🌐

CPanel WHM

64 notes  •  Web Hosting

Fix Mysql::initcache() Failed Error in cPanel/WHM

The Mysql::initcache() failed error appears in WHM when cPanel attempts to retrieve MySQL disk usage via INFORMATION_SCHEMA and the call fails. Disabling that setting resolves the issue immediately.

Prerequisites

  • Root or reseller access to WHM
  • MySQL/MariaDB running on the server

Steps

  1. Log in to WHM as root.
  2. Navigate to Server Configuration → Tweak Settings.
  3. Select the SQL tab.
  4. Find the option Use INFORMATION_SCHEMA to acquire MySQL disk usage and set it to Off.
  5. Click Save.

Verify

  • Reload the cPanel/WHM interface; the Mysql::initcache() error should no longer appear.
  • Check MySQL status:
    systemctl status mysql

Notes

  • This setting causes WHM to use a slower but more compatible disk-usage query method.
  • If the error persists, restart MySQL and clear the cPanel cache:
    /scripts/restartsrv_mysql
    /usr/local/cpanel/bin/rebuild_sprites

Fix: MySQL Server PID File Could Not Be Found

When restarting MySQL, the error ERROR! MySQL server PID file could not be found! indicates that the PID file is missing or the data directory has incorrect ownership/permissions. Follow these steps to diagnose and resolve the issue.

Prerequisites

  • Root SSH access to the server
  • MySQL/MariaDB installed

Steps

  1. Check the MySQL error log for the root cause:
    tail -100 /var/lib/mysql/$(hostname).err
  2. Fix ownership of the MySQL data directory:
    chown -R mysql:mysql /var/lib/mysql
  3. Fix permissions:
    chmod -R 755 /var/lib/mysql
  4. Start MySQL:
    systemctl start mysql
  5. If MySQL still fails to start, check for a stale PID file and remove it:
    ls /var/lib/mysql/*.pid
    rm -f /var/lib/mysql/*.pid
    systemctl start mysql
  6. Alternatively, use WHM to restart MySQL: Restart Services → SQL Server (MySQL).

Verify

systemctl status mysql
mysqladmin -u root -p status

Notes

  • Full disk space can also prevent PID file creation — check with df -h.
  • InnoDB corruption may require running mysqlcheck or restoring from backup.
  • Always review the error log before making changes: /var/lib/mysql/<hostname>.err.

Set Up Nameservers in a cPanel/WHM Environment

Setting up nameservers correctly in cPanel/WHM ensures that domains hosted on the server resolve properly. This guide covers selecting nameserver software, naming nameservers, creating DNS A records, and registering nameservers with your registrar.

Prerequisites

  • Root access to WHM
  • At least two IP addresses available on the server (one per nameserver)
  • Access to the domain registrar account for the nameserver domain

Steps

  1. Select nameserver software
    In WHM: DNS Functions → Nameserver Selection. Choose BIND, PowerDNS, or NSD based on your requirements. BIND is the default and most compatible choice.
  2. Name your nameservers
    In WHM: Server Configuration → Basic WebHost Manager Setup. Set:
    Primary Nameserver:   ns1.yourdomain.com
    Secondary Nameserver: ns2.yourdomain.com
  3. Create A records for each nameserver
    In WHM: DNS Functions → Edit DNS Zone for yourdomain.com. Add:
    ns1   A   <server-primary-IP>
    ns2   A   <server-secondary-IP>
  4. Register nameservers with your registrar
    Log in to your domain registrar and create "glue records" (also called child nameservers) for ns1.yourdomain.com and ns2.yourdomain.com pointing to your server IPs.
  5. Update the propagation cache:
    /usr/local/cpanel/scripts/updatenameserverips

Verify

dig ns1.yourdomain.com A
dig ns2.yourdomain.com A
whm-api1 --output=jsonpretty viewnsconfig

Notes

  • DNS propagation can take up to 48 hours after registrar-side changes.
  • For redundancy, host ns1 and ns2 on different physical servers or IPs.
  • Check the NS Record Report in WHM: DNS Functions → NS Record Report.

Configure Nameservers on cPanel Servers

This guide explains how nameservers function on cPanel servers and how to configure them so that all hosted domains resolve correctly via your server's DNS infrastructure.

Prerequisites

  • Root access to WHM
  • A working nameserver daemon (BIND/PowerDNS/NSD) installed

Steps

  1. Set nameserver hostnames in WHM
    Go to Server Configuration → Basic WebHost Manager Setup and set Primary and Secondary Nameserver fields.
  2. Verify named is running:
    systemctl status named
    # or for PowerDNS:
    systemctl status pdns
  3. Check the named.conf allow-query directive:
    grep -i "allow-query" /etc/named.conf
    If it is set to localhost, change it to any so external queries are accepted:
    allow-query { any; };
    Then restart named:
    systemctl restart named
  4. Rebuild DNS zones after configuration changes:
    /scripts/rebuilddnsconfig
  5. Update the nameserver IP cache:
    /usr/local/cpanel/scripts/updatenameserverips

Verify

dig @127.0.0.1 yourdomain.com NS
dig @127.0.0.1 yourdomain.com A

Notes

  • The NS Record Report in WHM reads from /var/cpanel/nameserverips.cache; run updatenameserverips after any IP change.
  • Each hosted domain has its zone file in /var/named/ (BIND) or managed by the PowerDNS database.

cPanel Functions and Features Overview

This article provides a reference overview of key cPanel and WHM functions, their locations in the interface, and the underlying scripts and configuration paths sysadmins use most frequently.

Prerequisites

  • Root or reseller access to WHM/cPanel

Key WHM Functions and Paths

FunctionWHM Location / Command
NS Record ReportDNS Functions → NS Record Report
/usr/local/cpanel/scripts/updatenameserverips
Rebuild Apache config/scripts/rebuildhttpdconf
Build NAT IP map/scripts/build_cpnat
Generate system info/scripts/gensysinfo
Force backup run/usr/local/cpanel/bin/backup --force
Restart PHP-FPM/scripts/restartsrv_apache_php_fpm
View account infowhmapi1 accountsummary user=USERNAME
Tweak SettingsServer Configuration → Tweak Settings
EasyApache 4Software → EasyApache 4
MultiPHP ManagerSoftware → MultiPHP Manager

Common cPanel User Functions

  • File Manager — browser-based file management at ~/public_html
  • Email Accounts — create/manage mailboxes
  • MySQL Databases — create databases, users, and assign privileges
  • Softaculous — one-click WordPress/application installs
  • SSL/TLS — install certificates and manage AutoSSL
  • Cron Jobs — schedule automated tasks
  • Error Logs — view /home/USER/logs/

Notes

  • All WHM API calls are available via whmapi1 on the command line.
  • cPanel user API calls are available via cpapi2 and uapi.
  • Configuration files for accounts live in /var/cpanel/userdata/USERNAME/.

File Permission Guidelines in cPanel

Incorrect file and directory permissions cause Apache to return 403 Forbidden errors or allow security vulnerabilities. This guide covers the correct ownership and permission settings for cPanel-hosted accounts.

Prerequisites

  • Root SSH access
  • The cPanel username for the account being fixed

Recommended Permission Settings

PathOwner:GroupPermissions
/home/USERNAME/public_htmlUSERNAME:nobody750
Subdirectories inside public_htmlUSERNAME:USERNAME755
Files inside public_htmlUSERNAME:USERNAME644
PHP/CGI scriptsUSERNAME:USERNAME755
.htaccessUSERNAME:USERNAME644

Steps

  1. Set the correct ownership on public_html itself (must be nobody as group so Apache can read it):
    chown USERNAME:nobody /home/USERNAME/public_html
  2. Fix ownership recursively for contents:
    chown -R USERNAME:USERNAME /home/USERNAME/public_html
  3. Set directory permissions:
    find /home/USERNAME/public_html -type d -exec chmod 755 {} \;
  4. Set file permissions:
    find /home/USERNAME/public_html -type f -exec chmod 644 {} \;
  5. Re-apply the public_html group after the recursive chown:
    chown USERNAME:nobody /home/USERNAME/public_html

Verify

ls -la /home/USERNAME/
ls -la /home/USERNAME/public_html/

Notes

  • World-writable files (777) are a security risk and should never be used in production.
  • If using suPHP or PHP-FPM, the group on public_html may differ — consult your PHP handler configuration.
  • The WHM Fix Permissions tool at Account Functions → Fix cPanel User Permissions automates this process.

Grant cPanel/WHM Access to a User

This guide explains how to grant cPanel access to a standard user and optionally give them sudo privileges, as well as how to enable password-based WHM access.

Prerequisites

  • Root access to the server
  • The target username already exists in cPanel or as a system user

Steps: Grant cPanel Access

  1. Log in to WHM as root.
  2. Navigate to Account Functions → Create a New Account (for new users) or List Accounts to manage existing ones.
  3. To allow a system user to log in to cPanel, ensure their account appears under List Accounts.

Steps: Grant Sudo Privileges

  1. Open the sudoers file safely:
    visudo
  2. Add the following line below the root entry:
    USERNAME  ALL=(ALL)  ALL
  3. Save and exit.

Steps: Enable Password-Based WHM Access

  1. In WHM: Security Center → Security Advisor — review SSH configuration recommendations.
  2. To allow password auth for WHM logins, ensure the user has a valid cPanel account with reseller or root privileges.
  3. Assign reseller privileges: Resellers → Setup Reseller Accounts → Edit Reseller Nameservers and Privileges.

Verify

# Test sudo access as the user
su - USERNAME -c "sudo whoami"

Notes

  • Granting sudo access gives the user full root-level control — apply the principle of least privilege.
  • Use WHM's ACL system to grant limited WHM access without full root: Resellers → Edit Reseller Nameservers and Privileges.

DNS Configuration in named.conf for cPanel

An incorrect allow-query directive in /etc/named.conf can block all external DNS resolution for domains hosted on the server. This guide explains how to diagnose and correct named.conf DNS configuration issues on cPanel servers.

Prerequisites

  • Root SSH access
  • BIND (named) installed and running

Steps

  1. Check the current allow-query setting:
    grep -i "allow-query" /etc/named.conf
    If the output is allow-query { localhost; };, external DNS queries are being rejected.
  2. Edit /etc/named.conf:
    nano /etc/named.conf
    Change:
    allow-query { localhost; };
    To:
    allow-query { any; };
  3. Validate the configuration syntax:
    named-checkconf /etc/named.conf
  4. Restart named:
    systemctl restart named
  5. If cPanel manages named.conf, apply the change via a custom config include to survive rebuilds:
    # Add to /etc/named.conf.local or use WHM DNS cluster settings

Verify

# Query from an external machine or use a different DNS server
dig @YOUR_SERVER_IP yourdomain.com A
dig @YOUR_SERVER_IP yourdomain.com MX

Notes

  • cPanel may overwrite /etc/named.conf during updates; use /etc/named.conf.local for custom directives.
  • If using WHM DNS clustering, changes should be applied through WHM to propagate to all cluster nodes.
  • After fixing, check firewall rules to ensure UDP/TCP port 53 is open.

Initial WHM/cPanel Server Setup

This guide walks through the initial WHM/cPanel setup wizard steps that must be completed immediately after a fresh cPanel installation before the server is put into production.

