The Complete Guide to cPanel Installation and Setup

The Complete Guide to cPanel Installation and Setup

In this guide, I will install cPanel and then perform some basic steps that I recommend for every new cPanel installation.

  1. Install cPanel
  2. Set server time
  3. Install ConfigServer Firewall (CSF) and whitelist your IP
  4. Change SSH port and allow it in the firewall
  5. Disable root login and add wheel user
  6. Limit WHM and SSH access
  7. Disable all LFD email alerts
  8. Enable Shell Fork protection
  9. Enable SMTP Restrictions
  10. Install PHP and needed extensions
  11. Upgrade to a newer MySQL version or switch to MariaDB
  12. Tweak Email and Security Settings
  13. Install free SSL provider: Let’s Encrypt
  14. Change Apache configuration
  15. Install FTP server (PureFTP)
  16. Install WP Toolkit
  17. Enable All features (FTP, WPTtoolkit, AutoSSL, etc.)
  18. Increase limits in MultiPHP INI editor
  19. Consult cPanel Security Advisor
  20. Create a new package
  21. Create a new cPanel account

Install cPanel

Set FQDN as hostname and then in screen start the cpanel installation script:

hostname srv.domain.tld
screen
cd /home && curl -o latest -L https://securedownloads.cpanel.net/latest && sh latest
image 23 - The Complete Guide to cPanel Installation and Setup

After about 15 minutes cPanel will be installed and we can start tweaking it. First login to WHM (open in browsers IP:2087), and accept the terms of service

image 24 - The Complete Guide to cPanel Installation and Setup

add your email address and nameservers (optionally)

image 25 - The Complete Guide to cPanel Installation and Setup

Set server time

timedatectl set-timezone UTC

or

cp /usr/share/zoneinfo/Europe/Belgrade /etc/localtime

or WHM > Server Configuration > Server Time

server time whm - The Complete Guide to cPanel Installation and Setup

Install CSF

ConfigServer Security & Firewall (CSF) is an advanced open-source firewall that contains a stateful packet inspection (SPI) firewall, a login and intrusion detection mechanism, and a general security application for Linux servers.

Another useful feature of CSF is LFD deamon that will alert you when processes get stuck, someone logs to ssh, RAM usage is high, etc.

cd /usr/src  && wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf && ./install.sh

After the installation navigate to WHM > Plugins > ConfigServer Security & Firewall

image 17 1024x517 - The Complete Guide to cPanel Installation and Setup

Under Firewall Configuration set TESTING = Off then Save & restart CSF.

image 32 - The Complete Guide to cPanel Installation and Setup

If you use a static IP whitelist it in the firewall:

image 49 - The Complete Guide to cPanel Installation and Setup

Change SSH port

nano /etc/ssh/sshd_config

Uncomment port 22 and change it to some random number, e.g. 2629

image 50 - The Complete Guide to cPanel Installation and Setup

Go back to CSF > Firewall Configuration and allow the new port under TCP_IN then Save & restart CSF.

image 33 - The Complete Guide to cPanel Installation and Setup

Disable root SSH login

To disable root login edit the sshd_config file

nano /etc/ssh/sshd_config

and remove the hashtag ( # ) from the beginning of the line #PermitRootLogin yes

image 51 - The Complete Guide to cPanel Installation and Setup

Restart the sshd service afterwards:

service sshd restart

Limit WHM and SSH access

With Host Access Control you can limit access to the WHM, SSH or even cPanel service to only selected IP’s. If you use a dynamic IP I recommend disabling at least WHM access to the public and only allow it for your IP.

Edit /etc/hosts.allow file and allow access to all services to your IP and deny WHM to everyone else:

ALL : 3.4.5.6 : allow
#allows access to all services to the above IP


ALL : 192.168.0.0/255.255.255.0 : allow
#allows access to services from localhost

sshd : ALL : deny
#deny SSH access to everyone else

whostmgrd : ALL : deny
#deny WHM access to everyone else

cpaneld : ALL : deny
#deny cPanel access to everyone else

DENY ALL
WM Host Access Control
WM Host Access Control

Disable LFD email alerts

Aldo these email alerts can be useful, If you plan on using another monitoring solution instead, then I recommend disabling them.

To disable all LFD email alerts navigate to CSF > Firewall Configuration then find&change the following settings:

Disable LFD email alerts
Disable LFD email alerts
PT_USERMEM 0
PT_USERTIME 0
LF_INTEGRITY 0
PT_LIMIT 0
LF_EMAIL_ALERT Off
LF_PERMBLOCK_ALERT Off
LF_NETBLOCK_ALERT Off
LF_DISTFTP_ALERT Off
LF_DISTSMTP_ALERT Off
LT_EMAIL_ALERT Off
LF_QUEUE_ALERT 0
LF_SCRIPT_ALERT 0
PT_USERPROC 0
LF_SSH_EMAIL_ALERT 0
X_ARF Off
LF_SELECT Off
LF_WEBMIN_PERM 0
LF_SU_EMAIL_ALERT Off
LF_WEBMIN_EMAIL_ALERT Off
LF_APACHE_ERRPORT 0
LF_DISTFTP_PERM 0
LT_IMAPD 0
LF_CPANEL_ALERT Off

Enable Shell Fork Protection

/usr/local/cpanel/bin/install-login-profile --install limits
/usr/local/cpanel/bin/install-login-profile --uninstall limits

or from WHM > Security Center > Shell Fork Bomb Protection

image 16 1024x390 - The Complete Guide to cPanel Installation and Setup

Enable SMTP Restrictions

You should disable outgoing SMTP connections if you are not planning to send emails from another server, e.g. running a website on this VPS and then sending emails through contact forms using a gmail account.

