Making Websites

cPanel Security Tips for a Safer Website

Cai EllisRobert Brandl

By Cai & Robert

cPanel is one of the most popular control panels widely used among web hosting providers and trusted by webmasters worldwide to assist them in managing their web hosting account and website. According to cPanel, a cPanel hosting account is created online every 14.5 seconds. Because cPanel is so popular, it’s also a popular target for hackers to attack. Hacks to a website can be detrimental to anyone, which is why website security is so vital.

Where to Start in Securing Your Website with the cPanel Platform?

At first glance, cPanel may appear complicated and challenging – it even has a whole section dedicated to security! Fortunately, securing your website is fairly simple with cPanel. Here are some great tips to get you jump started with a safe and secure cPanel.

Tip 1: Use Strong, Frequently-Updated Passwords

One can’t stress enough the importance of having a strong password to log into cPanel with. Create a password that contains a variety of characters, including letters, numbers, & symbols. The longer you password is, the better. Use a password that cPanel considers to be “Very Strong”.

Creating a strong cpanel password

Frequently updating your cPanel password is advisable for website security. You should update your password every few months or even more frequently. Also, remember to always use different passwords for the rest of your site, such as your web hosting account, ftp accounts, or even website logins.

Tip 2: Securely Upload Files with FTPS or SFTP

What is the most secure way to transfer files to your hosting server? FTP without SSL does not encrypt your login credentials or files being transferred. This means that they could potentially be intercepted and files could even modified by a hacker. Most hosting providers and file transfer applications support more secure methods to transfer files, such as FTPS (FTP over a secure connection) and SFTP (FTP over SSH). These methods significantly improve security by ensuring that your credentials and all of your files are encrypted while being sent to the server.

Tip 3: Enable Hotlink Protection

In order for your website to contain images, you need to store them somewhere on your server. What stops someone from finding the URL to that image and then directly embedding it onto another website that you don’t own? This steals from your own bandwidth resources. This is called “hotlinking”. The hotlinking problem exists for any file type, not just images. cPanel provides a simple solution called “Hotlink Protection” which protects your files from being embedded on a third-party website.

  1. Go to the “Security” section and click “Hotlink Protection”. Ensure that it is enabled.
  2. If there are any other domain names that must have access to your files, add them to “URLs to allow access”. Note that cPanel will automatically include your website’s domain name.
  3. Within “Block direct access for the following extensions”, enter a list of file types you want to protect from hotlinking. For a quick start, enter the following list to prevent hotlinking of images, several popular media formats, and some other file types: jpg,jpeg,gif,png,bmp,mov,mp4,mp3,wav,wmv,webm,ogg,swf,xml,pdf,js,css,ico,txt
  4. Check “Allow direct requests”. Keeping this unchecked may cause issues with your website’s functionality.

Tip 4: Create Limited-Functionality Database Users

In order for your website to access a database, you must supply database user credentials. Which credentials should you use? If your hosting company provided credentials for the “root” database user, never use these within your application’s code. The root user gives full access to your database, which can cause security vulnerabilities. cPanel provides an option to create database users that are limited to specific functionality for each database.

  1. Go to the “Databases” section. For MySQL databases, click “MySQL Databases”. For PostgreSQL databases, click “PostgreSQL Databases”.
  2. In the page that appears, fill out the required fields in the “Add New User” section. Keep note of the inputted username and password – you will need them later.
  3. You now need to associate the user you created with your application’s database. In the “Add User to Database” section, select your application’s database and the user you just created. Click “Add”.
  4. In the screen that appears, select only the database privileges that your user needs. Limiting functionality to INSERT, SELECT, UPDATE, and DELETE is usually acceptable for an application.
  5. Add the newly-created user credentials to the application’s code. You should store these credentials in a secure location. (See the following section.)

Tip 5: Store Credentials Outside of the Web Root

If your website has any dynamic content (sending emails, storing to a database, etc.), you likely need to store credentials somewhere on your server. You should always store credentials outside of the public website folder for security. Servers using cPanel usually store all public website files in a folder named “public_html”. Every file outside of this folder is not publicly accessible. For this reason, always store your credentials files outside of the “public_html” folder. Your backend processor (such as PHP) can still reference the credentials when needed.

  1. Go to the Files section and click “File Manager”.
  2. Select “Home Directory” and click “Go”.
  3. Create a new folder in the home directory (outside of the “public_html” directory) and store all of your credentials within the newly-created folder.

