cPHulk is a brute force protection system developped by the cPanel team and is exclusive to cPanel / WHM control panels. It has been integrated with cPanel version 11. With cPHulk, you can set a threshold for authentication attempts on services like POP3, cPanel, WHM, FTP, etc. After a certain amount of attempts, the attacker will no longer be able to authenticate
Enabling cPHulk is pretty easy. Simply log into your WHM control panel as root. From the main menu on the left, click on Security Center from the Security section. When you’re done, simply click on the Enable button at the top.
Click on the cPHulk Brute Force Detection link at the top of the page. Now you may want to configure cPHulk before you enable it. The configuration parameters are pretty much self-explanatory. Basically you set the number of failed attempts before an IP or an account is blocked and you set how long you want it to be blocked.
cPanel 11 marks the debut for the much anticipated cPHulk Protection system. cPHulk protects your vital services by disabling authentication to those services after a brute force attack is detected.
IMAP, and POP3
from brute force authentication attacks. cPHulk will remain transparent to the attacker whose authentication attempts will feel normal, even while authentication is disabled. Thus, you can get substantial information about the attack.
You can even customize authentication thresholds and lock out times!
It is an Apache module that allows you to create a separate website for each user on a server. These sites can all be accessed by going to,
The module is installed on most Apache setups by default, but isn’t necessarily always enabled. Most mass-hosted cPanel servers make extensive use of it for a variety of reasons.
Apache’s mod_userdir allows users to view their sites by entering a tilde(~) and their username as the URL on a specific host. For example http://test.cpanel.net/~test will bring up the user Test’s domain
How To Enable
1. To access the Server Setup Menu, click on Server Setup, on the main screen of your WebHost Manager interface. Then, click on Tweak Security.
2. Click on Configure in the mod_userdir Tweak section.
3. Click on the Checkbox next to Enable mod_userdir Protection to enable mod_userdir Protection.
4. Click on a checkbox next to a domain’s name to allow them to access their domain using ~username, if necessary.
5. Enter the name of any user you wish to be able access the domain using ~username, other than the domain’s owner, in the blank field next to the domain’s name, if necessary.
6. Click on Save.
The disadvantage of this feature is that any bandwidth usage used by the site will be put on the domain it is accessed under .
Mod_userdir protection prevents access to a domain through domain.com/~user. You may however want to disable it on specific virtual hosts (generally shared SSL hosts).
Set open_basedir to only allow access to required portions of the filesystem, like your web site’s documents and any shared libraries.
You can set open_basedir in the php.ini file:
; Set open_basedir to the
open_basedir = “/var/www/foo.bar/:/usr/local/php/“
The setting can also be applied in apache’s httpd.conf file, or an .htaccess file:
# Set open_basedir to a safe location
php_value open_basedir /var/www/foo.bar/:/usr/local/php
1. To access the PHP open_basedir Tweak feature, click on Security, on the main screen of your WebHost Manager interface.
2. Then click on Security Center.
3. Then click on PHP open_basedir Tweak.
4. Click on Configure in the PHP’s open_basedir section.
5. Click on the check box next to Enable PHP open_basedir Protection to enable Enable PHP open_basedir Protection.
6. Click on a check box next to a domain name to allow them to open files outside of their home directory with PHP, if necessary.
7. Click on Save.
Plesk : If you’re using Plesk hosting control panel, you may need to manually edit Apache configuration file of vhost.conf and vhost_ssl.conf, and add in or edit the following php_admin_value open_basedir lines to the following:
php_admin_value open_basedir none
php_admin_value open_basedir /full/path/to/dir:/full/path/to/directory/httpdocs:/tmp
Note: For SSL hosts in the vhost_ssl.conf file, the Directory path will end with “httpsdocs” instead of “httpdocs”
Open up the httpd.conf file, and search for the lines that starts with the following characters:
php_admin_value open_basedir …..
Replace the whole line under the virtual host for the domain user account
php_admin_value open_basedir none.
Add Additional Directories
You can also opt to allow your PHP scripts to access additional directory instead without disabling the protection.For example, to add /new_directory to the allow list.
php_admin_value open_basedir “/home/user_account/:/usr/lib/php:/usr/local/lib/php:/tmp”
php_admin_value open_basedir “/home/user_account/:/usr/lib/php:/usr/local/lib/php:/tmp:/new_directory”
Restart the Apache after finished editing
Article Authored by Ajith KK
Author, Ajith KK, is a Systems Engineer with SupportPRO. Ajith specializes in L1 and L2 Linux/Windows administration. SupportPRO offers 24X7 technical support services to Web hosting companies and service providers.