Use the following checklists as quick references for the security settings that we recommend.
Tweak Settings checklist
We recommend the following settings for WHM's Recommended Security Settings Checklist interface (WHM >> Home >> Server Configuration >> Tweak Settings):
|Hide login password from cgi scripts||This setting allows you to hide the ||On|
|Initial default/catch-all forwarder destination||Select Fail to automatically discard un-routable email that your server's new accounts receive. This option helps to protect your server from mail attacks.||Fail|
|Verify signatures of 3rdparty cPaddons||Enable this option to verify GPG signatures of all third-party cPAddons. To use this setting, you must enable the Signature validation on assets downloaded from cPanel & WHM mirrors option.||On|
|Prevent "nobody" from sending mail||Enable this option to block email that the ||On|
|Add X-POPBeforeSMTP header for mail sent via POP-before-SMTP||Enable this option to include a list of POP-before-SMTP senders in the X-POPBeforeSMTP header for outgoing email.||On|
|Enable SPF on domains for newly created accounts||Enable this option to deny spammers the ability to send email when they forge your domain’s name as the sender (spoofing).||On|
|Service subdomain override||Disable this option to prevent automatically-generated service domains when a user creates a cPanel, Webmail, Web Disk, or WHM subdomain.||Off|
|Service Subdomain Creation||Disable this option to prevent the addition of cPanel, Webmail, Web Disk, and WHM service subdomain DNS entries to new accounts.||Off|
|Cookie IP validation||Disable this option to allow logins regardless of the user's IP address. We strongly recommend that you do not rely on cookie-based IP validation.|
Security Center checklist
We recommend the following settings for WHM's Security Center section (WHM >> Home >> Security Center):
|Password Strength Configuration||This feature allows you to specify a minimum password strength for accounts that your server hosts.||A value of |
|PHP open_basedir Tweak||This option requires users to manually specify the ||Enable|
|Apache mod_userdir Tweak||If you enable this option, users cannot bypass bandwidth limits when they use the Apache |
We recommend that you exclude the Default Virtual Host from
|Compiler Access||This option disables compiler access for unspecified users in order to help prevent attacks on your server.||Disable|
|Manage Wheel Group Users||This feature allows you to set a list of users who can use the ||Remove all users except for |
|Shell Fork Bomb Protection||This option limits the amount of server resources that users with terminal access may use. If you enable this option, it may cause resource shortage problems because this setting heavily limits various resources.|
|FTP Server Configuration||This interface allows you to configure your FTP server.||Disable Anonymous FTP.|
|Manage Shell Access||This interface allows you to select which users will have shell access on your server and whether that shell access is Normal or Jailed.||Disable shell access for all other users.|
|cPHulk Brute Force Protection||This interface allows you to configure Brute Force Protection on your server. If you enable this option, we strongly recommend that you add trusted IP addresses to the White/Black List Management tab so that you do not lock yourself out of your server.|
EasyApache configuration checklist
When you configure EasyApache, we strongly recommend that you include the following modules:
|suPHP||This module causes PHP scripts to run as the owner of the script instead of as the |
|Suhosin||This module is an advanced protection system for PHP installations. For more information, read the Suhosin website.|
This module is an open-source web application firewall. For more information, read our ModSecurity documentation.
EasyApache modules to avoid
We suggest that you do not include the following modules unless they are absolutely necessary:
|FrontPage||We no longer provide FrontPage® in EasyApache by default. The option will only be available in EasyApache if you install the Custom Module. We do not recommend that you install FrontPage because it may introduce a vulnerability to your server. Microsoft® announced FrontPage's end of life on June 30, 2006. Microsoft no longer releases updates or security patches for FrontPage.|
|mod_perl||This module grants unlimited control to scripts over the website, which is unsafe in a shared hosting environment.|
This module runs code as a shared user and presents a security risk.
|mod_Mono||This module runs code as a shared user and presents a security risk.|
|mod_Mono2||This module runs code as a shared user and presents a security risk.|
|Xcache||This module has shared caching logic and EasyApache disables it by default.|
|EAccelerator||This module has shared caching logic and EasyApache disables it by default.|
- We strongly recommend that you avoid any other modules that we mark as End-Of-Life or Deprecated.
- We strongly recommend that you ensure that your software is up-to-date with the most recent stable versions of software. For example, the last release of PHP 5.3 was on August 14, 2014 and has reached end of life. Even though PHP may backport security patches for this version, you should not consider it secure and should update it to PHP 5.4 or higher.
For more information, read our EasyApache PCI and Security documentation.
Global Configuration checklist
This checklist pertains to the Global Configuration section of WHM's Recommended Security Settings Checklist interface (WHM >> Home >> Service Configuration >> Apache Configuration >> Global Configuration).
|File ETag||Set this option to None to receive a more concise output than the other options.|