WHM/cPanel Hardening & Security

WHM – Account Functions:

Disable cPanel Demo Mode
Disable shell access for all accounts (except root)


Set a MySQL password (don’t reuse the password used for root access)

- If you don’t set a MySQL password, someone will be able to log in to the DB with
username “root” without a password and delete/edit/download any DB on the server.

WHM – Service Configuration – Apache Configuration – PHP and SuExec Configuration

Enable suEXEC – suEXEC = On
When PHP runs as an Apache module, it executes as the user/group of the
web server, which is usually “nobody” or “apache”. suEXEC changes this so
that scripts are run as CGI. That means scripts are executed as the user
that created them. With suEXEC, script permissions can’t be set to
777 (read/write/execute at user/group/world level).

Optimization & Security

Keep all services and scripts up to date and make sure that you are running the latest secured version.

Enable symlink security patch from the following link


WHM – Tweak Security:

* Secure tmp
* Apache server signature turned off
* Disabled Directory Listing
* cPHulk Brute Force Protection
* Shell Fork Bomb Protection
* SMTP Tweak
* Compiler Access
* Apache mod_userdir Tweak
* PHP open_basedir Tweak

* Disable Compilers for all accounts (except root)
* Disable Anonymous FTP
* Disable shell access for all other users.

PHP Security


php -i | grep php.ini
Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini
This means the file to edit is /usr/local/lib/php.ini

php.ini & disabled functions
safe_mode = On            ; removed in PHP 5.4
expose_php = Off
enable_dl = Off
magic_quotes_gpc = On     ; removed in PHP 5.4
register_globals = Off    ; removed in PHP 5.4
display_errors = Off
; keep the list on a single line
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd

# service httpd restart
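
As an added example (not part of the original post), the shell function below audits a php.ini for the directives from the list above that current PHP versions still support: expose_php, enable_dl, display_errors and disable_functions. The names ini_get, audit_php_ini and sample_ini and the sample file contents are constructed for illustration.

```shell
# Functions the page says to disable.
REQUIRED_DISABLED="system show_source symlink exec dl shell_exec passthru phpinfo escapeshellarg escapeshellcmd"
# Print the last value assigned to directive $2 in ini file $1.
ini_get() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                      # whole-line comment
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (tolower(k) != key) next
            v = substr($0, index($0, "=") + 1)
            sub(/[ \t]*;.*$/, "", v)             # trailing comment
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)     # surrounding blanks and quotes
            val = v
        }
        END { print val }' "$1"
}

# Print one FAIL line per deviation; return 1 if there was any, else 0.
audit_php_ini() {
    ini=$1; rc=0
    for d in expose_php enable_dl display_errors; do
        v=$(ini_get "$ini" "$d" | tr 'A-Z' 'a-z')
        case $v in
            off|0|false|no|none) ;;
            *) echo "FAIL $d = ${v:-<not set>} (want an explicit Off)"; rc=1 ;;
        esac
    done
    # The ini format has no line continuation: a wrapped list ends at the newline.
    disabled=$(ini_get "$ini" disable_functions | tr -d ' \t' | tr ',' ' ')
    for f in $REQUIRED_DISABLED; do
        case " $disabled " in
            *" $f "*) ;;
            *) echo "FAIL disable_functions lacks $f"; rc=1 ;;
        esac
    done
    return $rc
}
# Constructed sample: display_errors left on, function list wrapped over two lines.
sample_ini() {
    cat <<'EOF'
[PHP]
expose_php = Off
enable_dl = Off
display_errors = On   ; constructed misconfiguration
disable_functions = system, show_source, symlink, exec, dl,
shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
EOF
}
tmp=$(mktemp) && sample_ini > "$tmp" && { audit_php_ini "$tmp" || true; }; rm -f "$tmp"
```

To check a live server, pass the file reported by php -i, for example: audit_php_ini /usr/local/lib/php.ini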


Limit compiler

The permissions of the gcc and perl binaries should be 750

cd /usr/bin

chmod 750 *cc*
chmod 750 *++*
chmod 750 ld
chmod 750 as
chmod 755 mysqlaccess

Binary Hardening

chmod 755 /usr/bin/wget
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/scp

Install Packages

Zend Optimizer

Snoopy logger


Install Logcheck


Firewall – DDoS Protection

CSF Installation
Install Anti-Virus.

* Linux Malware Detect ( LMD )

* ClamAV
* Log in to your WHM, then go to the following and enable it: cPanel > Manage Plugins

* Rootkit
* Use latest stable release

Secure SSH

Recommended Security Tweak Settings Checklists

Blank referrer safety check: On
Require SSL: On
Enable HTTP Authentication: Off
Security Tokens: On
Cookie IP Validation: On
Proxy Subdomain Creation: Off
Block Common Domains Usage: On
Initial default/catch-all forwarder destination: Fail
Max hourly emails per domain
Enable SpamAssassin spam filter: On

