Website security is extremely important and demands some close attention. In this post, we examine how you can use our cPanel security tools to enhance the security of your website. This tutorial focuses on these areas:
- How to access cPanel
- cPanel Preferences
- Mail Settings
- Files and FTP
- cPanel Logs and Resource Usage
- cPanel Security Tools
How to Access cPanel
Every Todhost Web Hosting account comes with cPanel completely free of charge for our customers. To access your hosting account or server control panel, please review the hosting account welcome email which you received on account activation. You should be able to locate your cPanel URL, cPanel username and password there. If you have missed the email, you can access it in the email section of your Todhost Client Area.
Further reading:
- Getting Familiar With the cPanel User Environment
- How to Reset or Change to a New CPanel Password
- How to force your website url with www or non-www using htaccess
By default, cPanel is globally accessible on cPanel/WHM-based servers by typing any domain or IP address associated with or pointed to the server. If your domain name is already pointed to the server, simply type:
https://example.com/cpanel
Remember to replace 'example.com' with your actual domain name. Alternatively, you can use the server hostname or the server IP address to access your cPanel. Both the server hostname and the server IP address are included in your welcome email if you have signed up with Todhost web hosting.
When you access the cPanel URL you will be directed to a secure login page to input your cPanel username and password.
To log in, please enter your cPanel username and password and click on the 'Log in' button. Be advised that your cPanel username and password may be different from your Client Area login details.
If you are not able to access your cPanel by using /cpanel with your domain name, the issue might be caused by the non-standard cPanel port 2082/2083 which is sometimes blocked by local Internet service providers. As an alternative to the standard URL you may use the so-called cPanel Proxy URL which uses the standard HTTP port 80. To access the cPanel via the cpanel proxy, simply use:
https://cpanel.example.com -- remember to replace 'example.com' with your actual domain name.
Further reading:
- CPanel Account Information Tutorial
- Cannot See My Website Online After Upload, Why?
- Default Home Directory Folders
cPanel Preferences
How to Update Contact Information
cPanel supports notifications on certain events. If you would like to receive an email notification upon one of the following events you will need to configure your Contact Information:
- When you are reaching your disk quota
- When you are reaching your bandwidth usage limit
- When one of your email accounts approaches or is over quota
To configure your Contact Information simply click on "Contact Information" under your account settings menu.
Under the Contact information and preference section you will need to enter your email address and select the exact events upon which you would like to receive an email notification.
When you are satisfied with your settings simply click on the Save button at the bottom of the page.
Further reading
- Getting Familiar With the cPanel User Environment
- How to Create a Website/Domain Redirect in cPanel
- How to Reset or Change to a New CPanel Password
How to change cPanel Language
By default cPanel language is set to English. Still, you can always change your cPanel language by logging into your cPanel and opening the Change Language page from your account settings menu.
This will redirect you to the change language page on which you can select the desired language for your cPanel from the language drop down menu.
Further reading:
- How to access raw log files
- How to check your PHP version and configure your PHP settings
- Overview of cPanel Paper Lantern Theme
How to manage email accounts
cPanel provides an easy-to-use interface to manage all aspects of your email accounts. Let's start by creating your first email account. To do so, please log in to your cPanel and click on the Email Accounts icon under the Mail section.
This will redirect you to the Email Accounts page via which you can create, delete and manage your existing accounts. To create a new email address, please enter the required details including your email account name, password, and mailbox quota.
We highly recommend using strong passwords to prevent password brute force attacks. Todhost has a special firewall applied to prevent such attacks, but passwords based on dictionary words may still be vulnerable.
The Mailbox Quota is the maximum size of your email account. If this quota is reached, all new emails will bounce back to the sender until enough space is available.
When you have your first email account created you should be able to see it under the email accounts list.
In this section you can manage your email accounts, change passwords, quotas, access the webmail interface or completely remove the email account.
In order to access your newly created email account via your favorite email client, please check our Email tutorial.
Further reading:
- How to Check and Send Emails Using Webmail
- How to Solve Email Bounce Back Issues
- How to configure Email Client
How to Create MX Records
MX records make our lives easier as they let us be flexible with our emails and mail structure. As a lot of users want to configure the email accounts hosted with us to work with Google Apps, we will show you just that, this time via cPanel. This way your domain's incoming email will appear in Gmail.
The first thing you will need to do is to log into your cPanel account and navigate to the Email → MX Entry option or simply type MX Entry in the search field.
Now you must choose the domain for which you wish to change your MX records.
For the email routing option you can go with Automatically Detect Configuration, but we suggest using Remote Mail Exchanger just to be 100% sure your emails will go where you specify.
In the Add new Record fields, input the priority and destination. In our case we will use the top priority mail server - ASPMX.L.GOOGLE.COM
Don't forget to remove all unnecessary MX records once you are done using them. This will guarantee a smooth transition each time you decide to make a change. Also note, that you will experience a small propagation period once you change your MX records. If you also add the alternative Google MX records and by some chance the main server is unavailable, your mail will be redirected to another Google mail server and still reach its destination. Here are the alternative MX records with their respective priority:
ALT1.ASPMX.L.GOOGLE.COM - 5
ALT2.ASPMX.L.GOOGLE.COM - 5
ALT3.ASPMX.L.GOOGLE.COM - 10
ALT4.ASPMX.L.GOOGLE.COM - 10
Specifically for this example, you will also have to use the Google Apps Setup Wizard in configuring the email you want to use, after you have changed your MX records.
Further reading:
- How to Setup Google Apps MX, CNAME and SPF records
- How Did My Email Get Compromised and What Can I Do to Stop It?
- How to fix error 500 no such user here
How to setup Email Forwarders
Email Forwarders allow you to have all received emails forwarded to an additional email address. For example, if you would like to send an email to all your employees in your sales department, you can create an email account called sales@yourdomain.com and create forwarders from sales@yourdomain.com to the personal email accounts of all employees working in the sales department. This way, when you send an email to sales@yourdomain.com, all your employees will receive the email in their personal mailbox.
It is important to note that the original email will be delivered to the recipient mailbox before being forwarded to any additional email addresses. You should keep this in mind in order to avoid situations in which your mailbox runs out of quota and your mails are not forwarded. If an email account is out of quota, all further messages are not delivered, and thus they will not be forwarded either. Email forwarders are a smart way to maintain healthy backups for your mails.
To create an email forwarder, please click on the Forwarders icon under the Mail section in your cPanel.
Click on the Add Forwarder button. Next, input the name of the email account that will be forwarded and the destination email address to which your emails will be directed.
When you are satisfied with your configuration, please click on the Add Forwarder button. Now your emails will be forwarded to the destination email account.
Further reading:
- How to grow your mailing list ethically
- Managing the Mail Function in CPanel
- Webmail Programs in CPanel
How to create Email Auto Responder
The auto responder tool is a great cPanel feature that allows you to send a message back automatically to anyone who sends an email to a specified account. This can be useful for times when you are on vacation or unavailable, or if you have a generic message that you wish to send from a support email address.
Please note that if you do not create a forwarder or email account with the same address as the auto responder, mail will only be handled by the auto responder before it is discarded.
To create an auto responder, please log in to your cPanel and refer to the Auto Responders icon under the Mail section.
Click on the Add Auto Responder button on the next page. This will load the form required to create an auto responder. Fill in all the fields and set up the time frame for which your auto responder will be active by editing the start/end options.
When you are ready, click on the Create/Modify button to complete the process.
Set Default/Catch-all Email Address
Default email address is another useful email related feature in cPanel. This tool allows you to configure a single email address to receive all incoming messages for your account. For example, if you would like to have several email addresses such as support@ sales@ and billing@ but still you prefer to receive all incoming emails into a single email account, you can set it as default/catch-all address.
To achieve this, please login your cPanel and refer to the Default Address icon under the Mail Section.
On the next page select your domain name from the drop down menu for which you would like to have your emails rerouted. Additionally, please make sure you have the correct option selected - Forward to email address and input the desired destination email.
Be advised that in order to have all emails directed to this default email address, the destination email accounts should not exist. In other words, if an email account exists, a message sent to it will not be directed to the catch-all mailbox. You will need to set an email forwarder for your existing accounts if you would like to have their mails forwarded as well.
When you are satisfied with your settings click on the Change button to save your default email configuration.
Setup Email Filters
Email filters are another feature of the cPanel control panel which can help you manage your email delivery. Email filters are very similar to Email Forwarders, with two significant differences.
First, the email filters apply before the message is delivered to the destination email address. This means that if you have an email filter to redirect a mail to another account the email will be delivered to the third account and the email will not be present into the original destination email account inbox.
The second difference is that the email filters can have rules so you can configure an email filter to match only certain emails. For example, you can configure an email filter to redirect all messages sent from admin@example.com to another mail box. Still, any other emails sent will not match this rule and will be delivered into your email account.
To setup an email filter, please click on the Email Filters icon in your cPanel.
On the next page, select the email account for which you would like to setup your email filter by clicking on the Manage Filters link and proceed by clicking on Create a new Filter. Next, you need to configure your rule by inputting the rule name, the matching rule and the actions that will be taken upon matching the rules.
For example, let's redirect the email admin@example.com to john@example.com.
From the Actions drop down menu select Redirect to email and input john@example.com. When you are satisfied with your settings you can click on the Create button to save your configuration.
cPanel File Manager
If you are looking for an easy way to manage your account's files and folders without the need to install third party FTP clients such as WSFTPPro, FileZilla or CuteFTP, the cPanel File Manager is the ideal solution for you.
The cPanel File Manager provides an easy to use fully featured interface accessible via any browser that allows you to perform a wide range of actions on your account hosted data. To access the File Manager, please login into your cPanel and refer to the Files and FTP section.
Clicking for the first time on the cPanel File Manager icon will prompt you with a Directory Selection box to choose the desired directory you would like to access.
The Home Directory option will lead you to the root directory of your hosting account. If you choose the Web Root option you will be directed to your public_html folder which is the main publicly accessible folder of your account. If you do not want to have this box displayed again in the future, please uncheck the "Always open this directory..." checkbox and click on the Go button.
This will redirect you to the cPanel File Manager interface. On the left side of your screen you will see the directory tree of your hosting account and on the right side will be the content of your current folder. Above the two sections are the available tools to manage your account files and folders.
To view your files located under the public_html directory simply click on the icon on the left. This will reload the content on the right part of the file manager.
The first few icons in the File Manager navigation menu allow you to create a new file or folder, or copy, move or upload a file on your hosting account. If you would like to download a specific file to your local computer, simply click on the file in question and use the Download icon at the top. Following the same steps, you can also remove a file or folder from your hosting account by using the Delete icon.
If you would like to edit a file under your account simply click on the file and use the edit tools available. Depending on the file type you can use the simple editor, the code editor or the HTML editor. For simple text files you can use the Edit icon, for PHP files you may use the code editor. In case you would like to edit a simple html page, you may use the HTML editor.
If you are looking for a fast way to upload multiple files or a whole folder to your hosting account, you may compress it on your local computer and upload the archive using the upload option. When the archive is uploaded to your account, click on the newly uploaded file and use the Extract icon at the top to unzip the archive on your hosting account.
In case you would like to generate an archive of an existing folder simply select the folder and click on the Compress icon to generate a new archive.
Further reading:
- Filezilla usability and functionality
- How to Change File Permissions
- How to Fix FTP Connectivity Issues
- How to check the log of an FTP client
- Understanding FTP and How to Use it for File Transfer
How to review the disk space usage of your account
cPanel provides detailed statistics on your account disk usage. Using the Disk Usage tool available in your account's control panel, you can optimize your disk usage and free additional space if needed. Maintaining your hosting account improves the general shared hosting health and optimizes the backup process for all shared hosting customers.
To access your Disk Usage statistics, please login your cPanel and refer to the Files section.
This will redirect you to a dedicated page in your cPanel with detailed overview of your account disk space utilization showing the exact size of each file and folder of your account. Depending on the number of files hosted on your account and its size the disk space calculation may take up to a few minutes to display the data.
Below the disk space graphic you may review your account directory tree and sort your list by name or disk usage to locate the biggest files and folders of your account.
Using the directory tree you may expand the parent folders of your account to locate the biggest files or subfolders.
Due to the nature of how files are stored electronically, most files occupy slightly more disk space than their actual size. For example, a 300 byte file may occupy 4 kB of actual disk space. This may cause discrepancies between the data you see in the File Manager versus the information you find in the table. Moreover, the disk space usage in the table indicates how much space the directories' contents use, not how much space the directory itself uses.
Directories themselves usually use a negligible amount of disk space unless they contain a large number of files or subdirectories.
How to Manage FTP Accounts in cPanel
All hosting accounts can be accessed via FTP using your default cPanel username and password. As a master account, the cPanel login provides you with full access to the files and folders hosted under your account. For more information on how to access your account using an FTP client, please check our FTP tutorial.
If you would like to create additional FTP accounts with different access to your account, you can do so via your cPanel → FTP Accounts section.
Via the cPanel FTP Accounts page you can create new or modify existing FTP accounts. To create a new FTP account, you will need to fill in the login details and the access directory of the account as well as the allowed disk space quota for the account.
The Login field is used to form your new FTP account username. For example, if your domain name is mydomain.com and you fill in 'myftp' in the login field, your FTP account username will be:
myftp@mydomain.com
The password field determines the FTP password for the newly created FTP account.
Next, you should input the home directory of your FTP account. By default the folder will be filled in automatically, but you can change the path. The FTP account directory determines the root folder that will be accessible to the FTP account. If you would like to have all files and folders of your account accessible via the new FTP account, just leave the Directory field empty. This will give the new FTP account access to the root of your account's home directory.
In case you would like to have only your public folder accessible, please set public_html. To limit the access of the FTP account to a specific folder, just input the path to the directory in question. This way the FTP account will not be able to access files or folders outside its home directory.
Last, please input the desired quota for your FTP account. If you would like to limit the total size of the files that can be uploaded by this FTP account simply input the value in megabytes.
When you are ready with your new FTP account configuration click on the Create FTP account.
Via this section you can modify or completely remove your FTP account. The available options allow you to change the password or quota of your FTP account as well as configure an FTP client such as FileZilla, Core FTP or Cyberduck.
For more information on how to download and configure your FTP client, please check our FTP clients tutorial.
Reviewing Logs in cPanel
Another important part of the cPanel is the Metrics Section which contains several tools to review the activity on your website and hosting account.
The first tool available under the Metrics section is the Visitors icon. This feature displays up to 1000 of the most recent entries in the web server log for any of your configured domains. To review the logs simply click on the icon next to your domain name.
This will display the latest lines of your access logs which include the IP address of your website visitor, the exact URL, the request date, request size, referring URL and the visitor's user agent.
Another useful icon in the cPanel Metrics section is the Raw Access Logs icon. Raw Access allows you to see who has visited your website without displaying graphs, charts or other graphics. You can use the Raw Access menu to download a zipped version of the server's access log for your site. This can be very useful when you want to quickly be able to see who is visiting your site.
To download the Raw Access log of your domain name simply click on the domain name from the Download section.
If you are debugging your application or script and need access to your error log, the cPanel Error Log icon can be a good start.
It will display the last 300 lines of your site's error log with the exact date and error type as well as the IP address of the visitor that generated the error.
How to Remove Awstats Logs
While you can remove only the IP address list of your visitors, it is also possible to completely erase all of the statistics for a certain month. However, to make any of these actions, you will first have to find the Awstats file containing all of the data.
As with most tutorials, you will start by logging in the cPanel of your hosting account. Once there, click on the File Manager icon which should be one of the first icons you see in cPanel.
As an example, if we now check the Hosts section in Awstats for a domain for the month of May, we will see a list of visitor IP addresses like the one below.
To access the file containing that information, navigate from your File Manager to the /tmp/awstats folder with a path home/yourusername/tmp/awstats. Here you will have to look for the appropriate file, especially if you have multiple domains and subdomains. In our case, the file's name is awstats052018.test.com.txt. As you can see the month and year are part of the name of the file, for an easy search.
In the file editor, you can use Ctrl+F to search for "BEGIN_VISITOR". This is the start of the IP address list, which contains all of the IP addresses that have accessed that domain.
To remove them all, select all of the IP addresses from "BEGIN_VISITOR" until you get to "END_VISITOR". Don't forget to click on the Save Changes button to save the file.
Now if you go again in your Awstats and click on the same domain, you will see an empty Hosts section.
If you wish to remove all of the statistics for that month and that domain, delete the entire text file. Please note, that removing the file without creating a backup of it will result in that statistic information being lost.
With this, you now know how to remove sensitive information and entire months of logs from Awstats.
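The manual edit above can also be scripted. The following is an added example, not part of the original tutorial: it removes the records between the BEGIN_VISITOR and END_VISITOR markers, keeps the markers and every other section, and writes a backup before changing anything. The function name, the backup suffix and the sample file contents are constructed for illustration.

```python
import os
import shutil
import tempfile
from pathlib import Path

BEGIN, END = b"BEGIN_VISITOR", b"END_VISITOR"

# Constructed, simplified sample; a real AWStats data file has more sections.
SAMPLE = b"""BEGIN_GENERAL
LastLine 20180531235959
END_GENERAL
BEGIN_VISITOR
192.0.2.10 12 15 20480 20180501101500
198.51.100.7 3 3 4096 20180512180000
203.0.113.99 1 1 512 20180520093000
END_VISITOR
BEGIN_DAY
20180501 12 15 20480 1
END_DAY
"""


def strip_visitor_section(stats_file, backup_suffix=".bak"):
    """Delete the visitor records, keep both markers, return the lines removed.

    The file is handled as bytes so its encoding is preserved exactly.
    Nothing is written unless the section is complete and non-empty.
    """
    stats_file = Path(stats_file)
    kept, removed, inside = [], 0, False
    for line in stats_file.read_bytes().splitlines(keepends=True):
        first = line.split()[:1]          # first token on the line, if any
        if not inside and first == [BEGIN]:
            inside = True
            kept.append(line)             # keep the opening marker
        elif inside and first == [END]:
            inside = False
            kept.append(line)             # keep the closing marker
        elif inside:
            removed += 1                  # a visitor record: drop it
        else:
            kept.append(line)

    if inside:
        # Opening marker without a closing one: refuse to touch the file.
        raise ValueError("BEGIN_VISITOR found without END_VISITOR")
    if removed == 0:
        return 0

    # Back up first, then replace the file in one step.
    shutil.copy2(stats_file, stats_file.with_name(stats_file.name + backup_suffix))
    tmp = stats_file.with_name(stats_file.name + ".tmp")
    tmp.write_bytes(b"".join(kept))
    os.replace(tmp, stats_file)
    return removed


def demo():
    """Run the function on the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "awstats052018.test.com.txt"
        f.write_bytes(SAMPLE)
        removed = strip_visitor_section(f)
        backup = Path(d) / "awstats052018.test.com.txt.bak"
        return removed, f.read_bytes(), backup.read_bytes()


if __name__ == "__main__":
    removed, after, _ = demo()
    print(f"removed {removed} visitor records")
    print(after.decode())
```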
cPanel Security
How to Manage SSH Keys
SSH keys are strings of encrypted symbols, used for authenticating access to accounts on a server. As they are not susceptible to brute force attacks and are not human-friendly, they are a preferred method by advanced users for securely accessing their hosting environment. In this tutorial, we will show you how to create an SSH key for your account via cPanel and then automate the login via the PuTTY client.
To manage your SSH Keys, you need to:
Step 1: Find the SSH Key options
Step 2: Create and Authorize SSH Keys
Step 3: Use SSH Keys
Step 4: Automate SSH Keys usage
Find the SSH Key options
To start off, log in to your cPanel account and navigate to the Security section where you will find the SSH Access icon or simply type the latter in the search field at the top.
Here you will see a short description of what SSH and SSH keys are along with the Manage SSH Keys button.
Press it to continue onwards.
Create and Authorize SSH Keys
Now you will Generate a New Key, but you can also Import a Key you have already generated via another method, like from within the server itself.
The fields which you will have to populate here are:
- Key Name - The name of the key for internal recognition
- Key Password - A password to protect the key (we recommend using the Password Generator for creating a strong password). Also referred to as the passphrase
- Key Type - Choose between DSA and RSA depending on your preference (we recommend RSA)
- Key Size - Choose between 1024, 2048 or 4096 bit length (2048 being the default value)
Click Generate Key, and you will see a similar confirmation.
When you create the public key, a private key will be created automatically as keys need to work in pairs. However, before you can use the Public key, you will have to authorize it.
Note that you are only authorizing the Public key as it will be situated on the server. The private key will be with you, and you will configure it with the PuTTY client. To proceed, click on the Manage option.
Now click Authorize and then Go Back after the key has been authorized.
Now let's convert the Private Key to a .ppk (PuTTY Private Key) format and download it locally for use in the next step. Click on the View/Download button for your Private Key.
Type your passphrase to unlock the key and click Convert.
Once the key is converted, click on the Download Key button.
With this, you are ready for the next step of the tutorial.
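The Key Type and Key Size chosen above decide how strong each authorized key is, so it is worth checking what is already authorized on an account. The following is an added example, not part of the original tutorial or of cPanel: it audits lines in the standard OpenSSH authorized_keys format and reports each key's type and size. The policy (flag DSA keys and RSA keys shorter than 2048 bits), the function names and the sample lines are assumptions of this example; the sample keys are constructed placeholders, not usable keys.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # policy threshold assumed by this example
FIXED_BITS = {"ssh-ed25519": 256, "ecdsa-sha2-nistp256": 256,
              "ecdsa-sha2-nistp384": 384, "ecdsa-sha2-nistp521": 521}
KNOWN_TYPES = {"ssh-rsa", "ssh-dss"} | set(FIXED_BITS)


def _read_field(blob, offset):
    """Read one length-prefixed field (uint32 length + bytes) from a key blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def audit_key_line(line):
    """Return (key_type, bits, verdict) for one authorized_keys line."""
    tokens = line.split()
    # Options such as from="..." may precede the key type, so search for it.
    idx = next((i for i, t in enumerate(tokens) if t in KNOWN_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        return ("unknown", 0, "unparsed")
    key_type = tokens[idx]
    try:
        blob = base64.b64decode(tokens[idx + 1], validate=True)
        inner, pos = _read_field(blob, 0)
        if inner.decode("ascii", "replace") != key_type:
            return (key_type, 0, "mismatch: blob type differs from declared type")
        if key_type == "ssh-rsa":
            _exponent, pos = _read_field(blob, pos)
            modulus, pos = _read_field(blob, pos)
            bits = int.from_bytes(modulus, "big").bit_length()
            verdict = "ok" if bits >= MIN_RSA_BITS else "weak: RSA modulus too short"
            return (key_type, bits, verdict)
        if key_type == "ssh-dss":
            p, pos = _read_field(blob, pos)
            return (key_type, int.from_bytes(p, "big").bit_length(), "weak: DSA key")
    except ValueError:  # also covers invalid base64 (binascii.Error)
        return (key_type, 0, "unparsed")
    return (key_type, FIXED_BITS[key_type], "ok")  # size is fixed by the type


def audit_authorized_keys(text):
    """Audit every non-blank, non-comment line of an authorized_keys file."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            results.append(audit_key_line(line))
    return results


# --- helpers that build the constructed sample input ---
def _field(data):
    return struct.pack(">I", len(data)) + data


def _mpint(n):
    # Big-endian with a leading zero byte when the top bit would be set.
    return _field(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _line(key_type, body, comment):
    blob = _field(key_type.encode()) + body
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def constructed_authorized_keys():
    """Sample file; the numbers only have the right size, they are not keys."""
    def fake(bits):
        return (1 << (bits - 1)) | 1

    def rsa(bits):
        return _mpint(65537) + _mpint(fake(bits))

    dsa = _mpint(fake(1024)) + _mpint(fake(160)) + _mpint(2) + _mpint(fake(1023))
    return "\n".join([
        "# constructed sample file",
        _line("ssh-rsa", rsa(1024), "old-laptop"),
        _line("ssh-rsa", rsa(2048), "cpanel-default"),
        'from="192.0.2.0/24" ' + _line("ssh-rsa", rsa(4096), "office"),
        _line("ssh-dss", dsa, "legacy"),
        _line("ssh-ed25519", _field(bytes(32)), "new-key"),
    ])


if __name__ == "__main__":
    for key_type, bits, verdict in audit_authorized_keys(constructed_authorized_keys()):
        print(f"{key_type:12} {bits:5} {verdict}")
```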
Use SSH Keys
To use the SSH Key as described above, you will need a client like PuTTY to make the connection to the server. In our
To configure PuTTY with your hosting account, start the client and navigate to the Session section:
- Host Name (IP Address) - The host name or IP address of the server on which your hosting account is located. This can be seen by going into your cPanel and reviewing the Server Information located on the right panel. If the Server Name specified there is tx1, your hostname would be tx1.domainname.com
- Port - Contact support for our custom port for SSH access
- Connection type - Select the SSH option here
- Saved Session - The name of the session which you are saving or have loaded
Now you can add your cPanel username, as that will be used as the username in order to make the connection. To do that, navigate to the Connection → Data section.
Make sure to go into the Session section again and re-save your session, so the username you added is applied to that session.
After this, you can upload the SSH Private key which we downloaded earlier. This is done by navigating to SSH → Auth, clicking on the browse button and selecting the .ppk file.
Don't forget to go to the Session section and click Save again.
Automate SSH Keys usage
Whenever you use your key-based login now, you still have to specify your key passphrase. This can be time-consuming if you are connecting via SSH server multiple times a day or if you have multiple accounts which you maintain.
Fortunately, PuTTY ships with a few separate executables, one of which is Pageant (an SSH authentication agent for PuTTY, PSCP, PSFTP, and Plink). If for some reason you don't have this installed with PuTTY and the rest of the executables, you can download it separately from here. Pageant can be given a passphrase and then provide it whenever you log in to your SSH server. However, when you stop Pageant, it usually forgets all of the keys as a security measure, so the next time you start Pageant, you must re-add them. We will prevent this by creating a shortcut on the desktop to the Pageant executable.
Note that after startup, Pageant will run minimized in the system tray. Double click on the icon to open the key list or right click on the icon and select either Add Key or View Keys. Both options will allow you to add a new key.
Browse for the .ppk file which you have already downloaded in Step 2, and you will be prompted to enter the passphrase. Once you have done that, the key will be loaded in Pageant.
Next, make sure Pageant does not "forget" the keys and passphrases which are added to it. With the following setup, Pageant will only prompt for the passphrase of each key at its initial start.
Go to the installation location of PuTTY and right click on the Pageant icon, then click on Properties and you will see the next screen.
Now you will have to edit the Target field and add the key or keys location to it. As an example, if the key is on your desktop the field will look like this:
"C:\Program Files\PuTTY\pageant.exe" C:\Users\Admin\Desktop\ssh1access.ppk
Here "Admin" is the username of the Windows account which you are currently using. Click on the Apply and then on the OK buttons.
To automate even further, we can exclude the manual startup of PuTTY in the beginning and just make Pageant start it when being run. To do this, you will also have to add PuTTY's system path at the end of the command in the Target field along with a -c command:
"C:\Program Files\PuTTY\pageant.exe" C:\Users\Admin\Desktop\ssh1access.ppk -c "C:\Program Files\PuTTY\putty.exe"
Again, hit the Apply and OK buttons and you are done. You can now access your hosting account in an SSH session or even multiple hosting accounts on different servers securely with just a few clicks.
How to Password Protect folders via cPanel
We will now show you how to password protect your directories and restrict web access. Password protection can be useful when you would like to have certain resources accessible only by a certain group of people.
To password protect a directory, log in to your account's cPanel and refer to the Security section, where you will locate the Directory Privacy icon.
Select the Web Root directory during the Directory selection and click on the Go button to proceed.
You will be redirected to the Directory Privacy page where you can see the directory tree of your hosting account. To expand a folder click on the yellow folder icon. If you would like to password protect the directory, click on the directory name.
For the purpose of this tutorial we will password protect the public_html directory. Password protecting the public_html folder will protect any file or folder on your hosting account and the public access will be denied, only people having the correct login details will be able to open your website and access files hosted on your account.
Password protecting your public_html directory is a good idea if your website is still under development and you do not want to have it accessible by visitors or search engine bots.
To activate the password protection on the directory, click on the check box "Password protect this directory" and input a short message that will be displayed just above the login box when someone accesses this folder.
When you are ready, click on the Save icon to apply your settings. Now you have your directory password protected and it is not accessible to your visitors. To allow someone to access this folder via their web browser, you will need to add a user and password pair. To do so, please click on the Go Back button to return to the Password Protected Directories page.
Scroll down to the Create User section and input the desired username
Hope this guide was useful.