You don't have to be a Linux Guru to know how to work with the cPanel web interface. In fact, that's the purpose of cPanel and WHM: to simplify administering a web server. There are a lot of often-overlooked settings in WHM/cPanel, something I've learned while jumping into hundreds of cPanel-based servers from different companies. It's become a habit of mine to look at some settings and simply mention what I find to my clients, to see whether they were aware of such an insecure configuration. In many cases, they didn't even know and went with the advice I gave them.
The settings you'll read about in this post are so simple that anyone can apply them. It's just a matter of pointing and clicking. In fact, if you take the advice here, you'll preemptively prevent over 50% of common attacks on cPanel servers (my statistics are not verified, but you'll definitely be securing your server from a lot of bad things!).
Disable Compilers
If you're not a savvy developer, you should disable C compilers immediately if you're going to share your resources with others. You might not know how securely the people you host will keep their websites, or whether they'll get compromised by the latest attack trends that seem to sweep the web.
The developers of cPanel know this is a security risk as well, so it's best to disable it if you don't need compilers activated on your system.
Many common exploits require a working C compiler on the system. This tweak allows you to deny compiler access to unprivileged users; you can also choose to allow some users to use the compilers while they remain disabled by default.
You'll find the page where you can disable this under Compiler Access.
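To confirm the setting took effect, here is an added example (not from the original post and not cPanel's own code) that checks from an SSH session whether common compiler binaries can still be executed by every local user. It assumes the restriction shows up as file permissions; the compiler name list and the directories you pass in are assumptions.

```shell
#!/bin/sh
# Added example (not cPanel's code): report compiler binaries that any
# local user can execute. The name list below is an assumption.
COMPILERS="cc gcc g++ c++ clang clang++ tcc"

# world_executable FILE: succeeds if the "other" permission class may execute FILE.
world_executable() {
    # -L follows symlinks (cc is often a link to gcc); keep only the mode string.
    perms=$(ls -ldL -- "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        ?????????[xt]) return 0 ;;   # other-execute set (t = sticky + execute)
        *)             return 1 ;;
    esac
}

# audit_compilers DIR...: print a status line per compiler found in each DIR.
# Returns 1 if at least one compiler is world-executable, else 0.
audit_compilers() {
    open=0
    for dir in "$@"; do
        for name in $COMPILERS; do
            target="$dir/$name"
            [ -f "$target" ] || continue
            if world_executable "$target"; then
                echo "OPEN        $target"
                open=1
            else
                echo "restricted  $target"
            fi
        done
    done
    return "$open"
}

# Run against the directories given on the command line, if any,
# e.g.: sh audit_compilers.sh /usr/bin /usr/local/bin
if [ "$#" -gt 0 ]; then
    audit_compilers "$@"
fi
```

Any line marked OPEN means an unprivileged account on the server can still run that compiler.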
Secure Passwords
This one should be obvious to everyone: use strong passwords! We often forget how important this is, and would rather go with convenience over security. The fact is, if you're using a password that's less than 6 characters and is alpha-numeric, you're going to get brute-force hacked eventually.
I always say the best password is one not even you know, but try to at least use a clever string of letters, numbers, and special characters and secure it in a safe place. If you can remember it, even better!
With that said, sometimes it's nice to be reminded to use strong passwords. Navigate to Password Strength Configuration and set the value to over 75. I've found 100 tends to be overly complicated for some people, but 75 is tolerable. Leave the rest at the default so they inherit this rule. It's pointless to have different rules because security is only as good as your weakest attack point.
PHP open_basedir Protection
Do you want to expose files to others on your system? If not, then you'll want to enable PHP's open_basedir protection. Generally, it's unsafe if an account gets compromised and is able to read files outside its /home/username directory. Protect your server with this simple tweak, and you'll prevent a menagerie of future complications in the off chance you end up hosting a hacked website.
To enable this, look for PHP open_basedir Protection in your WHM menu, and make sure "Enable php open_basedir Protection." is checked.
Security Questions
This one is by far my favorite instant security tweak! I couldn't tell you how many times a client has used weak passwords, become the victim of a keylogger, or just had poor security practices locally and had their account password compromised. This might seem "inconvenient" at first, but you'll be grateful when it saves several of your clients per year from losing their cPanel account to a hacker or social engineer.
Look for Security Questions in the WHM menu and set ones for WHM. Be warned, you "CAN" lock yourself out of WHM, so open up an SSH terminal just in case. Set your questions, refresh the page, answer them, and you're good to go. Just to reiterate, open an SSH terminal, or at the very least set security questions you know you can answer.
Anyone that has access to a cPanel account will now have to set security questions upon logging in.
Additional Resources and Ideas
Although this guide was intended to be simple, you shouldn't stop at this stage. Do your own research and secure an environment that's best for you. Here are some additional ideas you should consider while securing your WHM/cPanel server.
- Check out Security Advisor in the WHM menu.
- ConfigServer Firewall is a great application, look into it!
- Read up on mod_security. It's essential in today's web hosting world!
- Update EasyApache at least once every 2 months.
This is a very basic guide, but it should help you out a lot if you're new to the web hosting world. I guess most of these practices pertain to shared environments, but you should still have strong security practices even in a private environment. You never know what's out there.