To access these credentials from your application, create a relative reference to them. For example, a PHP file directly within the “public_html” folder can access the credentials using the code “require_once(“../credentials_folder/credentials”);”. The “../” moves directory traversal to the home directory (the directory that contains “public_html”). The credentials are accessed within a folder named “credentials_folder”.

Tip 6: Disable File Indexing

File indexing is a public listing of all of the files in a specific folder on your server. For example, if in your public website folder you have a folder named “purchase”, and there is no index file within that folder, then browsing to “” would list all of the files in the folder if file indexing is enabled. This is a security threat since a listing your files can assist in hacking. Follow these steps to disable file indexing:

  1. Go to the Preferences section and click “Indexes”.
  2. Select “Web Root (public_html/www)” and Click “Go”.
  3. Click the “public_html” text link (don’t click the folder icon). This is the first link in the list.
  4. In the page that appears, select “No Indexing” and click “Save”.

Tip 7: Password-Protecting Files

If you have files that you want to share with a limited group of people, cPanel allows you to password-protect those files.

  1. Go to the “Files” section and click “Directory Privacy”.
  2. Select “Web Root (public_html/www)” and click “Go”.
  3. Navigate to the folder you want to password-protect and click its name.
  4. In the page that appears, check “Password protect this directory” and enter a name. This name will appear in the login popup that appears when accessing the files.
  5. Press “Save”. The folder is now password-protected.
  6. You now need to create a username and password to access this folder. Enter all the required fields in the “Create User” section and press “Save”.

You can now navigate in your browser to a file in this folder. Simply enter the credentials when prompted, and you will then have access to the file.

Note: If you are accessing files using a URL that starts with http://, then the username and password entered into the prompt will not be transferred securely, which can result in interception by a hacker. If you have SSL installed on your server, always access your files with a https:// URL for security.

Tip 8: Email Protection: Enable SpamAssassin

SpamAssassin is a service that automatically filters and removes detected spam from your email’s inbox. To enable this feature, go to the “Email” section and click “Apache SpamAssassin”. In the page that appears, click “Enable Apache SpamAssassin”.

Tip 9: Email Protection: Enable SPF and DKIM

SPF (Sender Policy Framework) helps prevent spam from being received by what appears to be your email address (email spoofing). It does so by listing the servers and IP addresses that are truly authorized to send emails from your email addresses. This information is then validated with the server or IP that actually sent the email to check whether or not it is spam. DKIM (DomainKeys Identified Mail) is another email security measure that adds authenticity to emails sent from your email addresses. This ensures that emails are unmodified and not spoofed. When enabling these features, cPanel automatically takes care of creating the values for you to add to the DNS records.

  1. Go to the “Email” section and click “Email Authentication”.
  2. Enable DKIM and SPF.
  3. Enter the provided text records into your domain name’s DNS records.

Enable DKIM and SPF for cPanel email


Securing your website is not necessarily as complicated as it sounds. Platforms such as cPanel serve to simplify the process by providing a simple interface and means to help keep your site secure and eliminate vulnerabilities. Securing your site is well worth the time, since it keeps your business reputation from being impacted by a hack. By using the tools cPanel offers to enhance website security, your website is much further along in staying secure and safe from hacks.

Cai Ellis

SEO Manager

Hi! My name is Cai. Over the years, I've used countless hosting providers, built innumerable ecommerce stores and picked up a bit of SEO know-how too. If you've got questions about these or any related subjects, I'll be happy to help!

Robert Brandl

Founder and CEO

Hi, my name is Robert Brandl, and I am the founder of Tooltester. I used to work in a digital marketing agency where I managed website and email marketing projects. To optimize my client's campaigns, I always had to find the optimal web tools. Tooltester (founded in 2010) opens this knowledge to you, hopefully saving you endless hours of research. If you have any questions, please leave a comment. You can also find me on LinkedIn.

Learn more about us


This article has been written and researched following a precise methodology.

Our methodology


ebook cover

The Step-by-Step Guide to Website Creation

Are you keen to learn the basics before you get started? In our ebook, “Website Creation for Absolute Beginners” we’ll show you the steps you need to take to create your own business website.

Note: We will never share your email address with anyone except our email service provider. Of course, you can unsubscribe at any time.