Most successful attacks on small business websites are automated bots trying common passwords or exploiting known vulnerabilities. cPanel's built-in security tools stop the majority of this without needing any extra plugin.
1. Use the IP Blocker
Under Security, open IP Blocker. If you notice repeated suspicious login attempts in your logs, add the offending address here to block it directly.
2. Enable ModSecurity
Also under Security, check that ModSecurity is switched on. It's a web application firewall that filters out common attack patterns before they ever reach your site's code.
3. Review ModSecurity events
If a plugin or theme feature suddenly stops working after enabling ModSecurity, check the ModSecurity event log — a legitimate request can occasionally get flagged and needs a rule exception.
4. Turn on Hotlink Protection
Hotlink Protection stops other websites from embedding your images directly and eating your bandwidth. Enable it under Security and list your own domain as allowed.
Key takeaway: Check your IP Blocker and ModSecurity logs every few weeks — a sudden spike in blocked requests is often the first sign your site is being actively targeted.
5. Enforce strong passwords
When creating email accounts or additional cPanel users, always aim for the "Very Strong" rating on the built-in password strength meter rather than the minimum accepted.
6. Set up Two-Factor Authentication
Under Security, Two-Factor Authentication adds a second login step using an authenticator app, protecting your cPanel account even if your password is ever compromised.
7. Keep everything updated
Security tools only work as well as the software behind them. Set Softaculous's auto-updates for WordPress and check for cPanel panel update notifications regularly.