How to Secure Your cPanel VPS? – Actionable Tips

How to Secure Your cPanel VPS? - Actionable Tips

In 2012, Sophos estimated that more than 30,000 websites are hacked every day. Given how much the internet has grown over the last few years, the current number is likely much higher.

As an owner of a cPanel VPS that can host multiple websites, you have a sizeable target painted on your back. Luckily, the setup you’ve chosen has many mechanisms to protect your virtual server.

Today, we’ll see what they are…


Table of Contents:

Why cPanel VPS Hosting?

Great VPS Hosting Use Cases

Cpanel VPS Hosting Security – Tips and Tricks

ScalaHosting and VPS Security



Why cPanel VPS Hosting?

First, let’s see why a cPanel VPS is one of the best possible hosting platforms you can choose.

Shared hosting may be the cheapest available solution, but it’s riddled with problems. You utilize the same system resources as dozens of other users, so you can never be sure whether the performance will be up to par. The implications of sharing an IP with multiple other users could also be serious, especially if your “neighbors” decide to send spam.

A Virtual Private Server gives you much better security and more reliable performance. You get guaranteed hardware resources reserved just for you and available all the time. As you will be the only one using it, you don’t need to worry about getting your dedicated IP blacklisted, either.

You have the entire server to yourself, so the host allows you full control over the machine. A VPS is extremely flexible when it comes to customizations and can do wonders…if you know what you’re doing.

WHM & cPanel ease the client’s burdens when it comes to server management. With them, you get all the tools you need to create the best possible hosting environment with minimum technical work. The management platform streamlines and automates many of the administration tasks. In the case of organizations, this can be an amazing time saver, and Time often equals Money in the business world. 

Great VPS Hosting Use Cases

A VPS acts as a standalone dedicated server. It has its own operating system, an underlying hardware setup, and an IP address. As a result, it can do pretty much anything a dedicated server can.

Among other things, you can use it as:

  • a file storage facility
  • an offsite backup facility
  • a testbed for new applications
  • a mail server
  • a game server
  • a VoIP server
  • a Virtual Private Network

When it comes to web hosting, VPS solutions are perfect for websites that need reliable performance and a high level of security. These include online shops, e-learning platforms, and media outlets.

Cpanel VPS Hosting Security – Tips and Tricks

Although a single physical machine can host multiple virtual servers, the virtualization technology that powers VPS hosting allows for a completely isolated environment.

Compared to a shared server, it’s a much more secure setup, but you should always strive for more if you want to achieve the level of protection suitable for a successful online business. 

You might be surprised to learn just how much WHM & cPanel can help you out. Here’s where to start.

Set up a firewall

A firewall is one of the first tools a sysadmin uses to protect a server or a network. Its job is to follow preset policies to keep the bad traffic out and let the good one in.

Since we are talking about cPanel VPS platforms, your virtual server runs Linux and has a firewall utility called Iptables. You can try to configure it on your own, but since you have cPanel & WHM, you’re much better off navigating through their intuitive Graphical User Interface (GUI).

Many server owners use ConfigServer Security & Firewall (CSF). You would need root SSH access and a couple of commands to install it on the server, and you can then activate and configure it through WHM. Because it’s so widely used, there is plenty of information available online on setting it up correctly.

CSF has proven its worth as a firewall utility, and it can help you immensely if someone decides to launch a DDoS attack against your server, for example.

A good idea is to also install a Web Application Firewall (WAF) to protect your site against cross-site scripting attacks, SQL injections, and other attacks.

There are quite a few WAFs available on the market, but ModSecurity remains a firm favorite for many. One reason for its popularity is its easy integration with WHM & cPanel. ModSecurity is part of the Apache module, and you can activate it in WHM with a couple of mouse clicks.

Malware and virus protection

Running a Linux server means you have fewer security concerns than you would have had with a Windows machine. 

It’s dangerous to run a virtual server without a malware scanner that periodically checks for malicious code and infected files. 

For cPanel servers, the two most popular malware scanners are ClamAV and ImunifyAV.

