How to Secure a cPanel VPS Server: 12-Step Hardening Checklist

A freshly provisioned cPanel VPS is powerful — and vulnerable. Default configurations are designed for compatibility, not security. Attackers scan the entire internet for open ports, default passwords, and unpatched services every single day. This checklist covers the 12 most important steps to harden your server before you put a single client site on it.

Each step is ranked by priority. Complete them in order. If you’re on a Tremhost Fully Managed VPS, steps 1–4 and 7–8 are handled for you — but it’s worth understanding what’s been done and verifying the configuration yourself.

Step 1 — Change the Default SSH Port | Priority: Critical

Port 22 is hammered by automated bots every minute of every day. Moving SSH to a non-standard port (any unused port between 1024 and 65535, e.g. 2299) eliminates the vast majority of brute force attempts without any security software required. Note that this only hides SSH from untargeted scans; Steps 2 and 3 are what make the service resistant to an attacker who finds the new port.

How to do it: Edit /etc/ssh/sshd_config, find the line that reads #Port 22, and change it to Port followed by your chosen number with the leading # removed (e.g. Port 2299), then restart SSH with: systemctl restart sshd

Important: Before restarting, open the new port in your firewall (CSF), update the SSH port in WHM under Security Center, and check the edited file with sshd -t. Keep your current session open and confirm from a second terminal that you can log in on the new port. Don’t lock yourself out.

Step 2 — Disable Root SSH Login | Priority: Critical

If an attacker gains SSH access as root, the server is fully compromised. Create a non-root user with sudo privileges, log in as that user, then disable root SSH entirely.

How to do it: Create a new admin user with adduser and add them to the wheel group with usermod -aG wheel (on Ubuntu/Debian the equivalent group is sudo). Then in /etc/ssh/sshd_config, set PermitRootLogin to no and restart SSH. Always test your new sudo user in a separate terminal before closing the root session.

Step 3 — Enable SSH Key Authentication, Disable Password Login | Priority: Critical

Password brute-force attacks are common and effective. SSH key pairs remove this entire class of attack: with password logins disabled there is no password to guess, and a modern private key is far too large to brute-force. Generate a key pair on your local machine using ssh-keygen -t ed25519, upload the public key to your server with ssh-copy-id, then in /etc/ssh/sshd_config set PasswordAuthentication to no and PubkeyAuthentication to yes, and restart SSH.

Important: Back up your private key. If you lose it with password auth disabled, you’ll need console access to recover the server.

Step 4 — Configure CSF Firewall | Priority: Critical

CSF (ConfigServer Security & Firewall) is the standard firewall for cPanel servers. It integrates directly with WHM and provides both IP-level blocking and login failure detection. The default configuration is too permissive — tighten it by setting TESTING to 0 (otherwise the firewall is cleared by cron every few minutes), restricting TCP_IN to only the ports your server actually needs (including your new SSH port from Step 1), setting LF_TRIGGER to 5 (block an IP after 5 failed logins), and CT_LIMIT to 300 (maximum concurrent connections per IP before it is blocked).

Before changing anything else, add your own IP address to the CSF whitelist (csf.allow) so that a mistake in the new rules cannot block you.
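Steps 1 to 4 all come down to editing sshd_config without locking yourself out. The script below is an added example, not part of the original post: it applies the Step 1 to 3 settings to a config file, but refuses to touch it unless the new port already appears in CSF's TCP_IN. File paths are arguments so it can be tried on copies first; the function names are this example's own.

```shell
#!/bin/sh
# Added example: write the Steps 1-3 sshd settings only after confirming that
# CSF (Step 4) already allows the new port. Paths are passed in so the
# functions can be exercised on copies of the real files.

# set_sshd_opt FILE KEY VALUE: turn an existing "KEY ..." or "#KEY ..." line
# into "KEY VALUE", or append it if the key is absent. Safe to run twice.
# (If your file ends with a Match block, move appended keys above it.)
set_sshd_opt() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# csf_port_open CSFCONF PORT: succeeds only if PORT is listed in TCP_IN.
csf_port_open() {
    tcp_in=$(sed -n -E 's/^TCP_IN[[:space:]]*=[[:space:]]*"([^"]*)".*/\1/p' "$1")
    printf '%s\n' "$tcp_in" | tr ',' '\n' | grep -qx "$2"
}

# harden_sshd SSHDCONF CSFCONF PORT: back up the config and write the Step 1-3
# settings; returns 1 and changes nothing if CSF does not yet allow PORT.
harden_sshd() {
    conf=$1; csf=$2; port=$3
    csf_port_open "$csf" "$port" || return 1
    cp "$conf" "$conf.bak"
    set_sshd_opt "$conf" Port "$port"
    set_sshd_opt "$conf" PermitRootLogin no
    set_sshd_opt "$conf" PasswordAuthentication no
    set_sshd_opt "$conf" PubkeyAuthentication yes
}

# On the real host, after reviewing the diff against the .bak file:
#   harden_sshd /etc/ssh/sshd_config /etc/csf/csf.conf 2299 \
#     && sshd -t && systemctl restart sshd
```

Run the final restart from a session you keep open, and only close it once a login on the new port from a second terminal has succeeded.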

Step 5 — Enable cPHulk Brute Force Protection | Priority: High

cPHulk is cPanel’s built-in brute force protection. It monitors login attempts across all cPanel services — including webmail, FTP, and the WHM interface — and blocks repeat offenders.

Enable it via WHM → Security Center → cPHulk Brute Force Protection. Set the maximum failures per IP to 5, block period to 3600 seconds, and maximum failures per account to 10. Add your own IP to the whitelist before enabling.

Step 6 — Keep Everything Updated | Priority: High

The majority of successful server attacks exploit known vulnerabilities that already have patches available. Running outdated software is one of the most preventable security failures on VPS servers.

Update all system packages regularly using yum update -y (CentOS/AlmaLinux) or apt update && apt upgrade -y (Ubuntu/Debian). Update cPanel/WHM itself using /scripts/upcp. In WHM, set automatic updates to Automatic under WHM → Update Preferences for both version updates and security patches.

Step 7 — Install Malware Scanning (Imunify360 or ClamAV) | Priority: High

Real-time malware detection prevents compromised sites from spreading to other accounts on your server. Imunify360 is the gold standard — it combines malware scanning, intrusion detection, a web application firewall, and reputation-based IP blocking in a single WHM-integrated dashboard. It is included on all Tremhost Fully Managed VPS plans.

If you’re on a semi-managed plan, install ClamAV free via WHM → Manage Plugins, or purchase an Imunify360 licence for more advanced protection. Schedule daily scans and set up email alerts on detection.

Step 8 — Install CloudLinux for Account Isolation | Priority: High

On a standard Linux VPS, all cPanel accounts share the same OS environment. One compromised WordPress site can escalate to affect every other account. CloudLinux adds kernel-level isolation (CageFS) that puts each cPanel account in its own virtual environment, completely separated from others.

CloudLinux also adds LVE resource limits, preventing one account from consuming all server CPU or RAM and taking down everyone else. It is included on all Tremhost Fully Managed VPS plans. On semi-managed plans, a CloudLinux licence costs around $13/month — one of the best security investments for any shared hosting server.

Step 9 — Force SSL on WHM, cPanel, and Webmail | Priority: High

WHM and cPanel are accessible over HTTPS by default, but users can still connect on insecure ports. Force HTTPS-only under WHM → Tweak Settings → Always redirect to SSL. Install a valid SSL certificate on your server hostname via WHM → SSL/TLS → Manage SSL Hosts → Install Let’s Encrypt.

Enable AutoSSL to automatically provision and renew Let’s Encrypt certificates for every domain hosted on your server. Your clients get HTTPS without any manual work from you or them.

Step 10 — Enable Two-Factor Authentication on WHM and cPanel | Priority: Medium

Two-factor authentication is one of the most effective single security controls available. Even if a password is phished or leaked, 2FA stops unauthorised logins unless the attacker also holds the authenticator device.

Enable it via WHM → Security Center → Two-Factor Authentication. You can enforce 2FA for all cPanel accounts system-wide. Use Google Authenticator, Authy, or any TOTP app. Store your backup codes securely — losing access to your authenticator without backup codes requires console access to recover.

Step 11 — Configure Automated Off-Server Backups and Test Them | Priority: Medium

Backups are your last line of defence against ransomware, accidental deletion, and catastrophic failures. A backup stored on the same VPS is destroyed if the server is compromised — always store backups off-server, using an S3-compatible bucket, Backblaze B2, or a separate VPS.

Configure backups in WHM → Backup → Backup Configuration. Set daily backups with 7-day retention and weekly backups with 4-week retention. Schedule them at 3 AM or another low-traffic window.

Most importantly: test a restore at least once a month. Pick a random account, restore it to a test domain, and verify that the files and databases are intact. An untested backup is not a backup.

Step 12 — Audit Running Services and Set Up Log Monitoring | Priority: Recommended

Every running service is a potential attack vector. Run ss -tlnp or netstat -tulnp to list everything listening on your server and disable anything you don’t use via WHM → Service Manager. Common candidates include FTP (replace with SFTP) and any mail service if you’re not hosting email.

Set up log monitoring to catch suspicious activity early. Install Logwatch (yum install logwatch) for daily emailed log digests. Set up an uptime monitor using a tool like UptimeRobot, Better Uptime, or Freshping — sudden unexpected downtime is often a sign of an active attack or compromise.
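The kind of check a daily log digest should surface, as an added example that is not part of the original post: it reads sshd entries from the auth log (/var/log/secure on CentOS/AlmaLinux, /var/log/auth.log on Ubuntu/Debian), reports sources with repeated failed passwords, any login that succeeded from such a source, and any accepted password login at all, which Step 3 should have made impossible. The sample log lines are constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example: a small sshd audit over an auth log, with constructed sample
# lines. Thresholds and names are this example's choices, not cPanel's.

# sample_secure_log: constructed entries in the traditional syslog format.
sample_secure_log() {
    cat <<'EOF'
Mar  3 04:12:01 vps sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 04:12:03 vps sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 04:12:05 vps sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 04:12:07 vps sshd[2105]: Failed password for invalid user admin from 203.0.113.5 port 51244 ssh2
Mar  3 04:12:09 vps sshd[2107]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar  3 04:12:30 vps sshd[2109]: Accepted password for root from 203.0.113.5 port 51260 ssh2
Mar  3 05:01:00 vps sshd[2200]: Failed password for invalid user test from 198.51.100.9 port 40001 ssh2
Mar  3 06:00:00 vps sshd[2300]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:constructed
EOF
}

# ssh_audit LOG LIMIT: prints sorted lines of three kinds:
#   BRUTE IP COUNT                 - IP with at least LIMIT failed passwords
#   SUCCESS_AFTER_FAILURES USER IP - accepted login from an IP that had already
#                                    failed LIMIT or more times
#   PASSWORD_LOGIN USER IP         - any accepted password login (should be none
#                                    once PasswordAuthentication is off)
ssh_audit() {
    awk -v limit="$2" '
        # sshd lines read "... for USER from IP port N ..."; locate "from".
        function src(   i) { for (i = 1; i <= NF; i++) if ($i == "from") return i; return 0 }
        /sshd\[[0-9]+\]: Failed password for/ { j = src(); if (j) fails[$(j+1)]++ }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            j = src(); user = $(j-1); ip = $(j+1)
            if ($0 ~ /Accepted password/) print "PASSWORD_LOGIN", user, ip
            if (fails[ip] >= limit) print "SUCCESS_AFTER_FAILURES", user, ip
        }
        END { for (ip in fails) if (fails[ip] >= limit) print "BRUTE", ip, fails[ip] }
    ' "$1" | sort
}

# Usage on a real host: ssh_audit /var/log/secure 5
```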

Priority Summary

Steps 1–4 (Critical): Complete before putting any site online. These prevent the most common and most damaging attack classes.

Steps 5–9 (High): Complete within 24 hours of provisioning. Cover brute force protection, updates, malware scanning, account isolation, and SSL.

Steps 10–11 (Medium): Complete within the first week. Two-factor authentication and off-server backups are foundational to long-term security.

Step 12 (Recommended): Ongoing. Service auditing and log monitoring are habits, not one-time tasks.

Skip Steps 1–8 — Get a Tremhost Managed VPS

Tremhost Fully Managed VPS ships with CloudLinux, Imunify360, CSF firewall, LiteSpeed web server, automated cPanel updates, and 24/7 WhatsApp support — all pre-configured and hardened from day one. Unlimited cPanel accounts, NVMe storage, and root access included.

[View Managed VPS Plans →] (link to: https://tremhost.com/clientarea/store/virtual-private-server)

Fully Managed from $50/month · Semi-Managed from $228/year · $7 setup fee
