As someone who runs a web hosting company in Nigeria (XclusiveCloud — xclusivecloud.com)
and is doing postgraduate research in Cyber Threat Intelligence, server security isn't
theoretical for me — it's something I implement and maintain daily.
Here's a practical hardening checklist for cPanel/WHM servers, based on what actually
works in Nigerian hosting environments.
## 1. Enable and Configure CSF (ConfigServer Security & Firewall)
CSF is the go-to firewall for cPanel servers. Install it:
```bash
cd /usr/src
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
```
Critical CSF settings to change in `/etc/csf/csf.conf`:
```properties
TESTING = "0" # Disable test mode
LF_SSHD = "5" # Block IP after 5 failed SSH attempts
LF_CPANEL = "10" # Block after 10 failed cPanel logins
CT_LIMIT = "100" # Max connections per IP
```
## 2. Restrict SSH Access
Never leave SSH open to the world. In `/etc/ssh/sshd_config`:
```ssh
# Change from default 22
Port 2222
# Disable root SSH login
PermitRootLogin no
# Use key-based auth only
PasswordAuthentication no
MaxAuthTries 3
```
Generate and use SSH keys instead of passwords:
```bash
ssh-keygen -t ed25519 -C "xclusivecloud-server"
```
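
The settings in sections 1 and 2 depend on each other: once SSH moves to port 2222, CSF's inbound TCP list (`TCP_IN` in `csf.conf`) has to allow that port or the firewall will lock you out. The script below is an added example, not part of the original checklist; it reads both files and checks them against the values above. The function names and the sample files are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumes sshd_config has no
# Match blocks or Include files; the sample values in demo() are constructed.

# First uncommented value of a keyword (sshd uses the first value it reads).
sshd_value() {  # $1 = file, $2 = keyword
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Quoted value of a csf.conf setting such as TESTING = "0".
csf_value() {  # $1 = file, $2 = setting
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Succeeds if port $1 appears in TCP_IN list $2 (single ports or lo:hi ranges).
port_allowed() {
  echo "$2" | tr ',' '\n' | awk -F: -v p="$1" '
    NF == 1 && $1 + 0 == p + 0 { ok = 1 }
    NF == 2 && p + 0 >= $1 + 0 && p + 0 <= $2 + 0 { ok = 1 }
    END { exit !ok }'
}

# One PASS/FAIL line per check; exit status is the number of failed checks.
audit_ssh_csf() (  # $1 = sshd_config, $2 = csf.conf
  fails=0
  check() {  # $1 = description, rest = test command that succeeds when compliant
    desc=$1; shift
    if "$@"; then echo "PASS $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
  }
  port=$(sshd_value "$1" Port); port=${port:-22}            # sshd default port
  tries=$(sshd_value "$1" MaxAuthTries); tries=${tries:-6}  # sshd default
  check "SSH port moved off 22 (is $port)" [ "$port" != 22 ]
  check "PermitRootLogin no" [ "$(sshd_value "$1" PermitRootLogin)" = no ]
  check "PasswordAuthentication no" [ "$(sshd_value "$1" PasswordAuthentication)" = no ]
  check "MaxAuthTries <= 3 (is $tries)" [ "$tries" -le 3 ]
  check "CSF TESTING = 0" [ "$(csf_value "$2" TESTING)" = 0 ]
  check "SSH port $port open in CSF TCP_IN" port_allowed "$port" "$(csf_value "$2" TCP_IN)"
  exit "$fails"
)

# Constructed sample: the post's SSH values, but TCP_IN was never updated for 2222.
demo() {
  d=$(mktemp -d)
  printf 'Port 2222\nPermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n' > "$d/sshd_config"
  printf 'TESTING = "0"\nTCP_IN = "22,80,443,2083,2087"\n' > "$d/csf.conf"
  audit_ssh_csf "$d/sshd_config" "$d/csf.conf"; rc=$?
  rm -rf "$d"; return "$rc"
}
demo || echo "$? check(s) failed"
```

On a live server, call `audit_ssh_csf /etc/ssh/sshd_config /etc/csf/csf.conf` before restarting sshd or CSF, and keep an existing SSH session open until a new login on the new port succeeds.
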
## 3. Install ModSecurity WAF
In WHM → ModSecurity Tools, enable ModSecurity and install OWASP CRS rules:
```bash
/scripts/modsec_vendor_install
```
This blocks common web attacks: SQL injection, XSS, remote file inclusion, and directory
traversal, all of which are commonly aimed at Nigerian websites.
## 4. Enable cPGuard (Malware Scanner)
cPGuard integrates directly into cPanel and scans for malware across all hosted accounts.
Enable it in WHM → cPGuard Malware Scanner.
Set up automated daily scans and email alerts to: alert@yourdomain.com
## 5. Force HTTPS for All Hosted Sites
In WHM → Apache Configuration, ensure all cPanel accounts redirect HTTP → HTTPS:
In each user's cPanel → .htaccess:
```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```
## 6. Configure Automated Backups
In WHM → Backup Configuration:
- Enable: Yes
- Backup type: Compressed
- Daily backups: Retain 7 days
- Weekly backups: Retain 4 weeks
- Backup destination: Remote (S3 or Backblaze B2)
Never store backups only on the same server. One ransomware attack will encrypt both.
## 7. Disable Unused PHP Versions and Functions
In WHM → PHP Configuration:
- Only enable PHP versions your clients actually use (typically 8.1, 8.2)
- Disable dangerous functions in php.ini:
```ini
disable_functions = exec, passthru, shell_exec, system, proc_open, popen
```
## 8. Enable Two-Factor Authentication on WHM
WHM → Security Center → Two-Factor Authentication
This is mandatory. cPanel credentials are a primary target in credential stuffing attacks.
## 9. Monitor Login Attempts with LFD
CSF's Login Failure Daemon (LFD) monitors and blocks brute-force attacks. Configure
alerts to your email in csf.conf:
```properties
LF_ALERT_TO = "security@xclusivecloud.com"
LF_ALERT_FROM = "csf@yourserver.com"
```
## 10. Regular Security Audits
Monthly checklist:
- [ ] Run `rkhunter --check` to detect rootkits
- [ ] Review CSF block list for persistent attackers
- [ ] Check for accounts with weak passwords (WHM → Password Strength)
- [ ] Review error logs in `/usr/local/cpanel/logs/`
- [ ] Verify all SSL certificates are valid and auto-renewing
---
If you're running a Nigerian hosting business or self-hosting your own cPanel server,
implementing all of the above should be your first priority before onboarding clients.
I cover server security in more depth on the XclusiveCloud blog at xclusivecloud.com/blog —
including guides specific to Nigerian hosting environments.
What security measures are you running on your servers? Happy to discuss in the comments.