WHM Security Tips for a Safer Server
Learn how to configure WHM to secure your server and help protect your website from hacking vulnerabilities. Tips for improving security within WHM.
WHM is one of the most popular server and user management platforms in use today. It is trusted by countless webmasters and resellers to simplify the process of setting up servers and managing user accounts. For users with VPS or dedicated hosting accounts, you'll most likely have access to WHM. Securing your server helps to keep your business reputation from being impacted by a hack. WHM contains several tools that help to protect your server from hacking vulnerabilities.
Tip 1: Use Strong, Frequently-Updated Passwords
This sounds like common sense, but one can’t stress enough the importance of having a strong password to log into your server with. Create a password that contains a variety of characters, including letters, numbers, and symbols. The longer your password is, the better. To update your root password, find the “Server Configuration” section in the left sidebar of WHM and click “Change Root Password”. Use a password that WHM considers to be “Very Strong”.
Frequently updating your passwords is advisable for server security. You should update your passwords every few months or even more frequently. Also, remember to always use different passwords for the rest of your accounts, such as your web hosting account, ftp accounts, or even website logins.
If your hosting came with a database installed, you should immediately update the database’s root user password to a secure value. To update your MySQL root password, find the “MySQL Services” section in WHM and click “MySQL Root Password.” Enter a password that WHM considers to be “Very Strong”.
Tip 2: Keep WHM and Other Software Up To Date
WHM contains several sections that allow you to keep the various software components of your server up to date.
- Server Configuration → Update Preferences. This section contains preferences for updating cPanel-related services, OS packages, and SpamAssassin. It is advisable to set “Release Tier” to “RELEASE”. This will ensure that stable versions of software are installed. It is also advisable to set all of the following settings to “Automatic”.
- Daily Updates
- Operating System Package Updates
- Apache SpamAssassin™ Rules Updates
Updating these services automatically will ensure that the software is kept up to date on a nightly basis.
- Software → EasyApache (Apache Update) – This section contains preferences for updating Apache, PHP, and related components. Security issues are often resolved in software, so update when possible. WHM does not provide an option to automatically update these services, since this could break an application created for a specific version of PHP, etc. It is advisable to update the listed software when appropriate.
- Software → MySQL/MariaDB Upgrade – This section is where you can update your database version. As with EasyApache updates, database updates are not automatic.
Tip 3: Enable suPHP and suEXEC
PHP runs on the server through a handler, which is the means Apache uses to communicate with PHP. The suPHP handler contains several security implementations to help keep your application secure. To enable suPHP, find the “Service Configuration” section of WHM and click “Configure PHP and suEXEC”. When using suPHP, also enable suEXEC. This ensures that all CGI programs (including PHP run through suPHP) execute as a specific user.
By enabling the suPHP handler, PHP scripts are executed under a specific user name, rather than under the “nobody” user. This means that if a PHP script were ever exploited, it could access only those files owned by that user.
Tip 4: Encrypt Uploaded Data and Disable Anonymous FTP
How can users transfer files securely to the website server? FTP without SSL does not encrypt your login credentials or the files being transferred, so both could be intercepted, and files could even be modified by a hacker. SFTP (FTP over SSH) and FTPS (FTP over SSL) are secure transfer methods since they encrypt data being sent to the server.
If cPanel users will be uploading files under their own account names (without creating FTP accounts), then SFTP can be used for secure uploads. SFTP is enabled by default when a cPanel account is created. Users will need to know your server’s SSH port number to connect via SFTP. By default, this is port 22.
If cPanel users will be creating FTP accounts to upload files, FTPS can be used to secure uploads. Because FTPS uses SSL to secure data transferred to the server, you will need to add an SSL certificate to FTP in order to use FTPS. Follow these steps to enable FTPS in WHM.
- In the Service Configuration section of WHM, click “Manage Service SSL Certificates”. Scroll down to “Install a New Certificate”.
- Check the box entitled “FTP Server”.
- Paste your SSL certificate and private key content into the respective input boxes. If you purchased an SSL certificate from a third-party company, the company will provide this information. Or if you wish to save costs, you can generate a self-signed certificate. For more information, go to the “Generate an SSL Certificate and Signing Request” interface located in the “SSL/TLS” section of WHM. For self-signed certificates, you will also need to fill out the “Certificate Authority Bundle” section.
- Now that the SSL certificate is installed for FTP, ensure that FTPS is enabled on the server. Find the “Service Configuration” section in WHM and click “FTP Server Configuration”. Ensure that “TLS Encryption Support” is set to either “Optional”, “Required (Command)” to encrypt credentials, or preferably “Required (Command/Data)” to encrypt credentials and transferred files.
- Set “Allow Anonymous Logins” and “Allow Anonymous Uploads” to “No”. Anonymous FTP allows FTP access without a password. Disable this for security reasons.
You can now use your preferred FTP client to upload files with FTPS, as long as it is supported. Simply select the FTP with TLS/SSL transfer method within the FTP client.
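The settings chosen in the “FTP Server Configuration” steps above can be verified from the command line. The following is an added example, not code from the original article or from cPanel: it audits the Pure-FTPd directives that correspond to “TLS Encryption Support” (the TLS directive, 0 = off, 1 = optional, 2 = required for commands, 3 = required for commands and data) and to the two anonymous-access options (NoAnonymous and AnonymousCantUpload). It assumes, as cPanel does by default, that these live in /etc/pure-ftpd.conf; the two configuration samples are constructed. The check is slightly stricter than the article’s minimum: “Optional” is flagged as a finding because clients may still connect in plaintext.

```shell
#!/bin/sh
# Added example (not cPanel's or the article's code): audit the Pure-FTPd
# settings that WHM's "FTP Server Configuration" page writes for Tip 4.
# Directive names are Pure-FTPd's own; the sample file contents are constructed.

# Constructed sample: a server BEFORE Tip 4 (no TLS, anonymous access allowed)
SAMPLE_WEAK='# Pure-FTPd configuration (constructed sample)
TLS                          0
NoAnonymous                  no
AnonymousCantUpload          no'

# Constructed sample: a server AFTER Tip 4 (TLS for commands and data, no anonymous)
SAMPLE_HARDENED='TLS                          3
NoAnonymous                  yes
AnonymousCantUpload          yes'

# ftp_setting CONFIG_TEXT KEY -> prints the value of KEY (comments ignored,
# last assignment wins, empty output when the key is absent)
ftp_setting() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }       # skip comment lines
        $1 == key       { val = $2 }    # remember the latest assignment
        END             { print val }'
}

# ftp_audit CONFIG_TEXT -> prints one finding per line;
# returns 0 when the configuration is acceptable, 1 when it needs changes
ftp_audit() {
    conf=$1
    rc=0
    tls=$(ftp_setting "$conf" TLS)
    case "$tls" in
        3) ;;   # Required (Command/Data): credentials and file contents encrypted
        2) echo "WARN: TLS=2 encrypts logins only; prefer Required (Command/Data)" ;;
        1) echo "WARN: TLS=1 is Optional; clients may still log in in plaintext"; rc=1 ;;
        *) echo "FAIL: TLS=${tls:-unset}; FTPS is disabled"; rc=1 ;;
    esac
    if [ "$(ftp_setting "$conf" NoAnonymous)" != "yes" ]; then
        echo "FAIL: anonymous logins allowed (NoAnonymous is not yes)"; rc=1
    fi
    if [ "$(ftp_setting "$conf" AnonymousCantUpload)" != "yes" ]; then
        echo "FAIL: anonymous uploads allowed (AnonymousCantUpload is not yes)"; rc=1
    fi
    return $rc
}

# Stand-alone run over both constructed samples. On a real server, replace the
# sample with: ftp_audit "$(cat /etc/pure-ftpd.conf)"
echo "--- weak sample ---";     ftp_audit "$SAMPLE_WEAK" || echo "result: needs changes"
echo "--- hardened sample ---"; ftp_audit "$SAMPLE_HARDENED" && echo "result: OK"
```

The audit reads the file rather than the running daemon, so run it after restarting the FTP service from WHM; a setting that is present in the file but not yet applied would otherwise pass.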
Tip 5: Review Security Center Settings
WHM’s “Security Center” section provides various settings that should be reviewed to improve your server’s security.
- Compiler Access. Disable compilers for unprivileged users to prevent attacks through compiler vulnerabilities.
- cPHulk Brute Force Detection. A brute force attack is when a hacker attempts to log in to a server by sequentially entering various password combinations. Enable cPHulk to protect against these attacks. cPHulk blocks a hacker’s IP address when a brute force attack is detected. If you also enable the cPHulk setting entitled “Send a notification upon successful root login when the IP address is not on the whitelist”, you can be notified by email if an unauthorized user logs into your account.
- Manage Wheel Group Users. Wheel group users have the ability to obtain superuser server access, which is a major security threat. To ensure that no users have superuser access, simply remove all users from the list within the section entitled “Remove a user from the wheel group”.
- Shell Fork Bomb Protection. Enable this setting to prevent terminal connections from using unlimited resources. This reduces the risk of a server crash.
- SMTP Restrictions. Enable this setting to allow only trusted sources to connect to a remote SMTP server. This helps reduce the risk of spam being sent from your email addresses.
- Traceroute Enable / Disable. Disable this setting to help hide the server network’s topology. Disclosing this network information can assist in hacking.
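To make the cPHulk item above concrete, here is an added example of the signal a brute-force detector works from; it is not cPHulk’s code and is not from the article. It counts failed SSH logins per source address in constructed /var/log/secure-style lines, reports sources at or above a threshold (the condition under which cPHulk blocks an address), and separately lists successful root logins from addresses outside a whitelist, which is the event behind the “notification upon successful root login” option. The log lines and the whitelist address are constructed; the addresses come from the documentation ranges.

```shell
#!/bin/sh
# Added example (not cPHulk's or the article's code): brute-force and
# root-login detection over constructed auth-log lines.

# Constructed sample log in /var/log/secure style (RFC 5737 documentation addresses)
SAMPLE_LOG='Mar  3 10:01:12 host sshd[2201]: Failed password for root from 203.0.113.5 port 51012 ssh2
Mar  3 10:01:15 host sshd[2201]: Failed password for root from 203.0.113.5 port 51013 ssh2
Mar  3 10:01:19 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51014 ssh2
Mar  3 10:01:22 host sshd[2201]: Failed password for root from 203.0.113.5 port 51015 ssh2
Mar  3 10:01:25 host sshd[2201]: Failed password for root from 203.0.113.5 port 51016 ssh2
Mar  3 10:02:02 host sshd[2210]: Failed password for alice from 198.51.100.7 port 40222 ssh2
Mar  3 10:02:40 host sshd[2211]: Accepted password for alice from 198.51.100.7 port 40223 ssh2
Mar  3 10:03:01 host sshd[2215]: Accepted publickey for root from 192.0.2.44 port 60001 ssh2'

# failed_logins LOG_TEXT -> "count ip" per source address, highest count first
failed_logins() {
    printf '%s\n' "$1" | awk '
        /Failed password for/ {
            # the address is the field after "from", whether or not
            # the line carries the "invalid user" prefix
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# brute_force_sources LOG_TEXT THRESHOLD -> addresses with at least THRESHOLD failures
brute_force_sources() {
    failed_logins "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# root_logins_not_whitelisted LOG_TEXT WHITELIST -> source addresses of successful
# root logins that are not in the comma-separated WHITELIST
root_logins_not_whitelisted() {
    printf '%s\n' "$1" | awk -v wl="$2" '
        BEGIN { n = split(wl, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /Accepted .* for root from/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && !($(i+1) in ok)) print $(i+1)
        }'
}

# Stand-alone run. On a real server: failed_logins "$(cat /var/log/secure)"
echo "failed logins per source:";            failed_logins "$SAMPLE_LOG"
echo "sources at or above 5 failures:";      brute_force_sources "$SAMPLE_LOG" 5
echo "root logins from outside whitelist:";  root_logins_not_whitelisted "$SAMPLE_LOG" "10.0.0.1"
```

A real detector also bounds the window in which failures are counted (cPHulk’s settings expose this) so that a slow trickle of typos from a legitimate user does not accumulate into a block; the example counts over the whole input for clarity.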
Tip 6: Disable User Shell Access
If your server’s cPanel accounts do not need SSH access, you should disable access for security reasons. Note that users can still upload files with SFTP even with shell access disabled. To disable SSH for all current users, find the “Account Functions” section in WHM and click “Manage Shell Access”. Under “Disabled Shell”, click “Apply to All”.
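As an added example (not from the article or cPanel), the following script lists the cPanel accounts that still have an unrestricted login shell, which is the state “Disabled Shell → Apply to All” removes. It assumes cPanel’s conventions: account home directories under /home, /usr/local/cpanel/bin/noshell for a disabled shell and /usr/local/cpanel/bin/jailshell for a restricted one; the passwd lines are constructed.

```shell
#!/bin/sh
# Added example (not cPanel's or the article's code): report cPanel accounts
# whose login shell is still a full shell. Assumptions: homes under /home,
# noshell = disabled, jailshell = restricted. The passwd content is constructed.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
shopuser:x:1001:1001::/home/shopuser:/usr/local/cpanel/bin/noshell
blogadm:x:1002:1002::/home/blogadm:/usr/local/cpanel/bin/jailshell
devacct:x:1003:1003::/home/devacct:/bin/bash
oldsite:x:1004:1004::/home/oldsite:/bin/sh'

# cpanel_accounts PASSWD_TEXT -> "user shell" for every account whose home is under /home
cpanel_accounts() {
    printf '%s\n' "$1" | awk -F: '$6 ~ /^\/home\// { print $1, $7 }'
}

# classify_shell SHELL -> disabled | jailed | full
classify_shell() {
    case "$1" in
        /usr/local/cpanel/bin/noshell|/sbin/nologin|/bin/false) echo disabled ;;
        /usr/local/cpanel/bin/jailshell)                        echo jailed ;;
        *)                                                      echo full ;;
    esac
}

# accounts_with_full_shell PASSWD_TEXT -> one username per line
accounts_with_full_shell() {
    cpanel_accounts "$1" | while read -r user shell; do
        if [ "$(classify_shell "$shell")" = full ]; then
            echo "$user"
        fi
    done
}

# Stand-alone run. On a real server: accounts_with_full_shell "$(cat /etc/passwd)"
echo "cPanel accounts with unrestricted shell access:"
accounts_with_full_shell "$SAMPLE_PASSWD"
```

Run it again after applying the change in WHM; an empty list confirms that every account is now on noshell or jailshell.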
Tip 7: Tweak Server Settings
Several options within the “Tweak Settings” interface should be set properly in order to improve security. Find the “Server Configuration” section and click “Tweak Settings”. Update the following settings.
- Mail → Max hourly emails per domain. You may want to consider setting a maximum number of permitted outgoing emails per hour. This helps to prevent your system from potentially being used to send mass spam email if hacked. Ensure that the value is large enough that your server can still uninterruptedly send legitimate emails.
- Mail → Prevent “nobody” from sending mail → Off. Assuming you have configured PHP to use the suPHP handler, turn this off. This will ensure that only those processes running as a specific user can send emails. This works to help prevent spam.
- Redirection → Always redirect to SSL → On. Protect server credentials by allowing access to cPanel-related services only over a secure connection.
- Security → Blank referrer safety check → On, and Security → Referrer safety check → On. By enabling these settings, access to cPanel-related services is granted only if the browser sends a valid referrer value. This helps prevent cross-site request forgery (CSRF) attacks.
Tip 8: Install and Configure ModSecurity
ModSecurity is a web application firewall that serves to filter HTTP requests, log events, patch applications (to prevent hacks through poorly written code), and more. ModSecurity can be installed while building your profile with EasyApache (WHM → Software → EasyApache). Once installed, configure ModSecurity with a rule set to help defend against hacks. The OWASP Foundation provides a protective rule set that is free to use. To add it, find the “Security” section in WHM and click “ModSecurity™ Vendors”. Then install the “OWASP ModSecurity Core Rule Set”. Finally, click “Install and Restart Apache”.
Tip 9: Install CSF
ConfigServer Security & Firewall (CSF) works as a customizable server firewall, and it is also used for intrusion detection, login notifications, and other security functions. Another useful feature of CSF is its security check, which lists recommended security modifications based on your server’s current configuration. It is advisable to install CSF in order to enhance your server’s security.
To install CSF, you will need to connect to the server via the command-line. Start by opening an SSH client (such as “PuTTY” for Windows or “Terminal” for Mac). Then type the following command, replacing “servername.domain.com” with your server’s name: “ssh root@servername.domain.com”. Press the Enter key on your keyboard to connect. If prompted, proceed past the message saying that the authenticity of the host can’t be established. You will then be prompted to enter your password; use your WHM password and press Enter.
Now, run the following commands to download and install CSF. Enter each line one at a time into the command-line, and press the Enter key after entering each line to run it:
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf && sh install.sh
It’s that easy! If you are currently logged in to WHM, log out and back in to update the interface. Find the “Plugins” section of WHM and click “ConfigServer Security&Firewall”. On the page that appears, click “Check Server Security”. CSF will then list several settings that you can modify to improve your server’s security.
Tip 10: Install ClamAV
ClamAV is antivirus software that detects threats in emails. To install ClamAV, find the “cPanel” section in WHM and click “Manage Plugins”. Find the “clamavconnector” plugin and check “Install and keep updated”. Click Save. Now find the “Plugins” section in WHM and click “ClamAV Connector”. Check the “Scan Mail” option and save.
Tip 11: Last but Not Least: Security Advisor
WHM’s “Security Advisor” generates a list of potential server vulnerabilities as well as information about how to resolve these issues. “Security Advisor” can be found in the “Security Center” section of WHM. You should perform this step last, since the preceding tasks will remove several of the advisories.
Keeping your server secure and safe from hackers is an important step to protect your business reputation. Customers of resellers will be satisfied knowing that their website’s server security is being taken seriously. By using the simple user interface and tools WHM offers to enhance security, your server is much further along in staying secure and safe from hacks.