Setup a WHM/CPanel Server

This guide will tell you how to setup WHM/Cpanel on a fresh sever. This guide is specifically for web hosting resellers as it is aim to tune/optimize and secure the server for selling purpose.

    Cpanel condition: swap to be 4 GB

Croc Web
Device Mount Point Usage Status
/boot /boot 28% (133,214 of 499,492)
/var/tmp /var/tmp 8% (318,684 of 4,059,840)
/tmp /tmp 8% (318,684 of 4,059,840)
/ / 78% (1,188,088,984 of 1,612,302,348)

All tmp are created by themselves so dedicated server with 32 GB RAM is ordered from WSI with 4GB Swap as recommended by Capnel.

  1. FQDN

Loginto New Dedi

  1. yum update
  2. nano /etc/ssh/sshd_config
    Port 2244
  3. hostname
  4. Disable NetworkManager (ifconfig -a) for all networks

systemctl stop NetworkManager.service
systemctl disable NetworkManager.service
OR for centos6
service NetworkManager stop

cd /etc/sysconfig/network-scripts
Open the ifcfg-eth0 and ifcfg-lo files with your preferred text editor and, if they exist, set the following keys’ values: /etc/sysconfig/network-scripts/ifcfg-ethX
ifcfg-eth0 and ifcfg-lo OR ifcfg-eno1, ifcfg-eno2(Skipped as on boot was set as no despite being Type Ehternet it was ipv6), ifcfg-lo
cp ifcfg-eno1 ifcfg-eno1:0

systemctl enable network.service
systemctl start network.service
systemctl status network

ip a
cd /etc/sysconfig/network-scripts

cd /etc/sysconfig/network-scripts/


cp ifcfg-eno1 ifcfg-eno1:0

cp ifcfg-eno1:0 ifcfg-eno1:1
Centos 6

cp ifcfg-eth0 ifcfg-eth0:0 63

cp ifcfg-eth0 ifcfg-eth0:1 64

cp ifcfg-eth0 ifcfg-eth0:2 65



/etc/init.d/network restart

  1. cd /home && curl -o latest -L && sh latest
    Run the one time url given by cpanel

DNS Zone
Add a DNS ZONE //To resolve Nameserver is not authoritative error

Edit DNS Zone

I added A records as well NS A records and NS records inside the DNS of main damain of reseller. then it was resolved.


  1. Upgrage to MariaDB before installing CL MysqlGoverner otherwise run
    To remove MySQL Governor :

$ /usr/share/lve/dbgovernor/ –delete

/usr/share/lve/dbgovernor/ –install

Open Remote Connection Port on MySQL / MariaDB

  1. Feature Manager »Edit Feature ListDocumentation
  2. Install CL
    cd /root
    $ wget
    If you have activation key:
    $ sh cldeploy -k
    If you have IP-based license:
    $ sh cldeploy -i
    $ reboot

Run Wizard and install CageFS, LSAPI,MysqlGoverner

  1. MYSQL MYCNF File in Guides folder
    service mysql restart

pid-file=/var/run/mysqld/ This one not worked.

  1. Install CLAMAV THEN ConfigServer cxs Script Installer
    cd /usr/src
    rm -f cxs*
    tar -xzf cxsinstaller.tgz
    perl ipv4
    rm -fv cxsinstaller.*

Run Wizard
Enable IP Reputation after cSF firewall

You should be able to edit
Code: Select all
Then add:-
Code: Select all
hdir is relative to the users home folder.

Then restart cxs:-
Code: Select all
service cxswatch restart

  1. ConfigServer Security & Firewall (csf)
    cd /usr/src
    rm -fv csf.tgz
    tar -xzf csf.tgz
    cd csf

Next, test whether you have the required iptables modules:

perl /usr/local/csf/bin/

Resutl all ok

Enable Firewall
Check Basic Security
Change incoming outgoing TCP_IN & TCP_OUT port as of your ssh port.

  1. Remove All PHP versions from EA4.

Dealing with cPanel’s MultiPHP and CloudLinux’s PHP Selector.
July 8th, 2018 — whplus
If you are using PHP-FPM you cannot use Cloudlinux’s PHP selector so you may want to scrap PHP selector off the bat if that is the case, unless you plan on only using PHP-FPM for some account and not all.