The appeal comes from the fact the two offer relatively seamless integration with WHM & cPanel. Both can be activated in WHM and have pretty much equal malware detection capabilities.

That said, although there are a few GUI options, properly configuring ClamAV may require some command-line work. Meanwhile, ImunifyAV is easier to use, but you can only initiate its scans via WHM. Plus, the free version lacks a few essential features.

Spam filters

Minimizing the number of unsolicited emails that land in your inbox is essential. If you don’t have any protection in place, junk mail could quickly fill up your account’s quota, making you miss essential communication.

In a corporate environment, spam filters are even more critical. Attackers often target phishing campaigns against click-happy employees, and the results can sometimes be devastating.

WHM & cPanel come with Apache’s SpamAssassin – a tried and tested spam filter, often pre-installed and enabled by default on a cPanel VPS. If you suspect it might not be working properly, you can always check whether it’s turned on in WHM’s Service Manager.

Individual cPanel users have another way of filtering junk mail. You can take advantage of a tool called BoxTrapper to request additional action from senders of suspicious-looking messages before delivering them to the recipient’s inbox. The idea is to stop junk mail sent by automated scripts.

Strong passwords

According to Verizon, weak passwords sit at the bottom of an estimated 81% of all data breaches, highlighting people’s lack of respect for the importance of login credentials.

With login data leaking left, right, and center, the problem is no longer concerning weak passwords alone. Reused credentials are just as dangerous because they enable hackers to use a single data breach to compromise multiple accounts.

For years, security experts have been advocating the use of reputable password management solutions for creating and storing login credentials. There are plenty of free and premium options out there, and they all guarantee you’ll be able to protect your accounts with unique, impossible-to-guess passwords.

As yet another precaution, you can use WHM & cPanel’s two-factor authentication system. With it, every time you try to log into WHM or cPanel, you’ll need to provide a temporary security code in addition to a valid username and password. The idea is that a hacker who has stolen your login credentials won’t be able to access your server without your phone device.

Limit admin access

By default, you can use any IP to manage your cPanel VPS. This is convenient if you’re working on your server on the move, but it’s hardly the most secure setup. What’s more, you are much more likely to control the server from a single network with a static IP.

WHM’s Host Access Control gives you the option of allowing or denying individual IPs access to the following services:

  • cPanel
  • WHM
  • SSH
  • FTP
  • SMTP
  • IMAP
  • POP3
  • Webmail
  • Web Disk

Using the Host Access Control tool, you can effectively block any hacking attempts from the outside world. You just need to be careful not to disrupt the work of other users who need access to the VPS or the website backend.

Keep everything updated

Most modern websites are built using Content Management Systems. Their owners manage them through a point-and-click backend interface that requires little to no skills to navigate around.

Behind the scenes, however, there are millions of lines of code. Some bugs will inevitably pop up, and they could easily open the doorway for attackers. 

Security specialists and developers spend a lot of time identifying vulnerabilities and producing patches for them. Still, it’s your responsibility to install the patches, and you should do so promptly after their release.

The only way to ensure you’re as well protected as possible is to regularly update every piece of software and associated plugins installed on your server.

Cpanel’s automatic updates are enabled by default, and if you use WordPress – you have access to the WordPress Toolkit. It features an auto-update functionality for the CMS core, the themes, and the plugins. 

Secure offsite backups

You can’t take anything for granted in the online world, and you must be prepared for the worst. You probably already know that you need to have a backup of your data at all times, but you have to bear in mind that this is not enough.

If you keep your backups on the same VPS, a potential hardware failure can lead to terminal data loss. Your home computer might seem like an alternative option, but it’s not that viable, especially if your website is big.

Your best bet is to store your backups on a remote server.

You don’t need to install any additional tools or services to have an automatic offsite backup system. Through WHM’s Backup Configuration interface, you can configure your server’s scheduled backups to your exact requirements and schedule the system to send your archived site copies to a remote server of your choice.

