URL: https://dev.to/xclusiveclouds/how-to-harden-a-cpanelwhm-server-against-common-attacks-nigerian-hosting-guide-4h2c

# How to Harden a cPanel/WHM Server Against Common Attacks (Nigerian Hosting Guide)


As someone who runs a web hosting company in Nigeria (XclusiveCloud — xclusivecloud.com)
and is doing postgraduate research in Cyber Threat Intelligence, server security isn't
theoretical for me — it's something I implement and maintain daily.

Here's a practical hardening checklist for cPanel/WHM servers, based on what actually
works in Nigerian hosting environments.

## 1. Enable and Configure CSF (ConfigServer Security & Firewall)

CSF is the go-to firewall for cPanel servers. Install it:


```bash
cd /usr/src
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
```


Critical CSF settings to change in `/etc/csf/csf.conf`:


```properties
TESTING = "0" # Disable test mode
LF_SSHD = "5" # Block IP after 5 failed SSH attempts
LF_CPANEL = "10" # Block after 10 failed cPanel logins
CT_LIMIT = "100" # Max connections per IP
```

## 2. Restrict SSH Access

Never leave SSH open to the world. In `/etc/ssh/sshd_config`:


```ssh
# Change from default 22
Port 2222
# Disable root SSH login
PermitRootLogin no
# Use key-based auth only
PasswordAuthentication no
MaxAuthTries 3
```

Generate and use SSH keys instead of passwords:


```bash
ssh-keygen -t ed25519 -C "xclusivecloud-server"
```


## 3. Install ModSecurity WAF

In WHM → ModSecurity Tools, enable ModSecurity and install OWASP CRS rules:


```bash
/scripts/modsec_vendor_install
```


This blocks common web attacks: SQL injection, XSS, remote file inclusion, and directory
traversal — all of which are common targets for Nigerian websites.

## 4. Enable cPGuard (Malware Scanner)

cPGuard integrates directly into cPanel and scans for malware across all hosted accounts.
Enable it in WHM → cPGuard Malware Scanner.

Set up automated daily scans and email alerts to: alert@yourdomain.com

## 5. Force HTTPS for All Hosted Sites

In WHM → Apache Configuration, ensure all cPanel accounts redirect HTTP → HTTPS:

In each user's cPanel → .htaccess:


```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```


## 6. Configure Automated Backups

In WHM → Backup Configuration:
- Enable: Yes
- Backup type: Compressed
- Daily backups: Retain 7 days
- Weekly backups: Retain 4 weeks
- Backup destination: Remote (S3 or Backblaze B2)

Never store backups only on the same server. One ransomware attack will encrypt both.

## 7. Disable Unused PHP Versions and Functions

In WHM → PHP Configuration:
- Only enable PHP versions your clients actually use (typically 8.1, 8.2)
- Disable dangerous functions in php.ini:


```ini
disable_functions = exec, passthru, shell_exec, system, proc_open, popen
```

## 8. Enable Two-Factor Authentication on WHM

WHM → Security Center → Two-Factor Authentication

This is mandatory. cPanel credentials are a primary target in credential stuffing attacks.

## 9. Monitor Login Attempts with LFD

CSF's Login Failure Daemon (LFD) monitors and blocks brute-force attacks. Configure
alerts to your email in csf.conf:


```properties
LF_ALERT_TO = "security@xclusivecloud.com"
LF_ALERT_FROM = "csf@yourserver.com"
```

## 10. Regular Security Audits

Monthly checklist:
- [ ] Run `rkhunter --check` to detect rootkits
- [ ] Review CSF block list for persistent attackers
- [ ] Check for accounts with weak passwords (WHM → Password Strength)
- [ ] Review error logs in `/usr/local/cpanel/logs/`
- [ ] Verify all SSL certificates are valid and auto-renewing
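
A drift check for the SSH and CSF values from sections 1 and 2, written as an added example for this checklist (it is not from the original post). The function names, the `TCP_IN` cross-check against the SSH port, and the sample files are this example's own assumptions; pass your real `sshd_config` and `csf.conf` paths as the two arguments.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit the sshd_config and
# csf.conf values this guide sets. Function names are this example's own.

# sshd uses the FIRST value it reads for a keyword; keywords are case-insensitive.
sshd_val() {  # $1=file $2=keyword
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# csf.conf lines look like: NAME = "value"
csf_val() {  # $1=file $2=name
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

check() {  # $1=label $2=actual $3=expected; bumps the global FAILS on mismatch
  if [ "$2" = "$3" ]; then echo "PASS $1 = $2"
  else echo "FAIL $1 = ${2:-<unset>} (guide value: $3)"; FAILS=$((FAILS + 1)); fi
}

audit_hardening() {  # $1=sshd_config $2=csf.conf; exit status = failed checks
  FAILS=0
  check PermitRootLogin "$(sshd_val "$1" PermitRootLogin)" no
  check PasswordAuthentication "$(sshd_val "$1" PasswordAuthentication)" no
  check MaxAuthTries "$(sshd_val "$1" MaxAuthTries)" 3
  check TESTING "$(csf_val "$2" TESTING)" 0
  check LF_SSHD "$(csf_val "$2" LF_SSHD)" 5
  # Lockout guard: the sshd port must be allowed inbound in CSF's TCP_IN
  # (plain port numbers only; start:end ranges are not expanded here).
  port="$(sshd_val "$1" Port)"; port="${port:-22}"
  case ",$(csf_val "$2" TCP_IN)," in
    *",$port,"*) echo "PASS Port $port is in TCP_IN" ;;
    *) echo "FAIL Port $port is not in TCP_IN"; FAILS=$((FAILS + 1)) ;;
  esac
  return "$FAILS"
}

# Constructed sample files: SSH moved to 2222, but CSF still only allows 22.
write_sample() {  # $1=directory
  printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'MaxAuthTries 3' > "$1/sshd_config"
  printf '%s\n' 'TESTING = "0"' 'LF_SSHD = "5"' 'TCP_IN = "22,80,443,2087"' \
    > "$1/csf.conf"
}

if [ "$#" -eq 2 ]; then audit_hardening "$1" "$2"
else d="$(mktemp -d)"; write_sample "$d"
  audit_hardening "$d/sshd_config" "$d/csf.conf" || true; rm -rf "$d"
fi
```

On the constructed sample the only failure is the port check, which is the case that locks you out when sshd is restarted on the new port before CSF allows it.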

---

If you're running a Nigerian hosting business or self-hosting your own cPanel server,
implementing all of the above should be your first priority before onboarding clients.

I cover server security in more depth on the XclusiveCloud blog at xclusivecloud.com/blog —
including guides specific to Nigerian hosting environments.

What security measures are you running on your servers? Happy to discuss in the comments.