Two Factor Authentication for cPanel

Everyone wants their account to be as secure as possible, even with using a random strong password your account can still be hacked. Two Factor Authentication provides an extra step to access your cPanel account. In this guide we will be discussing how to set up, configure, and use the Two Step Authentication option provided within Web Host Manager (WHM). The option must be enabled in WHM before it can be activated in the cPanel account.

Two factor authentication requires that you have root access to your server. The Google Authentication app must also be installed on your mobile device.

  1. Log into your WHM as the root user.
  2. Search for 2 factor

    Use the search bar to find Two-Factor Authentication. You can also search for “2fa” for short.

  3. enable two-factor authentication

    Click the on and off button to enable Two-Factor Authentication Security Policy.

  4. Name the issuer for your settings

    Next you will need to click on Settings in order to give name to the issuer for two-factor authentication. By default, it is set to your server name. This name is used to identify the code used within the Google Authenticator app. If you are using the app for several authentications, this name distinguishes your server so that you know what code to use when you need to login to cPanel.

At this point, in order to enable two-factor authentication for a cPanel account you will need to login to the cPanel account where you wish to use two-factor authentication. You will need to go to the Security section and click on the Two-Factor Authentication icon. Follow the procedure below in order to activate two-factor authentication for a cPanel account.

cPanel Two-Factor authentication utilizes the Google Authentication app. At this point you will need to have the application loaded and working on your mobile device. Note that when you have two-factor authentication enabled, the mobile device will be required to login.

  1. Configure two-factor authentication in cPanel

    Click on the Two-Factor Authentication icon in cPanel.

  2. Click button to setup 2-factor authentication

    Click on the button that is labeled Configure Two-Factor Authentication. You will see a QR code appear on the screen. You will need your mobile device with the Google Authentication app for next 2 steps. The Google Authentication application uses the camera on your mobile device in order to view the QR code. If your device cannot read the QR code, then you can use the manual code provided below the QR code. Click on Manual entry in order to enter the provided key.

  3. Scan QR code

    If you can scan the QR code with your device, then click on Scan barcode.

  4. type in 6-digit code

    Once you scan the QR code you will get a code that will only show for a short period of time. Go down the screen to Step 2 and type in the 6-digit code.

Once the code is entered you will see a message that says “Success: Two-factor authentication is now configured on your account.” At this point, if you log out of the cPanel, you will be required to enter your normal cPanel password and then use the Google authentication app to provide the code to login cPanel as per the screenshot below:

Login screen after cPanel password

Thoughts on “Two Factor Authentication for cPanel

    • 2FA is available on VPS and dedicated server hosting subscriptions. In order to activate it you would need to have root access.

  • Hi guys,
    I just enable it for my cpanel but i see that if i click on cpane using my AMP its not asking for a 2 step ver.
    So what is the meaning if have the 2 step ver. for cpanel but not for AMP?
    Is there any way to install some 2 step ver. on my AMP?

    • The AMP uses your cPanels API so you cannot add two factor authentication to it. Currently, there is no way to add two factor authentication your amp.

      Best Regards,
      Kyle M

  • Hi – I am an Inmotion Shared Hosting Power Plan User, and was earlier a client of Namecheap Hosting. I am fairly satisfied with your hosting services, however, the lack of 2 Factor Authentication for Shared Hosting Users is a very serious security issue. Namecheap has enabled 2 Factor Authentication for all Customers Log-ins through provision of sending SMS OTP code to the customer’s designated mobile No(s.), which provides an extra layer of security to everyone irrespective of their domain/hosting plan. GoDaddy has also implemented a similar 2FA via OTP code on customer phones.

    Why can’t Namecheap implement the same for all its hosting server users, irrespective of their shared/VPS/Dedicated Hosting plan, for better security and peace of mind? In today’s age, when all passwords of customers can be hacked easily, or uncovered through brute force software bots, it should be the first priority to secure accounts of all customers, as any breach or hack will also damage Inmotion Hosting’s reputation.

    Request you to please implement this SMS OTP 2FA immediately, without any further delay. Security is paramount, and every customer, big or small, deserves it equally.

    Thanks and regards,

    Concerned User

  • i have lost my old device ..

    now i don’t have access to my whm ..

    how can i get into the whm and setup the 2 way authentication on my new device .. ??

    • Hello,

      You can disable the 2FA through SSH as root using the cPanel API, Below is the command you would use. I have also included a link to the cPanel documentation for this here. You can also contact our techincal support and ask them to help you disable it if your hosting is with us.

      “uapi –user=username TwoFactorAuth remove_user_configuration”

      Best Regards,
      KyleM

  • This article desperately needs an update. This package requires the deprecated whmlib.pm, which is no longer available in newer cPanle/WHM installs.

  • Is this feature available for shared hosting customers, or only those with VPS? If that is the case, why compromise the security of those who pay less? Hoping I can connect with a sys admin to get this set up on my shared account. Thanks!

    • This feature is a third party plugin that requires root access in order to install. It is a plugin that can be installed onto any VPS and Dedicated server with root access.

  • Can you please activate this on a Reseller account on request?

    I want me customers to be able to enable on their cPanel to enhance the security of their websites.

    Regards

    • Unfortunately, this is not available on the reseller servers. To do this requires root access on a VPS or Dedicated server.

    • Hello Frank,

      If you are on a VPS+ account then yes you could add that plugin to your WHM.

      Best Regards,
      TJ Edens

  • I’m very interested in this except I want to be sure there is a way to specify an alternate phone number in case something happens to me or my phone. This is a problem that I don’t see a current solution for.

    • Hello Frank,

      Thank you for contacting us. “If you’re having trouble signing in with your primary phone, you can always have a verification code sent to your backup phone…” here is the guide.

      Thank you,
      John-Paul

    • Thank you for your question. I’m not sure what you mean by backup phone number? Do you mean you want to authenticate with a phone in general? Or, do you want to use a backup phone number?

Leave a Reply