed" /usr/local/cpanel/logs/access_log | tail -50
# WHM login history
grep "whm\[" /usr/local/cpanel/logs/login_log | tail -50
Set up alerts for:
cPanel’s built-in monitoring:
# WHM → Server Configuration → Tweak Settings
# Enable:
stats_load_interval = "1,5,15"
stats_run_interval = "5"
Rsyslog configuration:
# /etc/rsyslog.d/cpanel.conf
:filename, contains, "cpanel" /var/log/cpanel/central.log
:filename, contains, "cpanel" @syslog.example.com:514
# Restart rsyslog
systemctl restart rsyslog
Filebeat for ELK stack:
# /etc/filebeat/modules.d/cpanel.yml
- module: cpanel
access:
enabled: true
var.paths: ["/usr/local/cpanel/logs/access_log"]
error:
enabled: true
var.paths: ["/usr/local/cpanel/logs/error_log"]
Enable automated scanning:
# WHM → cPanel → Manage Plugins
# Install: ClamAV Scanner
# Configure scan schedule
# WHM → ClamAV Scanner → Scan Configuration
# Enable real-time scanning
/usr/local/cpanel/bin/clamav_scanner --enable-realtime
# Schedule full system scan
0 2 * * * /usr/local/cpanel/bin/clamav_scanner --all-users
Restrict API access:
# WHM → Development → Manage API Tokens
# Create tokens with specific scopes
# API token best practices:
# - Use tokens instead of passwords
# - Set expiration dates
# - Limit to specific IPs
# - Rotate quarterly
Example API call with token:
curl -k -H "Authorization: whm root:TOKEN_HERE" \
https://your-server:2087/json-api/listaccts
Restrict remote MySQL:
# WHM → SQL Services → Remote MySQL
# Only allow specific hosts
# Avoid using % wildcard
# Enable MySQL authentication
require_secure_transport = ON
| Control | Status | Notes |
|---|---|---|
| 2FA enabled for all accounts | ☐ | Enforce via WHM |
| Host access control configured | ☐ | Restrict WHM by IP |
| Valid SSL certificate installed | ☐ | Let’s Encrypt or commercial |
| CSF firewall enabled | ☐ | With country blocking if needed |
| PHP hardening applied | ☐ | Disable dangerous functions |
| Security headers configured | ☐ | HSTS, CSP, X-Frame-Options |
| ClamAV scanning enabled | ☐ | Daily scans recommended |
| Centralized logging configured | ☐ | Forward to SIEM |
| API tokens secured | ☐ | If using WHM API |
| Backup encryption enabled | ☐ | Encrypt off-server backups |
| KernelCare installed | ☐ | Live kernel patching |
| ModSecurity enabled | ☐ | WAF protection |
If you suspect a security breach:
cp -r /usr/local/cpanel/logs /root/cpanel-logs-backup-$(date +%Y%m%d)
/usr/local/cpanel/bin/clamav_scanner --all-users --full-system
grep "action" /usr/local/cpanel/logs/access_log | tail -100