In today’s digital age, securing your virtual private server is no longer optional—it’s essential. Especially if you’re using a cPanel to manage websites, emails, and databases, the risks multiply. Hackers are constantly on the lookout for vulnerabilities, and an unsecured VPS can quickly become a playground for cyber threats. Whether you’re a developer, sysadmin, or website owner, locking down your server should be a top priority.
This guide walks you through 20 tips to secure a cpanel VPS keeping your data safe and your server running smoothly. These aren’t generic ideas. We’re talking about real-world techniques that experienced server admins use every day.
1. Keep Your Server OS and Software Updated
Running outdated software is like leaving your front door open. Security patches are released regularly to fix vulnerabilities in the operating system and applications. By not applying them, you leave your system wide open to known exploits.
Use package managers like yum or dnf (for CentOS/AlmaLinux) or apt (for Debian/Ubuntu) to stay updated. Schedule cron jobs for automatic updates if you’re comfortable, or make it a habit to check for updates weekly.
Learn more about cPanel updates here: https://docs.cpanel.net/knowledge-base/cpanel-product/how-to-install-and-update-cpanel-whm/
2. Enable a Firewall (CSF Recommended)
A firewall acts as a filter between your server and the internet, allowing only trusted traffic to come through. CSF (ConfigServer Security & Firewall) is widely used in the cPanel ecosystem. It not only blocks unwanted access but also provides an easy-to-use interface inside WHM.
You can define inbound and outbound rules, block IPs, and even automate responses to suspicious activity.
Install CSF: https://download.configserver.com/csf/install.txt
3. Disable Root SSH Login
Root access grants full control over the server. If an attacker guesses the root password, they can do anything. To mitigate this, create a separate user with sudo privileges and disable root login in the SSH config file:
PermitRootLogin no
Edit the file at /etc/ssh/sshd_config and restart the SSH service with systemctl restart sshd.
4. Use SSH Keys Instead of Passwords
SSH keys use public-key cryptography and are exponentially more secure than passwords. Generate a key pair on your local machine using ssh-keygen, and then upload the public key to your server.
Disable password-based logins by editing /etc/ssh/sshd_config and setting:
PasswordAuthentication n
5. Change the Default SSH Port
Moving SSH from port 22 to a non-standard port reduces the number of automated attacks. While it doesn’t provide true security, it’s a helpful layer of obscurity.
Update your SSH config:
Port 2222
Restart SSH and make sure to open the new port in your firewall.
6. Install and Configure ModSecurity
ModSecurity protects your websites from common attacks like SQL injection, cross-site scripting (XSS), and more. With cPanel, you can install it via EasyApache 4 and configure it directly in WHM.
Choose a rule set like the OWASP Core Rule Set (CRS) to get started. Fine-tune the rules to reduce false positives.
How to set up ModSecurity: https://docs.cpanel.net/whm/security-center/modsecurity-configuration/
7. Scan for Malware Regularly
Even with good firewall rules and software, malware can sneak in through weak passwords or vulnerable plugins. Use scanners like ImunifyAV or ClamAV to catch threats early.
Set up cron jobs for scheduled scans and review logs to ensure malware isn’t lingering on your server.
ImunifyAV: https://www.imunify360.com/imunifyav
8. Use Two-Factor Authentication (2FA) for WHM/cPanel
2FA drastically reduces the risk of account compromise. It requires a second form of verification, like a mobile app code, after entering your password.
Enable it via WHM under “Security Center” > “Two-Factor Authentication,” and require users to enroll.
2FA Setup: https://docs.cpanel.net/whm/security-center/two-factor-authentication/
9. Harden PHP Configuration
PHP is one of the most targeted languages in web hosting. Disable functions in your php.ini file that allow system-level access:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec
Also set:
expose_php = Off
10. Enable cPHulk Brute Force Protection
cPHulk is a cPanel feature that blocks repeated failed login attempts. It helps prevent brute-force attacks on services like SSH, WHM, and FTP.
Set thresholds, ban durations, and whitelist trusted IPs to avoid locking yourself out.
More info: https://docs.cpanel.net/whm/security-center/cphulk-brute-force-protection/
11. Limit User Permissions
Grant users the minimum required permissions. Don’t give shell access unless absolutely necessary. Monitor file uploads and scripts to ensure users aren’t uploading malware or abusing resources.
Use WHM’s Feature Manager to limit what users can do within their cPanel accounts.
12. Use CageFS for Shared Hosting
CageFS is part of CloudLinux and helps isolate users on shared hosting servers. It prevents users from seeing each other’s files and accessing sensitive directories.
It also virtualizes the file system, meaning compromised accounts can’t affect others.
Learn about CageFS: https://docs.cloudlinux.com/cloudlinux_os_components/#cagefs
13. Monitor Logs and Set Alerts
Review log files like:
/var/log/messages
/var/log/secure
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
Tools like Logwatch can email you daily reports. Fail2Ban can also monitor logs for suspicious patterns and block malicious IPs.
14. Disable Unused Services
Check running services with netstat or ss and stop anything unnecessary:
systemctl stop FTP
systemctl disable ftp
Each service you remove is one less opportunity for attackers.
15. Secure MySQL and phpMyAdmin
Use mysql_secure_installation to harden your MySQL installation. Set strong passwords, remove anonymous users, and disable remote root login.
If using phpMyAdmin, restrict access with .htaccess or allow access only from specific IPs.
16. Install SSL Certificates
SSL certificates encrypt data between your server and clients. cPanel makes it easy with AutoSSL, which automatically renews certificates for all domains.
Enable it in WHM > “Manage AutoSSL” and choose Let’s Encrypt or Sectigo.
SSL in cPanel: https://docs.cpanel.net/whm/security-center/manage-autossl/
17. Back Up Regularly (and Store Backups Offsite)
Automated backups won’t help if they’re stored on the same server that gets hacked. Set up remote backups to Amazon S3, Google Drive, or a remote FTP server.
Encrypt your backups and schedule them during off-peak hours to reduce load.
18. Set Up Rate Limiting
Rate limiting can prevent DDoS attacks and brute-force login attempts. Use mod_evasive or mod_qos to detect and block abusive traffic.
You can also use firewall rules to block IPs making too many requests in a short time.
19. Use Antivirus and Rootkit Detection
Install tools like:
- rkhunter for rootkit detection
- chkrootkit for signature-based detection
- LMD (Linux Malware Detect) for user-space malware
Set these tools to run regularly via cron and alert you on findings.
rkhunter guide: https://www.tecmint.com/install-rkhunter-rootkit-scanner-in-linux/
20. Disable Directory Listing
To prevent users from viewing contents of folders without an index file,
add this to your .htaccess or Apache config
Options -Indexes
This stops prying eyes from browsing your directories and finding files they shouldn’t see.
Final Thoughts
Securing your cPanel VPS doesn’t have to be overwhelming. By following these 20 actionable tips, you’re significantly reducing your risk of being compromised. Make security a habit, not a one-time task. Regular audits, monitoring, and updates are key.
Each layer you add strengthens your defense, making it that much harder for attackers to find a way in. Be proactive. Review your server configuration monthly, and stay informed about emerging threats.
And remember: security is a journey, not a destination.
If you’re serious about keeping your data safe, start with these steps today.