Page tree
Skip to end of metadata
Go to start of metadata

Overview

Use the following checklists as quick references for the security settings that we recommend.

Tweak Settings checklist

We recommend the following settings for WHM's Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings):

SettingDescriptionRecommendation
Hide login password from cgi scriptsThis setting allows you to hide the REMOTE_PASSWORD environment variable from scripts that the cpsrvd daemon's CGI handler executes.On
Referrer safety checkOnly permit cPanel, Webmail, and WHM to execute functions when the browser-provided referrer (port and domain or IP address) exactly matches the destination URL. This helps prevent XSRF attacks but may break integration with other systems, login applications, and billing software. You must use cookies if you enable this option.On
Initial default/catch-all forwarder destinationSelect Fail to automatically discard un-routable email that your server's new accounts receive. This option helps to protect your server from mail attacks.Fail
Verify signatures of 3rdparty cPaddonsEnable this option to verify GPG signatures of all third-party cPAddons. To use this setting, you must enable the Signature validation on assets downloaded from cPanel & WHM mirrors option.On
Prevent "nobody" from sending mailEnable this option to block email that the nobody user sent to the remote address.On
Allow users to relay mail if they use an IP address through which someone has validated an IMAP or POP3 login within the last hour (Pop-before-SMTP)Enable this option to allows users who authenticated against the POP3 or IMAP service in the last 30 minutes to send emails through SMTP again without the need to reauthenticate.Off
Enable SPF on domains for newly created accountsEnable this option to deny spammers the ability to send email when they forge your domain’s name as the sender (spoofing). On
Service subdomain overrideDisable this option to prevent automatically-generated service domains when a user creates a cPanel, Webmail, Web Disk, or WHM subdomain.Off
Service Subdomain CreationDisable this option to prevent the addition of cPanel, Webmail, Web Disk, and WHM service subdomain DNS entries to new accounts.Off
Cookie IP validation

Disable this option to allow logins regardless of the user's IP address.

Important:

We strongly recommend that you do not rely on cookie-based IP validation.

disabled

Security Center checklist

We recommend the following settings for WHM's Security Center section (WHM >> Home >> Security Center):

SettingDescriptionRecommendation
Password Strength ConfigurationThis feature allows you to specify a minimum password strength for accounts that your server hosts. A value of 50 or greater.
PHP open_basedir Tweak

This option requires users to manually specify the open_basdir setting in their relevant php.ini files if PHP is configured to run as a CGI, SuPHP, or FastCGI process.

Important:

We removed this interface in cPanel & WHM version 78. If your system runs EasyApache 4, change this directive in the Editor Mode section of WHM's MultiPHP INI Editor interface (WHM >> Home >> Software >> MultiPHP INI Editor ).

Enable
Apache mod_userdir Tweak 

If you enable this option, users can not bypass bandwidth limits when they use the Apache mod_userdir redirection to access their site (for example, http://example.com/~username).

Warning:

If you enable this option, the following Apache modules won't function:

  • mod_cgi 
  • mod_fcgid 
  • mod_mpm_itk 
  • mod_passenger 
  • mod_ruid2 

For more information, read our Apache mod_user Tweak documentation.

Enable

Note:

We recommend that you exclude the Default Virtual Host from mod_userdir protection. This allows all users to access their sites on your server, but not affect other users' bandwidth.

Compiler Access This option disables compiler access for unspecified users in order to help prevent attacks on your server.Disable
Manage Wheel Group UsersThis feature allows you to set a list of users who can use the su command in order to become the root user.Remove all users except for root and your main account.
Shell Fork Bomb Protection 

This option limits the amount of server resources that users with terminal access may use.

Enable

Note:

If you enable this option, it may cause resource shortage problems because this setting heavily limits various resources. 

FTP Server Configuration

This interface allows you to configure your FTP server.

Disable Anonymous FTP.
Manage Shell Access

This interface allows you to select which users will have shell access on your server and whether that shell access is Normal or Jailed.

Disable shell access for all other users.
cPHulk Brute Force Protection This interface allows you to configure Brute Force Protection on your server.

On

Note:

If you enable this option, we strongly recommend that you add trusted IP addresses to the White/Black List Management tab so that you do not lock yourself out of your server.

EasyApache configuration checklist

When you configure EasyApache, we strongly recommend that you include the following modules:

ModuleDescription
suphpThis module causes PHP scripts to run as the owner of the script instead of as the nobody user.
suhosinThis module is an advanced protection system for PHP installations. For more information, read the Suhosin website.
mod_security

This module is an open-source web application firewall. For more information, read our ModSecurity documentation.

EasyApache modules to avoid

Warning:

  • We no longer provide or support the modules described in this section.
  • We strongly recommend that you avoid modules that we mark as End-Of-Life or Deprecated.
  • We strongly recommend that you ensure that your software is up-to-date with the most recent stable versions of software. For example, the last release of PHP 5.3 was on August 14, 2014 and has reached end of life. Even though PHP may backport security patches for this version, you should not consider it secure and should update it to PHP 5.4 or higher.

We suggest that you do not include the following modules unless they are absolutely necessary:

ModuleDescription
mod_frontpage

We do not provide or support FrontPage®. Additionally, Microsoft has not released updates or security patches for FrontPage in over a decade.

mod_perlThis module grants unlimited control to scripts over the website, which is unsafe in a shared hosting environment.
mod_jk

This module runs code as a shared user and presents a security risk.

mod_monoThis module runs code as a shared user and presents a security risk.
mod_mono2This module runs code as a shared user and presents a security risk.
XcacheThis module uses shared caching logic and EasyApache disables it by default.
EAcceleratorThis module uses shared caching logic and EasyApache disables it by default.

For more information, read our PCI Compliance and Software Versions documentation.

Global Configuration checklist

This checklist pertains to the Global Configuration section of WHM's Global Configuration interface (WHM >> Home >> Service Configuration >> Apache Configuration >> Global Configuration).

SettingRecommendation

Server tokens  
Set this option to Product Only to receive a more concise output than the other options.

Product Only
File ETag  
Set this option to None to receive a more concise output than the other options.
None

Additional documentation