Securing cPanel on shared hosting

[Jared23]

I'm looking to secure my cPanel login page (beyond just a strong password) and much of what I've read on Google points to using WebHost Manager options but my shared host (GoDaddy) doesn't include WHM in their economy Linux cPanel plan.

Besides changing hosts or upgrading plans, do I have any other options (such as .htaccess or IP-restriction) for my domain's cPanel login page, or even a way to disable the common redirects to it (such as example.tld/cpanel/) would make it a bit more difficult for less-experienced attackers to find?

Also for those on shared hosting plans without WebHost Manager options, is there any way to restrict cPanel access after a number of unsuccessful login attempts to help deter bruteforce attempts?

Thanks in advance for any insight and ideas.

 

[Infopro]

Two-Factor Authentication should be useful. You can find it under the Security section of your cPanel.

 

[Jared23]

Under 'Security' in my cPanel (11.58.0.19) I only see:

SSH Access
IP Blocker
SSL/TLS
Hotlink Protection
Leech Protection

Would it be somewhere else or if not is there anything else you'd recommend? Thanks!

 

[Infopro]

It looks like you'll need to enable it on the Features list for the Package your cPanel account is on:

WebHost Manager »Packages »Feature Manager » Edit Feature List, Two-Factor Authentication

Once you do that, you should see it in your cPanel.

 

[Jared23]

Hmm.. if I go to example.tld/whm/ I see the WHM Login page but my cPanel account doesn't work for it, so I figured since I'm on shared (versus VPS or dedicated) hosting I won't be able to access the WebHost Manager.

I notice GoDaddy's WebHost Manager page falls under their 'VPS & Dedicated Servers' section and isn't mentioned on their Economy Linux cPanel area... does this sound correct, or do you think I should be able to access WHM and follow-up with them on this? Thanks again!

 

[Infopro]

You'll need to ask them if you've got root, or Reseller access to WebHost Manager, that's correct.

GL!

 

[Jared23]

It appears I'm back to square one, as they confirmed only their VPS and dedicated servers offer WebHost Manager not their shared economy cPanel Linux plans.

That said, without WHM access is it safe to say there is no other way to restrict or protect my cPanel login page?

 

[Infopro]

Yes sure. Go back to GoDaddy and ask them to enable Two-Factor Authentication for your account. I can't imagine why they wouldn't so am anxious to hear what they tell you.

 

[Jared23]

I'm not sure how knowledgeable the person I chatted with was, but this is what I was told:

"Only Reseller, VPS or Dedicated hosting packages include WHM, and only VPS or Dedicated have the option for two-factor authentication."

When I asked if they could just enable 2FA for my shared account I got this response:

"That is not possible for shared hosting packages. Shared hosting includes user level access to a single cPanel account, and there are several php limitations. There is no WHM, and no root user access for these accounts."

That leaves me wondering why there isn't a way on shared hosting that doesn't have WHM/2FA to protect or restrict the cPanel login page... it's hard to believe some thrifty but clever person hasn't sorted a way around it.

I've tried creating /cpanel/, /whm/ and so on directories hoping they'd take precedence over cPanel's hardcoded shortcuts but with no success unfortunately. If you have any other ideas I'd definitely be interested in giving them a try and thanks!

 

[cPanelMichael]

Hello,

The decision to enable security features such as two-factor authentication is generally left to the hosting provider. This allows them to take factors specific to their company into consideration and determine if a feature is suitable for their shared hosting plans.

I recommend consulting with your hosting provider again to see what additional steps they take for the security of the server, as most solutions require root access to the system to implement.

Thank you.