Prerequisites

  • cPanel/WHM freshly installed on a supported OS (AlmaLinux, CloudLinux, or Ubuntu)
  • Root access via SSH or direct WHM login at https://<server-ip>:2087
  • A valid cPanel license (trial or purchased)

Steps

  1. Accept the license agreement — Click I Agree/Go to Step 2.
  2. Configure network settings:
    • Server Contact Email Address
    • Hostname (must be a valid FQDN, e.g., server1.yourdomain.com)
    • Primary and Secondary Resolvers (nameservers for the server itself)
  3. Set up nameservers — Enter ns1.yourdomain.com and ns2.yourdomain.com. Select nameserver software (BIND recommended).
  4. Configure services — Enable/disable FTP, mail, and cPHulk brute-force protection as needed.
  5. Set the root password and review the security advisor recommendations.
  6. Finish setup and proceed to WHM dashboard.
  7. Run the post-setup hardening script:
    /scripts/securetmp
    /scripts/fixetchosts
  8. Update all cPanel components:
    /scripts/upcp --force

Verify

whmapi1 version
/usr/local/cpanel/cpanel -V

Notes

  • The hostname must resolve to the server's main IP address before setup completes.
  • Run Security Center → Security Advisor after setup to address any outstanding issues.
  • AutoSSL should be enabled to automatically issue SSL certificates for all hosted domains.

Configure AWS Security Group Ports for cPanel/WHM

When hosting cPanel/WHM on an AWS EC2 instance, the default security group blocks many ports required for cPanel services. This guide lists all required ports and explains how to open them.

Prerequisites

  • AWS account with EC2 management access
  • cPanel/WHM installed on the EC2 instance

Required Ports

ServiceProtocolPort(s)
SSHTCP22
HTTPTCP80
HTTPSTCP443
WHMTCP2087
WHM (SSL)TCP2086
cPanelTCP2083
cPanel (non-SSL)TCP2082
WebmailTCP2096, 2095
FTPTCP21
FTP PassiveTCP49152–65534
SMTPTCP25, 465, 587
IMAPTCP143, 993
POP3TCP110, 995
DNSTCP/UDP53
MySQL (remote)TCP3306

Steps

  1. Log in to the AWS Management Console and navigate to EC2 → Security Groups.
  2. Select the security group attached to your cPanel instance.
  3. Click Edit Inbound Rules.
  4. Add each required port as a Custom TCP Rule with Source 0.0.0.0/0 (or restrict to specific IPs for sensitive ports like 22 and 2087).
  5. Click Save Rules.

Verify

# From an external machine:
nc -zv YOUR_SERVER_IP 2087
nc -zv YOUR_SERVER_IP 443

Notes

  • Restrict port 22 (SSH) and 2087 (WHM) to your admin IP range for security.
  • If using CSF firewall on the server, also open ports there: edit /etc/csf/csf.conf.
  • FTP passive port range must match Pure-FTPd or ProFTPd configuration on the server.

Manually Backup, Migrate, and Restore cPanel Accounts

Use the pkgacct and restorepkg scripts to create portable backups of cPanel accounts and restore them on any cPanel server. This method is the safest way to migrate accounts between servers.

Prerequisites

  • Root SSH access to both source and destination servers
  • Sufficient disk space on both servers
  • The destination server must have a cPanel license

Steps: On the Source Server

  1. Create the account backup package:
    /scripts/pkgacct USERNAME
    This creates /home/cpmove-USERNAME.tar.gz.
  2. Move the archive to the user's public_html for download:
    mv /home/cpmove-USERNAME.tar.gz /home/USERNAME/public_html/
    chmod 644 /home/USERNAME/public_html/cpmove-USERNAME.tar.gz

Steps: On the Destination Server

  1. Download the backup package:
    cd /home
    wget http://USERDOMAIN/cpmove-USERNAME.tar.gz
  2. Restore the account:
    /scripts/restorepkg USERNAME
  3. Verify the account was restored:
    whmapi1 accountsummary user=USERNAME

Steps: Cleanup on Source Server (after successful migration)

/scripts/removeacct USERNAME

Verify

ls /var/cpanel/users/USERNAME
cat /etc/userdomains | grep USERNAME

Notes

  • The package includes all files, databases, email accounts, DNS zones, and configuration.
  • For large accounts, transfer via scp or rsync directly between servers rather than through public_html.
  • WHM's Transfer Tool automates this process: Transfers → Transfer Tool.

Enable or Disable Direct Root SSH Login on cPanel

Allowing direct root SSH login is a security risk. This guide explains how to disable (or re-enable) direct root SSH access on a cPanel server, following security best practices.

Prerequisites

  • Root SSH access or WHM access
  • A non-root sudo user configured before disabling root login

Steps: Disable Root SSH Login

  1. Ensure a non-root user with sudo access exists before proceeding.
  2. Edit the SSH configuration:
    nano /etc/ssh/sshd_config
  3. Find and change:
    PermitRootLogin yes
    To:
    PermitRootLogin no
  4. Save the file and restart SSH:
    systemctl restart sshd
  5. Alternatively, use WHM: Security Center → SSH Password Authorization Tweak and set Permit Root Login to No.

Steps: Re-enable Root SSH Login

  1. If locked out, use the server's console (VNC/KVM) or hosting provider rescue mode.
  2. Set PermitRootLogin yes and restart sshd.

Verify

grep PermitRootLogin /etc/ssh/sshd_config
ssh root@YOUR_SERVER_IP  # should be rejected if disabled

Notes

  • cPanel's Security Advisor flags active root SSH login as a vulnerability.
  • Use key-based authentication for all SSH access: PasswordAuthentication no.
  • WHM's Restart SSH option is at Restart Services → SSH Server (OpenSSH).

Fix Apache Issues on a cPanel VPS

Apache failures on cPanel VPS servers can stem from misconfiguration, resource exhaustion, or a corrupted httpd.conf. This guide covers systematic diagnosis and resolution steps.

Prerequisites

  • Root SSH access
  • cPanel/WHM installed with Apache (EasyApache 4)

Steps

  1. Check the Apache service status:
    systemctl status httpd
    # or
    /etc/init.d/httpd status
  2. Check the Apache error log for specific error messages:
    tail -50 /usr/local/apache/logs/error_log
  3. Test the Apache configuration for syntax errors:
    httpd -t
    # or
    apachectl configtest
  4. If the config is corrupt, rebuild it:
    /scripts/rebuildhttpdconf
  5. Restart Apache:
    systemctl restart httpd
  6. Check for resource exhaustion (RAM/CPU):
    free -m
    top -bn1 | head -20
  7. If mod_ruid2 is causing conflicts, remove it via EasyApache 4:
    yum remove ea-apache24-mod_ruid2

Verify

curl -I http://localhost
systemctl status httpd

Notes

  • Common culprits: a bad .htaccess file, a module conflict, or hitting MaxRequestWorkers.
  • Check /usr/local/apache/logs/suexec_log for permission-related issues.
  • WHM's Restart Services → HTTP Server (Apache) is equivalent to systemctl restart httpd.

cPanel Log Locations and Useful Scripts

Knowing where cPanel logs are located and which scripts to run is essential for rapid diagnosis and maintenance. This is a quick-reference guide for the most frequently needed paths and commands.

Prerequisites

  • Root SSH access

Key Log File Locations

LogPath
Apache error log/usr/local/apache/logs/error_log
Apache access log/usr/local/apache/logs/access_log
Exim mail log/var/log/exim_mainlog
Exim reject log/var/log/exim_rejectlog
cPanel backup log/usr/local/cpanel/logs/cpbackup/
PHP-FPM error log (per user)/var/cpanel/php-fpm/USER/logs/error.log
PHP-FPM slow log (per user)/var/cpanel/php-fpm/USER/logs/slow.log
cPanel update log/var/cpanel/updatelogs/
MySQL error log/var/lib/mysql/<hostname>.err

Useful Maintenance Scripts

# Rebuild Apache config
/scripts/rebuildhttpdconf

# Rebuild DNS config
/scripts/rebuilddnsconfig

# Map local IP to public IP (NAT)
/scripts/build_cpnat

# Update nameserver IP cache
/usr/local/cpanel/scripts/updatenameserverips

# Generate system info
/scripts/gensysinfo

# Force a cPanel backup run
/usr/local/cpanel/bin/backup --force

# Restart PHP-FPM
/scripts/restartsrv_apache_php_fpm

# Full cPanel update
/scripts/upcp

# Fix cPanel account permissions
/scripts/fixperm USERNAME

Notes

  • Per-domain access logs are at /home/USERNAME/logs/.
  • Use grep -i error /usr/local/apache/logs/error_log | tail -50 for quick error scanning.
  • The cPanel update log helps diagnose failed upcp runs.

Fix Emails Sent But Not Received on cPanel

When outgoing email leaves the cPanel server but recipients never receive it, the problem is usually a blocked port, a missing DNS record (MX/SPF/DKIM), or a firewall rule. This guide covers systematic diagnosis.

Prerequisites

  • Root SSH access
  • Access to the domain's DNS zone

Steps

  1. Check if port 25 is accessible from outside the server:
    telnet YOUR_SERVER_IP 25
    If the connection times out, port 25 is blocked by a firewall or the cloud provider (e.g., AWS blocks port 25 by default).
  2. Check the Exim mail log for delivery attempts:
    tail -100 /var/log/exim_mainlog | grep DOMAIN
  3. Verify MX records are correct:
    dig MX yourdomain.com
  4. Check SPF record:
    dig TXT yourdomain.com | grep spf
  5. Verify DKIM is enabled in WHM: Email → Email Deliverability.
  6. If port 25 is blocked by the cloud provider, request that the restriction be lifted or use port 587 (submission) or a relay service (e.g., SendGrid, SES).
  7. Check if the server IP is blacklisted:
    curl https://api.abuseipdb.com/api/v2/check?ipAddress=YOUR_IP
    Or use MXToolbox Blacklist Check online.

Verify

# Send a test email and trace it
echo "Test" | mail -s "Test" test@gmail.com
tail -f /var/log/exim_mainlog

Notes

  • AWS EC2 blocks port 25 by default; submit a request to AWS support to unblock it.
  • Ensure RDNS/PTR records are set for the server IP to avoid spam filtering.
  • Check WHM Email → Mail Queue Manager for stuck or bounced messages.

Fix ClamAV Not Working on the cPanel Command Line

After installing ClamAV through WHM, the clamscan binary may not be in the system PATH, causing command not found errors. On cPanel servers, ClamAV is installed under a non-standard path.

Prerequisites

  • Root SSH access
  • ClamAV installed via WHM: Security Center → Install ClamAV Antivirus

Steps

  1. Locate the cPanel ClamAV binary:
    find /usr/local/cpanel -name "clamscan" 2>/dev/null
    Typical path: /usr/local/cpanel/3rdparty/bin/clamscan
  2. Run a scan using the full path:
    /usr/local/cpanel/3rdparty/bin/clamscan -ri /home/USERNAME/public_html/
  3. Create a symlink so clamscan is available system-wide:
    ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/local/bin/clamscan
    ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/local/bin/freshclam
  4. Update virus definitions:
    /usr/local/cpanel/3rdparty/bin/freshclam
  5. Run a full scan on all accounts:
    /usr/local/cpanel/3rdparty/bin/clamscan -ri /home/ --log=/var/log/clamav_scan.log

Verify

clamscan --version
clamscan /tmp/eicar_test.com

Notes

  • The ClamAV daemon (clamd) runs as a service; check its status with systemctl status clamd@scan.
  • Schedule regular scans with a cron job: 0 2 * * * /usr/local/cpanel/3rdparty/bin/clamscan -ri /home/ --log=/var/log/clamav_daily.log
  • Large scans consume significant CPU — schedule during off-peak hours.

