cPanel Security

The Security section in cPanel includes the following tools - Password Protect Directories, IP Deny Manager, HotLink Protection, Leech Protect and Site Security Check. cPanel security tools allow the customers to protect different parts of their web sites from unauthorized access. All forms of protection generally require the use of passwords. The other requires an authication via a code sent to your email or telephone. Generally, a strong password is used for cPanel authentication and so we will by looking at what is a strong and safe password for a cPanel account.

You will also want to read:

How To Create, Edit, and Delete a File in CPanel Using File Manager
CPanel Login Tutorial
CPanel Account Information Tutorial
Backup mysql database tutorial
I have a full backup of account through cPanel. How do I restore it?

How to Password Protect Directories

Select the Password Protect Directories icon from your cPanel main page. A list of the directories on your account will appear.

Select the directory you wish to limit access to. In the new page, please create a username and a password for your user. Select a name that will appear in the login screen and click on the Save button to activate the protection.

Important Please note that you have to create a directory before you enable the password protection for it. Also, using one and the same directory for the purpose of password protection and FTP storage at the same time is not recommended.

Important It is also important to add that password-protecting your webroot (the www directory) will lead to inability of your website to be displayed directly.

Also read: CPanel Login Tutorial

How to deny or allow IP address access

We now look at how to stop someone from visiting your website or unblock a user you have already restricted. This tool will block anyone from a specified IP address.

First, you will need to find out a visitor's IP address

Use the web statistics tools to find more information on your visitors. We suggest you go to cPanel and click the Latest Visitors icon. Look for the Host information; it could be an IP or a domain name.

How to block or Allow an IP address

Login to cPanel and click IP Deny Manager.
Under "Add an IP to deny", please enter IP address or domain name you wish to block.
Click the Add button.

How to unblock the IP address

Login to cPanel and click IP Deny Manager.
At the bottom, under "Current IP addresses being blocked", click Remove.

Also read:

How Do I Create and Delete a Parked Domain
How do I create and remove an Addon Domain?
How to Backup My Website in cPanel
How to Create a MySQL Database, a User and Delete Database in Cpanel

You can also set an option for deny from all, which will deny everyone.

This must be done by including this code into your .htaccess file as follows:
deny from all
allow from
allow from

Note: It is possible to block access to yourself accidentally by using this method.

Be sure to allow access via your IP otherwise you will be blocked as well. You can find out your current IP address by visiting the What is your IP? page. If you accidentally block yourself, please contact Todhost via ticket or telephone. You will need to confirm your identity ("verify your account") before we can unblock your IP.

How to use IP Deny Manager

The IP Deny Manager allows you to prevent an IP address, domain name, or block of IP addresses from accessing your web site. If someone is using a lot of your bandwidth, posting malicious content, or should not be allowed to access your site for another reason, you can prevent them from doing so in the IP Deny Manager.

Deny access to a domain or IP

Step 1: To access the IP Deny Manager, click on the corresponding icon in the Security section of your cPanel interface.

Step 2: Enter the IP address or domain name you wish to deny access from in the blank field next to IP Address or Domain: (You can enter an IP block such as 1.2.3. to deny access to all IPs that start with 1.2.3.).

Step 3: Click on Add.

Make sure you have entered the IP address or domain in the proper format when adding IPs or domains to deny. IPs should be in the following format, and domains should look like
Allow access to a denied IP address

If you no longer wish to deny access from a specific IP address, you can use the IP Deny Manager to allow access from that IP address.

Step 1: To access the IP Deny Manager, click on the corresponding icon in the Security section of your cPanel interface.

Step 2: Click on the Remove icon next to the blocked IP or IP range, for which you want to allow access.

Also read:
Cannot See My Website Online After Upload, Why?
Character encoding in cPanel file manager
Custom error page is not working
Default Home Directory Folders
Getting Familiar With the cPanel User Environment

HotLink Protection

The HotLink Protection tool allows you to prevent other websites from directly linking to files on your website. This means that when another website is visited, it cannot load pictures from your pages - this is one of the ways for limiting the outbound traffic for your account.

An example of hotlinking would be a different website using HTML code to display an image from your site. In effect, the other website is using up your bandwidth quota.

