Read time: 7 minutes
A cPanel attack looks like a sudden traffic spike and makes the website inaccessible to real users. During a Distributed Denial of Service (DDoS) attack, you will not be able to access websites, will get 504 timeout errors continuously, and the WebHost Manager (WHM) dashboard will become unresponsive.
Every year, the number of DDoS attacks is rising. Recently, in Q1 this year, attackers exploited thousands of servers due to a vulnerability in user authentication. Therefore, it is important for those who own a website or manage a hosting server to have complete information about this attack.
In this guide, we will talk about how you can detect if your website is under a DDoS attack, how you can prevent it, and what steps you must take to prevent the attack on your cPanel server.
What is a cPanel DDoS Attack?
Imagine cars passing through a toll gate. Then, suddenly, thousands of fake cars come to the toll and jam it. Now, the real cars are waiting behind a long queue to reach the toll gate. This is what happens when an attacker sends fake requests to your cPanel server. The real users cannot reach the website.
The attacker uses a network of multiple compromised computers to target your website. Fake requests in millions are received at the exact same time. The cPanel gets overwhelmed when trying to process everything. As a result, the website slows down or crashes entirely.
Some attackers use a single system to do it, called a single-source DoS attack. While others rely on multiple systems to overwhelm the cPanel server, called a Distributed Denial of Service (DDoS) attack.
Why is Your cPanel Targeted?
A DDoS attack is not personal (at least when it is not from your direct competitor). It is a way to generate ransoms. The attackers continuously scan websites with weak passwords and missing critical firewall settings. The moment they find one, a DDoS attack is launched. If successful, they will ask for money to stop the attack.
How Can You Verify If You Are Under a DDoS Attack?
Before making permanent changes to your server settings, I recommend that you confirm whether the sudden traffic spike is actually an attack or whether these are real users. To verify the DDoS attack on your cPanel, follow these steps:
- Log in to the cPanel and go to the Metrics > Bandwidth section. Here, look for any unusual spike in the traffic. Also, check out the Resource Usage data for an overloaded CPU or system memory.
- Alternatively, if you have administrator-level access, go to the WebHost Manager (WHM) and check:
- Server Status and analyze the overall server load.
- Server logs and inside it look for repeated requests from the same IPs or IP ranges.
Different Types of DDoS Attacks
If you are sure that your cPanel is under attack and the server logs show machine-like fake request patterns, then you are experiencing one of the following DDoS attacks right now.
- Volumetric attack: In this type of DDoS attack, the attacker floods the bandwidth with junk traffic (e.g., UDP floods).
- Protocol/connection attack: Here, the attacker tries to exploit connection handling in network or transport layers, e.g., SYN floods.
- Application-layer (Layer 7) attack: In this attack, your website will get fake HTTP requests that look almost like real users, making them the hardest to detect.
Quick Solutions to Implement During an Active DDoS Attack on cPanel
When it is confirmed that you are dealing with a DDoS attack, immediately try these hacks to minimize the damage.
- Check and block offending IPs using the cPanel’s IP Deny Manager or WHM’s firewall.
- If using Cloudflare or LiteSpeed web servers, utilize their built-in settings to mitigate a DDoS attack.
- Backup cPanel emails, website files & folders, and databases. The overloaded resources can cause servers to crash, which may corrupt data.
- Contact your host or admin and ask them to implement the necessary steps to divert or stop the fake traffic.
What are the Methods to Stop the cPanel DDoS Attacks?
There are a few techniques that you can implement in the cPanel and WHM settings to stop the attack on your server. These are:
1. Configure CSF (ConfigServer Security & Firewall)
CSF is the standard free firewall for cPanel/WHM servers. To access it, log in to WHM and go to CSF. Then in the Firewall Configuration, do this:
- Lower the CT_LIMIT to 20. This is the maximum connection allowed per IP. Normally, it is between 100 and 300.
- Then, modify the value of CT_INTERVAL to 10. This value defines how often CSF scans for connections.
- Finally, enable PORTFLOOD and SYNFLOOD to catch attacks.
2. Add mod_evasive (Apache)
It is a native module in WHM and protects against DoS, DDoS, and brute-force attacks. To use it, go to WHM > Home > Software > EasyApache 4 and install the mod-evasive module. It blocks IPs that repeatedly request the same page too quickly.
Some administrators also use the Imunify360 for a superior AI-powered protection. Its working mechanics are the same as mod-evasive. However, to use it, you must buy a license.
3. Use LiteSpeed’s Built-In Anti-DDoS Tools
LiteSpeed offers several options for anti DDoS protection. You can use Per-Client Throttling and reCAPTCHA to separate bots from real users. Furthermore, enable the LiteSpeed Cache to help the server absorb the increased traffic spike even during an attack.
4. Rate-Limit with Nginx/Cpnginx (If Not Using Pure Apache)
If your server runs Nginx or Cpnginx, you must configure connection and request rate limiting. To do this, go to WHM > Cpnginx > Preferences > Firewall. This setting will stop a single IP from opening 100+ connections at the same time. Moreover, it is greatly effective against Layer 7 attacks.
| Method | When to use | What it does |
|---|---|---|
| CSF | To stop irregular massive traffic spikes | Blocks bad traffic before it even reaches your website. |
| mod_evasive | To stop bots from reloading a page repeatedly | On your Apache Web Server keeps web pages from crashing. |
| Nginx / Cpnginx | Handling high-volume traffic and fake visitor requests | Efficiently manages thousands of rapid, fake views. |
| LiteSpeed Anti-DDoS | Catching advanced bots and verifying real humans | Test if a visitor is real using tools like reCAPTCHA. |
How to Prevent a cPanel DDoS Attack?
To minimize the chances of an attacker targeting your cPanel server, do this:
- Always make sure to update your plugins and cPanel.
- For the server account, use a strong password.
- Enable two-factor authentication (2FA).
- Keep tight security on who can access the WHM/cPanel.
- Monitor logs of the server and look for irregularities.
Final Thoughts
Do not depend on a single method to stop the cPanel DDoS attack. Different methods are required to handle different types of DDoS attacks on your server. For best protection, use the above-discussed methods in combination. Furthermore, also add an external CDN for added security.
Even with strong defenses, no server is 100% immune. Keep regular, separate backups of your website files and your email accounts. However, a complete cPanel backup will consume a lot of your server’s resources, and this becomes a problem when the server is under attack. A smart move is to divide the server load. Use native options to back up website files and databases. For emails, use an IMAP Backup tool.
Frequently Asked Questions
A. A DDoS attack happens when an attacker sends fake traffic from multiple computers/sources to your server, all at once. They usually target cPanel servers that have weak firewall settings and outdated software.
A. No firewall can guarantee 100% safety. The CSF settings can mitigate small-to-medium attacks significantly but may fail during a large-scale DDoS attack on cPanel.
A. It mainly depends on the attacker’s resources and your mitigation response. A DDoS attack can last anywhere from a few minutes to several days.