Install and Configure Linux Malware Detect (maldet) on cPanel

Linux Malware Detect (LMD/maldet) is a malware scanner designed specifically for shared hosting environments. It integrates with ClamAV for improved detection and can be configured to run automatically.

Prerequisites

  • Root SSH access
  • CentOS/AlmaLinux with wget installed

Steps: Install maldet

  1. Download and extract maldet:
    cd /usr/local/src
    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
    tar -xzf maldetect-current.tar.gz
    cd maldetect-*/
  2. Run the installer:
    ./install.sh

Steps: Configure maldet

  1. Edit the configuration file:
    nano /usr/local/maldetect/conf.maldet
  2. Key settings to configure:
    email_alert="1"
    email_addr="admin@yourdomain.com"
    quarantine_hits="1"
    quarantine_clean="1"
    clamscan_system="1"   # use ClamAV engine for better detection
  3. Save the file.

Steps: Run a Scan

# Scan all home directories
maldet -a /home/

# Scan a specific account
maldet -a /home/USERNAME/public_html/

# View recent scan report
maldet --report list

Steps: Update Signatures

maldet -u

Verify

maldet -v
cat /usr/local/maldetect/event_log | tail -20

Notes

  • maldet installs a daily cron job at /etc/cron.daily/maldet automatically.
  • Quarantined files are stored in /usr/local/maldetect/quarantine/.
  • To restore a quarantined file: maldet --restore FILENAME.

GoMyMobi Mobile Site Integration with cPanel

GoMyMobi requires that all subdomains (wildcard) point to the server so custom mobile domains can resolve. This guide covers the Apache VirtualHost configuration needed to support wildcard subdomain routing in cPanel.

Prerequisites

  • Root SSH access and WHM access
  • A GoMyMobi account with the domain configured

Steps: Add Wildcard Apache Include

  1. In WHM: Service Configuration → Apache Configuration → Include Editor.
  2. Select Pre VirtualHost Include and add:
    <VirtualHost *:80>
        ServerName www.gomymobi.com
        ServerAlias *
        DocumentRoot /home/CPANELUSERNAME/public_html
    </VirtualHost>
  3. Alternatively, create a custom include file:
    mkdir -p /etc/apache2/conf.d/userdata/std/2_4/CPANELUSERNAME/DOMAIN.TLD/
    nano /etc/apache2/conf.d/userdata/std/2_4/CPANELUSERNAME/DOMAIN.TLD/gomymobi.conf
    Add:
    ServerAlias *
  4. Rebuild Apache config and restart:
    /scripts/rebuildhttpdconf
    systemctl restart httpd

Steps: Add Wildcard DNS Record

  1. In WHM: DNS Functions → Edit DNS Zone for gomymobi.com.
  2. Add a wildcard A record:
    *   A   YOUR_SERVER_IP

Verify

dig subdomain.gomymobi.com A
curl -I http://subdomain.gomymobi.com

Notes

  • Using ServerAlias * is broad; ensure it does not conflict with other VirtualHost definitions.
  • Custom include files in /etc/apache2/conf.d/userdata/ survive rebuildhttpdconf.

Fix 404 Error When Visiting a Site by IP Address in cPanel

When mod_userdir is enabled in WHM alongside mod_ruid2, cPanel refuses the configuration change and sites accessed by IP return a 404. The fix is to remove mod_ruid2 before enabling mod_userdir.

Prerequisites

  • Root access to WHM
  • EasyApache 4 installed

Steps

  1. Remove mod_ruid2 via EasyApache 4:
    yum remove ea-apache24-mod_ruid2
    Or in WHM: Software → EasyApache 4 → Customize, deselect mod_ruid2, and save.
  2. Rebuild the Apache configuration:
    /scripts/rebuildhttpdconf
  3. Now enable mod_userdir in WHM: Security Center → Apache mod_userdir Tweak, set to Enabled.
  4. Restart Apache:
    systemctl restart httpd
  5. To serve a specific site when accessing by IP, set a default VirtualHost or add a direct A record for the IP.

Verify

curl -I http://YOUR_SERVER_IP
# Should return 200 or redirect, not 404

Notes

  • Removing mod_ruid2 affects PHP process ownership; consider switching to PHP-FPM or suPHP as an alternative.
  • Apache serves the first VirtualHost in httpd.conf for requests to the bare IP address.
  • WHM's Default Address setting controls what happens for undefined IP requests: Main → DNS Functions → Change Default DNS Zone Template.

cPanel Backup Configuration and Verification

Verifying that cPanel backups are completing successfully and that the configuration is correct prevents data loss. This guide covers checking backup status, reviewing logs, and validating backup settings.

Prerequisites

  • Root SSH access
  • cPanel backups enabled in WHM

Steps: Check Backup Status

  1. Check recent backup logs for success or failure:
    grep -i 'state' /usr/local/cpanel/logs/cpbackup/*
    A successful run shows: Final state is Backup::Success (0)
  2. View the backup configuration:
    cat /var/cpanel/backups/config
  3. List available backups:
    ls -lh /backup/

Steps: Configure Backups in WHM

  1. Navigate to Backup → Backup Configuration.
  2. Enable backups and set:
    • Backup type: Compressed
    • Schedule: Daily/Weekly/Monthly
    • Retention: number of days to keep
    • Backup directory: e.g., /backup
  3. Enable Backup Accounts, Backup MySQL Databases, and Backup Email.
  4. Optionally configure a remote destination (FTP, SFTP, S3).
  5. Click Save Configuration.

Steps: Force a Backup Run

/usr/local/cpanel/bin/backup --force

Verify

tail -f /usr/local/cpanel/logs/cpbackup/$(ls -t /usr/local/cpanel/logs/cpbackup/ | head -1)
ls -lh /backup/*/

Notes

  • Always test restores periodically — a backup that cannot be restored is not useful.
  • Ensure the backup destination has sufficient disk space (df -h).
  • For per-account restores: WHM Backup → Restore a Full Backup/cpmove File.

Add Security Headers in cPanel/Apache

HTTP security headers protect against common web attacks like XSS, clickjacking, and MIME sniffing. This guide explains how to add them globally or per-domain on a cPanel server.

Prerequisites

  • Root SSH access
  • Apache mod_headers enabled (standard in EasyApache 4)

Steps: Add Headers via WHM Global Include

  1. In WHM: Apache Configuration → Include Editor → Pre Main Include.
  2. Add the following security headers:
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  3. Click Update, then rebuild and restart Apache:
    /scripts/rebuildhttpdconf
    systemctl restart httpd

Steps: Add Headers via Custom Include (per domain)

  1. Create the include file:
    mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/USERNAME/DOMAIN.TLD/
    nano /etc/apache2/conf.d/userdata/ssl/2_4/USERNAME/DOMAIN.TLD/security_headers.conf
  2. Add the headers above to the file, then rebuild:
    /scripts/rebuildhttpdconf && systemctl restart httpd

Steps: Add Headers via .htaccess (per site)

<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>

Verify

curl -I https://yourdomain.com | grep -i "x-frame\|x-content\|strict-transport"

Notes

  • Test headers with securityheaders.com.
  • The Content-Security-Policy header requires per-site customization and should not be set globally.
  • HSTS (Strict-Transport-Security) should only be set on domains with valid SSL certificates.

Update to PHP CGI Handler in cPanel

When running PHP tools like Composer or Artisan from the CLI on a cPanel server, the wrong PHP binary may be invoked. Ensuring the correct PHP version is used for CLI operations prevents version-mismatch errors.

Prerequisites

  • SSH access (root or cPanel user)
  • EasyApache 4 with multiple PHP versions installed

Steps: Set PHP Handler in WHM (per domain)

  1. In WHM: Software → MultiPHP Manager.
  2. Find the domain and set the PHP version and handler (CGI, DSO, suPHP, or PHP-FPM).
  3. Save changes.

Steps: Fix PHP CLI for Composer/Artisan

  1. Find the correct PHP binary path:
    ls /opt/cpanel/ea-php*/root/usr/bin/php
  2. Run Composer or Artisan with the explicit path:
    /opt/cpanel/ea-php83/root/usr/bin/php /usr/local/bin/composer install
    /opt/cpanel/ea-php83/root/usr/bin/php artisan migrate
  3. Or create an alias in ~/.bashrc:
    alias php='/opt/cpanel/ea-php83/root/usr/bin/php'
    Then reload: source ~/.bashrc

Steps: Set PHP CGI in cPanel (per account)

  1. Log in to cPanel.
  2. Go to Software → MultiPHP Manager.
  3. Select the domain, set PHP version and handler to CGI.
  4. Save.

Verify

php -v   # check which version the 'php' alias resolves to
/opt/cpanel/ea-php83/root/usr/bin/php -v

Notes

  • CGI handler runs PHP as the cPanel user, which is more secure than DSO (which runs as Apache).
  • PHP-FPM is recommended for performance on busy sites.

Install cPMalScan Malware Scanner on cPanel

cPMalScan is a lightweight malware scanner for cPanel servers that scans directories for known malware signatures. This guide covers installation and basic usage.

Prerequisites

  • Root SSH access
  • wget and unzip installed

Steps: Install cPMalScan

  1. Change to the source directory and download:
    cd /usr/local/src
    rm -rf cPMalScan*
    wget http://downloads.tijeers.com/cpmalscan/cPMalScan.zip
  2. Unzip and install:
    unzip cPMalScan.zip
    cd cPMalScan
    chmod 755 install.sh
    ./install.sh

Steps: Run a Scan

# Scan a specific folder
cpmalscan -a /home/USERNAME/public_html/

# Scan all accounts
cpmalscan -a /home/

# Scan and output to log file
cpmalscan -a /home/ > /var/log/cpmalscan_$(date +%Y%m%d).log 2>&1

Steps: Update Signatures

cpmalscan --update

Verify

which cpmalscan
cpmalscan --version

Notes

  • Schedule daily scans via cron:
    0 3 * * * /usr/local/bin/cpmalscan -a /home/ >> /var/log/cpmalscan.log 2>&1
  • Combine with maldet and ClamAV for layered malware protection.
  • Review scan results carefully before deleting flagged files — false positives occur.

Fix WordPress Media Upload Issues After cPanel Upgrade

After a cPanel upgrade, WordPress sites may fail to upload images, returning an HTTP error. This is typically caused by changed file/directory permissions, PHP handler changes, or broken tmp directory access.

Prerequisites

  • cPanel user account access (or root)
  • SSH access preferred

Steps

  1. Check and fix permissions on the uploads directory:
    chmod 755 /home/USERNAME/public_html/wp-content/uploads/
    find /home/USERNAME/public_html/wp-content/uploads/ -type d -exec chmod 755 {} \;
    find /home/USERNAME/public_html/wp-content/uploads/ -type f -exec chmod 644 {} \;
  2. Verify correct ownership:
    chown -R USERNAME:USERNAME /home/USERNAME/public_html/wp-content/uploads/
  3. Check PHP upload settings in WHM: Software → MultiPHP INI Editor, ensure:
    upload_max_filesize = 64M
    post_max_size = 64M
    max_execution_time = 300
  4. Check that the PHP tmp directory is accessible:
    ls -la /tmp
    # Should be writable by PHP process user
  5. If using PHP-FPM, restart it:
    /scripts/restartsrv_apache_php_fpm
  6. Check the PHP error log for details:
    tail -50 /var/cpanel/php-fpm/USERNAME/logs/error.log

Verify

  • Log in to WordPress admin and attempt a media upload.
  • Check the browser console for HTTP response codes during the upload request.

