Changing domain.com/cpanel

When using cPanel shared, or reseller hosting, is it possible, as a user/customer, to disable, or change the login through:
domain.com/cpanel

I have figured out how to disable cpanel.domain.com, but not the /cpanel

BikeGremlin I/O
Mostly WordPress ™

Comments

  • XsltelXsltel Hosting Provider

    your host provider will need to disable proxying that sub directory from tweak settings.
    I doubt its possible to override that in .htaccess

    Xsltel OU | A One-man show powered by 250 grams of brain
    Offering reliable hosting services, Server management since 2011 and free cPanel hosting since 2020

  • @Xsltel said:
    your host provider will need to disable proxying that sub directory from tweak settings.
    I doubt its possible to override that in .htaccess

    Yes - .htaccess from user's cPanel account doesn't help.
    Is that a normal thing to ask the provider?
    Can it be done on a per-customer level?

    I would expect it to require a server restart at least.

    BikeGremlin I/O
    Mostly WordPress ™

  • mikhomikho AdministratorHosting ProviderOG

    You have to talk to the provider if its only for one or a few domains,
    https://forums.cpanel.net/threads/possible-to-disable-domain-com-cpanel-for-client.468861/

    Thanked by (1)bikegremlin
  • XsltelXsltel Hosting Provider

    actually after further checking I don't see an option to disable that from tweak settings. I mixed that with subdomain in my first reply.

    however its possible to achieve that by these commands
    cp /var/cpanel/templates/apache2_4/ea4_main.default /var/cpanel/templates/apache2_4/ea4_main.local

    then editing the new file
    /var/cpanel/templates/apache2_4/ea4_main.local

    and finding and commenting these lines
    ScriptAliasMatch ^/?controlpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
    ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
    ScriptAliasMatch ^/?kpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
    ScriptAliasMatch ^/?securecontrolpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
    ScriptAliasMatch ^/?securecpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
    ScriptAliasMatch ^/?securewhm/?$ /usr/local/cpanel/cgi-sys/swhmredirect.cgi
    ScriptAliasMatch ^/?webmail$ /usr/local/cpanel/cgi-sys/wredirect.cgi
    ScriptAliasMatch ^/?webmail/ /usr/local/cpanel/cgi-sys/wredirect.cgi
    ScriptAliasMatch ^/?whm/?$ /usr/local/cpanel/cgi-sys/whmredirect.cgi

    then
    /scripts/rebuildhttpdconf
    /scripts/restartsrv_httpd

    if someone need to do it on their cPanel server

    Thanked by (2)bikegremlin Abdullah

    Xsltel OU | A One-man show powered by 250 grams of brain
    Offering reliable hosting services, Server management since 2011 and free cPanel hosting since 2020

  • If you're using Cloudflare, you can do it using their page rules.
    For example: domain.tld/cpanel -> domain.tld.
    Though if you're on the free plan, you won't have enough rules if you'd like to redirect all cPanel-related URLs (/cpanel, /whm, /webmail, :2083, :2087, :2096, ...)

    Thanked by (1)bikegremlin
  • @Naix said:
    If you're using Cloudflare, you can do it using their page rules.
    For example: domain.tld/cpanel -> domain.tld.
    Though if you're on the free plan, you won't have enough rules if you'd like to redirect all cPanel-related URLs (/cpanel, /whm, /webmail, :2083, :2087, :2096, ...)

    How much of a "hacking" risk does leaving those available pose?

    A friend got warned about these for their website, and asked me if it could be blocked somehow.
    I suppose a good, strong password, with any decent provider (that blocks 1000 tries per minute) should suffice. Am I wrong?

    BikeGremlin I/O
    Mostly WordPress ™

  • edited February 2021

    @bikegremlin said:

    @Naix said:
    If you're using Cloudflare, you can do it using their page rules.
    For example: domain.tld/cpanel -> domain.tld.
    Though if you're on the free plan, you won't have enough rules if you'd like to redirect all cPanel-related URLs (/cpanel, /whm, /webmail, :2083, :2087, :2096, ...)

    How much of a "hacking" risk does leaving those available pose?

    A friend got warned about these for their website, and asked me if it could be blocked somehow.
    I suppose a good, strong password, with any decent provider (that blocks 1000 tries per minute) should suffice. Am I wrong?

    Not much risk I think and yes you're right, that should be enough.
    You could also enable 2FA.
    When I attempted to do this, I was concerned about L4 DDoS attacks to the cPanel server, so I wanted to try and make it a bit harder to get the server IP.
    I gave up when I found out that there are many URLs and ports to try to redirect/hide.

    Thanked by (1)bikegremlin
  • bikegremlinbikegremlin ModeratorOG
    edited February 2021

    From what I could tell, when using Cloudflare, you can't get the server's IP, even when you are redirected to domain.com/cpanel.

    Of course, whm.domain.com, cpanel.domain.com etc. are disabled (aren't resolved through DNS), and mail.domain.com is not on the website's hosting server.

    2FA is a huge hassle, and not sure if I'm too naive, but I'm not a big fan of that. I understand it makes unauthorized access exponentially more difficult.

    Thanked by (1)Naix

    BikeGremlin I/O
    Mostly WordPress ™

Sign In or Register to comment.

This Site is currently in maintenance mode.
Please check back here later.

→ Site Settings