{"id":76669,"date":"2026-06-04T15:01:20","date_gmt":"2026-06-04T13:01:20","guid":{"rendered":"https:\/\/tremhost.com\/blog\/?p=76669"},"modified":"2026-06-04T15:01:20","modified_gmt":"2026-06-04T13:01:20","slug":"how-to-secure-a-cpanel-vps-server-12-step-hardening-checklist","status":"publish","type":"post","link":"https:\/\/tremhost.com\/blog\/how-to-secure-a-cpanel-vps-server-12-step-hardening-checklist\/","title":{"rendered":"How to Secure a cPanel VPS Server: 12-Step Hardening Checklist"},"content":{"rendered":"<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">A freshly provisioned cPanel VPS is powerful \u2014 and vulnerable. Default configurations are designed for compatibility, not security. Attackers scan the entire internet for open ports, default passwords, and unpatched services every single day. This checklist covers the 12 most important steps to harden your server before you put a single client site on it.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Each step is ranked by priority. Complete them in order. If you\u2019re on a Tremhost Fully Managed VPS, steps 1\u20134 and 7\u20138 are handled for you \u2014 but it\u2019s worth understanding what\u2019s been done and verifying the configuration yourself.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Step 1 \u2014 Change the Default SSH Port<\/strong> | Priority: Critical<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Port 22 is hammered by automated bots every minute of every day. Moving SSH to a non-standard port (anything between 1024\u201365535, e.g. 
2299) eliminates the vast majority of brute force attempts without any security software required.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">How to do it: Edit \/etc\/ssh\/sshd_config, find the line that reads #Port 22, remove the leading # and change 22 to your chosen port number, then restart SSH with: systemctl restart sshd<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Important: Before restarting, open the new port in your firewall (CSF) and update the SSH port in WHM under Security Center. Don\u2019t lock yourself out.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Step 2 \u2014 Disable Root SSH Login<\/strong> | Priority: Critical<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">If an attacker gains SSH access as root, the server is fully compromised. Create a non-root user with sudo privileges, log in as that user, then disable root SSH entirely.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">How to do it: Create a new admin user with adduser and add them to the wheel group with usermod -aG wheel. Then in \/etc\/ssh\/sshd_config, set PermitRootLogin to no and restart SSH. Always test your new sudo user in a separate terminal before closing the root session.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Step 3 \u2014 Enable SSH Key Authentication, Disable Password Login<\/strong> | Priority: Critical<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Password brute-force attacks are common and effective. SSH key pairs make this entire class of attack mathematically impossible. 
Generate a key pair on your local machine using ssh-keygen -t ed25519, upload the public key to your server with ssh-copy-id, then in \/etc\/ssh\/sshd_config set PasswordAuthentication to no and PubkeyAuthentication to yes.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Important: Back up your private key. If you lose it with password auth disabled, you\u2019ll need console access to recover the server.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Step 4 \u2014 Configure CSF Firewall<\/strong> | Priority: Critical<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">CSF (ConfigServer Security & Firewall) is the standard firewall for cPanel servers. It integrates directly with WHM and provides both IP-level blocking and login failure detection. The default configuration is too permissive \u2014 tighten it by setting TESTING to 0, restricting TCP_IN to only the ports your server actually needs, setting LF_TRIGGER to 5 (block after 5 failed logins), and CT_LIMIT to 300 (max connections per IP).<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Immediately add your own IP address to the CSF whitelist (csf.allow) before making any changes.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Step 5 \u2014 Enable cPHulk Brute Force Protection<\/strong> | Priority: High<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">cPHulk is cPanel\u2019s built-in brute force protection. It monitors login attempts across all cPanel services \u2014 including webmail, FTP, and the WHM interface \u2014 and blocks repeat offenders.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Enable it via WHM \u2192 Security Center \u2192 cPHulk Brute Force Protection. 
Set the maximum failures per IP to 5, block period to 3600 seconds, and maximum failures per account to 10. Add your own IP to the whitelist before enabling.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Step 6 \u2014 Keep Everything Updated<\/strong> | Priority: High<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">The majority of successful server attacks exploit known vulnerabilities that already have patches available. Running outdated software is one of the most preventable security failures on VPS servers.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Update all system packages regularly using yum update -y (CentOS\/AlmaLinux) or apt update && apt upgrade -y (Ubuntu\/Debian). Update cPanel\/WHM itself using \/scripts\/upcp. In WHM, set automatic updates to Automatic under WHM \u2192 Update Preferences for both version updates and security patches.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Step 7 \u2014 Install Malware Scanning (Imunify360 or ClamAV)<\/strong> | Priority: High<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Real-time malware detection prevents compromised sites from spreading to other accounts on your server. Imunify360 is the gold standard \u2014 it combines malware scanning, intrusion detection, a web application firewall, and reputation-based IP blocking in a single WHM-integrated dashboard. It is included on all Tremhost Fully Managed VPS plans.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">If you\u2019re on a semi-managed plan, install ClamAV free via WHM \u2192 Manage Plugins, or purchase an Imunify360 licence for more advanced protection. 