Notes

  • The wp-content/uploads/ directory must exist and be writable by the web server user.
  • GD or ImageMagick must be installed for WordPress to process images. Check: cPanel → PHP Info.
  • Deactivate all plugins temporarily to rule out plugin conflicts.

Fix cPanel Transfer Tool Issues

When the WHM Transfer Tool fails using root password authentication, switching to SSH key-based authentication resolves the most common connectivity issues.

Prerequisites

  • Root access to both source and destination cPanel servers
  • WHM Transfer Tool initiated on the destination server

Steps: Switch to SSH Key Authentication

  1. On the destination server, generate or retrieve the WHM SSH public key:
    cat /root/.ssh/id_rsa.pub
    If no key exists, generate one:
    ssh-keygen -t rsa -b 4096 -f /root/.ssh/id_rsa -N ""
  2. Copy the public key to the source server's authorized_keys:
    ssh-copy-id -i /root/.ssh/id_rsa.pub root@SOURCE_SERVER_IP
    Or manually append to /root/.ssh/authorized_keys on the source.
  3. On the destination, open WHM: Transfers → Transfer Tool.
  4. Enter the source server IP and select SSH Key as the authentication method.
  5. Select the key and initiate the transfer.

Verify

# Test SSH key authentication to source server
ssh -i /root/.ssh/id_rsa root@SOURCE_SERVER_IP "hostname"

Notes

  • Ensure port 22 is open on the source server's firewall for the destination server's IP.
  • For large account transfers, pkgacct/restorepkg is more reliable than the Transfer Tool GUI.
  • Check the transfer log in WHM for specific error messages if the transfer fails.

Shell Script to Backup All cPanel Accounts with pkgacct

This script iterates over all cPanel accounts on a server and creates a restorable backup package for each using pkgacct. The resulting archives can be transferred to another server or stored offsite.

Prerequisites

  • Root SSH access
  • Sufficient disk space in /home or a dedicated backup directory

Script

#!/bin/bash
# Backup all cPanel accounts using pkgacct
BACKUP_DIR="/backup/cpanel-accounts"
LOG="/var/log/cpanel-pkgacct-backup.log"

mkdir -p "$BACKUP_DIR"
echo "Starting backup: $(date)" | tee -a "$LOG"

for user in $(ls /var/cpanel/users/); do
    echo "Backing up: $user" | tee -a "$LOG"
    /scripts/pkgacct "$user" "$BACKUP_DIR" 2>&1 | tee -a "$LOG"
done

echo "Backup complete: $(date)" | tee -a "$LOG"
echo "Packages in $BACKUP_DIR:"
ls -lh "$BACKUP_DIR"

Steps

  1. Save the script:
    nano /root/backup_all_accounts.sh
  2. Make it executable:
    chmod 755 /root/backup_all_accounts.sh
  3. Run it:
    /root/backup_all_accounts.sh

Verify

ls -lh /backup/cpanel-accounts/
cat /var/log/cpanel-pkgacct-backup.log | tail -20

Notes

  • Each pkgacct archive includes files, databases, emails, DNS zones, and account configuration.
  • To restore an account: /scripts/restorepkg /backup/cpanel-accounts/cpmove-USERNAME.tar.gz
  • Schedule weekly backups via cron: 0 1 * * 0 /root/backup_all_accounts.sh

Script to Backup All cPanel Accounts at Once

A one-liner or short script using the cPanel account list to run pkgacct on every account is the fastest way to create full backups of all hosted accounts.

Prerequisites

  • Root SSH access
  • Adequate disk space for all account archives

Method 1: One-liner

for backup in $(ls /var/cpanel/users/); do /scripts/pkgacct $backup; done

Method 2: With status output and custom destination

DEST="/backup"
mkdir -p "$DEST"
for user in $(cat /etc/trueuserdomains | awk -F: '{print $2}' | sort -u | tr -d ' '); do
    echo "Packaging $user ..."
    /scripts/pkgacct "$user" "$DEST"
done

Method 3: Parallel backups (faster on multi-core servers)

for user in $(ls /var/cpanel/users/); do
    /scripts/pkgacct "$user" /backup &
done
wait
echo "All backups complete."

Verify

ls -lh /home/cpmove-*.tar.gz 2>/dev/null
ls -lh /backup/cpmove-*.tar.gz 2>/dev/null

Notes

  • Archives are created in the current directory or specified destination as cpmove-USERNAME.tar.gz.
  • The parallel method can overload I/O on servers with many accounts; use with caution.
  • Move completed backups offsite using rsync or scp to a remote backup server.

Find DKIM Private Key Location in cPanel/WHM

DKIM keys on cPanel servers are stored in predictable filesystem locations. This guide shows where to find them and how to enable DKIM for an account if keys have not yet been generated.

Prerequisites

  • Root SSH access
  • DKIM enabled in WHM: Email → Email Deliverability

Key File Locations

# Public key
/var/cpanel/domain_keys/public/DOMAINNAME

# Private key
/var/cpanel/domain_keys/private/DOMAINNAME

Steps: View a DKIM Key

cat /var/cpanel/domain_keys/public/yourdomain.com
cat /var/cpanel/domain_keys/private/yourdomain.com

Steps: Generate DKIM Keys if Missing

/usr/local/cpanel/bin/dkim_keys_install USERNAME

Steps: Enable DKIM for All Accounts

for user in $(ls /var/cpanel/users/); do
    /usr/local/cpanel/bin/dkim_keys_install "$user"
done

Verify

# Check the DNS TXT record
dig TXT default._domainkey.yourdomain.com

# Verify key file exists
ls -la /var/cpanel/domain_keys/private/yourdomain.com

Notes

  • DKIM keys should be 2048-bit minimum. Check key length: wc -c /var/cpanel/domain_keys/private/yourdomain.com
  • After generating keys, ensure the DNS TXT record is published and propagated before sending email.
  • WHM's Email Deliverability interface automates key generation and DNS record creation.

Enable FTP Passive Mode in cPanel

FTP passive mode allows FTP clients behind firewalls to initiate both control and data connections, solving common FTP timeout issues. cPanel supports both Pure-FTPd and ProFTPd.

Prerequisites

  • Root SSH access
  • Pure-FTPd or ProFTPd running on the cPanel server
  • FTP passive port range opened in the server firewall (default: 49152–65534)

Steps: Configure Pure-FTPd

  1. Create or edit the Pure-FTPd custom configuration:
    nano /etc/pure-ftpd/conf/PassivePortRange
    Add:
    49152 65534
  2. Restart Pure-FTPd:
    systemctl restart pure-ftpd

Steps: Configure ProFTPd

  1. Edit the ProFTPd configuration:
    nano /etc/proftpd.conf
    Add inside the server block:
    PassivePorts 49152 65534
  2. Restart ProFTPd:
    systemctl restart proftpd

Steps: Open Passive Ports in CSF Firewall

nano /etc/csf/csf.conf
# Find TCP_IN and add: 49152:65534
csf -r

Verify

# Connect with an FTP client in passive mode and attempt a directory listing
ftp -p YOUR_SERVER_IP

Notes

  • Default passive port range for cPanel FTP: 49152–65534.
  • AWS security groups must also allow the passive port range (TCP 49152–65534).
  • WHM provides FTP configuration under Service Configuration → FTP Server Configuration.

Use SSI Virtual Includes in cPanel HTML Files

Server Side Includes (SSI) allow HTML files to include content from other files using the <!--#include virtual="..." --> directive. On cPanel, SSI must be explicitly enabled via .htaccess.

Prerequisites

  • cPanel account access
  • Apache mod_include enabled (standard in EasyApache 4)

Steps

  1. Add the following to the site's .htaccess file in public_html:
    AddHandler server-parsed .shtml .shtm .html .htm
    Options +Includes
  2. In your HTML file, use the include directive:
    <!--#include virtual="/includes/header.html" -->
  3. Ensure the included file exists at the correct path relative to the document root.

Verify

curl http://yourdomain.com/page.html | grep "expected-content-from-include"

Notes

  • SSI adds server overhead for each request; for high-traffic sites, consider using PHP includes or a static site generator instead.
  • The Options +Includes directive must not be disabled by a higher-level Apache configuration.
  • SSI errors appear in the Apache error log: /usr/local/apache/logs/error_log.

Fix Composer Using the Wrong PHP Version in cPanel

On cPanel servers with multiple PHP versions installed via EasyApache 4, Composer may invoke an older PHP version from the system PATH instead of the one configured for the account. The fix is to call Composer using the correct PHP binary explicitly.

Prerequisites

  • SSH access (as the cPanel user or root)
  • EasyApache 4 with multiple PHP versions installed
  • Composer installed

Steps

  1. Identify the PHP version configured for the domain in WHM: Software → MultiPHP Manager.
  2. Find the correct PHP binary path:
    ls /opt/cpanel/ea-php*/root/usr/bin/php
  3. Run Composer with the explicit binary:
    /opt/cpanel/ea-php83/root/usr/bin/php /usr/local/bin/composer install
  4. To make this permanent for the session, update the PATH:
    export PATH="/opt/cpanel/ea-php83/root/usr/bin:$PATH"
    php -v   # confirm correct version
  5. Add the export to ~/.bashrc for persistence:
    echo 'export PATH="/opt/cpanel/ea-php83/root/usr/bin:$PATH"' >> ~/.bashrc
    source ~/.bashrc

Verify

php -v
/opt/cpanel/ea-php83/root/usr/bin/php -v
composer --version

Notes

  • The system php binary (/usr/bin/php) on cPanel typically points to an older default version.
  • For cPanel-managed scripts (e.g., cron jobs), always use the full path to the PHP binary.
  • Composer can be configured to use a specific PHP version per project via the COMPOSER_ALLOW_SUPERUSER=1 env var and the --php flag.

Fix SetEnv Not Working with Apache 2.4 in cPanel

After upgrading Apache from 2.2 to 2.4 via EasyApache 4, the SetEnv directive may cause an Invalid command error because mod_env must be explicitly loaded. This guide explains the fix.

Prerequisites

  • Root SSH access and WHM access
  • EasyApache 4 with Apache 2.4

Steps

  1. Verify mod_env is installed and enabled:
    httpd -M | grep env_module
    If not listed, install it via EasyApache 4.
  2. In WHM: Software → EasyApache 4 → Customize, search for mod_env and enable it. Save and provision.
  3. Rebuild the Apache configuration:
    /scripts/rebuildhttpdconf
  4. If SetEnv is in a .htaccess file, ensure AllowOverride All (or at minimum AllowOverride FileInfo) is set for the directory in Apache config.
  5. Alternative: use SetEnvIf (from mod_setenvif) which is loaded by default:
    SetEnvIf Request_URI ".*" MY_VAR=value
  6. Restart Apache:
    systemctl restart httpd

Verify

httpd -t   # check for config syntax errors
httpd -M | grep env_module

Notes

  • Apache 2.4 changed default module loading behavior; many modules that were auto-loaded in 2.2 must now be explicitly included.
  • Environment variables set with SetEnv are accessible in PHP via $_SERVER['VAR_NAME'] or getenv('VAR_NAME').

