The cPanel Hosting Setup I Use for Client Sites at 330 Hosting

Running a hosting business alongside IT services means I need infrastructure that's reliable, secure, and efficient to manage. Here's the actual stack and configuration I use at 330 Hosting for client websites.

TL;DR

  • cPanel/LiteSpeed stack: Reliable, client-manageable hosting platform
  • Security first: CSF firewall, fail2ban, ModSecurity, regular hardening
  • WordPress optimized: Redis caching, PHP-FPM, LiteSpeed Cache
  • Redundant backups: Local + remote, tested regularly
  • Monitoring: Proactive alerting, performance tracking
  • Philosophy: Reliable over cheap, support over automation

Server Foundation

Base infrastructure:

  • VPS or dedicated server depending on client load
  • CentOS/AlmaLinux (cPanel's preferred platform)
  • Minimum 4GB RAM for small deployments, 8GB+ for WordPress-heavy loads
  • SSD storage (NVMe preferred for database performance)
  • Located in a US datacenter with good peering

Why cPanel:

  • Clients can manage basics themselves (email accounts, file manager)
  • Backup and restore is straightforward
  • SSL automation with AutoSSL
  • PHP version management per account
  • I know it well, which means faster troubleshooting

Initial Server Hardening

Before hosting any client sites:

SSH configuration:

# /etc/ssh/sshd_config changes
# Move SSH off port 22 to a custom port (reduces noise); <custom-port> is a placeholder
Port <custom-port>
PermitRootLogin no
# Key-only authentication
PasswordAuthentication no

Firewall (CSF preferred with cPanel):

# Install ConfigServer Firewall
cd /usr/src
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Key CSF settings I change:

  • TESTING = 0 (enable firewall)
  • TCP_IN: Only ports needed (80, 443, custom SSH, cPanel ports)
  • DENY_IP_LIMIT = 500 (prevent blocklist bloat)
  • LF_TRIGGER = 10 (login failure trigger)
  • Enable login failure tracking for SSH, SMTP, POP3, IMAP
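
The SSH and CSF values above can be checked together, including the one interaction that bites: the custom SSH port has to be allowed in TCP_IN before TESTING is set to 0. This is an added example, not the author's own tooling; the function names and the sample file contents (including port 2222) are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit sshd_config and csf.conf against the values listed above.

# First value set for an sshd keyword (keywords are case-insensitive).
sshd_val() { awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"; }

# Value of a csf.conf line written as NAME = "value".
csf_val() { awk -F'"' -v k="$2" '$1 ~ ("^[ \t]*" k "[ \t]*=") { print $2; exit }' "$1"; }

# check LABEL ACTUAL EXPECTED -> prints one PASS/FAIL line.
check() { if [ "$2" = "$3" ]; then echo "PASS $1"; else echo "FAIL $1 (got '$2', want '$3')"; fi; }

# audit_hardening SSHD_CONFIG CSF_CONF -> one PASS/FAIL line per setting.
audit_hardening() {
    port=$(sshd_val "$1" Port); port=${port:-22}    # sshd listens on 22 when Port is unset
    tcp_in=",$(csf_val "$2" TCP_IN),"               # wrap in commas for whole-port matching
    if [ "$port" != 22 ]; then echo "PASS Port moved off 22"; else echo "FAIL Port is 22"; fi
    check PermitRootLogin        "$(sshd_val "$1" PermitRootLogin)"        no
    check PasswordAuthentication "$(sshd_val "$1" PasswordAuthentication)" no
    check TESTING                "$(csf_val "$2" TESTING)"                 0
    check LF_TRIGGER             "$(csf_val "$2" LF_TRIGGER)"              10
    check DENY_IP_LIMIT          "$(csf_val "$2" DENY_IP_LIMIT)"           500
    # The SSH port must be allowed in TCP_IN, or enabling the firewall locks you out.
    # (Port ranges such as 30000:35000 are not expanded by this simple match.)
    case "$tcp_in" in *",$port,"*) ssh_in=open ;; *) ssh_in=closed ;; esac
    check "TCP_IN SSH port $port" "$ssh_in" open
    case "$tcp_in" in *,22,*) p22=open ;; *) p22=closed ;; esac
    [ "$port" = 22 ] || check "TCP_IN port 22" "$p22" closed
}

# Constructed sample files (not from a real server).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_config" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication yes
EOF
cat > "$tmp/csf.conf" <<'EOF'
TESTING = "0"
TCP_IN = "22,80,443,2083,2087"
LF_TRIGGER = "10"
DENY_IP_LIMIT = "200"
EOF
audit_hardening "$tmp/sshd_config" "$tmp/csf.conf"
```

On a live server, save the output of `sshd -T` (the effective configuration, printed with lowercase keywords) and audit that file together with /etc/csf/csf.conf.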

Fail2ban as additional layer (CSF handles most, but belt and suspenders):

  • Monitor SSH
  • Monitor cPanel login
  • Monitor WordPress logins (with WP Fail2ban plugin)

cPanel/WHM Configuration

Initial WHM Setup

Tweak Settings (WHM → Tweak Settings):

  • Default home directory: /home
  • Maximum Accounts per Client Domain: 1
  • Prevent users from parking/adding domains: varies by client
  • cPanel & WHM Updates: Automatic (STABLE tier)
  • System Update Preferences: Daily automatic updates

Security Center:

  • Enable cPHulk Brute Force Protection
  • Configure password strength requirements (minimum 12 chars)
  • Enable Two-Factor Authentication for WHM
  • Apache mod_userdir Protection: On

PHP Configuration (WHM → MultiPHP Manager):

  • Default PHP version: 8.1 or 8.2 (latest stable for WordPress)
  • Keep 7.4 available for legacy sites
  • Remove old unsupported versions

MultiPHP INI Editor (per-system defaults):

max_execution_time = 300
max_input_time = 300
memory_limit = 512M
post_max_size = 128M
upload_max_filesize = 128M
max_input_vars = 5000

These defaults work for most WordPress sites. Adjust per-account if needed.

Apache/LiteSpeed Configuration

I run LiteSpeed on most servers now. The performance gain for WordPress is significant.

If staying with Apache:

  • Enable mod_deflate for compression
  • Enable mod_expires for browser caching
  • Configure MPM Event (better than prefork for performance)

With LiteSpeed:

  • LSWS replaces Apache (cPanel compatible)
  • LiteSpeed Cache plugin for WordPress
  • HTTP/3 and QUIC support
  • Better resource usage under load

Performance settings:

# .htaccess defaults for static content
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
</IfModule>

MySQL/MariaDB Tuning

Basic tuning for WordPress-heavy server (8GB RAM):

# /etc/my.cnf additions
[mysqld]
innodb_buffer_pool_size = 2G
innodb_log_file_size = 256M
innodb_flush_log_at_trx_commit = 2
innodb_flush_method = O_DIRECT
max_connections = 150
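# Query cache off. These two lines apply to MariaDB and MySQL 5.7; MySQL 8.0 removed
# the query cache and will not start if they are present.
query_cache_type = 0
query_cache_size = 0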

Why disable query cache: It's deprecated and can cause contention. Let object caching (Redis) handle this at the application layer.

Email Configuration

SpamAssassin settings:

  • Score threshold: 5 (default is reasonable)
  • Auto-delete spam: No (let users check quarantine)
  • Bayes filtering: Enabled

DKIM, SPF, DMARC:

  • Enable DKIM for all domains
  • Guide clients on SPF records
  • Recommend DMARC with p=none initially, then quarantine

Outbound rate limiting:

  • Max emails per domain per hour: 500 (prevents compromised account spam blasts)
  • WHM → Tweak Settings → Max Hourly Emails Per Domain

Backup Strategy

This is where most cheap hosts fail. Backups are mandatory, not optional.

Local backups:

  • JetBackup or cPanel native backup
  • Daily incremental, weekly full
  • Retain 14 daily, 4 weekly

Remote backups:

  • Sync to separate backup server or object storage (S3/Backblaze B2)
  • Geographically separate from primary server
  • Test restores monthly

JetBackup configuration:

  • Enable account-level restores (clients can restore their own files)
  • Database-specific restores
  • Email restoration capability

WordPress-Specific Optimizations

Since 80% of hosted sites are WordPress:

Object caching with Redis:

# Install Redis
yum install redis
systemctl enable redis
systemctl start redis

# Install the PHP Redis extension via EasyApache 4 (done in the WHM UI, not the shell):
# WHM → EasyApache 4 → PHP Extensions → php-redis

Then use Redis Object Cache plugin per WordPress site.

PHP-FPM over suPHP:

  • Better performance
  • Per-user process pools
  • Configurable via MultiPHP Manager

ModSecurity with OWASP ruleset:

  • Provides WAF protection
  • Block common WordPress attacks
  • May need rule exceptions for some plugins (WooCommerce, page builders)

Imunify360 or similar:

  • Proactive defense
  • Malware scanning
  • Reputation management

Per-Account Setup (New Client Onboarding)

When I set up a new hosting account:

  1. Create account with strong password
  2. Configure PHP version appropriate for their site
  3. Enable AutoSSL - free SSL certificates from Let's Encrypt
  4. Set resource limits based on their plan:
    • CPU seconds
    • Physical memory
    • Entry processes
    • I/O throughput
  5. Create staging subdomain if they'll be doing development
  6. Document control panel access and send credentials securely

Monitoring

What I monitor:

  • Server load average
  • Disk space (/ and /home partitions)
  • Memory usage
  • MySQL connections
  • SSL certificate expiration
  • Service availability (HTTP, MySQL, mail)

Tools:

  • Nagios/Icinga for alerting
  • Netdata for real-time dashboard
  • cPanel native stats for per-account usage

Uptime monitoring:

  • External ping monitor for each significant site
  • Alert on 5xx errors
  • DNS monitoring

Security Incident Response

When something goes wrong (malware, compromise, etc.):

  1. Isolate - suspend account if actively malicious
  2. Identify - check access logs, file modification times
  3. Clean - remove malware, backdoors
  4. Harden - update WordPress/plugins, reset passwords
  5. Restore if needed from known-good backup
  6. Document - for client and own records

Common WordPress compromises:

  • Outdated plugins (90% of cases)
  • Weak admin passwords
  • Nulled themes/plugins with backdoors
  • xmlrpc.php attacks
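
For the "Identify" step, the sketch below triages an access log for the login and xmlrpc.php traffic listed above and lists PHP files changed since a known-clean time. It is an added example, not the author's script; the function names and the sample log lines are constructed, and it assumes the log is in Apache combined format.

```sh
#!/bin/sh
# Added example for the "Identify" step: triage an access log in Apache combined format.
# Whitespace-split fields: $1 client IP, $6 "METHOD, $7 request path, $9 status.

# login_post_counts LOG -> "count ip path" for POSTs to wp-login.php / xmlrpc.php.
login_post_counts() {
    awk '$6 == "\"POST" { p = $7; sub(/[?].*/, "", p)
             if (p ~ /\/(wp-login|xmlrpc)\.php$/) n[$1 " " p]++ }
         END { for (k in n) print n[k], k }' "$1" | sort -k1,1nr -k2
}

# guessed_logins LOG MIN_FAILS -> IPs that got a 302 from wp-login.php after at least
# MIN_FAILS 200 responses. WordPress normally re-renders the form (200) on a failed
# login and redirects (302) on success, so this pattern suggests a guessed password.
guessed_logins() {
    awk -v t="$2" '$6 == "\"POST" { p = $7; sub(/[?].*/, "", p)
             if (p !~ /\/wp-login\.php$/) next
             if ($9 == 200) fail[$1]++
             else if ($9 == 302 && fail[$1] >= t) print $1 }' "$1" | sort -u
}

# recent_php DOCROOT MARKER -> PHP files modified after MARKER's mtime (set the marker
# with `touch -t` to the last time the site was known to be clean).
recent_php() { find "$1" -type f -name '*.php' -newer "$2" | sort; }

# Constructed sample log (documentation IP ranges, not real traffic).
log=$(mktemp); trap 'rm -f "$log"' EXIT
cat > "$log" <<'EOF'
203.0.113.7 - - [12/May/2024:03:10:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.7 - - [12/May/2024:03:10:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.7 - - [12/May/2024:03:10:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.23 - - [12/May/2024:03:11:10 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "-"
198.51.100.23 - - [12/May/2024:03:11:12 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "-"
198.51.100.23 - - [12/May/2024:03:11:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
192.0.2.50 - - [12/May/2024:09:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "-"
192.0.2.50 - - [12/May/2024:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
EOF
login_post_counts "$log"
echo "possible guessed login from: $(guessed_logins "$log" 2)"
```

An IP reported by `guessed_logins` is a reason to reset that site's admin passwords and review sessions before moving on to the Clean step.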

What I Don't Do

  • Oversell resources: If the server can handle 50 accounts well, I don't add 100
  • Skimp on backups: The cost of storage is nothing compared to data loss
  • Ignore updates: Security patches go in promptly
  • Use shared IP for everyone: Sites that need it get dedicated IPs
  • Promise unlimited anything: Reasonable limits, clearly communicated

Pricing Philosophy

My hosting isn't the cheapest. It's:

  • Reliable (redundant backups, monitored)
  • Secure (hardened, firewalled, malware-scanned)
  • Supported (I answer the phone)
  • Properly resourced (not oversold)

That's worth more than $3/month hosting from a big box provider where you're a ticket number.

The technical setup above takes time to configure and maintain. But it results in hosting that clients can depend on, and that I can sleep at night providing.

Need Reliable WordPress Hosting?

Looking for hosting that's actually secure, monitored, and supported? At my company 330 Hosting, we provide cPanel hosting that's optimized for WordPress with the configurations described above.

Whether you need shared hosting, a VPS, or dedicated server, we focus on reliability over cheap pricing. Check out our hosting plans or contact us to discuss your needs.