This is a practical cPanel cheatsheet for beginners, with focus on the commands that may be useful to new sysadmins.

basic cpanel settings
Install Installatron
wget https://data.installatron.com/installatron-plugin.sh
chmod +x installatron-plugin.sh
./installatron-plugin.sh -f 

Install memcache

wget http://pecl.php.net/get/memcache
cd memcache*
phpize
./configure
make && make install
echo "extension=memcache.so" >> /your_path/php.ini 

Set, restore and check backups on cPanel.

cPanel backup account

/scripts/pkgacct username 

Check cPbackup for errors

tail -100 $(ls -dt /usr/local/cpanel/logs/cpbackup/* | head -n1) | grep 'error|warn' 
Check when backup finished
tail -3 $(ls -dt /usr/local/cpanel/logs/cpbackup/* | head -n1) 
Check the number of accounts that were backed up
echo "Total Accounts to backup: $(grep -Li "suspended" $(grep -l "^BACKUP=1" /var/cpanel/users/*) | wc -l)" && echo "Backed up accounts: $(cd "$(grep "BACKUPDIR" /var/cpanel/backups/config | awk '{print $2}')"/"$(date -dlast-sunday +%Y-%m-%d)"/accounts && ls | wc -l)" 
Check when was the last time that Jetbackup ran and it’s status
echo -e "\n~~~~JB accounts backup last job stats~~~\n" && tail -1 $(find /usr/local/jetapps/var/log/jetbackup/backup/ -type f -size +2k | xargs ls -dt | head -n 1) | awk '{print "Job date:"$1"-"$2" "$3", status: "$7" "$8}' | tr '[' ' ' && echo "Start time:" && head -1 $(find /usr/local/jetapps/var/log/jetbackup/backup/ -type f -size +2k | xargs ls -dt | head -n 1) | awk '{print $4}' | cut -d ':' -f 1,2 | awk '{print $0" AM"}' && echo "End time:" && tail -1 $(find /usr/local/jetapps/var/log/jetbackup/backup/ -type f -size +2k | xargs ls -dt | head -n 1) | awk '{print $4}' | cut -d ':' -f 1,2 && echo "" 
(ModSecurity, cPHulk & CSF)
ModSecurity limit website connections per IP
nano /usr/local/apache/conf/modsec2.user.conf
SecConnReadStateLimit 250 
Check if IP is blocked by cPhulk
grep IP /usr/local/cpanel/logs/cphulkd.log 
Check cphulkd or Brute Force Protection Error logs
/usr/local/cpanel/logs/cphulkd_errors.log 
Temporary disable cphulk
/usr/local/cpanel/etc/init/stopcphulkd 
Whitelist an IP on cPHulk
/scripts/cphulkdwhitelist x.x.x.x 
Blacklist an IP on cPHulk
/scripts/cphulkdblacklist x.x.x.x 
CSF check IP
csf -g 8.8.8.8 
Unblock an IP on CSF
csf -dr 8.8.8.8 
Restart CSF
csf -r 
Delete all email accounts
\ls /home/cpanel_user/mail/domain.com/ > /tmp/list
for i in `cat /tmp/list`; do cpapi2 --user=cpanel_user Email delpop domain=domain.com email=$i; done 
Sort email accounts by the number of logins
head -1 /var/log/exim_mainlog | awk '{print $1}' ; egrep -o 'dovecot_login[^ ]+|dovecot_plain[^ ]+' /var/log/exim_mainlog | cut -f2 -d":" | sort|uniq -c|sort -nk 1 ; tail -1 /var/log/exim_mainlog | awk '{print From $1}'2020-10-25 

Check rejected emails for a single email address

exigrep [email protected] /var/log/exim_rejectlog* 

List failed logins for a speciffic email address

grep DOMAIN.com /var/log/maillog | grep failed 
List all logins and messages for a specific email address
grep dovecot_login:[email protected] /var/log/exim_mainlog 

