Security cPanel

cPanel Security Essentials: IP Blocker, ModSecurity & Hotlink Protection

You don't need a security plugin to lock down the basics — cPanel's built-in tools cover most of what a small business site needs.

Most successful attacks on small business websites are automated bots trying common passwords or exploiting known vulnerabilities. cPanel's built-in security tools stop the majority of this without needing any extra plugin.

1. Use the IP Blocker

Under Security, open IP Blocker. If you notice repeated suspicious login attempts in your logs, add the offending address here to block it directly.

2. Enable ModSecurity

Also under Security, check that ModSecurity is switched on. It's a web application firewall that filters out common attack patterns before they ever reach your site's code.

3. Review ModSecurity events

If a plugin or theme feature suddenly stops working after enabling ModSecurity, check the ModSecurity event log — a legitimate request can occasionally get flagged and needs a rule exception.

4. Turn on Hotlink Protection

Hotlink Protection stops other websites from embedding your images directly and eating your bandwidth. Enable it under Security and list your own domain as allowed.

Key takeaway: Check your IP Blocker and ModSecurity logs every few weeks — a sudden spike in blocked requests is often the first sign your site is being actively targeted.

5. Enforce strong passwords

When creating email accounts or additional cPanel users, always aim for the "Very Strong" rating on the built-in password strength meter rather than the minimum accepted.

6. Set up Two-Factor Authentication

Under Security, Two-Factor Authentication adds a second login step using an authenticator app, protecting your cPanel account even if your password is ever compromised.

7. Keep everything updated

Security tools only work as well as the software behind them. Set Softaculous's auto-updates for WordPress and check for cPanel panel update notifications regularly.