10 Ways to Harden VPS Hosting

In this article:

The biggest changes in upgrading from Shared to VPS Hosting are root access and Web Host Manager (WHM). These two capabilities grant you more responsibility to harden VPS hosting for your content management systems (CMSs), websites, and email solutions.

You can access both of these features within your Account Management Panel (AMP).

Below are ways to use that power to harden your VPS Hosting security stance.

Learn more about InMotion Hosting VPS Hosting plans.

Security Features to Harden VPS Hosting

ClamAV Scanner

ClamAV Scanner is an open source anti-virus scanner accessible in cPanel and configurable in WHM. After installing ClamAV in WHM as root, cPanel users can use the Virus Scanner to check files and mail. The scanner will list any potentially infected files after the scan.

Want to try something different? Check out ImunifyAV for easy automatic scans.

Recommended: Run at least monthly.

cPHulk Brute Force Protection

cPHulk protects cPanel accounts against brute force login attempts. Enabling cPHulk allows you to configure failed login lockouts, whitelist/blacklist IP addresses and countries, and log login attempts.

Recommended: Enable username and IP-based protection. Enable notifications. Blacklist nonapplicable countries. Check History Reports at least monthly.

Config&Server Security Firewall (CSF)

Config&Server Security Firewall (CSF) is a versatile server-level firewall with the ability to detect and prevent brute-force login attempts, port scans, and other network-based attacks.

Account owners with Advanced Policy Firewall (APF) should upgrade to CSF for improved security.

Recommended: Block unneeded ports. Schedule Checks for IPs in RBLs. Enable port flood protection, port scan tracking, port knocking settings.

DNS Records

Enable domain privacy to protect your WhoIs information. Remove old DNS records that are no longer needed. Ask your registrar how to enable DNS security extensions (DNSSEC).

Recommended: Enable DNS security extensions (DNSSEC) when possible via your domain registrar and server or within proxy servers such as Cloudflare.

Email Authentication

Email is a popular attack vector for cyber-attacks. Always look for signs of malicious emails. But enlist your server to assist you. Use all available server security software and spam filters within your server and email software.

Recommended: Follow our guide to strengthen email authentication. Learn about phishing, spear-phishing, and whaling.


ModSecurity is generally left alone unless it blocks an important task. If that’s the case, enable ModSec once you’re done. Contact Live Support for assistance troubleshooting the block, and/or consider another method to complete the task to maintain security.

Recommended: Keep ModSecurity enabled.

PHP Versions

The newest PHP version is PHP 7.3 while 7.2 is the most commonly supported. All older PHP versions should be avoided and removed if not required to run important software.

Recommended: Use the highest PHP version possible. Remove older PHP versions in WHM.

Security Advisor

The cPanel Security Advisor in WHM offers configuration recommendations for passwords, cPHulk, MySQL/MariaDB, SSH, SMTP, and more.

Recommended: Run the Security Advisor periodically and follow its recommendations.


Softaculous Instant Installer takes the pain out of installing new software. However, there are many included installable CMSs that aren’t actively maintained or require an outdated PHP version. If you remove those older PHP versions, those installation scripts will have unmet requirements. Abandoned CMSs are more vulnerable to cyber-attacks.

Recommended: Only use CMSs and frameworks in active development. Remove outdated Softaculous scripts.

Don’t have Softaculous? Purchase it in AMP today.

SSL Certificate

A Secure Socket Layer (SSL) certificate encrypts communication between the user and the website. There are three validation levels for SSLs – domain (DV), organization (OV), and extended (EV). We offer a free and paid DV Comodo SSL. We recommend paid SSLs for major organizations and e-commerce stores. The free AutoSSL suffices for other websites.

After installing an SSL, HTTPS will work with your website – e.g. https://www.inmotionhosting.com. But you’ll need to force your website to redirect from HTTP to HTTPS to ensure it protects website visitors. The type of website, CMS, or other software you use will determine how you implement this.

Some business owners use HTTP Strict Transport Security (HSTS) which forces HTTPS at the browser level. Websites with HSTS enabled will not display if the SSL expires.

Recommended: Install a free or paid SSL certificate and force HTTPS via .htaccess or website plugin. Consider HSTS.

WHM/cPanel Updates

cPanel updates keep server-level software up to date. Check WHM, as user root, for updates in the upper-right corner.

Recommended: Check WHM for updates monthly.


The unfortunate truth: you can do everything above and still suffer from a malware infection. Part of working to harden VPS hosting is preparing for the possibility that it still doesn’t stop a cyber intrusion. Up-to-date cPanel backups, stored externally from the server, are your primary disaster recovery solution. AMP snapshots are another backup option, but its a single backup for your entire container. It’s used to restore your entire VPS to a last known best configuration.

Recommended: Schedule cPanel backups in WHM and snapshots in AMP.


It’s important to train cPanel users, website administrators, and email account holders on everything above. Like customer service, security is everyone’s job. Everyone shares the role to harden VPS security. Share security news related to installed CMSs, cPanel, phishing, and InMotion infrastructure regularly.

Recommended: Email cPanel users from WHM often and recommend training courses for further learning.

Technical Support

24/7 Live Support is always available via phone, live chat, email, and Skype. You’ll need account verification information for account assistance. If we can’t resolve the issue with you, we’ll provide recommendations including other support options below.

Advanced Product Support (APS) is dedicated to supporting VPS-3000 hosting plans and above. APS is also available 24/7.

Managed Hosting specializes in custom server-level configurations and optimizations. Ask Live Support about Launch Assist to help you get started and your allotted Managed Hosting time.

Community Support Center is the place to engage the community for support, alternatives, and additional assistance. Feel free to ask questions about additional ways to harden VPS hosting. Remember, the forum is not a live chat support medium and InMotion administrators do not have access to your hosting account. For immediate assistance with support and billing, contact our 24/7 Live Support.

Want to add external protection to harden VPS hosting security? Check out Sucuri web application firewall today.

Jacqueem Technical Writer

Technical writer focused on cybersecurity and musicianship.

More Articles by Jacqueem

Was this article helpful? Let us know!