Install FFmpeg on WHM/cPanel CentOS 7

FFmpeg enables server-side audio and video processing. On cPanel/CentOS 7 servers, it is installed via the Nux Dextop or RPMFusion repository since it is not available in standard repos.

Prerequisites

  • Root SSH access
  • CentOS 7 (or AlmaLinux 8) cPanel server
  • EPEL repository installed

Steps: Install via WHM Terminal (CentOS 7)

  1. Log in to WHM as root and open Server Configuration → Terminal, or SSH as root.
  2. Install the EPEL and Nux Dextop repositories:
    yum install -y epel-release
    rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
  3. Install FFmpeg:
    yum install -y ffmpeg ffmpeg-devel

Steps: Install via RPMFusion (AlmaLinux 8/9)

dnf install -y epel-release
dnf install -y --nogpgcheck https://mirrors.rpmfusion.org/free/el/rpmfusion-free-release-8.noarch.rpm
dnf install -y ffmpeg ffmpeg-devel

Steps: Install PHP FFmpeg Extension (optional)

# Install via PECL for the relevant PHP version
/opt/cpanel/ea-php83/root/usr/bin/pecl install ffmpeg

Verify

ffmpeg -version
which ffmpeg

Notes

  • FFmpeg can be CPU-intensive; monitor server load after enabling video processing.
  • Store the FFmpeg path (typically /usr/bin/ffmpeg) in your application configuration.
  • On managed cPanel servers, yum/dnf repos may need to be whitelisted in WHM: Software → Update Preferences.

Export and Import All MySQL Databases at Once

Exporting all MySQL databases with a single mysqldump command and importing them on another server is the fastest way to migrate all databases during a server move.

Prerequisites

  • Root SSH access to both source and destination servers
  • MySQL root password
  • Sufficient disk space for the SQL dump

Steps: Export All Databases

mysqldump -u root -p   --all-databases   --single-transaction   --routines   --triggers   --events   > /root/all-databases-$(date +%Y%m%d).sql

Steps: Transfer to Destination Server

scp /root/all-databases-*.sql root@DEST_SERVER_IP:/root/

Steps: Import on Destination Server

mysql -u root -p < /root/all-databases-YYYYMMDD.sql

Steps: Export Individual Databases (optional)

# List all databases
mysql -u root -p -e "SHOW DATABASES;"

# Export one database
mysqldump -u root -p DATABASE_NAME > /root/DATABASE_NAME.sql

# Import one database
mysql -u root -p DATABASE_NAME < /root/DATABASE_NAME.sql

Verify

mysql -u root -p -e "SHOW DATABASES;"
mysql -u root -p DATABASE_NAME -e "SHOW TABLES;"

Notes

  • --single-transaction ensures a consistent snapshot without locking tables (requires InnoDB).
  • For very large databases, use mydumper for parallel export or pipe through compression: mysqldump ... | gzip > all-databases.sql.gz
  • On cPanel, also migrate /var/lib/mysql/ grants by exporting the mysql system database or re-creating users via WHM.

Configure Hostname SSL in cPanel/WHM

The cPanel hostname requires a valid SSL certificate for secure WHM, cPanel, and webmail access. This guide covers automatic and manual hostname SSL configuration.

Prerequisites

  • Root SSH access
  • The server hostname resolves to the server's main IP address
  • A valid SSL certificate (Let's Encrypt via AutoSSL or a commercial cert)

Steps: Force AutoSSL to Issue a Hostname Certificate

  1. Verify the hostname resolves:
    dig $(hostname) A
  2. Run the hostname SSL update script:
    /usr/local/cpanel/bin/checkallsslcerts --allow-retry
  3. Alternatively, trigger via WHM: SSL/TLS → Manage AutoSSL → Run AutoSSL for All Users.

Steps: Install a Hostname SSL Certificate Manually

  1. In WHM: Service Configuration → Manage Service SSL Certificates.
  2. Under Hostname, click Install.
  3. Paste your certificate, private key, and CA bundle.
  4. Click Install.

Steps: Force Certificate Recheck via Command Line

/usr/local/cpanel/bin/rebuild_ssl_db
/usr/local/cpanel/bin/checkallsslcerts

Verify

echo | openssl s_client -connect $(hostname):2087 2>/dev/null | openssl x509 -noout -dates -subject

Notes

  • After a hostname change, always rerun the SSL check script — the nightly cPanel update does this automatically.
  • Self-signed certificates will cause browser warnings; use Let's Encrypt via AutoSSL.
  • WHM ports 2087 and cPanel port 2083 both use the hostname SSL certificate.

Remove CloudLinux from a cPanel Server

If you no longer need CloudLinux on a cPanel server, it can be removed and the system reverted to a standard CentOS/AlmaLinux kernel. This guide walks through the removal process.

Prerequisites

  • Root SSH access
  • Console/KVM access recommended (kernel change requires a reboot)
  • A backup of critical data before proceeding

Steps

  1. Download and run the CloudLinux removal script:
    wget -O /tmp/cldeploy https://repo.cloudlinux.com/cloudlinux/sources/cln/cldeploy
    bash /tmp/cldeploy --uninstall
  2. The script will revert the kernel to CentOS/AlmaLinux. Confirm when prompted.
  3. Reboot the server:
    reboot
  4. After reboot, verify the kernel:
    uname -r
    The output should no longer contain lve or cloudlinux.
  5. Remove any remaining CloudLinux packages:
    yum remove cloudlinux-release -y
  6. Disable CageFS if it was enabled:
    cagefsctl --disable-all 2>/dev/null || true

Verify

uname -r
rpm -qa | grep -i cloudlinux

Notes

  • Removing CloudLinux also removes CageFS, LVE, and resource limits — shared hosting security is reduced.
  • Ensure your cPanel license is updated if it included a CloudLinux component.
  • Cancel the CloudLinux license through your provider to avoid billing.

Fix httpd.conf Being Overwritten by cPanel

cPanel regenerates httpd.conf automatically when accounts are modified or updates run. Any manual edits to httpd.conf are overwritten. The correct approach is to use cPanel's include system for persistent custom directives.

Prerequisites

  • Root SSH access
  • Understanding of cPanel's Apache include directory structure

Steps: Add Persistent Custom Apache Config

  1. Use WHM's Include Editor for global settings: Service Configuration → Apache Configuration → Include Editor.
  2. For per-domain settings, create a custom include file:
    mkdir -p /etc/apache2/conf.d/userdata/std/2_4/USERNAME/DOMAIN.TLD/
    nano /etc/apache2/conf.d/userdata/std/2_4/USERNAME/DOMAIN.TLD/custom.conf
  3. Add your directives to the include file. For SSL (port 443):
    mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/USERNAME/DOMAIN.TLD/
    nano /etc/apache2/conf.d/userdata/ssl/2_4/USERNAME/DOMAIN.TLD/custom.conf
  4. Rebuild the Apache config and restart:
    /scripts/rebuildhttpdconf
    systemctl restart httpd

Steps: Monitor httpd.conf for Unauthorized Changes

inotifywait -m /usr/local/apache/conf/httpd.conf -e modify,create,delete &

Verify

grep -r "your-custom-directive" /etc/apache2/conf.d/userdata/
httpd -t

Notes

  • Custom include files in /etc/apache2/conf.d/userdata/ survive rebuildhttpdconf and cPanel updates.
  • If you find ProxyPass entries being injected into httpd.conf, check for compromised accounts or malware — run a malware scan immediately.
  • The include file hierarchy: pre_main_global → per-VirtualHost includes → post_virtualhost_global.

Fix 404 Error for All Sites in WHM

When all sites on a WHM server return 404 errors simultaneously, the cause is typically a corrupt or missing httpd.conf, incorrect permissions on home directories, or Apache failing to start. This guide provides a systematic fix.

Prerequisites

  • Root SSH access

Steps

  1. Check Apache status:
    systemctl status httpd
  2. Test the Apache config for errors:
    httpd -t
  3. Rebuild the Apache configuration:
    /scripts/rebuildhttpdconf
  4. Fix permissions on all account home directories using this script:
    #!/bin/bash
    for user in $(ls /var/cpanel/users/); do
        homedir=$(grep "^$user:" /etc/passwd | cut -d: -f6)
        if [ -d "$homedir/public_html" ]; then
            chmod 750 "$homedir/public_html"
            chown "$user":nobody "$homedir/public_html"
            echo "Fixed: $user"
        fi
    done
  5. Restart Apache:
    systemctl restart httpd
  6. Check the Apache error log for clues:
    tail -100 /usr/local/apache/logs/error_log

Verify

curl -I http://DOMAIN.COM
curl -I http://YOUR_SERVER_IP

Notes

  • A 404 for all sites after a cPanel update usually means rebuildhttpdconf failed — check the update log at /var/cpanel/updatelogs/.
  • Ensure the default document root exists: ls -la /usr/local/apache/htdocs/

Change cPanel Document Root for Main Domain

The document root for a cPanel account's main domain is stored in the userdata configuration files. Changing it requires editing these files and rebuilding the Apache config.

Prerequisites

  • Root SSH access
  • The cPanel username and domain name

Steps

  1. Edit the userdata file for the domain:
    nano /var/cpanel/userdata/USERNAME/DOMAIN.COM
  2. Find the documentroot line:
    documentroot: /home/USERNAME/public_html
    Change it to your desired path:
    documentroot: /home/USERNAME/newpath
  3. Repeat for the SSL configuration file:
    nano /var/cpanel/userdata/USERNAME/DOMAIN.COM_SSL
  4. Remove the cached userdata files:
    rm -f /var/cpanel/userdata/USERNAME/DOMAIN.COM.cache
    rm -f /var/cpanel/userdata/USERNAME/DOMAIN.COM_SSL.cache
  5. Rebuild the Apache configuration and restart:
    /scripts/rebuildhttpdconf
    systemctl restart httpd
  6. Ensure the new document root directory exists and has correct permissions:
    mkdir -p /home/USERNAME/newpath
    chown USERNAME:USERNAME /home/USERNAME/newpath
    chmod 755 /home/USERNAME/newpath

Verify

grep -i "documentroot" /usr/local/apache/conf/httpd.conf | grep DOMAIN

Notes

  • Always remove the .cache files after editing userdata or changes will not take effect.
  • This change persists through cPanel updates because it is stored in the userdata config.
  • Addon domain document roots are configured similarly in their own userdata files.

Change Primary Domain Document Root in cPanel/WHM

By default, all cPanel accounts use public_html as the document root for the primary domain. This guide explains how to change it to a subdirectory or a custom path using WHM or the command line.

Prerequisites

  • Root SSH access
  • The cPanel username and primary domain

Steps: Via WHM

  1. In WHM: Account Functions → Modify an Account.
  2. Select the account and look for the Document Root field.
  3. Note: WHM's standard modify page may not expose this setting — use the command line method below for reliability.

Steps: Via Command Line

  1. Edit the main userdata file:
    nano /var/cpanel/userdata/USERNAME/DOMAIN.COM
    Change:
    documentroot: /home/USERNAME/public_html
    To:
    documentroot: /home/USERNAME/public_html/subdir
  2. Edit the SSL userdata file:
    nano /var/cpanel/userdata/USERNAME/DOMAIN.COM_SSL
    Make the same change.
  3. Delete the cache files:
    rm -f /var/cpanel/userdata/USERNAME/DOMAIN.COM.cache
    rm -f /var/cpanel/userdata/USERNAME/DOMAIN.COM_SSL.cache
  4. Rebuild and restart:
    /scripts/rebuildhttpdconf
    systemctl restart httpd

Verify

grep "DocumentRoot" /usr/local/apache/conf/httpd.conf | grep "USERNAME"

Notes

  • The new document root must be within the account's home directory to comply with cPanel's security model.
  • After changing the document root, copy or move your web files to the new location.
  • WordPress and other CMS tools may need their configuration updated to reflect the new path.

cPanel Apache Error Log Locations and Commands

Quickly finding the right error log is critical for debugging cPanel server and application issues. This guide maps out all key error log locations and the most useful log-reading commands.

