I take numerous precautions to prevent malicious logins to my WP admin account. None of which will do me a bit of good if my cPanel or FTP accounts get hacked. I don’t even use FTP. On those infrequent occasions when I need to transfer files, I use my cPanel file manager. I would disable FTP completely – except that I can’t find a way to do it. I also can’t find a way to obfuscate cPanel or FTP login, add a reCaptcha, limit login attempts, or add a security question. Very strong passwords are a good start, but I hate relying on just one lock.
I don’t get it. There are so many ways to secure my WP login, but my cPanel and FTP hack vectors lie relatively naked. I can restrict both to SSL access, and that is helpful. And of course I use non-obvious user names and strong passwords. I can use two-factor authentication to secure cPanel, but I’m not a huge fan – I worry about my cell phone being lost, stolen, or broken.
My WP login can be super-duper-secure, but if my cPanel gets hacked – game over. All I want is one more simple thing I can do to secure cPanel and FTP – a security question, a reCaptcha, an obfuscated url, a way to limit login attempts … pretty much anything. It seems to me everyone would want this. But not only can I not find one, I can’t even find much discussion about it. Again, I don’t get it.
Security turns its back on cPanel and FTP
So, here’s my imperfect solutions. I delete the DNS record for FTP. That won’t disable FTP completely – a determined hacker could still try to get in if he or she learns my IP address or server name – but it makes it harder, and I worry a lot more about bad bots than determined human hackers. My cPanel has a DNS record too, but deleting it seems to have no effect – I’m not sure why. With cPanel, I gotta use two-factor authentication – the only way I’ve found to increase security.
Update 2018-12-27: I figured out a way to block direct access to cPanel! Using a Cloudflare firewall rule:
- Field: URI Full
- Operator: contains
- Value: mysite.com/cpanel
- Action: Block
The result … Access denied …
I can still get to cPanel using the relatively secret server name and path provided by my hosting provider – not perfect hack prevention, but makes it much harder. No more unfettered “Here’s my cPanel login screen just for asking. Thank you for your interest in hacking me.”
I figured this out all by myself! Yea me!
WPPOV supports freedom from Net Neutrality and the GDPR. The Internet of the people, by the people, for the people, shall not perish from the Earth.