Check who suspended an email account

grep suspend_incoming /usr/local/cpanel/logs/access_log 
List all cPanel accounts and domains
cat /etc/trueuserdomains | awk '{ print $2" "$1}' | sed 's/://' 
Change IP for a cPanel accounts
/usr/local/cpanel/bin/setsiteip -u $user $ip 
Which user owns the domain (addon/allias)
/scripts/whoowns domain.com 
Delete an account
/scripts/killacct username 
Suspend an account
/scripts/suspendacct USERNAME 
Unsuspend an account
/scripts/unsuspendacct USERNAME 
List of suspended accounts
ll /var/cpanel/suspended 
 
cat /usr/local/apache/conf/includes/account_suspensions.conf 

List all POST requests for a cPanel account

grep POST /home/USERNAME/access-logs/* | awk '{print $7}' | sort | uniq -c | sort -n 

Check for the most well known WordPress attack methods

egrep -c '(wp-comments-post.php|wp-login.php|xmlrpc.php)' /usr/local/apache/domlogs/* |grep -v "_log" |sort -t: -nr -k 2 |head -5 |tee /tmp/delete_check |cut -d'/' -f6; for domlog in $(cut -d':' -f1 /tmp/delete_check); do echo; echo $domlog; echo; echo wp-login.php :: $(grep -c wp-login.php $domlog); echo; grep wp-login.php $domlog | cut -d' ' -f1|egrep -o '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' |sort |uniq -c |sort -nr | head; echo; echo xmlrpc.php :: $(grep -c xmlrpc.php $domlog); echo; grep xmlrpc.php $domlog |cut -d' ' -f1 |egrep -o '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' |sort |uniq -c |sort -nr | head; echo; echo wp-comments-post.php :: $(grep -c wp-comments-post.php $domlog); echo; grep wp-comments-post.php $domlog |cut -d' ' -f1 |egrep -o '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' |sort |uniq -c |sort -nr | head; echo; done 

Scan files for CWD mailing scripts 

tail -n2000 /var/log/exim_mainlog|grep /home/USERNAME/ 

Scan files for known PHP code injection methods

grep -R "base64_" /home/USERNAME/
grep -lr --include=.php "eval(base64_decode" 
grep -lr --include=.php "eval" 
grep -lr --include=*.php "base64" 

Scan directory with Maldet

maldet -a /path/to/directory 
Check AutoSSL status for user
/usr/local/cpanel/bin/autossl_check --user=USERNAME 
Clear AutoSSL Pending Queue
cd /var/cpanel mv autossl_queue_cpanel.sqlite autossl_queue_cpanel.sqlite.old 
/usr/local/cpanel/bin/autossl_check_cpstore_queue 
Add an DomainKey (DKIM) record
/usr/local/cpanel/bin/dkim_keys_install username 
Add an SPF record
/usr/local/cpanel/bin/spf_installer username 

Check which domain is IP accessing

grep -rle 'IP-GOES-HERE' /usr/local/apache/domlogs/. | uniq 
Who accessed to a certain acc
grep USERNAME /usr/local/cpanel/logs/session_log | grep "NEW .*app=cpaneld" | awk "{print $6}" | sort -u | uniq 

Check IP access for HTTP status 503

grep 11.22.33.44 addon-domain.main-domain-name.extension-ssl_log | grep 503 
Check on which service (cpanel, webdisk, webmail..) a certain IP tried to access
grep IP-GOES-HERE /usr/local/cpanel/logs/login_log 

Check cPanel logins for a specific IP

grep IP-GOES-HERE /usr/local/cpanel/logs/session_log | grep cpanel-user 
Who suspended an email acc
grep suspend_incoming /usr/local/cpanel/logs/access_log 

Check the error logs for a certain IP address

grep 11.22.33.44 /usr/local/apache/logs/error_log 
All cPanel account action
/var/cpanel/accounting.log 
We need your help!

Do you know a useful command that we haven't included in this cPanel CheatSheet?

Help us keep the cPanel CheatSheet up-to-date and enrich it by sharing the useful cpanel commands that you know with other system administrators.