Prerequisites

  • Root SSH access (or cPanel user for per-account logs)

Error Log Locations

Log TypePath
Apache global error log/usr/local/apache/logs/error_log
Apache per-domain error log/home/USERNAME/logs/DOMAIN.COM-ssl_log
PHP-FPM error log (per user)/var/cpanel/php-fpm/USERNAME/logs/error.log
PHP-FPM slow log (per user)/var/cpanel/php-fpm/USERNAME/logs/slow.log
Internal cPanel PHP errors/home/USERNAME/logs/.php.error.log
MySQL error log/var/lib/mysql/<hostname>.err
Exim mail log/var/log/exim_mainlog
cPanel service error log/usr/local/cpanel/logs/error_log

Useful Commands

# Follow Apache errors in real time
tail -f /usr/local/apache/logs/error_log

# Search for errors for a specific domain
grep "yourdomain.com" /usr/local/apache/logs/error_log | tail -50

# View PHP-FPM errors for a user
tail -100 /var/cpanel/php-fpm/USERNAME/logs/error.log

# Follow all cPanel user PHP errors
tail -f /home/*/logs/.php.error.log

# Count 500 errors in the last hour
grep "$(date +'%d/%b/%Y:%H')" /usr/local/apache/logs/error_log | grep -c " 500 "

Notes

  • Per-domain logs in /home/USERNAME/logs/ are rotated by cPanel automatically.
  • Enable detailed PHP error logging by setting log_errors = On and error_log path in the PHP INI.
  • WHM's System Health → Apache Status page shows live connection stats.

Fix MXToolbox SMTP Test Failures (False Positives) on cPanel

MXToolbox's SMTP tests sometimes report failures on cPanel servers that are not actual problems. This guide explains common false positives and how to address legitimate issues they might indicate.

Prerequisites

  • Root SSH access
  • Exim configured and running

Common MXToolbox Test Results and Fixes

  1. SMTP Banner Check failure
    MXToolbox expects the SMTP banner to contain the domain name. Verify Exim's banner:
    grep "smtp_banner" /etc/exim.conf
    Set it in WHM: Service Configuration → Exim Configuration Manager → Basic Editor → SMTP Banner.
  2. SMTP TLS failure
    Ensure TLS is enabled in Exim: WHM → Exim Configuration Manager → Security → SSL/TLS set to On. Test TLS manually:
    openssl s_client -starttls smtp -connect YOUR_SERVER_IP:25
  3. SMTP Reverse DNS mismatch
    The server's PTR record must match the SMTP banner hostname. Contact your hosting provider to set the PTR/RDNS record for the server IP to match $(hostname).
  4. Open relay test failure (false positive)
    cPanel's Exim is not an open relay. MXToolbox may flag this incorrectly. Verify with:
    exim -bh TEST_IP
    Relay attempts should be rejected.

Verify

telnet YOUR_SERVER_IP 25
# You should see: 220 hostname ESMTP Exim ...
EHLO test
# You should see STARTTLS listed

Notes

  • MXToolbox results can be cached — retest after making changes and allow 5–10 minutes.
  • Always cross-reference with mail-tester.com for a comprehensive deliverability report.
  • Check that SPF, DKIM, and DMARC records are published in DNS for maximum deliverability.

Find Which PHP Version Each Domain Uses in cPanel

On cPanel servers with MultiPHP, different domains can run different PHP versions. This guide shows how to list PHP versions per domain and identify end-of-life PHP versions that need updating.

Prerequisites

  • Root SSH access
  • EasyApache 4 with MultiPHP installed

Steps: List PHP Version Per Domain

whmapi1 php_get_vhost_versions | python3 -c "
import sys, json
data = json.load(sys.stdin)
for item in data.get('data', {}).get('versions', []):
    print(f"{item['vhost']}: {item['version']}")
"

Steps: List Installed EOL PHP Versions

echo "EOL PHP versions installed on this server:"
for eol in ea-php54 ea-php55 ea-php56 ea-php70 ea-php71 ea-php72 ea-php73 ea-php74; do
    ls -ld /usr/bin/$eol 2>/dev/null | awk '{print $9}' | awk -F'/' '{print $4}'
done

Steps: List All Domains Using a Specific PHP Version

whmapi1 php_get_vhost_versions | python3 -c "
import sys, json
data = json.load(sys.stdin)
target = 'ea-php74'
for item in data.get('data', {}).get('versions', []):
    if item['version'] == target:
        print(item['vhost'])
"

Steps: Change PHP Version for a Domain

whmapi1 php_set_vhost_versions   versions='[{"vhost":"DOMAIN.COM","version":"ea-php83"}]'

Verify

whmapi1 php_get_installed_versions
whmapi1 php_get_system_default_version

Notes

  • PHP versions 5.4 through 7.4 are end-of-life and should be removed or migrated urgently.
  • Test applications on a staging environment before upgrading production PHP versions.
  • WHM's MultiPHP Manager GUI provides a visual overview: Software → MultiPHP Manager.

Install ImageMagick in WHM/cPanel

ImageMagick enables PHP applications to manipulate images. On cPanel servers, it is installed via EasyApache 4 as a PHP extension, making it available to all accounts using the configured PHP version.

Prerequisites

  • Root SSH access and WHM access
  • EasyApache 4 installed

Steps: Install via EasyApache 4 (WHM GUI)

  1. In WHM: Software → EasyApache 4.
  2. Click Customize next to the current profile.
  3. Go to PHP Extensions and search for Imagick.
  4. Enable the ea-phpXX-php-imagick package for the relevant PHP version(s).
  5. Click Review then Provision.

Steps: Install via Command Line

# Install ImageMagick system library
yum install -y ImageMagick ImageMagick-devel

# Install the PHP imagick extension for a specific PHP version
yum install -y ea-php83-php-imagick

Steps: Verify PHP Extension is Loaded

/opt/cpanel/ea-php83/root/usr/bin/php -m | grep imagick

Verify

convert --version
/opt/cpanel/ea-php83/root/usr/bin/php -r "echo phpinfo();" | grep imagick

Notes

  • Install the extension for each PHP version used by your accounts — ea-php81-php-imagick, ea-php83-php-imagick, etc.
  • After installation, restart PHP-FPM: /scripts/restartsrv_apache_php_fpm
  • Confirm availability in a PHP info page: <?php phpinfo(); ?> — look for the Imagick section.

Add Passive FTP Port Range to CSF Firewall on cPanel

Passive FTP is required when FTP clients are behind firewalls. By default, Pure-FTPd uses ports 49152–65534 for passive connections. If CSF or another firewall is active, these ports must be opened and the range configured consistently.

Prerequisites

  • Root SSH access to the cPanel/WHM server
  • CSF (ConfigServer Firewall) installed
  • Pure-FTPd running as the FTP service

Steps

# Step 1: Set the passive port range in Pure-FTPd
vi /etc/pure-ftpd.conf

# Uncomment and set:
PassivePortRange 30000 35000
# Step 2: Open the same range in CSF
vi /etc/csf/csf.conf

# Add to TCP_IN:
# 30000:35000

# Restart CSF and LFD
csf -r
# Step 3: Restart Pure-FTPd
service pure-ftpd restart

Verify

netstat -tlnp | grep pure
csf -l | grep 30000

Test passive FTP from a client behind a firewall — directory listings should succeed.

Notes

  • Keep the passive range small (e.g. 5,000 ports) to minimize firewall exposure.
  • The passive port range in pure-ftpd.conf and CSF must match exactly.
  • For ProFTPd, set the range using PassivePorts 30000 35000 in /etc/proftpd.conf.

Manage PHP Versions on cPanel via Command Line (MultiPHP)

cPanel's MultiPHP Manager can be controlled via the WHM API from the command line. This is useful for scripting PHP version changes across many domains.

Prerequisites

  • Root SSH access to the WHM server
  • EasyApache 4 with MultiPHP enabled

Common API Calls

# List all installed PHP versions
whmapi1 php_get_installed_versions

# Set the server-wide default PHP version
whmapi1 php_set_system_default_version version=ea-php80

# Set the PHP version for a specific domain
whmapi1 php_set_vhost_versions vhost-0=example.com version=ea-php81

# Get the PHP version for all domains
whmapi1 php_get_vhost_versions

Verify

# Confirm the domain's PHP version
whmapi1 php_get_vhost_versions | grep example.com -A2

Notes

  • PHP version strings follow the format ea-phpXY (e.g. ea-php81).
  • Use whmapi1 php_get_installed_versions to see the exact strings available on your server.
  • Changes take effect immediately — no Apache restart is needed for PHP-FPM domains.

cPanel Performance and Security Hardening Guide

Key steps to improve cPanel server performance and harden security by disabling unneeded services, tuning PHP, and applying security best practices.

Step 1 — Disable Unused cPanel Services

In WHM, go to Service Manager and disable any services not in use:

  • Munin (stats monitoring) — if using an external monitor
  • Mailman (mailing lists) — if not needed
  • SpamAssassin — if using a third-party spam filter
  • FTP server (Pure-FTPd or ProFTPd) — if clients use SFTP only
# Verify what is running
whmapi1 servicestatus | grep -E 'name|enabled'

Step 2 — Tune Apache MPM

In WHM: Apache Configuration → Global Configuration. Recommended settings for a server with 2–4 GB RAM:

StartServers         2
MinSpareServers      2
MaxSpareServers      5
MaxRequestWorkers    150
MaxConnectionsPerChild 1000

Step 3 — Switch to PHP-FPM

PHP-FPM uses significantly less memory than mod_php. Enable it in WHM: MultiPHP Manager → PHP-FPM per domain, or globally via MultiPHP INI Editor.

# Verify PHP handler per domain
whmapi1 php_get_vhost_versions | grep -A2 vhost

Step 4 — Enable OPcache

In WHM: MultiPHP INI Editor → Editor Mode — enable OPcache for each PHP version:

opcache.enable=1
opcache.memory_consumption=128
opcache.max_accelerated_files=10000
opcache.revalidate_freq=2

Step 5 — Harden SSH

# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
Port 2222          # Change from default 22
MaxAuthTries 3

sudo systemctl restart sshd

Step 6 — Configure CSF Firewall

# Install CSF
cd /usr/src
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz && cd csf && sh install.sh

# Edit /etc/csf/csf.conf — key settings:
TESTING = "0"           # Disable testing mode
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222,2083,2087"
DENY_IP_LIMIT = "200"

csf -r                  # Restart CSF

Step 7 — Enable ModSecurity

In WHM: Security Center → ModSecurity → Enable. Then install OWASP ruleset via ModSecurity Vendors.

Step 8 — Enable MySQL Query Cache (MariaDB)

# /etc/my.cnf
[mysqld]
query_cache_type = 1
query_cache_size = 64M
query_cache_limit = 2M
innodb_buffer_pool_size = 512M

sudo systemctl restart mysql

Step 9 — Set Up Automatic Updates

In WHM: Update Preferences — set cPanel and system updates to automatic.

