Introduction
Keeping your cPanel account secure is essential to protecting your website, email, and data from unauthorised access. This guide covers the key steps you should take to secure your hosting account.
1. Use a Strong Password
Your cPanel password is the first line of defence. A strong password should:
- Be at least 12 characters long
- Include a mix of uppercase and lowercase letters, numbers, and symbols
- Not be a dictionary word or common phrase
- Not be reused from other accounts
To change your cPanel password:
- Log into your Webfort client area
- Go to Services > My Services
- Click on your hosting package
- Click Change Password
2. Enable Two-Factor Authentication (2FA)
Two-factor authentication adds an extra layer of security by requiring a code from your mobile device in addition to your password.
- Log into cPanel
- Go to Security > Two-Factor Authentication
- Scan the QR code with an authenticator app (such as Google Authenticator, Authy, or Microsoft Authenticator)
- Enter the 6-digit code from the app to confirm
- Click Configure Two-Factor Authentication
See our detailed guide: How to Set Up Two-Factor Authentication
3. Keep Software Up to Date
Outdated software is one of the most common ways websites get compromised:
- WordPress, Joomla, or other CMS: Always update to the latest version
- Plugins and themes: Keep all plugins and themes updated, and remove any you're not using
- PHP version: Use a supported PHP version (check in cPanel under Software > MultiPHP Manager)
4. Set Correct File Permissions
Incorrect file permissions can allow unauthorised users to access or modify your files:
- Files: Should be set to 644
- Directories: Should be set to 755
- wp-config.php (WordPress): Should be set to 600 or 640
Never set files or directories to 777 — this gives everyone full read, write, and execute access.
5. Password Protect Sensitive Directories
Use cPanel's Directory Privacy feature to add password protection to admin areas or sensitive directories:
- Go to Files > Directory Privacy
- Select the directory you want to protect
- Tick Password protect this directory
- Create a username and password for access
6. Use IP Address Blocking
If you notice suspicious activity from specific IP addresses, you can block them:
- Go to Security > IP Blocker
- Enter the IP address or range you want to block
- Click Add
7. Install and Configure an SSL Certificate
SSL encrypts data between your website and visitors. All Webfort hosting accounts include free SSL via Let's Encrypt:
- Go to Security > SSL/TLS Status
- Click Run AutoSSL to install certificates for all your domains
8. Review and Secure Email Accounts
- Use strong, unique passwords for each email account
- Set up SPF, DKIM, and DMARC records to prevent email spoofing
- Enable spam filtering with SpamAssassin
- Remove any email accounts that are no longer in use
9. Monitor Your Account
Regularly check for signs of compromise:
- Review your error logs and access logs in cPanel (Metrics section)
- Check for unfamiliar files in your File Manager
- Monitor your resource usage for unusual spikes
- Review your cron jobs for anything you didn't create
10. Create Regular Backups
In case the worst happens, having a recent backup means you can quickly restore your website:
- Go to Files > Backup Wizard
- Create a full backup regularly
- Download backups to your local computer for safekeeping
What to Do If You Suspect a Compromise
- Change your cPanel password immediately
- Change all email account passwords
- Change your FTP and database passwords
- Review and remove any suspicious files
- Contact our support team — we can help investigate and clean up any issues
