cPanel and WHM are powerful because they make hosting manageable. That convenience also creates risk. If root access is weak, accounts are not isolated, PHP is outdated, SMTP is abused, or backups are missing, one compromise can become a much bigger incident.
Beginner Checklist
- Enable two-factor authentication for WHM and important cPanel accounts.
- Use strong unique passwords for root, reseller, and account users.
- Keep WHM, cPanel, plugins, PHP versions, and operating system packages updated.
- Enable automatic security updates where appropriate.
- Configure backups and test that restores actually work.
- Install malware scanning and review alerts regularly.
Intermediate Checklist
- Disable password authentication for root SSH and use SSH keys.
- Move SSH away from its default settings, limit who can connect, and block repeated failed logins.
- Install and configure CSF firewall with sensible inbound and outbound rules.
- Use ImunifyAV or Imunify360 for malware detection and proactive protection.
- Enable SMTP restrictions so compromised scripts cannot freely send spam.
- Isolate PHP versions per account and avoid running old PHP across the server.
- Review cron jobs, forwarders, addon domains, and suspicious account files.
Enterprise Checklist
- Use CageFS or account isolation so one compromised site cannot easily read another.
- Separate high-value sites from low-trust or legacy sites.
- Monitor mail queues, blacklists, disk usage, CPU spikes, and account-level abuse.
- Secure Redis and never expose it publicly without strict controls.
- Keep offsite backups separate from the production server.
- Use central logging and alerts for login failures, malware events, and service changes.
- Document incident response steps before the server is under attack.
Root Access And SSH
Root is the most powerful account on the server. Password-based root login is convenient, but it creates a direct target. Use SSH keys, limit who can connect, and block repeated login attempts with firewall rules.
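One way to check this on a server, as an added example that is not part of the original article: a shell function that reads an sshd_config and reports whether root can still log in with a password. The function names and the sample path are assumptions; it reads only the global section of one file, so on a live server the output of `sshd -T` remains the authoritative view.

```shell
#!/bin/sh
# Added example: does this sshd_config still let root log in with a password?
# Usage (path is an assumption): root_ssh_password_status /etc/ssh/sshd_config
# Reads one file's global section only: no Include files, no Match evaluation.

# Print the global value of one keyword. sshd keeps the FIRST value it reads,
# keywords are case-insensitive, and lines after "Match" are conditional.
sshd_global_value() {  # $1 = file, $2 = keyword, $3 = default if unset
    awk -F'[ \t=]+' -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, "") }            # drop indentation, re-split fields
        /^#/ || NF == 0 { next }          # skip comments and blank lines
        tolower($1) == "match" { exit }   # global section ends here
        tolower($1) == key { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# Exit status: 0 = root is key-only or disabled, 1 = weak, 2 = review by hand.
root_ssh_password_status() {  # $1 = path to an sshd_config
    # Defaults assumed from OpenSSH 7.0 and later.
    prl=$(sshd_global_value "$1" PermitRootLogin prohibit-password)
    pwa=$(sshd_global_value "$1" PasswordAuthentication yes)
    case "$prl" in
        no)
            echo "OK: root SSH login is disabled" ;;
        prohibit-password|without-password|forced-commands-only)
            echo "OK: root SSH login is key-only ($prl)" ;;
        yes)
            if [ "$pwa" = "no" ]; then
                # Keyboard-interactive (PAM) can still prompt for a password.
                echo "REVIEW: root allowed, PasswordAuthentication is no"
                return 2
            fi
            echo "WEAK: root can log in over SSH with a password"
            return 1 ;;
        *)
            echo "REVIEW: unrecognised PermitRootLogin value '$prl'"
            return 2 ;;
    esac
}
```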
Firewall And Malware Protection
CSF helps control traffic and block obvious abuse. ImunifyAV or Imunify360 helps detect malware, web shells, infected files, and suspicious behavior. Neither replaces good maintenance, but both give you visibility.
PHP Isolation
Old PHP versions and weak account isolation are common reasons shared hosting becomes dangerous. Each site should run the newest compatible PHP version, with risky functions and permissions reviewed carefully.
Backups Are Security
A backup strategy is part of security. Malware cleanup, ransomware recovery, accidental deletion, disk failure, and bad updates all depend on having clean restore points stored away from the affected server.
Final Thought
WHM security is not a once-off setting. It is a routine. Harden the server, isolate accounts, monitor abuse, scan for malware, restrict sending, and make sure recovery is possible.
