🚀 Secure & Optimise a cPanel Server (2025)

Secure & Optimise a cPanel Server guide, updated for modern best practices, current WHM/cPanel versions (e.g., 126+), and modern Linux distros (e.g., AlmaLinux 9/CloudLinux 9):

⚠️ Disclaimer: This is a general guide, not a guarantee. Use at your own risk. If in doubt, consult a professional system administrator.

✅ Keep All Software Updated

Update via WHM:

WHM » cPanel » Upgrade to Latest Version
WHM » Software » EasyApache 4
WHM » System Update (for OS packages)

Command line update:

dnf update -y && dnf upgrade -y

⚙️ Tweak Settings (WHM)

WHM » Server Configuration » Tweak Settings

Setting	Recommended Value
Require SSL	On
Allow Remote Domains	On
Allow unregistered domains	On
Hide login password from CGI scripts	On
Conserve memory	Off
Enable SPF on domains for new accounts	On
Default catch-all forwarder destination	Fail
Track email origin via X-Source headers	On
Use pigz for compression	On
Use jailshell by default	Off
Prevent “nobody” from sending mail	On
Critical load threshold	Autodetect
PHP max POST size (UI)	155M
PHP max upload size (UI)	100M
Enable BoxTrapper	Off
PHP loader	ionCube
Set timezone	Europe/London

🔐 Secure cPanel & WHM Settings

Security Center:

✅ Enable php open_basedir Protection
✅ Enable mod_userdir Protection
✅ Enable Shell Fork Bomb/Memory Protection
✅ Disable compilers (except root)
✅ Enable cPHulk Brute Force Protection
✅ Remove all users from Wheel Group (except root and your main admin)
✅ Run Quick Security Scan
✅ Enable Background Process Killer
✅ Disable Shell Access for all accounts (except root/main)
✅ Disable Anonymous FTP (WHM » FTP Configuration)
✅ Change MySQL root password (WHM » SQL Services)
✅ Apache:
- ServerSignature: Off
- ServerTokens: ProductOnly

🧾 Set SSH Legal Login Banner

nano /etc/motd

Example:

ALERT! You are entering a secured area. Your IP and login have been logged.
Unauthorized access is prohibited and will be reported.

Save and exit: CTRL+X → Y → Enter

🔐 SSH Hardening (AlmaLinux 9 / CloudLinux 9)

Edit the SSH config:

nano /etc/ssh/sshd_config

Recommended changes:

Port 5678            # use a non-standard port
Protocol 2
PermitRootLogin no   # use sudo instead
PasswordAuthentication no  # use SSH keys
UseDNS no

Restart SSH:

systemctl restart sshd

Open SSH port in firewall:

firewall-cmd --permanent --add-port=5678/tcp
firewall-cmd --reload

🐘 PHP Configuration

Via WHM » MultiPHP INI Editor or edit php.ini:

memory_limit = 512M
max_execution_time = 300
max_input_time = -1
upload_max_filesize = 100M
post_max_size = 100M
enable_dl = Off
disable_functions = system, exec, shell_exec

🧱 EasyApache 4 Profile

Use: All PHP Options + OpCache

Enable extensions: ionCube, OPcache, imagick, zip, intl, etc.

🔥 Install and Configure CSF (ConfigServer Security & Firewall)

dnf install perl-libwww-perl perl-LWP-Protocol-https -y
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Initial CSF Settings:

TESTING = 0
RESTRICT_SYSLOG = 2
SMTP_BLOCK = 1
TCP_IN = 20,21,22,28,53,80,110,143,443,465,587,993,995,2077-2096,30000:35000

Optional performance adjustments:

LF_EMAIL_ALERT = 0
LF_DIRWATCH = 0
LF_INTEGRITY = 0
CT_EMAIL_ALERT = 0
PT_LIMIT = 0
PS_EMAIL_ALERT = 0

🔗 Passive FTP Fix (Pure-FTPd)

If passive FTP fails, set:

nano /etc/pure-ftpd.conf

Add:

PassivePortRange 30000 35000

Restart:

systemctl restart pure-ftpd

And ensure ports are open in CSF:

TCP_IN = 30000:35000

🚫 Disable Telnet (if present)

nano /etc/xinetd.d/telnet

Set:

disable = yes

Then:

systemctl restart xinetd
systemctl stop xinetd

Also block via /etc/hosts.deny:

echo "in.telnetd : ALL : severity emerg" >> /etc/hosts.deny

🧠 Bonus Tips

✅ Enable Imunify360 for AI-powered security
✅ Enable KernelCare for rebootless kernel updates
✅ Install ClamAV if you’re hosting email accounts
✅ Limit PHP versions to supported releases (e.g., 8.1, 8.2, 8.3)
✅ Regularly audit accounts & installed plugins