cPanel Security Update: What You Need to Know

DerrellDerrell 4 Minute Read

Your website stayed online throughout the incident. We completed a cPanel security update on April 28, 2026, after a serious security flaw was discovered in the software powering the back-end of your hosting account. For most customers, there is nothing to do.

What Happened with the cPanel Security Update

Researchers discovered a serious flaw in cPanel, the software behind the dashboard you use to manage your hosting account. The flaw could have allowed an attacker to break into a hosting account without needing a username or password. This was not an InMotion Hosting-specific issue. Every web host running cPanel faced the same risk at the same time.

To protect customers while the fix was being applied, we temporarily restricted access to the cPanel login page and control panel. Your website, email, and any applications running on your account continued operating normally throughout. Only the management dashboard was briefly inaccessible.

Is Your Site Safe?

Your website was online the entire time. Your files, databases, and email were not disrupted by the update. InMotion Hosting applied the cPanel security update across the entire server fleet (Shared, WordPress Reseller, VPS, and Dedicated), and access to the control panel was restored once each server was confirmed patched.

One important caveat: The patch we applied closes the door going forward, but it does not look back. If you notice anything unusual on your site or in your account, contact our Technical Support team, and we will help you investigate.

Note: A small number of customers may have been contacted directly by our team if their specific environment required extra attention. If you received that outreach, please respond so the team can help you.

Do You Need to Do Anything?

For most customers, no. The update was applied automatically to your server, regardless of whether you are on Shared, Reseller, VPS, or Dedicated. You do not need to run any commands or make any changes.

As a general precaution, you can change your cPanel password. This is optional, but it is always a good habit after any security event. Log in to your Account Management Panel (AMP) and update your password from there.

If you manage your own VPS or Dedicated Server and are not sure whether your server received the update, contact our Technical Support team. Chat and ticket support are available 24 hours a day, 7 days a week.

If Your Account Was Migrated to a New Server

As part of our response, we moved a subset of accounts to fresh hardware. If your account was migrated, you received an email from InMotion Hosting – System Administration ([email protected]) with a subject containing “Account Move Complete.” That email lists your new server name, IP address, and temporary cPanel and Webmail URLs.

Your old server stays active for up to 24 hours to give DNS time to propagate. During that window, connections to the old hostname may still succeed, but they will stop working once propagation completes. Update your client settings now so you are ready when that happens.

Check and update the following:

  • Email clients (SMTP, IMAP, POP3). Update the incoming and outgoing server hostname in your mail app (Outlook, Apple Mail, Thunderbird, or any mobile client) to the new server name from your migration email. Your username and password do not change.
  • Webmail, cPanel, and WHM bookmarks. Replace any saved links that point to the old hostname. Password resets run against the old hostname will appear to succeed during the grace period and then stop working after propagation completes. This is the most common cause of “I changed my password, and now I am locked out” reports.
  • Temporary cPanel and Webmail URLs. The temporary URLs in the migration email use plain HTTP because SSL certificates for the new hostname are still being provisioned. Use them only long enough to confirm the move, then switch to HTTPS once your domain has propagated to the new server.
  • Third-party connections. Backup tools, deployment pipelines, CRM integrations, and monitoring services that connect by hostname all need to be updated to the new hostname from your migration email.
  • External DNS A records. If your DNS is hosted outside InMotion Hosting (for example, Cloudflare), update your A records to point to the new server IP listed in the migration email. InMotion Hosting does not update third-party DNS on your behalf.

Important: Do not make changes to site content or databases until DNS propagation is complete. Edits made to the old server after propagation will not carry over to the new one.

If you cannot find the migration email, check your spam folder. If it is not there, contact our Support team so we can confirm whether your account was moved and resend the details.

Learn More

For the full technical picture, including how the vulnerability worked, how InMotion responded, and a detailed checklist for server administrators, see the technical follow-up article.

Share this Article
Derrell Willis
Derrell Willis Manager, Developer Relations

More Articles by Derrell
Related Articles

Leave a Reply

Need More Help?

Current Customers

Chat: Chat with Sales
Call: 757-416-6575 x2
Ticket: Submit a Support Ticket

Get Reliable Web Hosting

Chat: Chat with Sales
Email: [email protected]
Call: 757-416-6575 x1

Get web hosting that grows with your business. Our all-in-one hosting platform gives you everything your website needs to scale - so you can focus on the next big thing for you and your business.