cPanel is currently the leader and industry standard for standalone hosting platforms. Its main product, WHM/cPanel, is widely used by most web-hosting providers due to its flexibility, ease of management, customizability, and high-quality support.
Most of us involved in the web-hosting industry are familiar with its capabilities. However, if you are new to cPanel, we recommend that you follow these five initial setup steps.
9 Web Hosting Tips You Should Know (Before You Pay Up)
Good hosting is crucial to any website. They are the foundation of your website, your brand, and your... Read more
1. Get a Strong Password
As a user, you are given a default username and password to access the cPanel domain owner interface, as well as the default MySQL database user, FTP/SFTP account, email address, and system user login used to access the server remotely via SSH (if enabled by the server administrator).
It is highly recommended to change your cPanel login password as soon as possible. If someone can guess or obtain your password, they will have unauthorized access to the server, which can be extremely dangerous.
Hackers have been known to take over a valid user’s registered email account, gaining access to the login credentials for their cPanel account. This can make it difficult for the owner to reset their password, as the registered email address is required for verification as the account owner.
To avoid such problems, it is essential to follow good password management practices. Some tips for creating a strong password include changing it frequently, avoiding dictionary words and familiar items such as birth dates, vehicle registration numbers, or phone numbers, using a combination of letters, numbers, and symbols, using more than eight characters, and not saving your password in the browser.
2. Understand the server environment
To ensure optimal use of the server environment, it is essential to have a comprehensive understanding of its operating system and architecture, kernel version, application versions, IP address, and hosting package limitations.
This information can be found on the main page of the cPanel interface. It is recommended that a good hosting server be run on the updated version of the kernel and applications under 64-bit architecture (x86_64).
Additionally, it is important to check the cPanel Service Status to determine the server’s real-time condition. This feature provides information on the number of CPUs running on the server, total memory usage, and disk space status. It is advisable to ensure that all services are up and running as expected.
For optimal server performance, disk usage should be below 80%, swap below 10%, and the server load average should be below 2x the total number of CPUs.
3. Check permission (File and directory)
As a cPanel user, it is crucial to ensure that the correct permissions and ownership are set for all files and directories within your home directory, particularly the
To check the PHP handler being used on your cPanel server, you can create a phpinfo page under
public_html and check the value of "Server API" accessed via a web browser. If the PHP handler is CGI/FastCGI, suPHP is likely being used.
This handler executes PHP as a separate process alongside Apache, and all file permissions should be set to 644 and directory permissions to 755. Permissions higher than this may result in an "Internal Server Error" when executing PHP scripts. If the PHP handler is Apache 2.0 Handler, DSO is being used.
This handler doesn’t require strict file permissions and ownership because Apache handles the PHP file entirely. However, it is still recommended to follow the same permission practices as advised for the CGI/FastCGI method. To fix any permission or ownership issues, you can use cPanel File Manager, an FTP client, or SSH access (if allowed).
Remember to delete the phpinfo page once you have retrieved the necessary information.
4. Add some protection
It is also important to take advantage of the platform’s flexibility to add protection to your website, domain, and cPanel account. While protection and security are primarily the responsibility of the server administrator, there are steps you can take to enhance your security.
Firstly, ensure that Spam Assassin is enabled under cPanel > Mail > Spam Assassin. Although some web hosting providers do not enable this feature by default, it is a useful tool for filtering out spam emails.
Additionally, it is recommended to discard all unrouted email under Default Address (cPanel > Mail > Default Address) with an error to the sender at SMTP time.
Avoid using the "blackhole" or "forward to email address" options, as these can be exploited by hackers to launch a DOS attack on the SMTP service. Another important step is to disable Frontpage if it is not being used (cPanel > Advanced > FrontPage Extensions).
Microsoft has discontinued FrontPage extension support for the Unix platform, and many web hosting providers have reported severe intrusion attempts via FrontPage vulnerabilities.
It is also advisable to check the PHP
disabled_function using the phpinfo page and ensure that all critical functions have been disabled inside the server.
If not, create a php.ini file under
public_html and add the following line:
disable_functions=exec, passthru, shell_exec,system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source.
Finally, enable hotlink protection (cPanel > Security > Hotlink Protection) to prevent others from stealing your bandwidth. This feature allows you to only allow your website’s URL to access static contents like .jpg, .jpeg, .gif, .png, and .bmp, thereby preventing others from linking your images to their websites and using your bandwidth.
5. Notification and Monitoring
To ensure that you receive notifications from cPanel, it is recommended to add a secondary email address as a backup in case the primary email is unreachable. This can be done under the "Update Contact Info" section in cPanel’s preferences.
Additionally, it is advisable to subscribe to an external website monitoring tool to monitor the availability of your website and domain. This will provide more accurate results than relying solely on your web hosting provider’s monitoring service. You will also get notification or email alert whenever the site goes down.
This article is not intended for new cPanel users only. It also serves as a reminder for those who already familiar with cPanel as well. By practising these best configuration practices it may help you to become a better and more responsible website/domain owner.