The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Securing cPanel on shared hosting

Discussion in 'Security' started by Jared23, Sep 21, 2016.

  1. Jared23

    Jared23 Member

    Joined:
    Sep 21, 2016
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    I'm looking to secure my cPanel login page (beyond just a strong password) and much of what I've read on Google points to using WebHost Manager options but my shared host (GoDaddy) doesn't include WHM in their economy Linux cPanel plan.

    Besides changing hosts or upgrading plans, do I have any other options (such as .htaccess or IP-restriction) for my domain's cPanel login page, or even a way to disable the common redirects to it (such as example.tld/cpanel/) would make it a bit more difficult for less-experienced attackers to find?

    Also for those on shared hosting plans without WebHost Manager options, is there any way to restrict cPanel access after a number of unsuccessful login attempts to help deter bruteforce attempts?

    Thanks in advance for any insight and ideas.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,451
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Two-Factor Authentication should be useful. You can find it under the Security section of your cPanel.
     
  3. Jared23

    Jared23 Member

    Joined:
    Sep 21, 2016
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Under 'Security' in my cPanel (11.58.0.19) I only see:

    SSH Access
    IP Blocker
    SSL/TLS
    Hotlink Protection
    Leech Protection

    Would it be somewhere else or if not is there anything else you'd recommend? Thanks!
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,451
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    It looks like you'll need to enable it on the Features list for the Package your cPanel account is on:

    WebHost Manager »Packages »Feature Manager » Edit Feature List, Two-Factor Authentication

    Once you do that, you should see it in your cPanel.
     
  5. Jared23

    Jared23 Member

    Joined:
    Sep 21, 2016
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Hmm.. if I go to example.tld/whm/ I see the WHM Login page but my cPanel account doesn't work for it, so I figured since I'm on shared (versus VPS or dedicated) hosting I won't be able to access the WebHost Manager.

    I notice GoDaddy's WebHost Manager page falls under their 'VPS & Dedicated Servers' section and isn't mentioned on their Economy Linux cPanel area... does this sound correct, or do you think I should be able to access WHM and follow-up with them on this? Thanks again!
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,451
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    You'll need to ask them if you've got root, or Reseller access to WebHost Manager, that's correct.

    GL!
     
  7. Jared23

    Jared23 Member

    Joined:
    Sep 21, 2016
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    It appears I'm back to square one, as they confirmed only their VPS and dedicated servers offer WebHost Manager not their shared economy cPanel Linux plans.

    That said, without WHM access is it safe to say there is no other way to restrict or protect my cPanel login page?
     
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,451
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Yes sure. Go back to GoDaddy and ask them to enable Two-Factor Authentication for your account. I can't imagine why they wouldn't so am anxious to hear what they tell you. :)
     
  9. Jared23

    Jared23 Member

    Joined:
    Sep 21, 2016
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    I'm not sure how knowledgeable the person I chatted with was, but this is what I was told:

    "Only Reseller, VPS or Dedicated hosting packages include WHM, and only VPS or Dedicated have the option for two-factor authentication."

    When I asked if they could just enable 2FA for my shared account I got this response:

    "That is not possible for shared hosting packages. Shared hosting includes user level access to a single cPanel account, and there are several php limitations. There is no WHM, and no root user access for these accounts."

    That leaves me wondering why there isn't a way on shared hosting that doesn't have WHM/2FA to protect or restrict the cPanel login page... it's hard to believe some thrifty but clever person hasn't sorted a way around it.

    I've tried creating /cpanel/, /whm/ and so on directories hoping they'd take precedence over cPanel's hardcoded shortcuts but with no success unfortunately. If you have any other ideas I'd definitely be interested in giving them a try and thanks!
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    The decision to enable security features such as two-factor authentication is generally left to the hosting provider. This allows them to take factors specific to their company into consideration and determine if a feature is suitable for their shared hosting plans.

    I recommend consulting with your hosting provider again to see what additional steps they take for the security of the server, as most solutions require root access to the system to implement.

    Thank you.
     
Loading...

Share This Page