To use the tool, click on the HotLink Protection icon on cPanel's main page and follow the instructions. Include the websites you wish to have access to your files - those may be affiliates or friends linking to your banners, etc.

in order to block certain file types from being accessed, enter their extensions in the space provided - this way you can allow other websites to reach for your images, but disallow video or audio files from being accessed.

cPanel attempts to add all the domain names that you own with SiteGround to the allowed list. Still, if you have accounts on other servers you may need to have some of those added manually.

Make sure that you include all sites that need to access your protected files in the first field or they will not be able to view the files. If you still cannot view a file, try disabling Hotlink Protection to see if it is the cause of the problem.

Leech Protect - Leech Protect allows you to prevent your users from giving out or publicly posting their password to a restricted area of your site. This feature will redirect (and suspend if selected) accounts which have been compromised to a url of your choice.

Site Security Check - Website Security is probably the most important aspect of web site administration. It is essential for your public reputation, business growth and even income. The automated Site Security Check verifies that your domain names are not marked as possible threats by Google Safe Browsing and similar tools.

I Cannot View my Site/Login to cPanel

Server will Not necessarily be down for you not to be able to login. There are few things you must know when you face this kind of problem.

1) If you have continuously keyed-in wrong username, password, etc.. the firewall will identify this as an intrusion attempt. Your IP will be blocked permanently.

2) If your connection with the server is too high (more than 250 connection from your PC into the server), firewall will identify this 'Attacks'. Your IP will be blocked for 30 minutes for every offence.

3) You could be a victim of an attack leading to a white screen of death or completely taing your site off the internet.

Also read: Default Home Directory Folders

* If you are blocked by the reason above, you may fix it immediately by turning your modem 'OFF' and 'ON' (by disconecting & connecting), to get a new IP. You can also contact us, stating your PC IP. If you are using a dedicated IP, you need to contact us to unblock the IP.

* If you are using a Dynamic IP, maybe the IP has been blocked due to misuse by previous user. Try to reset it & contact us, together with the IP info.

If you suffer a White Screen of Death, then take steps to recover your site by following this blog post guide.

How to allow access to specific files in a protected directory

There are times you want to protect an entire directory or folder but you want access to some files within the directory. This can be done by inserting a code into the .htaccess file.

If you do not know how to create a .htaccess file, then you can go back to our tutorial on How To Create, Edit, and Delete a File in CPanel Using File Manager

This tutorial takes you through the process to allow access to specific files in a protected directory. We will use the .htaccess file to achieve this in cpanel. The following steps will show us how to perform this task.

To allo access to specific files in a protected directory, please follow these instructions:

Log into your cPanel cPanel dashboard.
From the main cPanel page, use the File Manager to access the root folder of your domain. Be sure you have the Show Hidden Files (dotfiles) option selected as we will be editing the .htaccess file.

Now that you are in the root folder for the directory, find the folder you wish to protect and click it to enter that directory.
Once inside the folder you want to protect, check to see if there is an existing . .htaccess file. If not, you will need to create a new one by clicking the New File button in the upper toolbar and naming it .htaccess (be sure to place the . at the front!). Once you find or create the .htaccess file, open the file for editing.

Now that you are in the editor, we will set the directory to be very secure, denying access for all file types. Below is the code you want to insert into the .htaccess file.

Order Allow,Deny
Deny from all

Since we have now set the security, we now want to allow access to our desired file types. In this example we want to allow access only to the PDF and JPG files. You will need to insert this code into the .htaccess file:

deny from all
<FilesMatch "\.(pdf|jpg)$">
Satisfy Any
Allow from all

You can create as many of this file in as many directories to allow access to specific file types.

The first line of code is the one you will need to modify to add or change the file types you wish to allow. Our example allows image types that end with file extensions jpg, gif, or png) You can replace those or add to them to allow more. Be sure to include the pipe character,|, between the file types.
After you enter the code for the file types you wish to allow access to, click the Save Changes button to activate the code.

Strong Password Rule

Here are some techniques for creating a strong password:

  • Choose a password that is at least eight characters in lenght. Having a longer password is better. The longer the password, the less susceptible it is to brute-force attacks.
  • Use a mixture of lowercase and uppercase characters, numbers, and punctuation marks.
  • Place a punctuation mark in the middle of a word (for example, pref_erential).
  • Use some unusual way of contracting a word. You don't have to use an apostrophe.

