It is important to tighten the security of the cPanel account behind your WordPress site to prevent hacking. Use these cPanel security tips to close the back door to your site.
People usually protect the site itself with firewalls and various plugins, but often pay little attention to the security of their hosting.
If your hosting is not secure, an attacker can take control of your site through cPanel without ever touching WordPress.
cPanel Security Tips
Here’s a list of 5 useful tips to make sure you don’t compromise your cPanel security.
- Have the Latest Version of cPanel
- Secure Password
- Secure SSH
- Secure Apache and PHP
- Enable Brute Force Protection
1. Keep cPanel Updated
If you don’t upgrade cPanel to the latest version, known vulnerabilities remain exploitable. Therefore, make sure you are running the latest version.
Update cPanel: WHM > cPanel > Upgrade to Latest Version.
You can also update from the shell, as root: # /scripts/upcp --force
To avoid doing this by hand, simply turn on automatic updates.
Go to WHM > Server Configuration > Update Preferences.
2. Secure Password
Something everybody knows today! But still, people ignore it.
- Weak passwords > Hacked easily > Infect client sites or spread viruses
80% of hacking attempts try to gain access to the site by cracking weak passwords set by the site owners.
But how can you make sure your password is secure?
Edit “/etc/login.defs” file to configure password options on your system.
- Use at least 8 characters, mixing letters, digits and punctuation symbols.
- Avoid using significant dates and dictionary words.
- If you have issues, you can leverage the “Password Generator tool” to have ideas.
- Go to “Tweak Settings” in “Server Configuration” and enable SSL so the password is not sent in the clear.
- Still uncertain about password security? Test it with the John the Ripper (JTR) cracker or check its strength using pam_passwdqc.
3. Secure SSH
SSH, or Secure Shell, is the remote access tool on Linux that lets users log into a remote machine and execute commands. If you don’t secure SSH, it is an obvious point of attack.
How can you secure SSH?
Update SSH packages to the latest stable version.
A. Setup Wheel User
While logged in as root, create a new user; you will be asked a few questions.
Hit “Enter” once you are done with setting a password.
Add that user to the Wheel user group. If you want an existing user to be the wheel user, you can simply go to WHM > Security Center > Manage Wheel Group Users > Select the user and click “Add to Group”.
Now Disable Root User:
Open the SSH config file > Set PermitRootLogin to ‘no’ > Restart SSH
Once you have ended the session, you can no longer log in as root. To log in, use the new user you just created or the existing wheel user.
B. Setup Key-based Password-less login
Disable password authentication and allow SSH access only by key-based authentication.
Open the SSH config file (vi /etc/ssh/sshd_config) > Set PasswordAuthentication to “no”
Password authentication on the server is now disabled. Generate an SSH key on the machine you connect from: ssh-keygen
If you press ‘Enter’ at the prompts, the private key is written to ‘/home/user/.ssh/id_rsa’ by default.
4. Secure Apache and PHP
In WHM, you should enable ModSecurity to protect Apache from attacks such as code injection. The rules defined in ModSecurity block requests that match an attack signature.
WHM > Plugins > ModSecurity
- Configure suEXEC for executing the CGI scripts and suPHP as the PHP handler. Enable suEXEC and suPHP by browsing to WHM > Service Configuration > suEXEC.
- Change the PHP handler to suPHP, turn Apache suEXEC to ‘On’ and ‘Save’ New Configuration.
- Enable PHP open_basedir protection: it prevents PHP scripts from accessing files outside their home directory.
- WHM > Security Center > PHP open_basedir Tweak > Enable PHP open_basedir Protection > Save.
Disable some of the PHP functions:
- WHM > Service Configuration > PHP Configuration Editor > Select Advanced mode > register_globals: Off
- The register_globals setting controls how scripts access server, form, and environment variables. If it is on, anything passed via GET, POST, or COOKIE automatically becomes a global variable in the code, which has security consequences.
- Disable_functions: allow_url_fopen, proc_open, popen, phpinfo, exec, passthru, shell_exec, system, show_source.
“Save” the settings and restart Apache after this.
Important: Don’t forget to keep Apache and PHP on their latest versions for proper security.
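The sshd_config settings from section 3 and the php.ini settings above can be verified mechanically. The following audit script is an added example, not part of the original post: it checks PermitRootLogin and PasswordAuthentication in sshd_config and the disable_functions list in php.ini, running against constructed sample files; the function names, sample contents and temporary paths are my assumptions, and in practice you would pass /etc/ssh/sshd_config and the server's active php.ini. Because allow_url_fopen is a php.ini directive rather than a function, the script checks it as a directive instead of looking for it in disable_functions.

```shell
# Added audit helper, not part of the original post: checks the sshd_config and
# php.ini settings above. Sample files are constructed so this runs offline; in
# practice pass /etc/ssh/sshd_config and the server's active php.ini instead.
SAMPLE_DIR=$(mktemp -d)
# Constructed sshd_config: root login still allowed, password auth already off.
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin yes' \
  'PasswordAuthentication No' > "$SAMPLE_DIR/sshd_config"
# Constructed php.ini: shell_exec and show_source were left out of the list.
printf '%s\n' 'allow_url_fopen = Off' \
  'disable_functions = proc_open, popen, phpinfo, exec, passthru, system' \
  > "$SAMPLE_DIR/php.ini"
# Effective value (lowercased) of an sshd_config keyword. The first
# uncommented match wins, which is how sshd resolves duplicate directives.
sshd_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == key { print tolower($2); exit }' "$1"
}
# Value (lowercased, spaces stripped) of a php.ini directive. allow_url_fopen is
# such a directive, not a function, so it cannot go into disable_functions.
ini_value() {
  awk -F= -v key="$2" '$1 ~ ("^[[:space:]]*" key "[[:space:]]*$") {
    gsub(/[[:space:]]/, "", $2); print tolower($2); exit }' "$1"
}
# Functions from the list above that are still callable, comma-separated.
php_still_enabled() {
  listed=$(ini_value "$1" disable_functions); missing=""
  for fn in proc_open popen phpinfo exec passthru shell_exec system show_source; do
    case ",$listed," in
      *",$fn,"*) ;;
      *) missing="${missing:+$missing,}$fn" ;;
    esac
  done
  printf '%s' "$missing"
}
# Overall verdict: 0 when every check passes, 1 otherwise, one FAIL line each.
audit() {
  rc=0
  [ "$(sshd_value "$1" PermitRootLogin)" = no ] || { echo "FAIL: PermitRootLogin"; rc=1; }
  [ "$(sshd_value "$1" PasswordAuthentication)" = no ] || { echo "FAIL: PasswordAuthentication"; rc=1; }
  [ "$(ini_value "$2" allow_url_fopen)" = off ] || { echo "FAIL: allow_url_fopen"; rc=1; }
  left=$(php_still_enabled "$2")
  [ -z "$left" ] || { echo "FAIL: still callable: $left"; rc=1; }
  return $rc
}
if audit "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/php.ini"; then echo "PASS: all checks"; else echo "audit: hardening gaps found"; fi
```

On the constructed samples the script reports PermitRootLogin and the two missing functions as gaps; the same functions run unchanged against the real files.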
5. Enable Brute-Force Protection
Brute force: repeated trial-and-error attempts to log into the server.
When you enable brute-force protection, repeated unsuccessful login attempts from a given IP address get that IP blocked.
To activate this feature: WHM > Security Center > cPHulk Brute Force Protection > Enable
Under the “IP Deny Manager” option, you can also block a particular IP address, domain name, or range of IP addresses from accessing a site managed by cPanel.