I take numerous precautions to prevent malicious logins to my WP admin account. None of which will do me a bit of good if my cPanel or FTP accounts get hacked. I don’t even use FTP. On those infrequent occasions when I need to transfer files, I use my cPanel file manager. I would disable FTP completely – except that I can’t find a way to do it. I also can’t find a way to obfuscate cPanel or FTP login, add a reCaptcha, limit login attempts, or add a security question. Very strong passwords are a good start, but I hate relying on just one lock.
I don’t get it. There are so many ways to secure my WP login, but my cPanel and FTP hack vectors lie relatively naked. I can restrict both to SSL access, and that is helpful. And of course I use non-obvious user names and strong passwords. I can use two-factor authentication to secure cPanel, but I’m not a huge fan – I worry about my cell phone being lost, stolen, or broken.
My WP login can be super-duper-secure, but if my cPanel gets hacked – game over. All I want is one more simple thing I can do to secure cPanel and FTP – a security question, a reCaptcha, an obfuscated url, a way to limit login attempts … pretty much anything. It seems to me everyone would want this. But not only can I not find one, I can’t even find much discussion about it. Again, I don’t get it.
Security turns its back on cPanel and FTP
So, here’s my imperfect solutions. I delete the DNS record for FTP. That won’t disable FTP completely – a determined hacker could still try to get in if he or she learns my IP address or server name – but it makes it harder, and I worry a lot more about bad bots than determined human hackers. My cPanel has a DNS record too, but deleting it seems to have no effect – I’m not sure why. With cPanel, I gotta use two-factor authentication – the only way I’ve found to increase security.
Update 2018-12-27: I figured out a way to block direct access to cPanel! Using a Cloudflare firewall rule:
- Field: URI Full
- Operator: contains
- Value: mysite.com/cpanel
- Action: Block
The result … Access denied …
I can still get to cPanel using the relatively secret server name and path provided by my hosting provider – not perfect hack prevention, but makes it much harder. No more unfettered “Here’s my cPanel login screen just for asking. Thank you for your interest in hacking me.”
I figured this out all by myself! Yea me!
