
cPanel is a Linux web management panel that has become the de facto standard across the global shared hosting and VDS market. Bundled with WHM (WebHost Manager), this duo unifies dozens of independent components — Apache, BIND, Exim, Dovecot, MySQL/MariaDB, PHP — under a single coherent administration interface. A cPanel VDS license is the account-based usage right you purchase to run that panel on your own virtual server — whether on Hetzner, AWS, Contabo, OVH, or a local Turkish provider's VDS plan.

This guide covers the entire operational loop: installing cPanel on a VDS from scratch, picking the right license, configuring WHM, creating accounts, AutoSSL, backups, security hardening, and performance tuning. By the end you'll know exactly which license tier to buy, which configuration counts as production-ready, and which traps to avoid.

Related guides: Managing Websites with cPanel · VPS vs VDS · Hosting Types and How to Choose · Let's Encrypt SSL Setup · VPS Security Hardening · Plesk Panel Management

What Is a cPanel VDS, and Why Run It on Your Own Server?

In shared hosting plans cPanel comes pre-installed; the provider has paid for the license, set the resource limits, and configured the backup policy on your behalf. A VDS (Virtual Dedicated Server), by contrast, gives you a virtual server with root access and dedicated resources. Installing cPanel on that server means you manage the panel under your own root, with your own PHP versions and your own security rules. The most common scenarios: becoming a reseller, hosting multiple clients, organizing your own WordPress portfolio, or running an agency's infrastructure.

Our VPS vs VDS article — which dives into the subtle but important distinction between the two — also covers which type of virtual server is appropriate for cPanel. Short version: cheap VPS plans with shared, oversold CPUs are a bad choice for cPanel. cPanel + WHM expects a minimum of 2 vCPU, 4 GB RAM, and 40 GB SSD; for real commercial use, 4 vCPU / 8 GB RAM / 80 GB NVMe is the starting point.

cPanel License Tiers: Solo, Admin, Pro, Premier

Since the famous 2019 pricing change, cPanel L.L.C. has used account-based licensing: the price you pay scales with the number of cPanel accounts created on the server. The official license plans for 2026 are below; always treat cpanel.net/pricing as the canonical reference:

  • cPanel Solo: Single account (only 1 cPanel user). For personal projects and single-site hosting. WHM is still available, but you can only create one account.
  • cPanel Admin: Up to 5 accounts. For small agencies, freelance developers, or anyone consolidating a handful of projects on one server.
  • cPanel Pro: Up to 30 accounts. Ideal for small-to-mid hosting resellers, boutique agencies, and corporate IT teams.
  • cPanel Premier: Starts at 100 accounts; per-account fee on top of that. For commercial hosting providers.
  • cPanel Premier Metal (formerly Plus): 100+ accounts on a dedicated (physical, not virtual) server, with an upcharge.

Licenses are IP-bound: they tie to the IP you specify at activation, and if the IP changes you get one transfer per 24 hours via cPanel's Manage2 panel. So before installing cPanel, make sure your VDS's IP is static and that your provider won't surprise you with elastic-IP-style changes.

Pricing Ranges: 2026 Estimates and the Reseller Edge

Official cPanel pricing climbs every year, and VAT, exchange rates, and partner discounts all shift the final amount you'll actually pay. The numbers below are approximate, vary by provider, and reflect 2026 data; always verify live pricing on cpanel.net.

  • Solo / 1 account: around 17-21 USD/month (annual billing may carry a discount).
  • Admin / 5 accounts: 29-35 USD/month range.
  • Pro / 30 accounts: 49-59 USD/month range.
  • Premier / 100 accounts: 67-79 USD/month; +0.17 USD per account beyond 100.
  • Turkish partner resellers: With local TRY invoicing and monthly billing, expect ₺600-2,500/month; partner-channel licenses are typically 10-25% cheaper than the official web pricing.

Searches for "buy cPanel" turn up two paths: directly from cpanel.net (card, USD), or via a Turkish partner provider (TRY, local invoice). The second option lowers FX friction and gets you Turkish-language support. Be cautious with platforms reselling licenses: gray-market (revocable) licenses aren't rare, and one day your panel might shut down with a "License Expired" error.

cPanel's official minimum requirements are very low, but in the real world those numbers don't produce a usable system. Here are the realistic figures we've observed at scale:

  • Test/staging: 2 vCPU, 4 GB RAM, 40 GB NVMe — single site, low traffic, dev use.
  • Production — small: 4 vCPU, 8 GB RAM, 80 GB NVMe — 5-15 accounts, moderate traffic (5-20K total daily pageviews).
  • Production — medium: 6-8 vCPU, 16 GB RAM, 160 GB NVMe — 15-50 accounts, e-commerce-heavy.
  • Production — large: 12-16 vCPU, 32-64 GB RAM, 250+ GB NVMe + a separate backup volume — 50-100 accounts, reseller portfolio.
  • Operating system: AlmaLinux 8/9, Rocky Linux 8/9, or Ubuntu 20.04/22.04. CentOS 7 has been declared EOL by cPanel — don't install it.

NVMe should be considered standard for disks now: roughly 70% of cPanel workloads are metadata-heavy (mail, logs, cache), so even SATA SSDs make a clear difference and spinning disks (HDDs) shouldn't even be on the table. On the RAM side, trying to run cPanel on a sub-4 GB VDS leads to heavy swap and frequent visits from the OOM killer.

Step 1: Choosing a VDS Provider

Local Turkish providers (Natro, Turhost, İhsHost, Atak Domain, Vargonen, Radore, etc.) bundle ready-to-go cPanel VDS plans with a license, which can save time at the start. For Europe-focused options, Hetzner Cloud (Germany/Finland), Contabo (Germany), OVH (France), and UpCloud (Finland) are the most cost-effective alternatives. Geographic choice swings TTFB by 30-80 ms — for a Turkish audience, prefer a TR location or the closest EU region.

Our broader take on hosting types — What Is Hosting? Types and How to Choose — also breaks down the differences between shared hosting, cloud, and dedicated.

Step 2: Operating System and Pre-Install Prep

Let's start by installing cPanel on AlmaLinux 9. On your first SSH session, run these checks: is the hostname correct (e.g., srv1.yourdomain.com), is the reverse PTR set, can the FQDN be pinged? cPanel installation requires an FQDN hostname; localhost.localdomain or a single-word hostname will cause the install to fail.

# Set hostname to FQDN
hostnamectl set-hostname srv1.yourdomain.com

# Add to /etc/hosts
echo "123.45.67.89 srv1.yourdomain.com srv1" >> /etc/hosts

# System update
dnf -y update
reboot

# Sanity-check before install
hostname -f
ping -c 2 srv1.yourdomain.com
free -h
df -h

# Important: put SELinux in permissive mode
setenforce 0
sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config

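# NetworkManager causes issues on some releases. On AlmaLinux 9 (used here) keep it
# enabled: the legacy 'network' service no longer exists there, so stopping
# NetworkManager takes the server off the network mid-session.
# Only on older releases that still ship the 'network' service:
# systemctl enable --now network && systemctl disable --now NetworkManager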

Important: changing the hostname after cPanel is installed can break the license's IP/host binding, so finalize the hostname decision before installing. cPanel also officially puts SELinux into permissive mode; if you leave it enforcing, the panel will throw 500s in many places.

Step 3: The cPanel Install Command

cPanel ships a single-line install script. It pulls in every dependency automatically (Apache, BIND, Exim, Dovecot, MySQL or MariaDB, PHP, FTP) and takes 30-60 minutes on average. Do not reboot during the install, and use screen or tmux so you don't lose progress if your connection drops.

# screen session — survives connection drops during install
yum -y install screen perl curl wget
screen -S cpanel-install

# Official one-line installer
cd /home && curl -o latest -L https://securedownloads.cpanel.net/latest
sh latest

# Alternative (one-liner); use it instead of the two commands above, not after them
curl -L https://securedownloads.cpanel.net/latest | sh

# After install, the WHM URL
echo "https://srv1.yourdomain.com:2087"

# Trial license is valid for 15 days; once you've purchased:
/usr/local/cpanel/cpkeyclt

When the install finishes, the server activates a 15-day trial license automatically; during that window you can purchase a license and refresh it with the cpkeyclt command. Activation maps your IP into the license pool through cPanel's Manage2.

First Login to WHM and the Initial Setup Wizard

Sign in to WHM at https://server-ip:2087 with your root password. On first launch, it walks you through these steps in order:

  • Accept the license agreement (EULA).
  • Confirm the server hostname (FQDN) and a server contact email.
  • Primary/secondary DNS resolver (typically 1.1.1.1 and 8.8.8.8).
  • Main network interface (eth0 / ens18) and IP configuration.
  • Nameserver configuration: ns1.yourdomain.com, ns2.yourdomain.com. If you don't have two separate nameserver IPs, cPanel suggests a cluster or a second cPanel DNSONLY server.
  • FTP, mail, and cPHulk brute-force protection choices.

Once the wizard finishes you land on the WHM home screen. Every administrative task from here on — creating accounts, defining packages, configuring EasyApache, choosing the MySQL version — happens through this panel. For a deeper day-to-day cPanel usage guide, see our Managing Websites with cPanel article.

WHM Tweak Settings: 12 Critical Knobs for Production

WHM > Server Configuration > Tweak Settings has 200+ options; the ones below absolutely should be reviewed before going to production.

  • Compress access logs: On. Significant disk savings.
  • Default catch-all/default address behavior: fail. :blackhole: leaves an open door for spam.
  • Initial default web page: a blank page instead of Default Apache page reduces information leakage.
  • Allow cPanel users to reset their password via email: On, but only if 2FA is enforced.
  • Use jailshell as the default shell for new accounts: On. Stops customer accounts from roaming the wider server.
  • Apache 'mod_userdir Tweak': Disabled. Closes off http://ip/~user/ URLs.
  • Maximum hourly emails per domain: 250-500. A shield against spam zombies.
  • Prevent the user 'nobody' from sending mail: On. A classic spam vector.
  • SMTP Restrictions: On. Only Exim and mailman can use port 25.
  • Cookie IP validation: strict. Reduces session-hijacking risk.
  • Require SSL (cPanel/WHM): On. Disables plain-text panel logins.
  • Compiler access: From WHM > Compiler Access, set Disabled for all non-root users.

EasyApache 4: Apache, PHP, and Modules

EasyApache 4 (EA4) is the WHM tool that lets you configure the Apache web server, PHP versions, and dozens of modules as a single profile. A typical 2026 profile: Apache 2.4 + MPM event + PHP 7.4, 8.1, 8.2, 8.3 in parallel (per-account version selection) + opcache + imagick + redis + memcached + curl + mbstring + intl + zip + soap.

# EA4 profile management from the CLI
yum install ea-php82 ea-php82-php-fpm ea-php82-php-mysqlnd \
 ea-php82-php-opcache ea-php82-php-redis ea-php82-php-imagick \
 ea-php82-php-mbstring ea-php82-php-intl ea-php82-php-soap

# Restart Apache
/scripts/restartsrv_httpd

# Export the EasyApache profile
ea_profile_export --filename=/root/ea4-prod.json

# Use WHM > Software > MultiPHP Manager to choose
# the PHP version each account runs
whmapi1 php_set_system_default_version version=ea-php82
whmapi1 php_set_vhost_versions version=ea-php82 vhost-0=sitename.com

Enable PHP-FPM on every account (instead of Apache mod_php): each cPanel account runs in its own isolated pool, so a heavy site can't drag the others down. For deeper tuning we cover the PHP opcache + JIT + preload combo in our Site Optimization guide.

MySQL or MariaDB? cPanel's Stance

cPanel officially supports MySQL 8.0 and MariaDB 10.5/10.6/10.11. The default at install is MariaDB 10.11. We compare these in MySQL vs PostgreSQL; since the cPanel ecosystem doesn't officially support PostgreSQL, in practice the choice is between MySQL and MariaDB.

# Check the current version
/usr/local/cpanel/scripts/check_database_server

# Upgrade to MariaDB 10.11 (back up first!)
/usr/local/cpanel/scripts/manage_mysql_profiles --activate=MariaDB106
# Can also be done via WHM > SQL Services > Manage MySQL Profiles

# my.cnf production tuning (for 8 GB RAM)
cat > /etc/my.cnf.d/server-tuning.cnf <<'EOF'
[mysqld]
innodb_buffer_pool_size = 4G
innodb_log_file_size = 512M
innodb_flush_log_at_trx_commit = 2
innodb_flush_method = O_DIRECT
max_connections = 200
thread_cache_size = 64
table_open_cache = 4000
tmp_table_size = 128M
max_heap_table_size = 128M
slow_query_log = 1
slow_query_log_file = /var/log/mysql-slow.log
long_query_time = 1
EOF

systemctl restart mariadb

Keep innodb_buffer_pool_size around 50% of RAM. cPanel's default is far too low, and on high-traffic WordPress sites InnoDB will be the first bottleneck you hit.

Step 4: Creating the First Account

Define a hosting package (for example basic: 5 GB disk, 50 GB monthly traffic, 5 emails) under WHM > Packages > Add a Package, then create a new cPanel user via Account Functions > Create a New Account. You can also do it from the CLI:

# Create a package
whmapi1 addpkg name=basic quota=5120 maxftp=5 maxsql=5 \
 maxpop=10 maxlst=2 maxsub=10 maxpark=2 maxaddon=2 \
 bwlimit=51200 hasshell=0 cpmod=jupiter

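# Create a new cPanel account
# (the password is a placeholder; a real one typed here ends up in shell history
# and shows in the process list while the command runs)
whmapi1 createacct username=acmecorp domain=acmecorp.com \
 plan=basic password='verySecurePass123!' \
 contactemail=admin@acmecorp.com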

# Suspend / unsuspend the account
whmapi1 suspendacct user=acmecorp reason='unpaid invoice'
whmapi1 unsuspendacct user=acmecorp

# List accounts
whmapi1 listaccts

# Change password
whmapi1 passwd user=acmecorp password='newPassword!'

jupiter is the new default cPanel UX theme; the old paper_lantern was officially retired in 2023, so always use jupiter on fresh installs.

DNS: Cluster or Single Server?

cPanel requires two nameservers (ns1, ns2). Binding both to two different IPs on the same server is technically possible, but the best practice is to stand up a separate cPanel DNSONLY server and form a BIND cluster. DNSONLY is free — it's a DNS-only variant of the cPanel package.

  • Single server, two IPs: a cheap starter option; if the main server goes down, the second nameserver goes with it, so glue NS resolution becomes shaky.
  • Cluster + DNSONLY: BIND configuration on the primary syncs to one or two DNSONLY servers; failover is solid.
  • Cloudflare DNS: move every domain's NS to Cloudflare and manage them there; you can disable cPanel's BIND entirely — the simplest setup. Our What Is DNS, How to Change Settings guide covers the basics.

AutoSSL: Automating Free SSL

cPanel's AutoSSL feature provisions a free Let's Encrypt or Sectigo certificate for every domain and subdomain on an account, then auto-renews 60 days before expiration. No more manual certbot wrangling.

# Pick the Let's Encrypt provider in WHM > Manage AutoSSL
# Activate via the CLI
/usr/local/cpanel/bin/whmapi1 set_autossl_provider provider=LetsEncrypt

# Force AutoSSL to run for every account
/usr/local/cpanel/bin/autossl_check --all

# For a specific user
/usr/local/cpanel/bin/autossl_check --user=acmecorp

# AutoSSL log
tail -f /var/cpanel/logs/autossl.log

The two most common reasons AutoSSL fails: (1) DCV (Domain Control Validation) can't reach http://domain/.well-known/pki-validation/ — Cloudflare proxy must be bypassed for auto-renewal, or DNS-01 challenge must be used; (2) the www. subdomain has no A record. For deeper SSL coverage, see Let's Encrypt SSL and How to Get an SSL Certificate.

Email: Exim, Dovecot, and Mailbox Format

The cPanel mail stack uses Exim (MTA) + Dovecot (IMAP/POP). The default mailbox format is maildir/; mailbox size counts against the account's disk quota. SPF, DKIM, and DMARC records are automated similarly to AutoSSL — WHM auto-generates a DKIM key whenever a new account is created.

# DKIM key status
whmapi1 has_dkim_records_for_user user=acmecorp
whmapi1 install_dkim_records_for_user user=acmecorp

# Account SPF record
whmapi1 install_spf_records domain=acmecorp.com

# Mail queue
exim -bpc # queue size
exim -bp | head -50 # first 50 messages in queue
exim -Mvh MSGID # inspect headers
exiqgrep -i | xargs -n1 -P4 exim -Mrm # delete the entire queue (caution!)

# Mail logs
tail -f /var/log/exim_mainlog
tail -f /var/log/maillog

SMTP auth brute-force is the most common attack. Under WHM > cPHulk Brute Force Protection, set distinct thresholds for SMTP, IMAP, POP, FTP, cPanel, and SSH. When an account gets compromised and turned into a spam zombie, you can stop it from sending mail with one command:

# Hourly mail limit (anti-spam)
whmapi1 modifyacct user=acmecorp MAX_EMAIL_PER_HOUR=100

# Halt mail from a suspicious account
echo "acmecorp" >> /etc/exim_mailusers_quotas
systemctl reload exim

# Outgoing spam detection — find the highest 'sender_count'
grep -E '<= ' /var/log/exim_mainlog | \
 awk '{print $5}' | sort | uniq -c | sort -rn | head -20
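
The one-liner above counts envelope senders over the whole log. The following added example (not from the original page) goes one step further and tallies per clock hour by authenticated mailbox and by script directory, which is what an hourly cap such as MAX_EMAIL_PER_HOUR acts on. The log lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: per-hour sender tally for an Exim main log.
# The lines produced by sample_log are constructed; real input is /var/log/exim_mainlog.

# hourly_senders LOGFILE LIMIT
# Prints "COUNT DATE HOUR KIND IDENTITY" for each identity that submitted more
# than LIMIT messages within one clock hour. KIND is one of:
#   auth   - SMTP-authenticated mailbox (A=<driver>:<login> on the "<=" line)
#   sender - envelope sender of a message accepted without SMTP auth
#   script - working directory of a local sendmail call (cwd= line)
hourly_senders() {
    awk -v limit="$2" '
        $4 == "<=" {                       # message accepted; $5 is the envelope sender
            hour = $1 " " substr($2, 1, 2) ":00"
            id = ""
            for (i = 6; i <= NF; i++)
                if ($i ~ /^A=[a-z_]+:/) { id = $i; sub(/^A=[a-z_]+:/, "", id) }
            if (id != "") n[hour " auth " id]++
            else          n[hour " sender " $5]++
            next
        }
        # Local submission by a script: the cwd= field names the directory it ran in
        $3 ~ /^cwd=\/home\// { n[$1 " " substr($2, 1, 2) ":00 script " substr($3, 5)]++ }
        END { for (k in n) if (n[k] > limit + 0) print n[k], k }
    ' "$1" | sort -rn
}

# Constructed sample: one mailbox sending 5 messages in the 10:00 hour, one
# normal mailbox, and a script under an uploads directory sending 4 at 11:00.
sample_log() {
    i=1
    while [ "$i" -le 5 ]; do
        printf '2026-05-06 10:0%d:12 1sAbC%d-0001aB-2x <= info@acmecorp.com H=(pc) [203.0.113.7]:51234 P=esmtpsa A=dovecot_login:info@acmecorp.com S=1432\n' "$i" "$i"
        printf '2026-05-06 10:0%d:13 1sAbC%d-0001aB-2x => rcpt%d@example.org R=dkim_lookuphost T=dkim_remote_smtp\n' "$i" "$i" "$i"
        i=$((i + 1))
    done
    printf '2026-05-06 10:20:00 1sQrSt-0003eF-7k <= sales@example.net H=(laptop) [198.51.100.20]:40100 P=esmtpsa A=dovecot_login:sales@example.net S=900\n'
    i=1
    while [ "$i" -le 4 ]; do
        printf '2026-05-06 11:1%d:01 cwd=/home/acmecorp/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i\n' "$i"
        printf '2026-05-06 11:1%d:01 1sXyZ%d-0002cD-9q <= acmecorp@srv1.yourdomain.com U=acmecorp P=local S=2210\n' "$i" "$i"
        i=$((i + 1))
    done
}

# Demo run: a limit of 3 fits the tiny sample; on a live log use the account's hourly cap
log=$(mktemp)
sample_log > "$log"
hourly_senders "$log" 3
rm -f "$log"
```

A "script" hit under an uploads or cache directory usually points at a dropped mailer file rather than a stolen mailbox password, so the response differs: clean the account instead of only resetting the mailbox.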

Backups: Backup Configuration

WHM > Backup Configuration is one of cPanel's most critical features. Never leave it disabled. Recommended setup: daily incremental + weekly full + monthly full, targeting another server (FTP, SCP, S3, Backblaze B2, Wasabi) — local backups alone won't save you from a real disaster.

  • Backup type: Incremental (saves space) or Compressed (faster restore, more space).
  • Daily Backup: 7-day retention
  • Weekly Backup: 4-week retention
  • Monthly Backup: 3-month retention
  • Additional destinations: at least one off-site (S3 + Backblaze B2 strike a great cost/perf balance)
  • Encrypted backup: always encrypt off-site backups with GPG (cPanel has native support).

# Manual account backup
/usr/local/cpanel/scripts/pkgacct acmecorp /home/backups

# Bulk backup of all accounts
/usr/local/cpanel/bin/backup --force

# Copy backups to another server (rsync)
rsync -avz --progress -e 'ssh -p 22' \
 /backup/2026-05-06/accounts/ \
 backup@backup.yourdomain.com:/srv/cpanel-backups/srv1/

# Push to B2 (Backblaze)
rclone copy /backup b2:bucket-name/srv1/ --transfers 4 --checkers 8

Apply the 3-2-1 backup rule (3 copies, 2 different media, 1 off-site) to your hosting infrastructure too. For deeper strategy, our Database Backup Strategies article covers full / incremental / PITR differences and the test procedure.

Security Hardening: cPHulk, ModSecurity, CSF

cPanel ships three core security components: cPHulk (service-level brute-force protection), ModSecurity (Apache WAF), and the optionally installed CSF/LFD (host-level firewall). All three should be active.

# CSF install (popular and free)
cd /usr/src && rm -rf csf*
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz && cd csf
sh install.sh

# Test: are CSF requirements met?
perl /usr/local/csf/bin/csftest.pl

# Edit default config (the important parts)
sed -i 's/^TESTING = "1"/TESTING = "0"/' /etc/csf/csf.conf
sed -i 's/^TCP_IN = "\(.*\)"/TCP_IN = "22,25,53,80,110,143,443,465,587,993,995,2078,2083,2087,2096"/' /etc/csf/csf.conf
sed -i 's/^SMTP_BLOCK = "0"/SMTP_BLOCK = "1"/' /etc/csf/csf.conf
sed -i 's/^LF_TRIGGER = "0"/LF_TRIGGER = "5"/' /etc/csf/csf.conf

# Restart
csf -r

ModSecurity is enabled under WHM > Security Center > ModSecurity Vendors by activating the OWASP CRS 3.x or Comodo WAF rule set. Default rules can produce false positives; you can disable specific rule IDs on a per-account basis.

# Inspect the ModSecurity audit log
tail -f /usr/local/apache/logs/modsec_audit.log

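# Find the most-triggered rule IDs (the log records them as [id "NNNNNN"])
grep -oE '\[id "[0-9]+"\]' /usr/local/apache/logs/modsec_audit.log | \
 sort | uniq -c | sort -rn | head -20

# Per-account rule disable (example)
# 949110 and 980130 are the OWASP CRS anomaly-score blocking and reporting
# rules: removing 949110 stops CRS from blocking requests on this vhost, so in
# practice list the specific detection rule ID that misfires instead
cat > /etc/apache2/conf.d/modsec/userdata/std/2/acmecorp/acmecorp.com/modsec.conf <<'EOF'
<IfModule mod_security2.c>
 SecRuleRemoveById 949110 980130
</IfModule>
EOF
/scripts/restartsrv_httpd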
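
To decide which rule ID to exclude for one account, it helps to tally detection rules per virtual host and leave out the CRS anomaly-score rules 949110 and 980130, which fire on every blocked request regardless of cause. This is an added example, not from the original page; the audit-log excerpt is constructed, assumes the serial ModSecurity 2 audit format (sections A, B, H, Z), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detection-rule tally per virtual host from a ModSecurity audit log.

# rules_by_host AUDIT_LOG
# Prints "COUNT HOST RULE_ID", most frequent first, skipping 949110 and 980130.
rules_by_host() {
    awk '
        /^--[0-9A-Za-z]+-[A-Z]--$/ {             # section boundary, e.g. --a1b2c3d4-B--
            sect = substr($0, length($0) - 2, 1)
            if (sect == "A") host = "-"          # a new transaction starts
            next
        }
        sect == "B" && tolower($1) == "host:" { host = $2; sub(/\r$/, "", host) }
        sect == "H" && /^Message:/ {
            s = $0
            while (match(s, /\[id "[0-9]+"\]/)) {
                id = substr(s, RSTART + 5, RLENGTH - 7)   # digits between [id " and "]
                s = substr(s, RSTART + RLENGTH)
                if (id != "949110" && id != "980130") n[host " " id]++
            }
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -k1,1rn -k2
}

# Constructed excerpt: two blocked requests on acmecorp.com, one on another vhost.
sample_audit_log() {
    cat <<'EOF'
--a1b2c3d4-A--
[06/May/2026:10:15:01 +0300] ZkQ1 203.0.113.7 51234 192.0.2.10 443
--a1b2c3d4-B--
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: acmecorp.com

--a1b2c3d4-H--
Message: Warning. Match at ARGS:content. [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941160"] [msg "constructed"]
Message: Access denied with code 403 (phase 2). [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
--a1b2c3d4-Z--

--e5f6a7b8-A--
[06/May/2026:10:16:40 +0300] ZkQ2 203.0.113.7 51240 192.0.2.10 443
--e5f6a7b8-B--
POST /wp-admin/post.php HTTP/1.1
Host: acmecorp.com

--e5f6a7b8-H--
Message: Warning. Match at ARGS:content. [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941160"] [msg "constructed"]
Message: Access denied with code 403 (phase 2). [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
Message: Warning. [file "RESPONSE-980-CORRELATION.conf"] [id "980130"] [msg "Inbound Anomaly Score Exceeded"]
--e5f6a7b8-Z--

--c9d0e1f2-A--
[06/May/2026:10:17:05 +0300] ZkQ3 198.51.100.20 40100 192.0.2.10 443
--c9d0e1f2-B--
GET / HTTP/1.1
Host: shop.example.net

--c9d0e1f2-H--
Message: Warning. [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [msg "constructed"]
Message: Access denied with code 403 (phase 2). [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
--c9d0e1f2-Z--
EOF
}

# Demo run on the constructed excerpt
log=$(mktemp)
sample_audit_log > "$log"
rules_by_host "$log"
rm -f "$log"
```

Here the candidate for a per-account exclusion on acmecorp.com is 941160, not 949110, so the rest of the rule set keeps blocking for that vhost.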

For DDoS protection, fronting your origin with a CDN+WAF layer like Cloudflare or Bunny dramatically reduces both origin load and attack surface; we lay out the multi-layer architecture in our DDoS Protection guide.

VPS Hardening: SSH, Fail2ban, Sudo

cPanel's defaults are a decent baseline, but they aren't enough. You need the same discipline at the server level: passwordless SSH (public key only), root login disabled, the SSH port shifted off the default, and fail2ban guarding against SSH brute-force. For details, see our VPS Security Hardening and Fail2ban Guide.

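# Harden /etc/ssh/sshd_config
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i 's/^#\?Port 22$/Port 2289/' /etc/ssh/sshd_config
# AllowUsers admin shuts out every other user, root included: the 'admin'
# account must already exist with a working public key and sudo rights
echo 'AllowUsers admin' >> /etc/ssh/sshd_config

# Open the new SSH port in CSF before restarting sshd. 22 is the first entry of
# the TCP_IN list set earlier, so match it after the opening quote or a comma.
sed -i -E '/^TCP_IN = /s/([",])22,/\12289,/' /etc/csf/csf.conf
csf -r

# Validate the config, then restart; keep the current session open and
# confirm a new login on port 2289 before closing it
sshd -t && systemctl restart sshd

# 2FA for WHM logins
whmapi1 twofactorauth_enable_policy
# Turns on the two-factor security policy; each user, root included, then enrolls a TOTP app (Google Authenticator/Authy)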
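
Moving the SSH port while CSF filters inbound traffic is the step most likely to lock an administrator out, so a pre-flight check is worth running before sshd is restarted. The following is an added example, not from the original page: it reads the output of `sshd -T` and a csf.conf, both given here as constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: lockout pre-flight for the SSH port change.
# Input 1 is saved output of `sshd -T` (effective settings, lowercase keywords);
# input 2 is csf.conf. Both samples below are constructed.

# csf_allows_port CSF_CONF PORT -> exit 0 if PORT is listed in TCP_IN,
# either as a single port or inside a lo:hi range.
csf_allows_port() {
    sed -n 's/^TCP_IN *= *"\(.*\)".*/\1/p' "$1" | tr ',' '\n' |
    awk -v p="$2" '
        { lo = $0; hi = $0 }
        index($0, ":") { split($0, r, ":"); lo = r[1]; hi = r[2] }
        p + 0 >= lo + 0 && p + 0 <= hi + 0 { ok = 1 }
        END { exit !ok }'
}

# preflight SSHD_T_OUTPUT CSF_CONF -> prints findings, returns 1 if there are any.
preflight() {
    rc=0
    for port in $(awk '$1 == "port" { print $2 }' "$1"); do
        csf_allows_port "$2" "$port" ||
            { echo "LOCKOUT: sshd port $port is not in CSF TCP_IN"; rc=1; }
    done
    pa=$(awk '$1 == "passwordauthentication" { print $2 }' "$1")
    [ "$pa" = "no" ] || { echo "WEAK: passwordauthentication is '$pa'"; rc=1; }
    # sshd -T may print prohibit-password as without-password; only "yes" fails
    prl=$(awk '$1 == "permitrootlogin" { print $2 }' "$1")
    [ "$prl" != "yes" ] || { echo "WEAK: permitrootlogin is 'yes'"; rc=1; }
    return "$rc"
}

sample_sshd_t() {    # constructed excerpt of `sshd -T` after the sshd_config edits
    cat <<'EOF'
port 2289
permitrootlogin without-password
passwordauthentication no
pubkeyauthentication yes
allowusers admin
EOF
}

sample_csf_conf() {  # TCP_IN as set in the CSF section of this page; TCP_OUT is constructed
    cat <<'EOF'
TESTING = "0"
TCP_IN = "22,25,53,80,110,143,443,465,587,993,995,2078,2083,2087,2096"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
EOF
}

# Demo run: the sample firewall still lists 22 and not 2289, so this reports a lockout
d=$(mktemp -d)
sample_sshd_t > "$d/sshd_T.txt"
sample_csf_conf > "$d/csf.conf"
preflight "$d/sshd_T.txt" "$d/csf.conf" || echo "do not restart sshd yet"
rm -rf "$d"
```

On a live server, save the effective settings with `sshd -T > /root/sshd_T.txt` and pass that file together with /etc/csf/csf.conf. Reading `sshd -T` instead of sshd_config matters because sshd keeps the first value it sees for a keyword, so a drop-in file included earlier can override a later edit.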

Performance: cPanel + LiteSpeed or Apache?

cPanel defaults to Apache + PHP-FPM. LiteSpeed Web Server (LSWS) is a fully cPanel-compatible commercial alternative; it parses Apache .htaccess files natively, runs PHP 2-3x faster via LSAPI, and offers server-level full-page cache for WordPress through LSCache.

  • Apache + PHP-FPM: free, well known, flexible; static-asset performance is middling.
  • LiteSpeed Enterprise: paid license (5-site / unlimited-site packages), CDN not included; roughly 2-4x more traffic capacity on average.
  • OpenLiteSpeed: the open-source sibling of LSWS; no official cPanel integration — manual install required.
  • NGINX (cPanel reverse proxy): the cpanel-nginx package puts nginx in front of Apache, with significant gains for static files. Our Nginx Configuration article covers the reverse-proxy logic.

# Install nginx as a reverse proxy on cPanel (engintron)
cd /
rm -f engintron.sh
# Keep TLS certificate verification on: the downloaded script is run as root
wget https://raw.githubusercontent.com/engintron/engintron/master/engintron.sh
bash engintron.sh install

# Static-asset offload: long-lived cache headers
# Customize /etc/nginx/custom_rules
cat > /etc/nginx/custom_rules <<'EOF'
location ~* \.(jpg|jpeg|png|gif|webp|avif|svg|woff2|css|js)$ {
 expires 365d;
 add_header Cache-Control "public, immutable";
 access_log off;
}
EOF

systemctl reload nginx

Running a Reseller Hosting Business: cPanel Pro / Premier

If your goal is selling hosting to others, start with a Pro license (30 accounts) and graduate to Premier (100+) as demand grows. WHM Resellers > Reseller Center is where you define reseller accounts, packages, and quota limits. A reseller can log into their own WHM, define their own packages, and create their own cPanel users — but never reach root.

  • Create a reseller account: WHM > Resellers > Create a New Reseller — disk + bandwidth + max-account caps.
  • Reseller branding: WHM > Customization > Branding (a custom login page just for the reseller).
  • WHMCS integration: the de facto standard for automated provisioning + billing. WHM API token + WHMCS module = a hosting business in hours.
  • Overselling: acceptable if done with realistic disk/RAM discipline; aggressive overselling means losing customers.

Observability and Monitoring

cPanel's built-in monitoring is limited (Server Status, ChkServd). External monitoring is mandatory in production: load average, RAM, disk I/O, MySQL slow queries, busy Apache workers, Exim queue depth. Our Prometheus + Grafana guide covers a full setup; for cPanel, the minimum is the node_exporter + mysqld_exporter + apache_exporter trio.

# Quick disk-usage scan
df -h | awk '$5+0 > 80'

# Top 20 disk-consuming accounts
du -sh /home/*/ 2>/dev/null | sort -h | tail -20

# Top 10 CPU/RAM-hungry processes
ps aux --sort=-%mem | head -11
ps aux --sort=-%cpu | head -11

# Active MySQL queries
mysqladmin processlist
mysql -e "SHOW FULL PROCESSLIST" | grep -v Sleep

# Exim queue status
exim -bpc

# Apache worker status
lynx --dump http://127.0.0.1/whm-server-status

Top 10 Common Issues and Fixes

Over the years, here are the 10 issues we run into most often on cPanel servers — the ones that eat hours of customer time:

  • License Expired: refresh the license with /usr/local/cpanel/cpkeyclt; verify in cPanel Manage2 that the IP is bound correctly.
  • WHM 500 Error: usually SELinux enforcing or a full disk. setenforce 0 + df -h.
  • Mail bouncing: SPF/DKIM/PTR mismatch. whmapi1 install_dkim_records_for_user user=... and have your provider set the PTR.
  • AutoSSL fail: .well-known returns 403/404; whitelist the ModSecurity rule.
  • MySQL crashed table: mysqlcheck --auto-repair --all-databases; for InnoDB, temporarily enable innodb_force_recovery.
  • High load average: locate the bottleneck with top + iotop + sar; usually MySQL with an undersized buffer_pool or a runaway cron loop.
  • Backup fail: disk full, target server unreachable, or quota exceeded. Check /var/cpanel/backups/ logs.
  • cPHulk login lock: list blocked IPs with whmapi1 list_cphulk_records; clear them with whmapi1 flush_cphulk_login_history.
  • Slow WordPress: outdated PHP (≤7.4), opcache off, plugin bloat. Our WordPress optimization perspective.
  • Disk filling up: find /var/log -size +100M, find /home -name 'error_log' -size +500M; /usr/local/apache/logs/error_log in particular balloons fast.

cPanel Alternatives: Plesk, DirectAdmin, ISPConfig

cPanel dominates, but it isn't the only option. After the 2019 price hikes, alternative panels gained market share. A comparison that may matter to you:

  • Plesk: supports Windows + Linux (cPanel is Linux-only). UI is a bit more modern, and the WordPress Toolkit feature is strong. Pricing is similar to cPanel. Details in our Plesk Panel Management guide.
  • DirectAdmin: lighter, lower resource footprint; offers a one-time 'lifetime' license option. The ecosystem isn't as deep as cPanel's.
  • ISPConfig: free and open source. Multi-server support is good, but the UI/UX isn't as polished as cPanel's; documentation skews DIY.
  • CyberPanel: built on OpenLiteSpeed, free. WordPress + LSCache integration is out-of-the-box. Less mature than cPanel but growing fast.
  • aaPanel: Chinese in origin, modern UI, free. No enterprise support — exercise caution in regulation-sensitive environments.

Buying cPanel: Where, How, and Which Edition?

Let's circle back to the license table from the start of the guide and lay out a clear decision matrix. When deciding to buy cPanel, three questions guide you: how many accounts are you planning, do you prefer USD or TRY billing, and what language do you want support in?

  • 1-2 sites, personal project: Solo license + a Turkish partner reseller (TRY invoice).
  • Up to 5 sites, freelance: Admin license + cpanel.net direct or a partner.
  • 10-30 sites, small agency: Pro license is a must; for Turkish-language support, prefer a local provider.
  • 30+ sites, hosting reseller: Premier license; joining the cPanel partner program (if you're selling 1,000+ accounts) gets you additional discounts.
  • I just want a ready-to-go VDS plan: 'cPanel-installed VDS' packages exist at every local provider; expect ₺800-3,500/month.

A warning: suspiciously cheap offers — say, a Premier license for $50/year — are almost always gray-market or sub-licensed under restrictions. They can be revoked by cPanel L.L.C. one day, leaving your server unusable. Buy only from official cpanel.net or authorized Turkish partners.

Migration: Moving from Another Panel to cPanel

Migrating from Plesk, DirectAdmin, or a pure Linux setup to cPanel is relatively painless thanks to cPanel's strong transfer tooling. WHM > Transfer Tool pulls accounts in parallel as long as you have root on the source server.

# CLI equivalent of WHM > Transfer Tool
/scripts/whmxfer --remote-host=old.server.com \
 --remote-user=root --remote-port=22 \
 --account=old_user --copy-account

# Migrate an individual account (cpmove archive)
# On the old server:
/scripts/pkgacct old_user /home/

# On the new server:
scp old.server:/home/cpmove-old_user.tar.gz /home/
/scripts/restorepkg old_user

# Plesk -> cPanel migration
/scripts/cpanel-server-migration --plesk-server=old.plesk.com

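# Prepare for the DNS switchover (lower TTL)
# Only touch zone files (*.db), and only the $TTL directive and the per-record
# TTL column, so 86400 values inside SOA timers and serials stay intact
for zone in /var/named/*.db; do
 [ -f "$zone" ] || continue
 sed -i -E 's/^(\$TTL[[:space:]]+)86400\b/\1300/; s/^([^;[:space:]]+[[:space:]]+)86400([[:space:]]+IN[[:space:]])/\1300\2/' "$zone"
done
# Secondaries only pick up the change once each zone's SOA serial is incremented
/scripts/restartsrv_named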

Lowering DNS TTL to 300 seconds during migration shortens propagation and makes the switchover transparent. After moving every account, keeping the old server in read-only mode for 30-60 days (just in case) is good practice.

WHM API: Automate, Don't Repeat

cPanel exposes two APIs: WHM API 1 (root/reseller operations) and cPanel API / UAPI (user-level operations). Token auth, JSON responses, callable from both the CLI and HTTP.

# Create an API token (WHM > Development > Manage API Tokens)
# Then over HTTP:
TOKEN="YOUR_API_TOKEN"
HOST="https://srv1.yourdomain.com:2087"

# Leave certificate verification on (no -k): the header carries a root API
# token, so curl must be talking to the real WHM hostname

# List accounts
curl -s -H "Authorization: whm root:$TOKEN" \
 "$HOST/json-api/listaccts?api.version=1" | jq '.data.acct[].user'

# Create a new account
curl -s -H "Authorization: whm root:$TOKEN" \
 "$HOST/json-api/createacct?api.version=1&username=demo&domain=demo.com&plan=basic"

# Disk-usage report (all accounts)
for user in $(whmapi1 --output=jsonpretty listaccts | jq -r '.data.acct[].user'); do
 used=$(du -sh "/home/$user/" 2>/dev/null | awk '{print $1}')
 echo "$user: $used"
done

Plug this API into WHMCS, your own billing system, monitoring scripts, and Grafana dashboards. Drop routine tasks (provisioning, suspending inactive accounts, quota reports) into cron and forget about them.

PHP-FPM Pool Tuning and Per-Account Performance

cPanel's default PHP-FPM settings are conservative: pm = ondemand + pm.max_children = 5. A high-traffic WordPress account suffocates under those limits; tune via WHM > MultiPHP Manager or directly in the file.

; /opt/cpanel/ea-php82/root/etc/php-fpm.d/acmecorp.com.conf
[acmecorp.com]
user = acmecorp
group = acmecorp
listen = /opt/cpanel/ea-php82/root/usr/var/run/php-fpm/acmecorp.sock
listen.owner = acmecorp
listen.group = nobody
listen.mode = 0660

pm = dynamic
pm.max_children = 25
pm.start_servers = 5
pm.min_spare_servers = 3
pm.max_spare_servers = 10
pm.max_requests = 500
pm.process_idle_timeout = 30s

php_admin_value[memory_limit] = 256M
php_admin_value[max_execution_time] = 60
php_admin_value[upload_max_filesize] = 64M
php_admin_value[post_max_size] = 64M
php_admin_flag[opcache.enable] = on
php_admin_value[opcache.memory_consumption] = 128

Sizing pm.max_children: (total RAM - system reserve - MySQL reserve) / average RAM per PHP worker (50-80MB). On an 8 GB RAM server, a total cap of 60-80 max_children across all accounts is reasonable.

Cron, Quotas, and cPanel Background Jobs

cPanel runs dozens of cron jobs in the background: upcp (cPanel update), AutoSSL renewal, backups, log rotation, mail-queue cleanup, cphulkd ban cleanup. You'll find all of them in /etc/cron.d/cpanel and /etc/cron.d/cpanel_backup.

# cPanel update — manual
/scripts/upcp
# Daily auto (default 04:00)

# Recompute quotas (WHM > Quota Modification)
/scripts/fixquotas

# Mail queue cleanup
/scripts/exim_tidydb

# Log rotation (default weekly)
/usr/local/cpanel/scripts/cpanellogd --restart

# Refresh disk-usage cache
/scripts/update_db_cache

# Stale add-on / package cleanup
yum autoremove -y
/scripts/sysup

cPanel Image Optimization: WordPress Toolkit and EA-PHP-Imagick

Roughly 60% of hosting users run WordPress. To professionalize the cPanel + WordPress combo, the recommended stack is: Softaculous (one-click installer), WP Toolkit (alternative), WordPress Manager by Softaculous + WP-CLI (terminal-based WP management).

# Install WP-CLI (server-wide)
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod +x wp-cli.phar && mv wp-cli.phar /usr/local/bin/wp

# WP operations inside a cPanel account
su - acmecorp
cd public_html/
wp core check-update
wp plugin update --all
wp theme update --all
wp core update --minor
wp cache flush
wp transient delete --all

# If wp fails with permission errors, reset ownership (as root, after exiting the account shell)
chown -R acmecorp:acmecorp /home/acmecorp/public_html/

WordPress's most common bug (the white screen) usually traces back to a plugin conflict. If WP Toolkit isn't enabled, run wp plugin deactivate --all, then re-enable plugins one at a time to isolate the offender.

Compliance and KVKK: Log Retention, Data Locality

In Turkey, hosting providers must retain access logs for at least 6 months (1 year recommended) under Law No. 5651. Under KVKK, customer data may be moved to the EU or to KVKK-approved jurisdictions; direct transfer to the US requires Standard Contractual Clauses.

  • cPanel access log: under /usr/local/apache/domlogs/ and /var/cpanel/logs/.
  • Mail log: /var/log/exim_mainlog, default 14-day rotation; KVKK-safer to retain for 1 year.
  • Database log: MySQL slow query + binlog (critical for PITR).
  • Off-site sync: rsync logs to a separate log-archive server; even if the origin is compromised, the logs remain.
  • Encryption at rest: not on by default in cPanel. LUKS-encrypted volumes + GPG backups are mandatory.
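
A check for the off-site archive described in the list above, as an added example (not a cPanel tool and not from the original page): it confirms the archive reaches back the required number of days and that the sync has not stalled. It assumes GNU find, file mtimes preserved by the sync (for example rsync -a), 180 days as the stand-in for six months, and a placeholder archive path.

```shell
#!/bin/sh
# Added example: audit the off-site log archive for retention coverage.
# Assumptions: files keep the mtime of the log data (rsync -a preserves it),
# GNU find is available, and 180 days stands in for the 6-month minimum.

# archive_ages DIR NOW_EPOCH -> prints "OLDEST_DAYS NEWEST_DAYS"; fails if empty
archive_ages() {
    find "$1" -type f -printf '%T@\n' | awk -v now="$2" '
        NR == 1 || $1 < min { min = $1 }
        NR == 1 || $1 > max { max = $1 }
        END {
            if (NR == 0) exit 1
            printf "%d %d\n", (now - min) / 86400, (now - max) / 86400
        }'
}

# check_retention DIR MIN_DAYS MAX_LAG_DAYS [NOW_EPOCH]
# 0 = ok, 1 = archive empty, 2 = history too short, 3 = sync has stalled
check_retention() {
    now=${4:-$(date +%s)}
    ages=$(archive_ages "$1" "$now") || { echo "EMPTY: $1"; return 1; }
    oldest=${ages% *}
    newest=${ages#* }
    if [ "$oldest" -lt "$2" ]; then
        echo "SHORT: oldest log is ${oldest}d old, need ${2}d"
        return 2
    fi
    if [ "$newest" -gt "$3" ]; then
        echo "STALE: newest log is ${newest}d old, limit ${3}d"
        return 3
    fi
    echo "OK: archive spans ${oldest}d, newest is ${newest}d old"
}

# Run on the archive server (the path is a placeholder):
#   check_retention /srv/log-archive/cpanel01 180 2
```

Run it from the archive server's own cron so the result does not depend on the origin host; a STALE result means logs have stopped arriving and should be investigated.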

Cost Optimization: Saving Money in cPanel Environments

cPanel costs have three legs: license + VDS rent + bandwidth/backup storage. Optimization tips:

  • Annual billing discount: cpanel.net offers 15-20% off annual plans; use it if cash flow allows.
  • Reseller upgrade: jumping from Pro to Premier as you cross 30 accounts is a leverage point; don't get stuck at the 30th account.
  • VDS provider arbitrage: the same 4 vCPU/8 GB costs differently across providers — Hetzner (€3-4), Contabo (€5-8), Turkish locals (₺200-400 — roughly $7-15 USD); audience and invoicing preference decide.
  • Backup storage: B2 (Backblaze) ~$6 USD/TB/month, S3 ~$23 USD/TB/month. S3 for backups you actively restore; B2 or Wasabi for archive.
  • WHMCS: license ~$16 USD/month; pays for itself by automating provisioning.

Scaling Up: From One VDS to Multi-Server

How far can a single cPanel VDS take you? In our experience, with proper tuning a 4 vCPU / 16 GB RAM box handles 50-80 accounts and 500K+ daily pageviews. Beyond that, the scaling strategies:

  • Vertical scale: move to a larger VDS plan; 8 vCPU / 32 GB RAM. cPanel snapshot + restore yields 1-2 hours of downtime.
  • Horizontal — DNS cluster: primary cPanel + 2-3 DNSONLY. High availability for DNS.
  • Horizontal — separate DB server: move MySQL/MariaDB to a dedicated VDS and connect via remote-mysql. Big CPU win.
  • Multi-server cluster (Premier): not an official cPanel cluster feature; for true HA, build a custom architecture with CloudLinux + Imunify360 + Apache cluster + glusterfs. Complex.
  • Containerization: splitting the server with LXC/Docker sounds tempting, but cPanel doesn't support running in its own container. Our Deploying with Docker approach is a modern non-cPanel alternative.

Checklist: Before Going to Production

Final-round checks before opening your cPanel VDS to production traffic:

  • WHM > Server Status > Service Status: are all services green?
  • Tweak Settings: did you apply the 12 critical settings above?
  • cPHulk + ModSecurity + CSF: all three active and emitting logs?
  • Backup Configuration: are daily + weekly + off-site targets running? Have you done a test restore?
  • AutoSSL: do all domains have valid certificates? Verify Free SSL on cpanel.net.
  • DNS: are ns1 and ns2 on different IPs, and are glue records correct?
  • cron: are upcp, autossl, and backup visible in cron?
  • Mail: SPF, DKIM, DMARC, PTR — does mail-tester.com, which tests all four, return 9+/10?
  • Lighthouse / PageSpeed: is the main site scoring 70+ on mobile and 85+ on desktop?
  • cphulk login + 2FA: are you sure you haven't locked yourself out of WHM?
  • Monitoring: which service triggers Prometheus / UptimeRobot / Datadog if it goes down?
  • Recovery plan: in a 'server burned down' scenario, are you confident you can move to a new server within an hour?

Looking Ahead: cPanel and Modern Alternatives

cPanel won't surrender market share easily — the ecosystem (WHMCS, Softaculous, Imunify360, JetBackup, BlueOnyx) is wide, and the developer/sysadmin base is experienced. But modern application deployment is shifting toward containers and serverless; for teams running Docker Compose + Kubernetes, cPanel's well-known file/folder approach can feel dated. cPanel L.L.C. is trying to close the gap with WP-Toolkit-style visual modules, native JetBackup integration, and Cloudflare Single-Click add-ons. The trend to watch in 2026: how tightly the cPanel + Cloudflare + Imunify360 trio fuses automatic protection, CDN, and local management.

Useful Command Cheat Sheet

# Service status
whmapi1 servicestatus
/scripts/restartsrv_httpd # Apache
/scripts/restartsrv_mysql # MySQL/MariaDB
/scripts/restartsrv_exim # Mail
/scripts/restartsrv_named # BIND
/scripts/restartsrv_cpsrvd # cPanel/WHM

# Account operations
/scripts/wwwacct domain.com user pass # Create account (the password is visible in shell history and the process list)
/scripts/killacct user # Delete account
/scripts/suspendacct user 'reason' # Suspend
/scripts/unsuspendacct user # Activate

# System repair
/scripts/upcp --force # Manual cPanel update
/scripts/easyapache --build # Rebuild EA4
/scripts/checkallsslcerts # Check every SSL cert
/scripts/fixhome # /home permissions
/scripts/fixquotas # Refresh disk quotas
/usr/local/cpanel/bin/cpanel-fileprotect # Account home dir permissions

# Log locations
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/access_log
/usr/local/apache/logs/error_log
/var/log/exim_mainlog
/var/log/maillog
/var/cpanel/logs/autossl.log
/var/cpanel/logs/cpbackup_transporter.log

Frequently Asked Questions

How many IPs does a cPanel VDS license cover?

One license is bound to a single primary IP. Your server can have additional IPs (IP failover, aliases), but the license activation IP is unique. For an IP transfer, Manage2 grants one change per 24 hours.

What happens if my license is canceled?

The server displays a cPanel License Expired error; existing accounts and your data aren't deleted, but you can't log into the panel or create new accounts. SSH root access still works at all times — back up your data with /scripts/pkgacct and migrate it to another server.

cPanel vs Plesk: which is faster?

On raw web-server performance they're equivalent — both build on Apache/nginx. The real differences are in management experience, plugin ecosystem, and your customers' familiarity. Plesk differentiates with Windows IIS support.

Can I extend the trial?

The 15-day trial is one-shot. You can't request a second trial for the same IP or hostname. To go to production, you have to buy a license.

AlmaLinux or Ubuntu?

cPanel officially supports AlmaLinux 9 and Ubuntu 22.04 LTS. The community and documentation skew larger on the AlmaLinux/RockyLinux side; Ubuntu LTS is appealing for its modern package versions. We recommend AlmaLinux 9.
