How to secure cpanel server

After installing cpanel in dedicated or vps server, you should make below security check’s on your server to avoid hacking/unwanted access.

Common Settings

Check the below common settings are ON/OFF properly on server.
Home » Server Configuration » Basic cPanel & WHM Setup

• Basic cPanel & WHM Setup : (Contact Information) Update your email address to receive alerts from server.
• Basic Config : Check the server shared IP address whether its correct or not.
• Nameservers : Check once again your nameservers & its IP address are correct.

Home » Account Functions

• Manage Shell Access : Set Disabled Shell to all users.
• Manage Demo Mode : Don’t enable demo mode to any users.

Tweak Settings

Check the below Tweak settings are ON/OFF properly on server.
Home » Server Configuration » Tweak Settings

• Always redirect to SSL : On (When ever if you open cpanel, whm & webmail it will be redirected to https)
• Proxy subdomains : Off
• Horde & RoundCube webmail : Off
• Allow Remote Domains : Off
• Require SSL : On
• Prevent cPanel users from creating specific domains : Off (User’s can’t add or park common Internet domains, Like(gmail.com, yahoo.com,etc..)
• Initial default/catch-all forwarder destination : Fail
• BoxTrapper Spam Trap : Off
• Allow cPanel users to reset their password via email : Off
• Blank referrer safety check : On
• Use cPanel jailshell by default : On
• Email password reset : Off
• Send passwords when creating a new account : Off
• Blank referrer safety check : On
• Referrer safety check : On

Apache Settings

Check the below Apache settings are ON/OFF properly on server.
Service Configuration » Apache Configuration » Global Configuration

• SSL Cipher Suite : ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH PCI
• Trace Enable : Off
• Server Signature : Off
• Server Tokens : ProductOnly
• File ETag : None
• Max Requests Per Child : 1000

PHP Settings

Check the below PHP settings are ON/OFF properly on server.
Home » Service Configuration

• PHP 5 Handler : Should be “suphp”

You may edit your PHP configuration in Basic Mode or in Advanced Mode.

• enable_dl = Off
• register_globals = Off
• disable_functions = “show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen, ini_set”

Note :

You can make this changes from ssh itself @ /usr/local/lib/php.ini

Cpanel Security Center Settings

Check the below Security Center settings are ON/OFF properly on server.
Home » Security Center

• Configure Security Policies : password strength more then 50
• PHP open_basedir Tweak : Enable
• Apache mod_userdir Tweak : Enable
• Compiler Access : Enable
• Manage Wheel Group Users : This group controls which users can use the system’s `su` utility.
• Shell Fork Bomb Protection : Enable
• cPHulk Brute Force Protection : Enable

FTP Settings

Check the below FTP settings are ON/OFF properly on server.
Home » Service Configuration » FTP Server Configuration

• TLS Encryption Support : Disable ( While connecting ftp from FTP client use “Encryption = FTP over TLS”)
• Allow Anonymous Logins : No
• Allow Anonymous Uploads : No
• Allow Logins with Root Password : No

Note :

I have strongly recommended to install free firewall such as CSF or APF for more protection. And finally restart the apache webserver.