If PHP-FPM isn’t a worry, then what I would recommend you doing is going into:

WHM > EasyApache4

Installed CL+OPCACHE+Modlasapi+All PHP (Then customised ioncube for php)

Then go into

WHM > CloudLinux LVE Manager > Selector

Set your ‘Default php version’ to PHP 7.2(not native).

Then below that, I personally uncheck “native” all together.

at the very bottom click the “Panel Default” option and click “Save”.

This will select all the PHP extensions you chose for the PHP version in EasyApache.

You will want to do this for each PHP version there.

Next, go to

WHM > MultiPHP Manager

Make sure you set “System PHP Version” to EA-PHP70 (or whichever EA version you chose in EasyApache).

Make sure ALL cPanel accounts are set to the inherited version of PHP. This will make sure all cPanel accounts are now only able to use PHP versions from Cloudlinux’s PHP Selector.

I would also go to

WHM > Feature Manager

Edit your default and other feature list’s that you use and disable both the:

MultiPHP INI Editor
MultiPHP Manager

  1. nano /opt/alt/php51/etc/php.ini

Change the already existing options. enable_dl = Off
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open

We are often asked how to prevent particular php function from being used by all clients. This is especially true about functions like exec, passthru, etc… This is something that can be easily done with php-selector. Your customers are only allowed to modify directives listed in /etc/cl.selector/php.conf file. For example if you want to block system command like ‘exec’ for php53 you have to add ‘disable_functions=exec’ in /opt/alt/php53/etc/php.ini file. As long as this directive is absent in /etc/cl.selector/php.conf file, users will not be able to use ‘exec’ in their scripts.

Do you want a quick check of what directives your users may customize? Execute the following command as root on your server:

grep Directive /etc/cl.selector/php.conf

Yet, trying to secure your hosting with php.ini is wrong approach. It might work for php processes, but it will not work for CGI scripts. The secure environment is already established by CageFS which limits what processes can see or do to only safe actions.

Install a Node.js application
yum install lvemanager lve-utils ea-apache24-mod-alt-passenger

  1. Install Imunify AV
  2. Installation using an SSH client such as Terminal or Putty
    HOST_API_KEY will look similar to 56yt8x9s987dfy4324bnv.
    ‘YOUR_COMPANY_NAME’ should be wrapped in quotes like so ‘Awesome Hosting’
    bash<(curl -s -k 0ed0828a859f2de15fbd2d5c3bedf391 -n ‘Host Mayo’

bash <(curl -s -k 0ed0828a859f2de15fbd2d5c3bedf391 -n ‘Host Mayo’

  1. Nginx
    cd /; rm -f; wget –no-check-certificate; bash install
  2. Apache Optimisation
    curl -sL | sudo perl
    curl -sL | perl Not working on nginx
    Max Request Workers 200 (Dont know why but error under apache log AH00286: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting

We had the same problem on Apache 2.4.6. After monitoring the server and adjusting the setting for several hours it appears to us that Apache may have a bug. What appears to happen is that the server processes occasionally goes into the G state (Gracefully finishing) and restarts to accept new requests, that’s normal. What is not normal is that for some reason this can take up to a few minutes to restart. If you only have a few server process running and they all go into the G state at the same time then your scoreboard fills up and you won’t be able to server any more requests.

What we did was increase the number of servers so there is a less of a chance that they will all go into the G state at the same time. Also make sure you allocate at least 25 threads (MaxRequestWorkers) for each server process because that appears to be the default (i.e. if 5 Servers x 25 ThreadsPerChild = 125 MaxRequestWorkers). You can change ThreadsPerChild if you like, we left it at default. If you don’t allocate enough threads the additional servers will not start. We left MinSpareThreads at the default value which is 25 and the default for MaxSpareThreads which is 75. If you do modify these settings, the value for MaxSpareThreads must be greater than or equal to the sum of MinSpareThreads and ThreadsPerChild. Also MaxRequestWorkers must be equal to or less than the ServerLimit.

  1. I change apache from event mpm to worker mpm and my server problem solved.
  2. Switch to MPM Prefork

Apache MPMs – Prefork vs Worker vs Event
By default, Apache servers typically have 3 threads available:


Implements a non-threaded, pre-forking web server.
The default one, most stable and also compatible with older software. Unfortunately, also the slowest.
I’m guessing it’s called that because it’s the original version before they forked off into the other versions.
You will almost always find this one installed by default as many companies are too lazy to reconfigure hundreds of their servers. There’s also a shady skepticism that they don’t want your server to perform that well since they want to upsell you to a bigger server sooner.