Schedule daily scans and set up email alerts on detection.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Step 8 \u2014 Install CloudLinux for Account Isolation<\/strong> | Priority: High<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">On a standard Linux VPS, all cPanel accounts share the same OS environment. One compromised WordPress site can escalate to affect every other account. CloudLinux adds kernel-level isolation (CageFS) that puts each cPanel account in its own virtual environment, completely separated from others.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">CloudLinux also adds LVE resource limits, preventing one account from consuming all server CPU or RAM and taking down everyone else. It is included on all Tremhost Fully Managed VPS plans. On semi-managed plans, a CloudLinux licence costs around $13\/month \u2014 one of the best security investments for any shared hosting server.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Step 9 \u2014 Force SSL on WHM, cPanel, and Webmail<\/strong> | Priority: High<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">WHM and cPanel are accessible over HTTPS by default, but users can still connect on insecure ports. Force HTTPS-only under WHM \u2192 Tweak Settings \u2192 Always redirect to SSL. Install a valid SSL certificate on your server hostname via WHM \u2192 SSL\/TLS \u2192 Manage SSL Hosts \u2192 Install Let\u2019s Encrypt.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Enable AutoSSL to automatically provision and renew Let\u2019s Encrypt certificates for every domain hosted on your server. 
Your clients get HTTPS without any manual work from you or them.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Step 10 \u2014 Enable Two-Factor Authentication on WHM and cPanel<\/strong> | Priority: Medium<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Two-factor authentication is one of the most effective single security controls available. Even if a password is phished or leaked, 2FA stops unauthorised logins without physical access to the authenticator device.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Enable it via WHM \u2192 Security Center \u2192 Two-Factor Authentication. You can enforce 2FA for all cPanel accounts system-wide. Use Google Authenticator, Authy, or any TOTP app. Store your backup codes securely \u2014 losing access to your authenticator without backup codes requires console access to recover.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Step 11 \u2014 Configure Automated Off-Server Backups and Test Them<\/strong> | Priority: Medium<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Backups are your last line of defence against ransomware, accidental deletion, and catastrophic failures. A backup stored on the same VPS is destroyed if the server is compromised \u2014 always store backups off-server, using an S3-compatible bucket, Backblaze B2, or a separate VPS.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Configure backups in WHM \u2192 Backup \u2192 Backup Configuration. Set daily backups with 7-day retention and weekly backups with 4-week retention. Schedule them at 3 AM or another low-traffic window.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Most importantly: test a restore at least once a month. 
Pick a random account, restore it to a test domain, and verify files and database are intact. An untested backup is not a backup.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Step 12 \u2014 Audit Running Services and Set Up Log Monitoring<\/strong> | Priority: Recommended<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Every running service is a potential attack vector. Run ss -tlnp or netstat -tulnp to list everything listening on your server and disable anything you don\u2019t use via WHM \u2192 Service Manager. Common candidates include FTP (replace with SFTP) and any mail service if you\u2019re not hosting email.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Set up log monitoring to catch suspicious activity early. Install Logwatch (yum install logwatch) for daily emailed log digests. Set up an uptime monitor using a tool like UptimeRobot, Better Uptime, or Freshping \u2014 sudden unexpected downtime is often a sign of an active attack or compromise.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Priority Summary<\/strong><\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Steps 1\u20134 (Critical): Complete before putting any site online. These prevent the most common and most damaging attack classes.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Steps 5\u20139 (High): Complete within 24 hours of provisioning. Cover brute force protection, updates, malware scanning, account isolation, and SSL.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Steps 10\u201311 (Medium): Complete within the first week. 
Two-factor authentication and off-server backups are foundational to long-term security.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Step 12 (Recommended): Ongoing. Service auditing and log monitoring are habits, not one-time tasks.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><strong>Skip Steps 1\u20138 \u2014 Get a Tremhost Managed VPS<\/strong><\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Tremhost Fully Managed VPS ships with CloudLinux, Imunify360, CSF firewall, LiteSpeed web server, automated cPanel updates, and 24\/7 WhatsApp support \u2014 all pre-configured and hardened from day one. Unlimited cPanel accounts, NVMe storage, and root access included.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><a class=\"underline underline underline-offset-2 decoration-1 decoration-current\/40 hover:decoration-current focus:decoration-current\" href=\"https:\/\/tremhost.com\/clientarea\/store\/virtual-private-server\">View Managed VPS Plans \u2192<\/a><\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Fully Managed from $50\/month \u00b7 Semi-Managed from $228\/year \u00b7 $7 setup fee<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A freshly provisioned cPanel VPS is powerful \u2014 and vulnerable. Default configurations are designed for compatibility, not security. Attackers scan the entire internet for open ports, default passwords, and unpatched services every single day. This checklist covers the 12 most important steps to harden your server before you put a single client site on it. 
[&hellip;]<\/p>\n","protected":false},"author":226,"featured_media":76670,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[49],"tags":[],"class_list":["post-76669","post","type-post","status-publish","format-standard","has-post-thumbnail","category-tips"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/posts\/76669","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/users\/226"}],"replies":[{"embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/comments?post=76669"}],"version-history":[{"count":1,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/posts\/76669\/revisions"}],"predecessor-version":[{"id":76671,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/posts\/76669\/revisions\/76671"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/media\/76670"}],"wp:attachment":[{"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/media?parent=76669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/categories?post=76669"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/tags?post=76669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}