How to Protect Your Website With cPanel (7 Essential Tips)

  • Feb 25, 2022
  • by A2 Security Team

With malware attacks increasing by 385% in 2020, site security is more important than ever. However, keeping your site safe from ransomware, malware, and other malicious activity can be a challenging and time-consuming task. 

Fortunately, there are many ways to protect your website from the threat of malware and other cybersecurity issues. Many hosting providers enable customers to configure a range of site security settings using the popular Linux control dashboard cPanel.

In this post, we’ll explain what website security is and why it’s important. We’ll also provide seven actionable tips that you can use to improve your site security and protect your website with cPanel. Ready? Let’s get started!

Why Protecting Your Website Is Important

It takes time and money to create a high-quality website for your business. However, without the right level of security, you could be putting your site at risk. 

According to cybersecurity statistics published by Forbes, one in three Americans has been a victim of ransomware attacks, and only five percent of companies ensure that their folders are properly protected. That’s why it’s so important for site owners to take steps to secure their websites on a regular basis.

However, although protecting against cybercrime is one of the main benefits of maintaining good site security protocols, there are also some other benefits, including: 

  • It helps to keep your employees safe. In the same way that your website can be at risk of malware attacks, your workers can be too. Viruses can pass from device to device. Therefore, if your site becomes infected, the devices your team members use to access the site may become compromised too.
  • It can prevent your website from going down. Site owners should aim for as little website downtime as possible. Good cybersecurity measures can help you achieve this. By putting protective measures in place before attacks happen, you can prevent malware from causing issues that make you take your site offline to fix them. 
  • It can inspire confidence in your customers. For online businesses, reputation is everything, even when it comes to your website. By following good cybersecurity protocols and sharing this with your customers, you can help them feel safe and secure when using your site. 

Next, we’ll take a look at cPanel, a commonly used control panel for WordPress sites. You can use it to make your website more secure without investing in any expensive plugins. 

A Brief Introduction to cPanel

cPanel is a control application that enables you to carry out server tasks for your WordPress website:

The cPanel dashboard

It isn’t the only application of this type available, but it’s the most commonly used Linux control panel. cPanel provides users with an easy-to-use interface for carrying out essential server-side maintenance tasks, including:

  • File management
  • Database management 
  • Email management
  • Site backups 

It can make your site easier to manage due to its automated processes and 24/7 support team. As such, it could be worth considering if you’re looking to save time and effort on your website management.

There are also several ways in which you can use cPanel to enhance cybersecurity. Next, we’ll take a look at some of the things you can do to protect your website with this application. 

How to Protect Your Website With cPanel (7 Essential Tips)

There are many site security plugins that you can use to enhance your cybersecurity. However, many of these are premium plugins that aren’t available for free. By using cPanel, you can secure your website using tools already at your disposal, so you don’t have to spend a penny. Here are our top seven tips for protecting your website with cPanel.

1. Update cPanel Regularly

Outdated elements on your website can lead to serious vulnerabilities. This is also true for cPanel. If it isn’t up to date, you could be leaving your site open to attacks and breaches. 

Additionally, you could be missing out on access to new security features by using an outdated version. Updates are used to fix bugs, add new features, and improve the security of cPanel. As such, it could be a good idea to ensure that you are always using the latest version of the software.

The good news is that keeping cPanel up to date is fairly easy. Depending on your hosting package, you may not need to manually update it at all, as the system administrators may take care of it for you.

If you do need to update it manually, start by logging into WebHost Manager (WHM). In the upper right corner of the main WHM screen, you should be able to see the current version of cPanel you’re running:

The WHM dashboard showing the current version of cPanel

If a new version is available, you’ll also see a box just underneath this giving you the option to Update Now. All you have to do is click on this and wait for it to finish upgrading (it might take a while). Note that the Update Now box isn’t visible in the image above, as we’re currently already running the latest stable build. 

2. Choose Strong Passwords and Regularly Update Them

It’s imperative to ensure that all of your site entry points are protected by strong passwords. Without secure passwords in place, seasoned cybercriminals can easily infiltrate your site and install malware. 

Thankfully, with cPanel, it’s easy for you to reset your password. It even comes with a password generator to help you protect your site using strong credentials. To keep your site as safe as possible, it’s recommended that you change all passwords on a regular basis. Changing them around once a month is usually sufficient.

To change your cPanel password, log in and head to the Preferences tab, then click on Passwords and Security:

The password and security section of the cPanel dashboard

Next, you’ll be prompted to input your old password, as well as your new updated password. You’ll also see a score that tells you how weak or strong your credentials are. If your chosen password is too weak, you might want to click on Password Generator instead. This will automatically generate a new, stronger login: 

The change password interface

Once you’ve done that, copy the generated password and paste it into the New Password field. Also, be sure to save it in a secure location that you can access in case you forget it and need a reminder. 

When you’re ready, click on Save Password Now! Once you’ve done that, your update should be complete, and you can start using your new credentials. 

3. Password Protect Your Vulnerable Directories 

In addition to having a strong password for your cPanel account, it’s equally important to password protect your vulnerable directories. Doing this in cPanel enables you to limit access to certain content for specific users.

Once you’ve added password protection to a directory, your site will prompt visitors to enter a username and password in their web browsers before they can access it. This helps to keep sensitive content secure from unauthorized access.

To add password protection to a directory, start by logging into cPanel. Next, scroll down to the Files section and click on Directory Privacy:

The cPanel dashboard with the Directory Privacy icon highlighted

Here, you should be able to see a list of all your directories. Click on Edit next to the name of the folder you want to protect. On the next page, tick the box next to the text that says Password protect this directory. Then, type in a name for the protected directory below and click on Save:

The directory privacy permissions interface showing a textbox where the user can enter a name for the protected directory

Once you’ve done that, you should see a brief ‘success’ message. Click on Go Back, then enter a Username and Password in the appropriate text boxes, and then click on Save.

Note: You can also automatically generate a strong password by clicking on the Password Generator button:

A screenshot of how to create a user in cPanel

If you ever want to remove the password protection, repeat the steps above to navigate to the directory again. Then, clear the Password protect this directory checkbox.

4. Enable cPHulk Brute-Force Protection

cPHulk is another useful service provided by cPanel that helps to protect your server against brute force attacks. These attacks involve an attacker using an automated system to attempt to guess your username and passwords by repeatedly trying different combinations in rapid succession.

Using cPHulk through cPanel will enable you to block the IP address or accounts exhibiting suspicious behavior automatically. This prevents attackers from carrying out any further attempts to log in, thus preventing them from gaining unauthorized access and installing malware on your site.

To enable cPHulk Brute-Force protection, you’ll first need to log in to WHM. From there, navigate to Security Center in the left-hand sidebar, and click on cPHulk Brute Force Protection:

A screenshot of where to find WHM CPHulk protection in cPanel

Next, you can toggle the button to ON to enable cPHulk protection:

A screenshot of how to turn cPHulk on

Once it’s enabled, you can tweak the Configuration Settings. For example, you can specify how many failed login attempts are required to lock IP addresses out, and how long they should be locked out for. Once you’re done making changes, click on Save:

A screenshot of cPHulk configuration settings

Note that aside from Configuration Settings, several other tabs are available on this page: Whitelist Management, Blacklist Management, and History Reports.

You can whitelist and blacklist certain IP addresses manually by navigating to the appropriate tab. This is useful in certain circumstances. For example, it may be a good idea to whitelist your own IP to avoid a lockout from your server.

If you ever need to see a log of what actions cPHulk has taken, you can do so by clicking on the History Reports tab. 
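To see how the failed-attempt threshold, the lockout duration, and the whitelist interact, here is a small simulation. It is an added example, not cPHulk's own code: the log format, the function name `simulate_lockouts`, its parameters, and the rule that a successful login resets the counter are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real cPHulk output): "timestamp ip result"
SAMPLE_LOG = """\
2022-02-25T10:00:00 203.0.113.7 FAIL
2022-02-25T10:00:05 203.0.113.7 FAIL
2022-02-25T10:00:09 198.51.100.4 FAIL
2022-02-25T10:00:12 203.0.113.7 FAIL
2022-02-25T10:00:15 203.0.113.7 FAIL
2022-02-25T10:02:00 192.0.2.10 FAIL
2022-02-25T10:02:01 192.0.2.10 FAIL
2022-02-25T10:02:02 192.0.2.10 FAIL
2022-02-25T10:20:00 203.0.113.7 FAIL
"""

def simulate_lockouts(log_text, max_failures=3, window_s=300,
                      lockout_s=900, whitelist=()):
    """Return a list of (ip, locked_at, locked_until) lockout events."""
    window = timedelta(seconds=window_s)
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    locked_until = {}               # ip -> time the current lockout ends
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, ip, result = line.split()
        now = datetime.fromisoformat(stamp)
        if ip in whitelist:
            continue                # whitelisted addresses are never locked out
        if ip in locked_until and now < locked_until[ip]:
            continue                # still locked: attempt rejected, not counted
        if result != "FAIL":
            failures[ip].clear()    # assumption: a successful login resets the count
            continue
        recent = failures[ip]
        recent.append(now)
        while recent and now - recent[0] > window:
            recent.popleft()        # forget failures older than the window
        if len(recent) >= max_failures:
            locked_until[ip] = now + timedelta(seconds=lockout_s)
            events.append((ip, now, locked_until[ip]))
            recent.clear()
    return events
```

Running it with and without `whitelist=("192.0.2.10",)` shows why whitelisting your own address matters: three mistyped passwords from that address are enough to trigger a lockout otherwise.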

5. Protect Against Hotlinking 

Hotlinking (sometimes called ‘direct linking’) refers to when another website links out directly to content hosted on your website, such as image files. When visitors to their website load the page, your site serves the image files they see. This allows the other website to effectively ‘steal’ your bandwidth and use it to show pictures to their visitors. 

Naturally, this is something you’ll probably want to avoid. Fortunately, you can do so easily. All you have to do is configure hotlink protection using cPanel. Here’s how to go about it.

First, log in to cPanel and scroll down to the Security section. Then, click on the Hotlink Protection icon:

A screenshot of hotlink protection in cPanel

On the next page, you can toggle Hotlink protection ON or OFF. You can also change your configuration settings. For example, you might want to specify certain URLs that are allowed to access your files (cPanel will automatically populate this box with suggested local URLs):

A screenshot of how to configure hotlink protection

Next, you can also specify the file extensions you want to block direct access to by adding them to the Block direct access for the following extensions box (make sure you separate each file extension by a comma):

A screenshot of using block extensions box

Again, the above box should be automatically pre-populated with commonly hotlinked file extensions. However, you might want to add extra file extensions that aren’t already included. 

You can also add a URL to the Redirect requests to the following URL text box:

A screenshot of the redirect requests box

This will serve users from blocked sites with the specified URL page instead of the hotlinked file. Once you’re done making changes to the settings, just click on Submit.
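The sketch below models how the three settings above combine into a per-request decision based on the Referer header. It is an added example, not cPanel's code: the sample domains, the function name `hotlink_decision`, and the `allow_direct` parameter (what to do when no Referer is sent) are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed settings mirroring the three form fields described above.
ALLOWED_URLS = ["https://example.com", "https://www.example.com"]
BLOCKED_EXTENSIONS = "jpg,jpeg,gif,png,bmp"
REDIRECT_URL = "https://example.com/hotlink-blocked.html"

def _origin(url):
    """Reduce a URL to (scheme, host) so comparison is exact, not prefix-based."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()

def hotlink_decision(path, referer, allowed=ALLOWED_URLS,
                     extensions=BLOCKED_EXTENSIONS, allow_direct=True):
    """Return "serve" or the redirect URL for one request."""
    blocked = {e.strip().lower().lstrip(".")
               for e in extensions.split(",") if e.strip()}
    name = urlsplit(path).path.rsplit("/", 1)[-1]   # file name without query string
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in blocked:
        return "serve"                  # extension is not protected
    if not referer:
        # No Referer: a direct visit, or a client/proxy that strips the header.
        return "serve" if allow_direct else REDIRECT_URL
    # Compare whole hosts: "example.com.other.test" must not match "example.com".
    if _origin(referer) in {_origin(u) for u in allowed}:
        return "serve"                  # request came from one of our own pages
    return REDIRECT_URL

# The Referer header is supplied by the client, so this setting limits
# bandwidth use by other sites; it is not access control for private files.
```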

6. Utilize Patchman by SITELOCK

Patchman is a really useful security service that helps to prevent your site from being hacked. Once installed, it will automatically scan your website for malware. If it detects any potential threats, it immediately emails you to notify you of them. If you don’t resolve the issue within 24 hours, Patchman will quarantine the affected files to protect your site:

A screenshot of the Patchman by SITELOCK homepage

Not only that, but Patchman also detects whether your WordPress, Drupal, or Joomla installation requires patching. Again, it will notify you of this by email and automatically apply the patch if you don’t fix it yourself within a week.

A2 Hosting has partnered with Patchman to provide our web hosting customers with free malware and vulnerability scans. Therefore, if you have a web hosting account with us, Patchman should already be enabled for your domain. 

However, if you want to manage your settings or carry out specific administrative tasks, you can do so by accessing the Patchman dashboard. To get to the dashboard, start by logging into cPanel, then click on Patchman in the Advanced section:

A screenshot of Patchman in cPanel

From here, you can run manual scans, view detected items and applications, and carry out manual actions. For example, you can review potential malware and choose to either ignore it or quarantine it:

A screenshot of the Patchman dashboard

Utilizing Patchman is one of the best ways to protect your website from security threats. However, not all hosting providers include access to it. Therefore, it may be a good idea to choose a hosting service provider that partners with the service.

7. Use Secure Shell File Transfer Protocol (SFTP)

SFTP stands for Secure Shell File Transfer Protocol. As the name suggests, it’s a secure version of the regular File Transfer Protocol (FTP). It uses the Secure Shell protocol to encrypt transfers.

If you didn’t already know, FTP is how you transfer files between your computer and your hosting server to make them accessible to the public and vice-versa. These files are often confidential and may include sensitive data such as usernames and passwords.

The problem is that the original FTP protocol doesn’t encrypt this data, which leaves it vulnerable to interception by attackers. If you want to prevent hackers from getting access to your data, it’s recommended that you encrypt it by using SFTP instead.

In order to transfer files using SFTP, you’ll need your main cPanel account’s private key for authentication. To find it, log in to cPanel and scroll down to the Security section. Then, click on SSH Access:

A screenshot of how to access SSH in cPanel

On the next page, click on Manage SSH Keys:

A screenshot of how to manage SSH Keys

If you already have a public/private key pair, you can use those for SFTP transfers. If you don’t already have one, you can generate a new one by clicking on Generate a New Key.

Once you’ve generated a new key, go back to the Manage SSH Keys interface, and click on the Manage link next to the new key. Next, click on the Authorize button to allow it:

A screenshot of how to authorize SSH key

Go back and scroll down to Private Keys and click on View/Download. The next page should display your SSH key details. You can click on Download Key to save it somewhere safe to your computer:

A screenshot of the download key button

Once you’ve done all the above, your site is ready for an SFTP connection. You can open your preferred FTP client and use the private key you downloaded to connect via SFTP.


Keeping your site safe from malicious activity and malware is extremely important. Fortunately, cPanel offers you several ways to ensure that your site is secure and protected. 

Here’s a quick recap of how to protect your website using cPanel:

  1. Update cPanel regularly. 
  2. Choose strong passwords and update them regularly. 
  3. Password protect your vulnerable directories. 
  4. Enable cPHulk Brute-Force protection.
  5. Protect against hotlinking.
  6. Utilize Patchman by SITELOCK.
  7. Use Secure Shell File Transfer Protocol (SFTP).

If you’re looking for a hosting provider that understands the importance of site security and reliable hosting, check out our affordable Linux hosting plans!

Image credit: Free-Photos.