SSL certificates

SSL certificates utilize the Transport Layer Security (or TLS) protocol to encrypt the flow of information between your site visitors and the hosting server. Without them, the data would be transmitted in plain text and easily intercepted or altered.

An SSL certificate also verifies the site’s identity and confirms the visitor’s connection to the right server.

In the past, getting an SSL certificate used to cost a lot of money, and installing it was usually a manual process done by the hosting provider’s support team. Nowadays, however, certificate authorities like Let’s Encrypt offer free SSL certificates. Thanks to WHM’s AutoSSL tool, deploying certificates across different projects is completely automated.

Cpanel also has an SSL manager, which lets you control certificates for individual websites.

Server monitoring

If you see that something’s not quite right with your VPS, you need to be able to quickly determine where the problem lies. Even if all seems well – you must have easy access to analytics telling you exactly how your server is doing and what you may need to improve.

WHM has all this data and more.

It integrates several different tools, giving you vital information on resource usage, uptime, and load averages over a set period of time. You can also see all the running services, processes, and their status.

With all this information, you can get an insight into how well you’re utilizing your server, draw a growth plan, and, crucially, spot potential security problems.

ScalaHosting and VPS Security

At ScalaHosting, we firmly believe that VPS hosting is at the heart of our industry’s future. For over a decade, we’ve been working hard to make our virtual private servers more reliable, affordable, and secure.

All of our VPS solutions are based on KVM virtualization, and thanks to our partnership with DigitalOcean – you can now choose from 11 centers spread around the world.

With our managed VPS plans, you can opt to use cPanel & WHM to take full advantage of its numerous security features. Alternatively, you can choose a much more affordable solution that is just as powerful.

SPanel is an all-in-one management solution designed specifically for ScalaHosting’s virtual private servers. It’s our answer to cPanel’s 2019 pricing policy changes, and its goal is to allow users to have a reliable, fully managed VPS service at a reasonable price. SPanel is equipped with all the tools and features you need to operate your projects in the best possible hosting environment.

SPanel VPS servers also come with an innovative security system called SShield. It monitors your server in real-time, and it uses artificial intelligence to block almost all known attacks. If it does detect an unusual behavior – it informs the client immediately.

Because we developed SPanel and SShield ourselves, we can offer them as a part of our managed VPS hosting plans at no additional cost. This enables us to have some of the most competitively-priced managed virtual servers on the market.


Security is a major aspect of running a virtual private server, and there are many things you need to think about, especially on a self-managed VPS. To protect your server properly, you have to know what the main threats are, so you can build a strategy that covers as many scenarios as possible.

This may sound like an extremely complicated job, but the truth is, WHM & cPanel have plenty of options to make your hosting life a whole lot easier. 


Do I need WHM & cPanel on my VPS?

Strictly speaking, you don’t necessarily need WHM or cPanel for your VPS. There are a number of other web hosting control panels that help you manage your virtual server, and you can even try and operate everything without such a panel.

However, WHM/cPanel’s wide range of tools and features makes the management platform a firm favorite with millions of site owners.

What are the security threats to VPS servers?

A virtual private server acts as an independent physical machine. All online threats applicable to dedicated servers are also valid for VPS machines, meaning the proper configuration and secure setup are absolutely essential.

Poor security setup, weak passwords, lack of updates, and utilizing unlicensed software are just a few of the vulnerabilities hackers exploit as means to get to your account and website.

Can cPanel be hacked?

By default, WHM & cPanel work with a simple username-and-password login mechanism, and there’s no way of changing the login URL. In theory, if the hackers know (or guess) your login credentials, they will be able to break in. You have plenty of tools to stop their attacks, though.
Utilizing two-factor authentication, restricting access to the login URL, and using cPanel’s built-in brute force protection are just a few of the ways to avoid unwanted breaches.

Borislav Tonev


Borislav is a copywriter with a keen eye for detail and a fascination for information technology that dates back to his childhood. During his content writing career, he has covered and analyzed a wide variety of subjects and topics, but he admits that helping readers figure out how the World Wide Web works has always been the most exciting challenge.

Write a Comment