When you take on a VPS, the server arrives with a reasonably secure base image. That is a starting point, not a finished state. The decisions you make in the first few days, and the habits you build after that, determine how exposed your server actually is.
The steps below cover the most practical things you can do inside cPanel and Plesk to reduce your attack surface. None of them require deep Linux knowledge, but all of them make a real difference.
Keep software updated
Outdated software is one of the most common ways servers get compromised. Attackers actively scan for known vulnerabilities in older versions of PHP, Apache, MySQL and control panel software. Running current versions closes those doors before anyone can walk through them.
In cPanel, you can manage updates through WHM under Server Configuration > Update Preferences. Setting updates to automatic means you are not relying on remembering to check. In Plesk, updates are handled through Tools & Settings > Updates and Upgrades. Check this regularly if you prefer manual control, or enable automatic updates for security patches at minimum.
Tip: PHP version management is separate from your control panel updates. Check which PHP version each of your hosted sites is running and update any that are past their end-of-life date. Our guide on changing PHP version in cPanel walks through the process.
Restrict SSH access
SSH (Secure Shell) is the protocol used to connect to your server via the command line. By default, it listens on port 22, which is the first port automated scanners try. Two changes make a significant difference here.
First, change the default SSH port to something non-standard. This will not stop a determined attacker, but it eliminates the vast majority of automated brute-force attempts that never look beyond port 22. Our KB article on changing the SSH port on a VPS covers this step by step.
Second, disable password-based SSH login and switch to key-based authentication. A private key is far harder to compromise than a password, and it removes the risk of brute-force attacks entirely. You can find instructions for adding your SSH key to your VPS in our knowledgebase.
Configure your firewall properly
A firewall controls which ports and services are reachable from the outside world. The principle is to allow only what you need and block everything else. Both cPanel and Plesk include firewall tools, and there are also dedicated options worth knowing about.
CSF (ConfigServer Security & Firewall) is a popular choice for cPanel-based servers. It integrates directly with WHM and gives you granular control over inbound and outbound traffic. Plesk users can manage firewall rules through Tools & Settings > Firewall, or use Fail2Ban to automatically block IPs that show signs of brute-force behaviour.
If you are managing firewall rules at the OS level, our guides on opening ports in UFW and opening ports in Firewalld cover the two most common Linux firewall tools.
Use SSL certificates across all your domains
SSL certificates encrypt traffic between your server and visitors. Without one, data sent to and from your site travels in plain text, which is a problem for login forms, contact forms and any page handling personal information.
Both cPanel and Plesk support Let’s Encrypt, which provides free, automatically renewing certificates. In cPanel, AutoSSL handles this for you once enabled. In Plesk, you can install Let’s Encrypt certificates through the SSL/TLS Certificates section of each domain. Our guide on installing a Let’s Encrypt SSL in cPanel walks through the process if you have not done it before.
If you need certificates for multiple domains or want extended validation options, take a look at the SSL certificates available from UWH.
Set up regular backups
Backups are not a security measure in the traditional sense, but they are your recovery option when something does go wrong. A compromised server with a recent backup is a recoverable situation. A compromised server without one is not.
In cPanel, you can configure automated backups through WHM under Backup > Backup Configuration. Store backups off-server where possible, so a breach of the VPS itself does not take your backups with it. Plesk users can configure scheduled backups through Tools & Settings > Backup Manager. Our guide on creating a cPanel backup covers the basics if you are starting from scratch.
Monitor login attempts and access logs
Knowing what is happening on your server is half the battle. Both cPanel and Plesk give you access to logs that show login attempts, failed authentications and traffic patterns. Reviewing these periodically helps you spot unusual activity before it becomes a serious problem.
In cPanel, access logs are available through Metrics > Raw Access. WHM also provides a Security Center section with tools for reviewing brute-force activity. In Plesk, logs are accessible under Websites & Domains > Logs for each domain. Our guide on viewing access logs explains where to find them and what to look for.
For a broader look at hardening your server at the OS level, the VPS security guide and our KB article on securing your VPS cover additional steps worth taking.
These steps will not make your server invulnerable, but they will remove the low-hanging fruit that most attacks rely on. A server that requires real effort to compromise is one that most automated attacks will skip past entirely.
If you are looking for a VPS that starts from a solid foundation, take a look at our VPS hosting plans.
You May Also Like
Related articles you might find interesting.
Best UK VPS Hosting: How to Choose the Right Provider in 2026
cPanel vs DirectAdmin vs Plesk: Which Control Panel Should You Choose?
Ready to get started?
Launch your website with our reliable cPanel hosting with unlimited bandwidth and expert support.
Get cPanel Hosting