πŸš€ Secure & Optimise a cPanel Server (2025)

By /

Secure & Optimise a cPanel Server guide, updated for modern best practices, current WHM/cPanel versions (e.g., 126+), and modern Linux distros (e.g., AlmaLinux 9/CloudLinux 9):

⚠️ Disclaimer: This is a general guide, not a guarantee. Use at your own risk. If in doubt, consult a professional system administrator.

βœ… Keep All Software Updated

Update via WHM:

  • WHM Β» cPanel Β» Upgrade to Latest Version
  • WHM Β» Software Β» EasyApache 4
  • WHM Β» System Update (for OS packages)

Command line update:

dnf update -y && dnf upgrade -y

βš™οΈ Tweak Settings (WHM)

WHM Β» Server Configuration Β» Tweak Settings

SettingRecommended Value
Require SSLOn
Allow Remote DomainsOn
Allow unregistered domainsOn
Hide login password from CGI scriptsOn
Conserve memoryOff
Enable SPF on domains for new accountsOn
Default catch-all forwarder destinationFail
Track email origin via X-Source headersOn
Use pigz for compressionOn
Use jailshell by defaultOff
Prevent β€œnobody” from sending mailOn
Critical load thresholdAutodetect
PHP max POST size (UI)155M
PHP max upload size (UI)100M
Enable BoxTrapperOff
PHP loaderionCube
Set timezoneEurope/London

πŸ” Secure cPanel & WHM Settings

Security Center:

  • βœ… Enable php open_basedir Protection
  • βœ… Enable mod_userdir Protection
  • βœ… Enable Shell Fork Bomb/Memory Protection
  • βœ… Disable compilers (except root)
  • βœ… Enable cPHulk Brute Force Protection
  • βœ… Remove all users from Wheel Group (except root and your main admin)
  • βœ… Run Quick Security Scan
  • βœ… Enable Background Process Killer
  • βœ… Disable Shell Access for all accounts (except root/main)
  • βœ… Disable Anonymous FTP (WHM Β» FTP Configuration)
  • βœ… Change MySQL root password (WHM Β» SQL Services)
  • βœ… Apache:
    • ServerSignature: Off
    • ServerTokens: ProductOnly

🧾 Set SSH Legal Login Banner

nano /etc/motd

Example:

ALERT! You are entering a secured area! Your IP and login information have been recorded.
System administration has been notified. This system is restricted to authorised access only.
All activities on this system are recorded and logged. Unauthorised access will be thoroughly
investigated and reported to the appropriate law enforcement agencies.

Save and exit: CTRL+X β†’ Y β†’ Enter

πŸ” SSH Hardening (AlmaLinux 9 / CloudLinux 9)

Edit the SSH config:

nano /etc/ssh/sshd_config

Recommended changes:

Port 5678            # use a non-standard port
Protocol 2
PermitRootLogin no   # use sudo instead
PasswordAuthentication no  # use SSH keys
UseDNS no

Restart SSH:

systemctl restart sshd

Open SSH port in firewall:

firewall-cmd --permanent --add-port=5678/tcp
firewall-cmd --reload

🐘 PHP Configuration

Via WHM Β» MultiPHP INI Editor or edit php.ini:

memory_limit = 512M
max_execution_time = 300
max_input_time = -1
upload_max_filesize = 100M
post_max_size = 100M
enable_dl = Off
disable_functions = system, exec, shell_exec

🧱 EasyApache 4 Profile

Use: All PHP Options + OpCache

Enable extensions: ionCube, OPcache, imagick, zip, intl, etc.

πŸ”₯ Install and Configure CSF (ConfigServer Security & Firewall)

dnf install perl-libwww-perl perl-LWP-Protocol-https -y
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Initial CSF Settings:

TESTING = 0
RESTRICT_SYSLOG = 2
SMTP_BLOCK = 1
TCP_IN = 20,21,22,28,53,80,110,143,443,465,587,993,995,2077-2096,30000:35000

Optional performance adjustments:

LF_EMAIL_ALERT = 0
LF_DIRWATCH = 0
LF_INTEGRITY = 0
CT_EMAIL_ALERT = 0
PT_LIMIT = 0
PS_EMAIL_ALERT = 0

πŸ”— Passive FTP Fix (Pure-FTPd)

If passive FTP fails, set:

nano /etc/pure-ftpd.conf

Add:

PassivePortRange 30000 35000

Restart:

systemctl restart pure-ftpd

And ensure ports are open in CSF:

TCP_IN = 30000:35000

🚫 Disable Telnet (if present)

nano /etc/xinetd.d/telnet

Set:

disable = yes

Then:

systemctl restart xinetd
systemctl stop xinetd

Also block via /etc/hosts.deny:

echo "in.telnetd : ALL : severity emerg" >> /etc/hosts.deny

🧠 Bonus Tips

  • βœ… Enable Imunify360 for AI-powered security
  • βœ… Enable KernelCare for rebootless kernel updates
  • βœ… Install ClamAV if you’re hosting email accounts
  • βœ… Limit PHP versions to supported releases (e.g., 8.1, 8.2, 8.3)
  • βœ… Regularly audit accounts & installed plugins
Scroll to Top