/scripts/smtpmailgidonly on

or from WHM > Security Center > SMTP Restrictions

image 18 1024x353 - The Complete Guide to cPanel Installation and Setup


Install PHP and extensions

To install the needed PHP version and extensions navigate to EasyApache4 and click on the customize button next to the “All PHP Options + OpCache” section.

EasyApache 4 WHM
EasyApache 4 WHM

under Apache modules select mod_http2

image 28 - The Complete Guide to cPanel Installation and Setup

Install needed PHP versions with all recommended extensions

image 31 - The Complete Guide to cPanel Installation and Setup

or add custom extensions on next step

image 30 - The Complete Guide to cPanel Installation and Setup

and finally, click on Provision

image 29 - The Complete Guide to cPanel Installation and Setup

TIP: Save the EA profile template afterward and reuse it on new cpanel installations.


Upgrade MySQL

By default cPanel installs MySQL 5.7, but if you want to use ay newer version, or even switch to MariaDB then you can do so from SQL Services > MySQL/MariaDB Upgrade

WHM MariaDB or MySQL Upgrade
WHM MariaDB or MySQL Upgrade

After selecting the desired version click on the Continue button and on the next step check all warnings:

WHM MariaDB Upgrade Warnings
WHM MariaDB Upgrade Warnings

Select Unattended Upgrade, click on Continue button

WHM MariaDB Unattended Upgrade
WHM MariaDB Unattended Upgrade

and wait for the process to finish.

WHM MariaDB Installation Completed
WHM MariaDB Installation Completed

Tweak Settings

Under Tweak Settings edit email and security settings such as allowing creation of document roots outside public_html folder, disabling password reset from cpanel etc.

WHM Tweak Settings
WHM Tweak Settings

I recommend setting the following:

Restrict document roots to public_htmlOff
Reset Password for cPanel accountsOff
Email delivery retry time5m
Max hourly emails per domain5000
The percentage of email messages to queue and retry for delivery.150
Number of emails a domain may send per day before the system sends a notification. 10000
Default user-defined quota value for new email accounts2048MB
Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)On
Prevent “nobody” from sending mailOff
cPanel PHP loaderioncube
Allow unregistered domainsOn
Allow Remote DomainsOn
cPanel PHP max execution time180s
cPanel PHP max POST size512MB
cPanel PHP max upload size156MB
Reset Password for cPanel accountsOff

Install Let’s Encrypt

By default, cPanel uses Sectigo as a free SSL provider but due to recent rate-limiting and often technical problems with SSL renewals, I recommend using Let’s Encrypt instead.

To install Let’s Encrypt run the following command:

/usr/local/cpanel/scripts/install_lets_encrypt_autossl_provider

Then navigate to WHM > SSL/TLS > Manage AutoSSL select Let’s Encrypt™ agree to the terms and create a registration:

Set Let’s Encrypt SSL provider in WHM
Set Let’s Encrypt SSL provider in WHM

Change Apache configuration

Under WHM > Service Configuration> Apache Configuration > Global Configuration increase Max Request Workers and Server Limit:

Global Apache configuration in WHM
Global Apache configuration in WHM

Install FTP

By default, no FTP server is installed on cPanel, so if you need one navigate to FTP > FTP Server Selection and select one – I personally recommend PureFTP.

Install PureFTPd in WHM
Install PureFTPd in WHM

Install WP Toolkit

WPToolkit has a free version, to install it run the following command:

sh <(curl https://wp-toolkit.plesk.com/cPanel/installer.sh || wget -O - https://wp-toolkit.plesk.com/cPanel/installer.sh)

Afterward go to WHM > Plugins > WordPress Toolkit and modify settings.

WordPress Toolkit
WordPress Toolkit

Enable Features

Under WHM > Packages >Feature Manager select the newly created feature list and enable all features except WP Toolkit Delux:

WHM Feature Manager
WHM Feature Manager

MultiPHP INI Editor

Inside WHM > Software > MultiPHP INI Editor change PHP limits, under Basic Mode increase limits for the PHP versions that you will be using, for example WP Toolkit requires a memory_limit of minimum 128M

Basic Mode in MultiPHP INI Editor
Basic Mode in MultiPHP INI Editor

and under Editor Mode add custom settings per need, for example, set the date.timezone to the same as in WHM.

Advanced Mode in MultiPHP INI Editor
Advanced Mode in MultiPHP INI Editor

Consult cPanel Security Advisor

WHM has a useful tool called cPanel Security Advisor that will check for security issues and recommendations.

Run the check by opening the Security Advisor page or by clicking the Scan Again button on that page.

cPanel Security Advisor
cPanel Security Advisor

Create a new Package

Packages > Add a Package create a new package and set limits:

Create a new Package
Create a new Package

Create a new cPanel account

The last step is to create a new cPanel account under WHM > Account Functions click on Create a New Account then add the domain name and username, generate a strong password, and add the package that we created earlier.

Create a new cPanel account
Create a new cPanel account

Now you can open your cPanel domain name at the 2083 port number on your web browser and log into your cPanel using the new user account you just created above.

cpanel login screen
cpanel login screen
whoami
Stefan Pejcic
Join the discussion

I enjoy constructive responses and professional comments to my posts, and invite anyone to comment or link to my site.