Sites were up, clients were happy, nobody touched anything. Sound familiar?
Here's what the audit revealed:
OpenSSH vulnerable to a remote code execution CVE — the kind you patch the day it's announced, not years later.
SSH open to the world on port 22, root login enabled, password authentication on — brute-force waiting to happen.
PHP versions EOL'd long ago, still serving production sites. No brute-force protection beyond cPHulk defaults.
Backups configured but never test-restored. Two were silently failing. Nobody knew.
None of this is exotic. This is what most long-running cPanel servers look like when nobody owns them.
So here's the audit checklist I use — run it on your own server this week. It takes about an hour.
Are you running vulnerable services?
The single highest-impact check. Start with SSH, since it's the front door:
ssh -V
Compare against the OpenSSH release notes and check the version against known CVEs. If you're on a years-old version, assume it's vulnerable.
On AlmaLinux/CloudLinux/RHEL-family — which is what cPanel runs on — check what security updates are pending:
yum updateinfo list security all
If that list is long, that's your priority for the week. Don't cherry-pick — patch everything.
Harden SSH (15 minutes, massive payoff)
Edit /etc/ssh/sshd_config:
# Move off the default port (reduces noise) Port 2222 # No root over SSH. Ever. Use a sudo user. PermitRootLogin no # Keys only. Passwords get brute-forced. PasswordAuthentication no PubkeyAuthentication yes # Limit who can even try AllowUsers youradminuser
Then restart:
systemctl restart sshd
Important: Test the new connection in a second terminal before closing your current session. Locking yourself out of a production server is a rite of passage you can skip.
Better yet: restrict SSH access to your IP at the firewall level, so the rest of the internet can't even reach the port.
Install and actually configure a firewall
cPanel servers should be running CSF/LFD (ConfigServer Security & Firewall). It's free and integrates directly into WHM:
cd /usr/src wget https://download.configserver.com/csf.tgz tar -xzf csf.tgz cd csf && sh install.sh
The minimum to configure after installation:
- Set
TESTING = "0"once you've confirmed you're not locked out - Close every port you don't use — a typical cPanel server needs far fewer open ports than the default
- Enable LFD login failure detection for SSH, FTP, mail, and cPanel itself
- Set
LF_PERMBLOCK = "1"for repeat offenders
Audit your PHP versions
Run this in WHM → MultiPHP Manager, or from the shell:
whmapi1 php_get_installed_versions
Anything EOL (check php.net/supported-versions) is unpatched attack surface. On a shared server, one compromised site is a problem for every site on that server.
Move accounts off EOL versions. If a client's site "needs" PHP 7.4 in 2026, that's a conversation about updating the site — not a reason to keep the server vulnerable.
Test a backup restore. Today.
A backup you've never restored is a hope, not a backup.
Whatever you use — cPanel's native backups, JetBackup, rsync scripts — do this:
- Pick one account
- Restore it to a test location (JetBackup can restore to an alternate account)
- Verify: files there? Database imports? Emails intact?
The agency server had backups "running" for months. Two accounts were silently failing on a database dump error. Nobody knew — because nobody had ever restored one.
While you're at it, check the 3-2-1 basics: are backups stored off the server? A backup on the same disk as production protects you from nothing that matters.
Check who can do what
# Who has shell access? grep -v '/sbin/nologin\|/bin/false' /etc/passwd # Who's in the wheel/sudo group? grep wheel /etc/group
Also check WHM → Edit Reseller Nameservers and Privileges. Audit reseller ACLs — "All features" granted years ago for convenience is privilege escalation waiting to happen.
The quiet ones people skip
- Symlink protection — enable in WHM (EasyApache → Apache symlink protection) so one compromised account can't read other accounts' files
- ModSecurity — should be on, with the OWASP CRS or Comodo ruleset
- cPHulk — enabled, with country-level blocking if your users are geographically predictable
- Disable unused services —
systemctl list-units --type=service --state=runningand ask yourself why each one is there - /tmp mounted with noexec,nosuid — classic and still effective
The real takeaway
None of these steps are hard. The problem is never the difficulty — it's that nobody owns the server.
Sites get built, deployed, and forgotten. The server hums along until the day it doesn't — and that day is expensive: downtime, blacklisted IPs, compromised client data, weekend recovery marathons.
If you're a developer or agency running your own WHM/cPanel box: block one hour, run this checklist, and write down what you find. Worst case, you confirm you're in good shape. Best case, you find the problem before someone else does.
Want me to run this audit on your server?
I offer a free external audit — no server access needed. Full report in 48 hours, no commitment.
Book Free Server Audit →