# Manual update
/usr/local/cpanel/scripts/upcp --force

Verify

# Check server load
uptime
top -bn1 | head -20

# Check memory
free -m

# Check Apache status
apachectl status | head -30

https://support.cpanel.net/hc/en-us/articles/360052251053-How-to-Install-a-Specific-Version-of-cPanel-WHM

https://support.cpanel.net/hc/en-us/articles/360052251053-How-to-Install-a-Specific-Version-of-cPanel-WHM

Install a Specific cPanel Version (Including EDGE Build)

By default, cPanel installs the latest stable release. You can install a specific version or the EDGE experimental build using a version flag in the install command.

Prerequisites

  • A fresh server running a supported OS (AlmaLinux 8/9, Rocky Linux 8/9, or CloudLinux)
  • Root access
  • Note: cPanel does not officially support Ubuntu 22.04

Install a Specific Version

# Download the cPanel installer
cd /home && curl -o latest-cpanel-installer https://securedownloads.cpanel.net/latest

# Install a specific version (replace 11.116.0.x with the target version)
sh latest-cpanel-installer --force --tier=release

# For the EDGE (experimental) tier:
sh latest-cpanel-installer --force --tier=edge

Available Tiers

  • release — Stable, recommended for production
  • current — Latest stable updates
  • edge — Experimental builds, not for production
  • lts — Long-term support release

Verify

/usr/local/cpanel/cpanel -V

Notes

  • Installing older versions is not recommended as they may contain unpatched security vulnerabilities.
  • cPanel requires a license — obtain one from store.cpanel.net before installing.
  • The installer takes 15–30 minutes on a fresh server.

wild card ssl

wild card ssl

This will work only if the DNS is managed locally.

If DNS is managed elsewhere, make sure the * sudbomain is added to the DNS.

Add the * sudbomain to the zone editor and point it to the server IP.

Then run the autossl.

Then navigate to SSL/TLS section in cPanel and use this newly generated SSL.

Tune PHP-FPM max_children Limit on cPanel

The max_children directive in PHP-FPM controls the maximum number of PHP worker processes per domain. Setting it too low causes request queuing; too high risks memory exhaustion.

How max_children Works in cPanel

In cPanel's PHP-FPM implementation, max_children is applied per domain. A value of 5 means only 5 concurrent PHP processes can run for that domain at once. Additional requests queue until a worker is free.

Calculate the Right Value

# Check average PHP process memory usage
ps --no-headers -o rss -C php-fpm | awk '{sum+=$1} END {print sum/NR/1024 " MB avg"}'
# Formula:
# max_children = Available RAM for PHP / Average PHP process size
# Example: 2048 MB / 50 MB per process = ~40 max_children

Set max_children in WHM

Go to WHM > Software > MultiPHP Manager > PHP-FPM Settings and adjust the Max Children value per domain or globally.

Or Edit the Pool Config Directly

# Find the domain's pool config
find /etc/php-fpm.d/ -name '*.conf' | xargs grep -l 'example.com'

# Edit:
pm.max_children = 20
systemctl reload php-fpm

Verify

php-fpm -t
systemctl status php-fpm

Notes

  • If you prefer not to tune max_children, consider switching to the LSAPI handler (WHM > MultiPHP Manager > PHP Handler), which is more memory-efficient.
  • Monitor PHP-FPM status with php-fpm status or the cPanel stats to identify bottlenecks.

installing specific version of cPanel

installing specific version of cPanel

cPanel & WHM does not support ubuntu 20.04 on version 126. For more information, read about our supported versions at https://go.cpanel.net/system-requirements

cpanel install error in ubuntu 20.04.

(FATAL): The background process “SQL Databases and dependent apps” failed with a fatal error: The subprocess reported error number 127 when it ended.

Solution is to add the keys

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys b7b3b788a8d3785c

cpanel versions can be checked from: http://httpupdate.cpanel.net/ or http://httpupdate.cpanel.net/cpanelsync/TIERS

nano /etc/cpupdate.conf

CPANEL=118.0.15

RPMUP=daily

SARULESUP=daily

STAGING_DIR=/usr/local/cpanel

UPDATES=manual

cd /home && curl -o latest -L https://securedownloads.cpanel.net/latest && sh latest

Clear a Large /var/log/journal Folder

The systemd journal (/var/log/journal) can grow very large on busy servers. You can safely reduce it using journalctl commands or by configuring a size limit.

Check Current Journal Size

journalctl --disk-usage
du -sh /var/log/journal/

Trim the Journal

# Keep only the last 2 days of logs
journalctl --vacuum-time=2d

# Keep only 500 MB of logs
journalctl --vacuum-size=500M

# Keep only the last 1000 entries
journalctl --vacuum-files=1000

Set a Permanent Size Limit

nano /etc/systemd/journald.conf

# Add or update:
SystemMaxUse=500M
SystemKeepFree=100M
MaxRetentionSec=1month

systemctl restart systemd-journald

Verify

journalctl --disk-usage

Notes

  • Do not delete files directly from /var/log/journal/ — always use journalctl --vacuum-* to let the journal manage its own cleanup.
  • The journal directory itself (/var/log/journal/) must not be deleted.
  • For ephemeral logging (no persistence across reboots), set Storage=volatile in journald.conf.

supervisor laravel queues

supervisor laravel queues

apt install supervisor -y
systemctl enable supervisor
systemctl start supervisor
systemctl status supervisor

nano /etc/supervisor/conf.d/jobifyworker.conf

[program:laravel-queue]

process_name=%(program_name)s_%(process_num)02d

command=/opt/cpanel/ea-php83/root/usr/bin/php /home/jobify/public_html/artisan queue:work database --sleep=3 --tries=3

autostart=true

autorestart=true

numprocs=8 ; Number of workers

redirect_stderr=true

stdout_logfile=/home/jobify/public_html/storage/logs/queue.log

supervisorctl reread

supervisorctl update

supervisorctl start laravel-queue:*

supervisorctl restart laravel-queue:*

check logs:

--------------

tail -f /home/jobify/public_html/storage/logs/queue.log

journalctl -u supervisor

/opt/cpanel/ea-php82/root/usr/bin/php artisan config:clear

/opt/cpanel/ea-php82/root/usr/bin/php artisan view:clear

/opt/cpanel/ea-php82/root/usr/bin/php artisan route:clear

/opt/cpanel/ea-php82/root/usr/bin/php artisan cache:clear

/opt/cpanel/ea-php82/root/usr/bin/php artisan optimize:clear

/opt/cpanel/ea-php82/root/usr/bin/php artisan queue:restart

increase /tmp partition

increase /tmp partition

nano /scripts/securetmp

Find and modify the 'tmpdsksize' value to the desired size. For example, this sets the value to 10GB:

my $tmpdsksize = 10485760

Use "#" characters to disable this section of the script:

my $five_percent_of_available = ( $available * 0.05 );

if ( $five_percent_of_available > $tmpdsksize ) {

$tmpdsksize = $five_percent_of_available;

}

my $FOUR_GIG_k = ( 1024 * 1024 * 4 );

if ( $tmpdsksize > $FOUR_GIG_k ) {

$tmpdsksize = $FOUR_GIG_k;

}

From https://support.cpanel.net/hc/en-us/articles/360063263733-How-to-increase-the-size-of-the-cPanel-generated-tmp-filesystem>

whmapi1 configureservice service=cpsrvd enabled=1 monitored=0

whmapi1 configureservice service=mysql enabled=1 monitored=0

whmapi1 configureservice service=httpd enabled=1 monitored=0

/scripts/restartsrv_cpsrvd --stop

/scripts/restartsrv_mysql --stop

/scripts/restartsrv_httpd --stop

umount -l /tmp

umount -l /var/tmp

mv /usr/tmpDSK /usr/tmpDSK_bak

/scripts/securetmp

/scripts/restartsrv_cpsrvd --start

/scripts/restartsrv_mysql --start

/scripts/restartsrv_httpd --start

whmapi1 configureservice service=cpsrvd enabled=1 monitored=1

whmapi1 configureservice service=mysql enabled=1 monitored=1

whmapi1 configureservice service=httpd enabled=1 monitored=1

proxy to another port

proxy to another port

Create the directories and files where the includes go:

mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/CPANELUSERNAME/DOMAIN.TLD/

mkdir -p /etc/apache2/conf.d/userdata/std/2_4/CPANELUSERNAME/DOMAIN.TLD/

touch /etc/apache2/conf.d/userdata/ssl/2_4/CPANELUSERNAME/DOMAIN.TLD/include.conf

touch /etc/apache2/conf.d/userdata/std/2_4/CPANELUSERNAME/DOMAIN.TLD/include.conf

Please note, that CPANELUSERNAME is the cPanel username and DOMAIN.TLD is the domain you're configuring.

Open both include.conf files in your preferred text editor, and add the following:

ProxyPass /.well-known !

ProxyPass / http://ip:port/

ProxyPassReverse / http://ip:port/

From https://support.cpanel.net/hc/en-us/articles/1500011220222-How-do-you-create-an-Apache-Reverse-Proxy-with-mod-proxy>

outgoing mail test

outgoing mail test

curl -iLk -m 10 http://portquiz.net:465

HTTP/1.1 200 OK

Date: Mon, 07 Apr 2025 10:12:36 GMT

Server: Apache/2.4.29 (Ubuntu)

Content-Length: 44

Connection: close

Content-Type: text/html; charset=UTF-8

Port test successful!

Your IP: 51.17.17.248

commands

commands

alias acctinfo='/usr/local/cpanel/3rdparty/bin/perl https://raw.githubusercontent.com/cPanelInc/tech-acctinfo/master/acctinfo)'

acctinfo ACCOUNT

acctinfo DOMAIN.TLD

echo;echo "Count of Times MaxChildren Was Hit Per Domain";for log in $(find /opt/cpanel/ea-php*/root/usr/var/log/php-fpm/ -type f -name error.log);do echo;echo $log; startdate=$( head -1 $log | awk -F"[][]" '{print $2}' );enddate=$( tail -1 $log | awk -F"[][]" '{print $2}' );if [ -z "$startdate" ];then echo "EMPTY";else printf "Log-Start: $startdate\nLog-End: $enddate" | column -t;fi;awk '/server reached max_children/{gsub("_",".",$5);split($5,d,"]");arr[d[1]]++}END{for (i in arr) print arr[i],i|"sort -nr"}' $log ;done

From https://support.cpanel.net/hc/en-us/articles/4404836032407-How-to-use-acctinfo-to-troubleshoot-issues>

504 gateway timeout

504 gateway timeout

The following article explains how to use acctinfo tool to troubleshoot issues:

How to use acctinfo to troubleshoot issues

Using acctinfo tool described in the above artcile I found the following info:

[06:13:24 server root@95711112 ~]cPs# acctinfo progresando.com

...

EA4 PHP Version [ progresando.com ]: ea-php81 cPanel EA4 PHP version has precedence

\_ Configuration File Path => /opt/cpanel/ea-php81/root/etc/php-fpm.d/progresando.com.conf

\_ Loaded Configuration File Path => /opt/cpanel/ea-php81/root/etc/php-fpm.d/progresando.com.conf

\_ Scan this dir for additional .ini files => /opt/cpanel/ea-php81/root/etc/php.d

PHP Handler: php-fpm

PHP-FPM pool detected

\_ pm_max_children: 5

\_ pm_max_requests: 20

\_ pm_process_idle_timeout: 10

...

