
Email Accounts Management in cPanel


Welcome to this tutorial on how to manage email accounts in cPanel, including creating a new email account, changing an email password or disk space, deleting an email account, and finding the configuration details for email client software.

We assume that you have already logged into cPanel.

cPanel Email Accounts

Click the Email Accounts icon under the Mail section.

cPanel Email Page

You can create an email address on this Email Accounts screen for any of the domains you have in your account, including addon and parked domains.

List emails

You can also see all the email accounts that you created earlier and manage them, e.g. change the password, change the disk space for an email account, delete an email account, or get the email configuration details to set up Outlook, Thunderbird or other email software on your computer.

The list of email accounts also shows how much disk space is used by each account.

Create Email

We are going to create a new account, so we'll focus on that part of the screen. Enter your desired email user. For this tutorial we use john@businessx.com as the email address. Next, enter a strong password. The strength indicator will show you how strong your password is. Try to use an alpha-numeric, upper and lower case combination with a few special characters. Never use dictionary words, your name etc. You can use the Password Generator for help in creating a strong password. Remember the password or note it down safely where only you can access it.

Finally Create Email Account

You can set the mailbox quota here as well. This is the storage for emails for this particular email account in your hosting account. Please note that if this email account uses all the disk space you define here and is full, any new email will be rejected by the server with a "Mailbox quota exceeded" error and returned to the sender of the email.

Click Create Account to finally create the email account.

Now that the email account has been created, it will be listed on this same page. If you have already forgotten the password 😉 you can change it by clicking Change Password. Similarly you can change the disk quota or delete the account altogether and start over again.


Click More to access a drop-down menu with two more options. You can select Access Webmail, which will ask you for the email password and then log you in to webmail. We'll talk about this in another post. Click Configure Email Client to view the page that provides manual and auto-configuration for a number of email clients such as Microsoft Outlook, Mac Mail, Postbox, Thunderbird and KDE Kmail.

cPanel Auto Configure Email

If Auto Configuration does not work for some reason, note down the manual settings:

cPanel Manual Email Settings

Please use the Secure SSL/TLS Settings (that is why they appear as recommended). Also make sure to set up authentication for SMTP to send emails from the server.

Website Hacked – How to secure it?


This article applies to the general security of websites, with emphasis on Linux cPanel based shared web hosting. These are some of the best practices that can help prevent hacking and, if the website gets hacked, some steps that should be taken to properly secure it.

1. Update Web Applications Regularly

The first thing you should do is check the vendor/developer websites for updates to all of the web scripts/applications (e.g. WordPress, Joomla, Drupal etc.) used in your account. This includes any addon modules you may be using in any web application. If you are using an open source web application, that may be the prime suspect. However, you must check all of them and keep them up to date. Search Google or security-related websites for any publicly known exploits for any web application you use. For example, if you are using WordPress or Joomla, you should register on their mailing lists and update to the latest stable release, or whenever they release a security patch. The window of opportunity for hackers should be kept to a minimum. We do this for a number of websites that we maintain and they have never been hacked in 17 years.

2. Audit Files in Your Account

Once you have verified that 100% of scripts/web applications are on the latest stable version, you will need to go through all the files in your account and make sure none was uploaded by hackers before your audit. Remove any unattended install of any application, for example a web app that you installed to test out and forgot to remove.

Go through all files in your folders and check the timestamps of file changes. There may be files in folders you would never imagine. You can use FTP or the cPanel File Manager to go through all files under public_html and compare them with your local copy. [You should always maintain a local copy for this comparison as well as for backup.] In particular, check any modified files for code injected into them.

Typical locations for hackers to install malicious scripts are the images folder or a web app's upload folder.
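The comparison described above can be automated. The following Python script is an added example, not part of the original article: it compares a known-good local copy with a downloaded copy of public_html by SHA-256 hash (content rather than timestamp) and flags script files sitting in image or upload folders. The folder names, extensions and sample files are assumptions constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

SCRIPT_EXTS = {".php", ".phtml", ".pl", ".cgi", ".py"}  # assumption: types the server executes
MEDIA_DIRS = {"images", "uploads"}                      # assumption: folders that should hold no scripts

def manifest(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(known_good, server_copy):
    """Compare the local known-good tree with a copy downloaded from the server."""
    good, live = manifest(known_good), manifest(server_copy)
    report = {
        "added": sorted(set(live) - set(good)),
        "removed": sorted(set(good) - set(live)),
        "modified": sorted(f for f in good.keys() & live.keys() if good[f] != live[f]),
    }
    # Executable file types inside media folders deserve a manual look.
    report["scripts_in_media"] = sorted(
        f for f in live
        if Path(f).suffix.lower() in SCRIPT_EXTS and MEDIA_DIRS & set(Path(f).parts[:-1]))
    return report

def demo():
    """Build two small constructed trees and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "local"), Path(tmp, "server")
        for root in (good, live):
            (root / "images").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'home';")
            (root / "images" / "logo.png").write_bytes(b"\x89PNG constructed")
        # Constructed differences that exist only in the server copy
        (live / "index.php").write_text("<?php echo 'home'; /* extra line */")
        (live / "images" / "thumb.php").write_text("<?php /* placeholder */")
        return audit(good, live)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

To use it on a real account, call audit() with the path of your local copy and the path of a fresh download of public_html.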

3. Strong Passwords

Make sure all passwords are a mix of alpha-numeric characters and not a dictionary word. Just because you thought of a difficult word from the dictionary does not make you safe. Reset all passwords if you are hacked, including email, database, web app logins, and any control panel. The hacker may have already scanned all your files to pick up e.g. the database password for future attacks.

4. MySQL Security

The MySQL database access for a web application should be through separate database users. Do not use your main account user/pass for it. Your main login should never be stored in any file in your account. If you need to access MySQL remotely, make sure you allow only your static IP for access.

5. Archive Raw Logs

In your cPanel, activate the archive option for your web logs in Raw Log Manager. This will give you the opportunity to check how the hacker exploited one of the scripts. Otherwise all raw logs are cleared after the stat reports are generated. If you have already been hacked, it is too late for this incident, but you can archive the logs for future attacks.

6. Old Web Applications

If you have customized a web application with modifications or modules, make sure these are also on the latest stable version. A popular web application may be stable while one of its addon mods is exploitable and may not be maintained any more. Avoid using such mods. Only use well maintained code in your account.

7. Sanitize Input Data

If you have developed some code yourself, make sure all input variables are sanitised (checked for valid data before they are used). Otherwise a single line of bad code can give access to your entire account. The usual mistakes are (a) including a file based on user input and (b) passing data as it is to a database or other scripts without sanitising it. Again, make sure all input to a script is checked for valid data. All exploits are based on input data. If your site does not take any input, you are 100% safe from web exploits, i.e. if you run a 100% static html site with no script whatsoever anywhere in your account.

8. PHP Scripts Security

For PHP scripts, any application that requires register_globals to be active has a higher chance of being exploitable. Avoid such applications. In the latest PHP, register_globals is no longer active, so this type of exploit is declining.

9. Email Scripts Header Injection

If you have an email script for a contact form, make sure it is safe from header injection. In essence, make sure that the email address, subject and other parts of the data submitted by the user do not contain line breaks. If any line break comes in, the script should block the attempt. With such header injection, spammers can use your account and server to send huge volumes of spam.
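The check described above, as an added example that is not part of the original article. It is written in Python for illustration; a PHP contact script needs the same test before it hands the values to its mail function. The sender and recipient addresses, field names and sample submissions are assumptions constructed for the demonstration.

```python
import re
from email.message import EmailMessage

SITE_FROM = "webform@example.com"   # assumption: fixed sender owned by the site
SITE_TO = "owner@example.com"       # assumption: fixed recipient, never taken from the form
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class RejectedSubmission(ValueError):
    """Raised when a form value must not be placed in a mail header."""

def check_header_value(name, value, max_len=200):
    """Block any value destined for a mail header that carries a line break."""
    if "\r" in value or "\n" in value:
        raise RejectedSubmission(f"{name}: line break in header field")
    if len(value) > max_len:
        raise RejectedSubmission(f"{name}: too long")
    return value.strip()

def build_contact_mail(form):
    """Build the message; visitor data reaches only Reply-To, Subject and the body."""
    reply_to = check_header_value("email", form["email"])
    subject = check_header_value("subject", form["subject"])
    if not ADDR_RE.fullmatch(reply_to):
        raise RejectedSubmission("email: not a single address")
    msg = EmailMessage()
    msg["From"] = SITE_FROM
    msg["To"] = SITE_TO
    msg["Reply-To"] = reply_to
    msg["Subject"] = "[Contact form] " + subject
    msg.set_content(form["message"])  # the body may contain line breaks; headers may not
    return msg

def is_accepted(form):
    """True if the submission passes the header checks, False if it is blocked."""
    try:
        build_contact_mail(form)
        return True
    except RejectedSubmission:
        return False

# Constructed submissions: a normal one, and one with a line break in the subject
GOOD = {"email": "visitor@example.org", "subject": "Quote request",
        "message": "Hello,\nplease call me."}
BAD = {"email": "visitor@example.org", "subject": "Hi\r\nBcc: list@example.net",
       "message": "x"}

if __name__ == "__main__":
    print(is_accepted(GOOD), is_accepted(BAD))
```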

10. Open Source Responsibility

Using free open source web applications is great, but you have to maintain them with regular updates or you can lose all your data and your site if a new exploit is released. As a hosting account owner, it is your responsibility to maintain such applications and keep your account protected.

If your site has been running fine for years, it does not mean there were no security holes in it. It actually means that the exploit was unknown or you were lucky that no one exploited it before.

Also avoid using open source software (including any plugin/theme) that is not well maintained or has been abandoned by the developer. Another indicator would be a high number of critical exploits discovered for it in the past, meaning the code base is not very secure and more exploits could be discovered in future.

11. Secure Configuration Files

If you are on a shared hosting account, for added security, change the permissions of your configuration files (having database credentials in them) to “660”. You can do that via ftp, ssh or file manager. For example via ssh: chmod 660 config.php

12. Protect Administration Sections

Again, for additional security, if you can block access to certain administrative sections of your site, do so by giving access only to authorized IP addresses and blocking access for everyone else, or password protect them. This can be done using a .htaccess file or Password Protected Folders.

13. Uploaded Files

If there is any file upload facility in your account, make sure that only authorized users can use it. It should also have some sanity check on what type of files are allowed. This is one of the easiest entry points for hackers.

Also, uploaded files should not be directly accessible via a web URL. They should be stored outside of public_html unless (a) they are only uploaded by a site admin, or (b) they have been checked and validated not to contain malicious data.

14. URL Forwarding / Webmail

If there is any URL forwarding or Webmail facility for your site membership, make sure access is restricted. It should be allowed only with proper authorization, otherwise it could be used for spamming.

15. Test / Dev Installs

If you're exploring something by installing a test instance of a web app, or you are in the process of developing a new app, lock it behind a password or IP access restriction right away.

16. World Write Folders Not Required

Since our Linux web hosting servers come with suPHP, you do not need any file or folder with world write permissions. Normal folder permissions should not exceed 755. PHP/html files can be 644. CGI/perl scripts can be 755.

17. Software Piracy

If you download commercial software or a web app plugin from a suspicious website, e.g. a commercial theme or plugin for WordPress, the chances that the code is already infected with malicious code are very high. Never download such files, and never install them on your website. The same applies to any client software installed on your computer.

18. Educate Web Developers/Programmers About Security

Anyone who writes web application code should be familiar with security. Here is a book that covers web application security, particularly for PHP: http://www.oreilly.com/catalog/phpsec/ and we recommend it to all. It covers different aspects of the vulnerabilities found today in web applications. Remember, one single line of bad code can give access to your entire account. Writing code is easy, but writing secure code needs awareness. This is not a problem of PHP or the server. It is a lack of security awareness and education. It should be a high priority in a web development project.

Let us know if you would like to add more to these tips by posting them in comments section below.

Importing Script Manually from Fantastico to Softaculous in cPanel


Fantastico is a scripts library that automates the installation of web applications to a website. We have been using Fantastico on our cPanel/WHM servers for a number of years but lately the updates have been slow. Many web hosting providers have already switched from Fantastico to Softaculous.

Switching from one software to another is not always easy. It requires careful planning and change management so that end users of the software are not disturbed. We were waiting for Fantastico to update their software, but time was slipping. There is news on their website that they are doing it now with new features. They are also offering a beta version of the latest updates, but we have now already switched to Softaculous.

Softaculous has done a good job of providing a smooth transition from other script libraries, including Fantastico. Once it is installed, the server administrator can log in to WHM and click the Import link to transfer the installation data of scripts. This enables customers to maintain the scripts and web applications they installed using Fantastico from the clean Softaculous interface in cPanel.

Import Script in Softaculous

That said, some scripts may not get imported from the admin interface and may need to be imported manually in cPanel. It is a three-step process.

1. Search the script name (e.g. WordPress) or click on the name in scripts list
2. When on the script page (within Softaculous) click Import in the top right
3. Provide the script location (if it is installed in root folder of the website, leave the “In Directory” empty) and click Import button.

Final Step in Importing Script

Now you'll have the script in your Softaculous list. If you click the All Installation icon (the brown box on the top menu), it will show you the script just imported. Enjoy!

How to redirect all traffic to one domain URL via mod_rewrite?


Normally when a website is hosted, both the domain and the domain with the www prefix load the same website. This can sometimes cause problems, as web pages can be accessed using two URLs (e.g. example.com and www.example.com).

Using mod_rewrite rules you can redirect all traffic to one domain. This is also beneficial for SEO (Search Engine Optimization), as it avoids duplicate URLs and pages in the search engine index. Search engines are becoming smart, however they still may not like duplicate pages.

To be on the safe side and to show only one URL for your website, you can use the following mod_rewrite rules under the Apache web server, in the .htaccess file placed in your web root (typically public_html).

RewriteEngine on
# Send requests for the bare domain to the www host with a permanent (301) redirect
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

This will redirect all traffic to one URL for all pages on your web site and there will be no duplicate URLs because of www. If you do not want to use www and instead prefer to use only example.com, you can use this instead:

RewriteEngine on
# Send requests for the www host to the bare domain with a permanent (301) redirect
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]

If you have other mod_rewrite rules, place one of the rule sets above at the top so that it is processed first; on the next pass it will be bypassed because the URL will not match again.

I am unable to reach my server / account / web site?


If you are unable to reach your website for more than a few minutes (while other websites are working fine from your computer), then it is most probably a network problem between your computer and the server. There can be several reasons for this, e.g. the firewall on the server may have blocked your access, or there may be a network issue between your Internet service provider and the web hosting server. To find out if this is the case, please follow these two steps:

Step 1

Run a traceroute. On a Windows computer, open Command Prompt using these steps:

Click Start > Select All Programs > Select Accessories > And then lastly select Command Prompt

Once there, enter this command:

tracert YOUR_DOMAIN_COM

[ where YOUR_DOMAIN_COM is your website domain name hosted on the server. Do not start with http:// – only enter the domain name part without any space in the name. ]

Once the tracert command completes, click on the top left corner of the Command Prompt window, select Edit and then Mark. Now highlight the entire output of the tracert command by dragging the mouse across the window from one corner to the other. Once it is highlighted, press the Enter key. The output is now in your clipboard. Please paste it into a support ticket.

Step 2 (optional)

We also need your public Internet IP address. We normally receive it when you open a support ticket, therefore this step is optional. If you want to provide this information as well, go to google.com and type this in the search box: What is my IP address?

The search result will show Your public IP address is …

Please copy/paste that into the support ticket as well. With this information our support team can quickly troubleshoot the issue and find out why you are unable to open your website or reach the server.


© 2019 Webx Networks.