A password alone is no longer enough protection for an account that controls your website, email, and databases. Two-factor authentication (2FA) adds a second, time-based code that only your phone can generate, so a leaked password by itself will not get an attacker in.
Why this matters more than you'd think
Hosting accounts are a common target precisely because one compromised login can expose everything: your files, your customer emails, and your databases all at once. Enabling 2FA is a five-minute task that closes off the single most common attack path.
Step 1: Install an authenticator app
Download Google Authenticator, Microsoft Authenticator, or Authy on your phone before you begin — you'll need it to scan a QR code in the next step.
Step 2: Open Two-Factor Authentication in cPanel
Log in to cPanel and go to Security → Two-Factor Authentication.
Step 3: Scan the QR code
Click Set Up Two-Factor Authentication. cPanel will display a QR code — open your authenticator app, tap "Add account," and scan it.
Step 4: Confirm with a generated code
Your app will now display a rotating six-digit code. Enter the current code into cPanel and click Configure Two-Factor Authentication to finish setup.
Key takeaway: Save your backup codes somewhere safe outside your phone — if you lose your device, they're the only way back into your account without contacting support.
Step 5: Repeat for WHM (if you have reseller or VPS access)
The process in WHM is nearly identical, found under Security Center → Two-Factor Authentication, and it's worth enabling separately since WHM controls multiple accounts at once.
What happens if you're locked out
If you lose access to your authenticator app and don't have your backup codes, contact your host's support team to verify your identity and reset 2FA manually — this is exactly why keeping those backup codes somewhere safe matters.