The following artcile explains how to find PHP-FPM logs:

Where are the global PHP-FPM logs located?

Checking the php-fpm error log while replicating the issue, I found the following info:

[06:39:42 server root@95711112 ~]cPs# tail /opt/cpanel/ea-php81/root/usr/var/log/php-fpm/error.log

[25-May-2025 06:37:01] NOTICE: [pool progresando_com] child 477372 exited with code 0 after 262.450921 seconds from start

[25-May-2025 06:37:01] NOTICE: [pool progresando_com] child 477532 started

[25-May-2025 06:39:15] NOTICE: [pool progresando_com] child 477504 exited with code 0 after 195.822144 seconds from start

[25-May-2025 06:39:15] NOTICE: [pool progresando_com] child 477708 started

[25-May-2025 06:39:36] NOTICE: [pool progresando_com] child 477517 exited with code 0 after 178.788886 seconds from start

[25-May-2025 06:39:36] NOTICE: [pool progresando_com] child 477711 started

[25-May-2025 06:39:54] NOTICE: [pool progresando_com] child 477404 exited with code 0 after 321.851422 seconds from start

[25-May-2025 06:39:54] NOTICE: [pool progresando_com] child 477728 started

[25-May-2025 06:41:16] NOTICE: [pool progresando_com] child 477524 exited with code 0 after 266.022771 seconds from start

[25-May-2025 06:41:16] NOTICE: [pool progresando_com] child 477767 started

It seems that your PHP-FPM for the provided user constantly reaches the max_requests settings: pm_max_requests: 20

Checking the error log for max_children I see that the provided domain constantly reaches the limits, it reached the limit for 294 times in two days: 294 progresando.com

[06:29:10 server root@95711112 ~]cPs# echo;echo "Count of Times MaxChildren Was Hit Per Domain";for log in $(find /opt/cpanel/ea-php*/root/usr/var/log/php-fpm/ -type f -name error.log);do echo;echo $log; startdate=$( head -1 $log | awk -F"[][]" '{print $2}' );enddate=$( tail -1 $log | awk -F"[][]" '{print $2}' );if [ -z "$startdate" ];then echo "EMPTY";else printf "Log-Start: $startdate\nLog-End: $enddate" | column -t;fi;awk '/server reached max_children/{gsub("_",".",$5);split($5,d,"]");arr[d[1]]++}END{for (i in arr) print arr[i],i|"sort -nr"}' $log ;done

Count of Times MaxChildren Was Hit Per Domain

/opt/cpanel/ea-php81/root/usr/var/log/php-fpm/error.log

Log-Start: 23-May-2025 08:26:59

Log-End: 25-May-2025 06:31:15

294 progresando.com

11 segundayprimera.com

11 ocinator.com

1 yoover.com

You may need to fine-tune your PHP-FPM settings as explained in the following article:

PHP-FPM Limit Tuning Basics for Max Children

The following online cPanel documentation explains how to modify the PHP-FPM settings:

Configuration Values of PHP-FPM

You may need to increase the max_children and max_requests values and see if the issue persists.

From https://support.cpanel.net/hc/en-us/requests/95711112>

limit files mysql

limit files mysql

# grep -i nofile /etc/systemd/system/mysqld.service.d/*

/etc/systemd/system/mysqld.service.d/limits.conf:LimitNOFILE=40000
/etc/systemd/system/mysqld.service.d/override.conf:LimitNOFILE=40000

# grep -i nofile /usr/lib/systemd/system/mysql.service

LimitNOFILE = 10000

# systemctl show mysql | grep -i nofile

LimitNOFILE=10000

LimitNOFILESoft=10000

Because of this, I edited the service file and modified the limit to 40k, before reloading the daemon and restarting the service.

# systemctl daemon-reload

# /scripts/restartsrv_mysql

# systemctl show mysql | grep -i nofile

LimitNOFILE=40000

LimitNOFILESoft=40000

cPanel Hardening

cPanel Hardening

Tweak Settings

Disabled unnecessary stats programs

- Enable Analog Stats – Off

- Enable Awstats stats – Off

Email Security Tweaked

- Enable DKIM on domains for newly created accounts – On

- Enable SPF on domains for newly created accounts – On

- BoxTrapper Spam Trap – Off

- Initial default/catch-all forwarder destination – Fail

- Track email origin via X-Source email headers – On

- Enable Apache SpamAssassin™ spam filter – On

Blank referrer safety check – On

Referrer safety check – On

Misc Security Settings

- Use cPanel jailshell by default – On

- Include password in the raw log download link in cPanel (via FTP) – Off

- Limit Server Status Allowed IPs

Allow server-info and server-status – server IP only.

Spam/Abuse related settings

- Max hourly emails per domain – 100

- Count mailman deliveries towards a domain’s Max hourly emails - On

- Maximum percentage of failed or deferred messages a domain may send per hour – 25%

Prevent “nobody” from sending mail – On

Allow users to relay mail if they use an IP address through which someone has validated an IMAP or POP3 login within the last hour (Pop-before-SMTP) – Off

Add X-PopBeforeSMTP header for mail sent via POP-before-SMTP – Off

Prefix “mail.” onto Mailman URLs – On

WHM Security

- Apache mod_userdir Tweak – On

- Compiler Access – Off

- Shell Fork Bomb Protection – On

- Two factor authentication – Enable

- Password Strength Configuration - 65

cPHulk Brute Force Protection

- Brute Force Protection Period (in minutes): 5

- Maximum Failures by Account: 15

- IP Address-based Brute Force Protection Period (in minutes): 15

- Maximum Failures per IP Address: 5

Apache Configuration > Global Configuration > TraceEnable and change the value to ‘Off’.

Apache Configuration > Global Configuration > ServerTokens and change the value to ‘ProductOnly’.

Check apache for FileETag

Go to WHM > Apache Configuration > Global Configuration > FileETag and change the value to ‘None’.

Check mod_userdir protection

Go to WHM > Security Center > mod_userdir Tweak , Tick the ‘Enable mod_userdir Protection’ box.

Click Restart apache button after saving the above configurations

Check php for disable_functions

Add the below functions to ‘php.ini’ file

vi /usr/local/lib/php.ini

show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

Check php open_basedir protection

Go to WHM > Security Center > php open_basedir Tweak

Tick ‘Enable php open_basedir protection’ and click save

Check cPanel login is SSL only

Go to WHM > Tweak Settings / Select ‘Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.’ option and click ‘Save’

Check boxtrapper is disabled

WHM > Tweak Settings > BoxTrapper Spam Trap /Select ‘off’ option and click ‘Save’

Check max emails per hour is set

Go to WHM > Tweak Settings > The maximum each domain can send out per hour / Limit mail sending limit to your desired value and click ‘Save’

Example: 150

Check compilers

Go to WHM > Security Center > Compilers Tweak, Click Disable compilers

Check FTP Logins with Root Password

Go to WHM > FTP Server Configuration > Allow Logins with Root Password and select ‘No’

Click save

Check proxy subdomains

Go to WHM > Tweak Settings > Proxy subdomains and select ‘No’

Select ‘Save’

Check Cookie IP Validation

Go to WHM > Tweak Settings > Cookie IP validation and select ‘Stirct’ and click ‘save’

Check Referrer Blank Security

Go to WHM > Tweak Settings > Blank referrer safety check and click ‘On’ and click ‘save’

Go to WHM > Tweak Settings > Referrer safety check and click ‘On’ and select ‘save’

Go to WHM > Tweak Settings > Hide login password from cgi scripts and select ‘On’ and click ‘save’

Check SMTP Restrictions

Go to WHM > Security Center > SMTP Restrictions and select ‘Disable’ button

Disable shell access for all accounts(except root)

You can disable shell access for all accounts via Home >> Account Functions >> Manage Shell Access

Select the radio button on “Disable shell’ and click ‘Apply to all’

Restart csf once all the above steps has been completed.

Restart csf via the command ‘csf -r’

Exclude services from outdated services script of cPanel

Exclude services from outdated services script of cPanel

The decision to exclude services from the outdated services script’s check in cPanel is generally dangerous. However, there can be some situations that demand it.

In cPanel, the outdated services script plays a vital role in ensuring the security and stability of the server. It regularly scans for outdated software versions and alerts the administrator to update them promptly. However, there may be situations where certain services need to be excluded from this script’s check.

Excluding services from the outdated services script can be necessary for various reasons. One common scenario is when a particular service has been customized extensively and is running on a modified version that may not be compatible with the latest updates. In such cases, updating the service could potentially cause conflicts or disrupt the functionality of the customized components.

Another reason for excluding services from the script’s check could be that its developers no longer support or maintain the service. If a service has reached its end-of-life or is no longer actively updated, no updates may be available to apply. Including such services in the script’s check would only generate unnecessary alerts and notifications, leading to confusion and clutter in the monitoring system.

Here are the Steps:

Log in to your server via SSH

Create a directory under /etc/cpanel/local to exclude a service.

mkdir -p /etc/cpanel/local

Next, create a file “ ignore_outdated_services “under /etc/cpanel/local/ and add services.

For example, you can use the below command to exclude lshttpd service from the outdated services script’s check.

echo -e "# Prevent cPanel from checking the lshttpd services\nlshttpd" >> /etc/cpanel/local/ignore_outdated_services

If the directory is already available, use a text editor, such as vim or nano, and open the “/etc/cpanel/local/ignore_outdated_services “ file and add services.

Services listed in the “/etc/cpanel/local/ignore_outdated_services” will be excluded. Run the outdated services script to check for outdated services. The services should now be ignored and not displayed on outdated services.

By carefully managing the exclusion of services from the outdated services script’s check, administrators can strike a balance between ensuring system security and stability while avoiding unnecessary updates or alerts for services that require special handling. It is essential, however, to regularly review the excluded services and reassess their status to ensure prompt implementation of necessary updates or alternative solutions.

From https://www.techprovidence.com/knowledgebase/exclude-services-from-the-outdated-services-scripts-check/>

Enable Passive FTP Mode on cPanel with Pure-FTPd

Passive FTP is needed when FTP clients are behind NAT or firewalls. Without it, clients can connect but time out when trying to list directories. This guide enables passive mode for Pure-FTPd on a cPanel server.

Prerequisites

  • Root SSH access to the cPanel server
  • Pure-FTPd installed (default on cPanel)
  • The passive port range open in the server's firewall

Steps

# Edit the Pure-FTPd configuration
vi /etc/pure-ftpd.conf

# Uncomment and configure the passive port range
# (Use a smaller range to limit firewall exposure)
PassivePortRange 30000 35000
# Open the passive ports in the server firewall
# For CSF:
vi /etc/csf/csf.conf
# Add 30000:35000 to TCP_IN
csf -r

# For iptables directly:
iptables -A INPUT -p tcp --dport 30000:35000 -j ACCEPT
# Restart Pure-FTPd
service pure-ftpd restart

Verify

ftp -p your-server-ip
# Try 'ls' — passive mode should return a directory listing

Notes

  • If the server is behind a NAT (e.g. AWS), also set ForcePassiveIP YOUR_PUBLIC_IP in pure-ftpd.conf.
  • For FTPS (FTP over TLS), ensure the TLS configuration is also set up in pure-ftpd.conf.
  • cPanel's WHM > FTP Server Configuration provides a GUI for these settings.