Introduction
Many server administrators believe that Host Access Control (HAC) in WHM is enough to restrict access to sensitive services such as WHM itself.
In reality, this misunderstanding can expose your server to unnecessary risk.
This article explains the real difference between Host Access Control and CSF Firewall, why WHM may still be accessible from unauthorized IPs, and the correct best-practice method to secure WHM access.
What Is Host Access Control in WHM?
Host Access Control is a service-level access restriction feature within cPanel/WHM.
It allows administrators to:
Allow or deny IP addresses for specific internal services
Add an additional control layer for cPanel-related daemons
⚠️ Important:
Host Access Control is not a firewall and does not block network connections.
What Host Access Control Does Not Do
Despite its name, Host Access Control does not:
Block TCP connections at the kernel level
Prevent access to WHM ports (2086 / 2087)
Replace CSF, iptables, or nftables
This explains why administrators often find that WHM remains accessible even after restricting IPs in Host Access Control.
Why WHM Is Still Accessible from Unauthorized IPs
WHM operates on:
Port 2086 (non-SSL)
Port 2087 (SSL)
If these ports are open in the firewall, the connection is accepted before Host Access Control is evaluated.
Security flow:
If CSF allows port 2087, any IP can reach WHM, regardless of Host Access Control rules.
What Is CSF Firewall?
CSF (ConfigServer Security & Firewall) is a true firewall operating at the kernel level.
It provides:
Port-based access control
Stateful packet inspection
Intrusion detection (LFD)
Rule enforcement through iptables (with the nftables backend on modern systems)
CSF is the primary and authoritative security layer for WHM access.
Best Practice: How to Properly Secure WHM Access
Step 1: Remove WHM Port from Global Access
Edit CSF configuration:
nano /etc/csf/csf.conf
Ensure port 2087 is not listed under TCP_IN:
This blocks WHM access for all IPs by default.
Step 2: Allow Only Trusted IP Addresses
Edit the CSF allow list:
nano /etc/csf/csf.allow
Add trusted administrative IPs only:
Reload CSF:
csf -r
✅ Result:
Authorized IPs can access WHM
All other IPs are blocked at the firewall level
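Added example (not part of the original article and not CSF's own tooling): a shell audit for the two steps above. It reports whether TCP_IN still opens 2086/2087 to every IP and lists the active csf.allow entries for review. It goes slightly beyond the text by also catching a start:end port range that covers a WHM port; the function names, the optional second argument (for example TCP6_IN, the IPv6 counterpart in csf.conf) and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit CSF config for WHM ports left open to every IP.

# Print each WHM port (2086/2087) that the given csf.conf setting opens
# globally, whether listed directly or covered by a start:end range.
# $1 = path to csf.conf, $2 = setting name (default TCP_IN).
whm_ports_exposed() {
    conf=$1
    key=${2:-TCP_IN}
    # Value of the last uncommented KEY = "..." line, spaces removed.
    list=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$conf" | tail -n 1 | tr -d ' ')
    for whm in 2086 2087; do
        old_ifs=$IFS; IFS=,
        for entry in $list; do
            case $entry in
                *:*) lo=${entry%%:*}; hi=${entry##*:}
                     if [ "$whm" -ge "$lo" ] && [ "$whm" -le "$hi" ]; then
                         echo "$whm"; break
                     fi ;;
                "$whm") echo "$whm"; break ;;
            esac
        done
        IFS=$old_ifs
    done
}

# Print the active entries of a csf.allow file: comments, trailing
# whitespace and blank lines removed, so each line is one live rule.
allow_entries() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Demo on constructed sample files (not taken from a real server).
demo=$(mktemp -d)
printf '%s\n' '# TCP_IN = "22,2087"' 'TCP_IN = "22,80,443,2080:2090"' > "$demo/csf.conf"
printf '%s\n' '# admins' '203.0.113.10 # office VPN' '' > "$demo/csf.allow"
echo "WHM ports open to all IPs: $(whm_ports_exposed "$demo/csf.conf" | tr '\n' ' ')"
echo "Active allow entries:"
allow_entries "$demo/csf.allow"
rm -rf "$demo"
```

On a server, point the functions at /etc/csf/csf.conf and /etc/csf/csf.allow; empty output from `whm_ports_exposed` means neither WHM port is globally open in that setting.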
How to Verify WHM Access Restrictions
From an unauthorized external IP:
nc -zv SERVER_IP 2087
Expected result:
From an allowed IP:
WHM login page loads successfully
When Host Access Control Is Still Useful
Host Access Control remains valuable for:
Restricting internal API access
Adding a secondary security layer
Limiting access to non-firewall-managed services
However, it should never be relied on as the primary security mechanism.
Common Myths vs Reality
| Myth | Reality |
|---|---|
| Host Access Control blocks WHM | ❌ False |
| HAC is a firewall | ❌ False |
| CSF is optional | ❌ Risky |
| CSF + HAC together | ✅ Best practice |
Final Recommendation
Always secure WHM using CSF Firewall.
Host Access Control should only be used as an additional security layer, not as a replacement for a firewall.
This approach ensures:
Kernel-level protection
Predictable access control
Strong defense against unauthorized access