Multi-Processing Module implementing a hybrid multi-threaded multi-process web server.
Faster than prefork and can handle more visitors.

A variant of the worker MPM with the goal of consuming threads only for connections with active processing.
The fastest MPM and considered least stable…although fine for most people in real-world practices.
Uses the least resources and can handle the most visits.

An effective method used by the administrators is the reverse proxying method.
Here Nginx is served as a static web server front and Apache processing the back end utilizing the advantages of two web servers to great effect.
Nginx acts as a web traffic proxy serving all static contents like CSS, JS, images etc. by default.
This significantly reduces the CPU/RAM resources consumed by Apache. Apache serves the dynamic contents like PHP, PERL, etc.

Enable HTTP/2 in Cpanel Server

The HTTP/2 increases the speed as well as security.

To Install or uninstall the mod_http2 Apache module with WHM’s EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4). If your server requires that you run websites as the user, you must also install the mod_suexec Apache module. Check if http2 is enabled using following website.

Q. Will it work with CloudFlare?
A. Yes, but there is a minor gotcha. You need to adjust your “custom_rules” Nginx configuration file a bit.
When you open that file via Engintron’s WHM app, you’ll see examples of the rules to add for Engintron to work seamlessly with CloudFlare.
To briefly explain the process, you need to set your server’s shared (main) IP and/or any additional dedicated IPs matching certain domains
(everything is documented with examples in there).

For Memcache
chmod +x /usr/local/src/engintron/utilities/

Edit your custom_rules for Nginx
set $PROXY_DOMAIN_OR_IP “”; # Use your cPanel’s shared IP address

* If your server has a single shared IP ONLY and you wish to use CloudFlare for any (or all) of your sites you will have to specify this shared IP address below otherwise you’ll get errors from CloudFlare. This change will simply tell Nginx to skip DNS resolving and simply forward traffic to the shared IP.

Within your “Custom Rules” file, add the following line if all your sites on the shared (main) IP of your server are on CloudFlare:

set $PROXY_DOMAIN_OR_IP “XXX.XXX.XXX.XXX”; # Use your cPanel’s shared IP address here

set $PROXY_DOMAIN_OR_IP “”; # Use your cPanel’s shared IP address
Only using one ip lets see.

Restrict access to ports 8080 & 8443 used by Apache only for Nginx

(originally posted by Engintron user @speegs in Engintron’s Issues)

To restrict access to ports 8080 & 8443 used by Apache only for Nginx, follow these steps:

  1. Install ConfigServer Firewall (CSF) from – it’s the best IPTables GUI for cPanel (and not only)!
  2. Edit the file /etc/csf/csf.allow (either via terminal or via CSF’s WHM app) and append these lines:(Fireweall Allow ips)
tcp|in|d=8080|s= # The loopback address
tcp|in|d=8080|s= # Replace with your server's shared IP - if you have multiple IPs, clone this line and edit the IP
tcp|in|d=8080|s= # Replace with your server's shared IP - if you have multiple IPs, clone this line and edit the IP

tcp|in|d=8443|s= # The loopback address
tcp|in|d=8443|s= # Replace with your server's shared IP - if you have multiple IPs, clone this line and edit the IP
tcp|in|d=8080|s= # Replace with your server's shared IP - if you have multiple IPs, clone this line and edit the IP
  1. Edit /etc/csf/csf.deny (either via terminal or via CSF’s WHM app) and append this line: (Fireweall deny ips)
# Block all connections to port 8080 except those already allowed in csf.allow
tcp|in|d=8080|s= # do not delete
# Block all connections to port 8443 except those already allowed in csf.allow
tcp|in|d=8443|s= # do not delete

CT_LIMIT = 150 Default: 0 [0 or 10-1000]
PT_USERMEM = 1024 Default: 256 [0-1024]

NFS for file sharing. No harm in disabling but dont need to as per cpanel special due to quota but I disabled it
You can disable them by running the following commands as root:

systemctl disable rpcbind

Mailman Excessive Resources
added the following to csf.pignore

pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner.*
pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl.*

pcmd:/usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl.*
pcmd:/usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner.*
cmd:spamd child


NFS for file sharing
rpcbind is a close analog of BIND I think WP uses this for remote procedure calls using xml. Anyways looks a legit processor so disabling its execution alert.