Think of an uncommon phrase, and then take the first, second or last letter of each word. Throw in a capital letter, a punctuation mark, and a number or two, and you might have XtYsn887ResaT.

  • You can deliberately misspell one or more words to make the password harder to crack.
  • Combine several of the above techniques.
  • Use something that no one but you would ever think of. The best password is one that is totally random to everyone else but you. Since this is highly dependent on the individual, it is difficult to tell you how to come up with these, but use your imagination!

What to Avoid When Creating Passwords

How not to choose a strong password

Here are some guidelines for what you should not do when creating a password:

  • Avoid using words in a dictionary.
  • Avoid using your username or real name.
  • Dont use anyone else's name.
  • Dont use any word in a cracking dictionary. A cracking dictionary contains lists of words that attackers use to try to crack passwords (this is also known as a dictionary attack). These lists include abbreviations, cartoons, character patterns, machine names, famous names, female names, male names, Bible citations, movies, myths, numeric patterns, short phrases, places, science fiction, Shakespeare, songs, surnames, and just about anything else you can think of.
  • Avoid using any of the above techniques with a single character before or after it (for example, trader1).
  • Don't use any of the above techniques with capitalization (for example, Catering or Walnut).
  • Don't use any of the above reversed (for example, reversing cat to tac), doubled (cat to catcat), or mirrored (cat to cattac).
  • Avoid selecting a word and substituting some characters (for example, changing password into p@ssw0rd, or supersecret into sup3rs3cr3t). Attackers are well aware of these substitutions, and can crack them.
  • Don't try to use keyboard patterns (for example, qwerty or nbvcx). Cracking programs look for these types of patterns in passwords.

How to Keep Your Passwords Safe

Keeping your password safe from being accessed by the wrong prople is as important as having a strong password that cannot be craced. KKeeping these simple rules will help keep your password safe.

  1. Never never share your password with anyone else.
  2. Never write down your password any where. Writing down your password can epose it to the wrong person who will share it with another person and on and on.
  3. if you receive an e-mail message from someone who claims to be an administrator, a security specialist, or some other important-sounding position who asks you to change your password, don't do it. Scammers are well nown to use this technique to get password of users

How to enable public access to a file within a protected directory

There are imes you may want to allow access to a file located within a password protected directory. Password protecting a directory prevents any user from accessing a subdirectory of your site, and its files, without a username and password. There may be a time, however, when you want to allow access to a single file within a password directory and it is not feasible to move the file to an unprotected directory or folder. The steps below will guide you in how to allow access to a single file in a password protected directory using your .htaccess file.

How to allow access to a file in a protected directory

Log into your cPanel dashboard.
Access the File Manager and navigate to the password protected folder. Make sure you enable the ability to show hidden files.
Within the password protected folder will be an .htaccess file that contains the security code to activate the password popup. Highlight the .htaccess file and click on the Edit icon from the toolbar across the top of the page.

Once inside the editor, you will see the security code. It will appear similar to the example below. Our example directory was test, so attempting to access resulted in a popup box asking for username and password.

Also read: How to access raw log files

AuthName "test-protect"
AuthUserFile "/home/userna5/.htpasswds/public_html/test/passwd"
AuthType Basic
require valid-user

You will need to add the following code for each file you want to allow access to after the code above. In this example, we are allowing access to a file named test.php. Note the \ before the . in the filename and the $ at the end. You will want to do this for your file name as well to ensure access is given to that exact file.

<FilesMatch "test\.php$">
Satisfy Any
Allow from all

Click on the Save Changes button in the upper right corner to finalize and activate the code. Now you will be able to access the specific file named test.php but no other files within that directory.

Order Web Hosting with Todhost

  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

I have a full backup of account through cPanel. How do I restore it?

It is recommended that you maintain healthy backup of your website and possibly download the...

How To Create, Edit, and Delete a File in cPanel Using File Manager

This tutorial will be useful for you to understand how to create a file, edit a file or delete...

How to Create and Manage a MySQL Database

Create MySQL Database and User via cPanel The MySQL Database Wizard is another useful tool...

How do I create and remove an Addon Domain?

An add-on domain is a separate domain name that you add to your web hosting subscription with...

How to Set Up and Delete a Cron Job

A cron job allows you to run a certain command at times set by the job. For example, you could...