For NodeJS10
or exe/home/thereapn/.nvm/versions/node/v13.12.0/bin/node

If you use Cpanel & easy apache 3 then the location is the second set. If you use easy apache 4 then it is the first set

  1. Install Comodo WAF
    cd /root
    bash /root/ Check :
  2. Install clamav
  3. Install Solr
  4. Why Mod_lsapi Better than suexe
    drop-in replacement for SuPHP, FCGID, RUID2, and ITK.
    Doesn’t suffer from stability issues in process management like PHP FPM and mod_fcgid.
    Includes the full benefits of opcode caching.
    PHP-FPM not only provides better security than suPHP, but it also processes PHP scripts much more efficiently than suPHP
    DSO(mod_php)>suPHP>FastCGI (FCGI)>PHP-FPM>Mod_lsapi
  5. Installing Softaculous
    Step 1: Enable IonCube
    wget -N
    chmod 755
    WHM > Plugins (Add-Ons on older versions than 11) > Softaculous – Instant Installs
    Tweak Settings enable ioncube’

Bult profitl for EA for CL+Mod_lsapi+OPCACHE+IONCE10 php7,71,72,+NodeJS

  1. Install Kernel Monitor by CL and script Both to see reason for server crashing.

Imunify MYSQL NGINX MEMCACHE Softaculous cloudflare


  1. Stop CPhulk
    display_errors = off
    allow_url_fopen = On
    asp_tags = off
    display_errors = off
    enable_dl = on
    file_uploads = on
    max_execution_time 30 default 90
    max_input_time = -1
    memory_limit = 128
    post_max_size = 8M
    safe_mode = on

register_argc_argv = OFF instead of on
serialize_precision = 100 instead of -1
ereg not enabled
mcrypt The PHP developers deprecated mcrypt in version 7.1, and removed support in version 7.2. Applications should use either sodium or openssl for encryption needs.


sslv3 not enabled due to poodle attack
Registered Stream Filters: mcrypt., mdecrypt.

  1. Stop email notification of Expired SSL of Users.
    Home »SSL/TLS »Manage AutoSSLDocumentation memory_limit = 1024M
    post_max_size = 512M
    upload_max_filesize = 256M
    max_execution_time = 300. max_input_vars = 3000 Not set Its depend on server settings but there is one thing always remember while setting upload_max_filesize <= post_max_size if you are not doing that will be throws an error.

For example, Your configuration allows user to upload 50MB file but you post_max_size is 20MB.That mean you request doesn’t fullfill because you can post only 20MB for single request.


To upload large files, post_max_size value must be larger than upload_max_filesize.
memory_limit should be larger than post_max_size
Guide line of PHP offical site
Sets max size of post data allowed. This setting also affects file upload. To upload large files, this value must be larger than upload_max_filesize.
Generally speaking, memory_limit should be larger than post_max_size.

I think it is unlikely that your email account is currently compromised. (But keep checking, anything can happen in the future 😀 )

You can use the Exim Blacklist to refuse all SMTP traffic from an IP
WHM >> Service Configuration >> Exim Configuration Manager
Basic Editor
Access Lists
Blacklisted SMTP IP addresses (IP addresses from which SMTP connections are dropped unconditionally)

Install SSL for other domains CAA 1 issue “”

For any questions please ask in the comment section or in our forum.

Install Softaculous

wget -N
chmod 755

Change SSH port from 22 to 2233 or anything else in centos.
[root@srv ~]# nano /etc/ssh/sshd_config

Install CpCleaner


  • Clean out files by extensions or name.
  • Clean out the “tmp” and “.trash” folders.
  • Support cPanel, cPanel with CloudLinux. CentOS 5/6/7.

Go To


Run the following shell commands as root via SSH:

wget -O cpc-1.0.3.tar ""
tar -xf cpc-1.0.3.tar
cd cpc-1.0.3
sh cpc-installer -install
cd ..
rm -Rfv cpc-1.0.3/ cpc-1.0.3.tar


Run the update by the following shell commands as root:


Section 2 Tweaking WHM Server

Increase upload size in PHPMYADMIN for cPanel Accounts

Notify of
Newest Most Voted
Inline Feedbacks
View all comments

[…] There are three popular solutions right now which can help you fight malicious content/viruses for web hosting servers. This article is part of our series in setting up WHM server. […]

8 months ago

Good Work. Is there any other recommendation for litespeed server to perform better and high security