Web Management Cheatsheets: DNS, Security, Emails, Automation

🔒 Security Checklist

File and Access Security

Set appropriate file permissions Use 755 for directories and 644 for files. This allows the owner to read/write/execute, while others can only read/execute.

Check Robot.txt Check robot.txt file for any exposed links to sensitive files or directories.

Ensure appropriate file ownership Ensure that all files in CPanel accounts are owned by that cpanel user and never run composer as root when installing new dependencies.

Scan for malicious files and code Use grep to search for suspicious code, eval statements, or unknown URLs. E.g., grep -r "eval(base64_decode" /path/to/webroot

Run malware scans Use security plugins like Wordfence, Malcare, or server-side scanners like Imunify or ClamAV.

Audit admin users in WHM and WordPress Regularly review and remove any unused or unauthorized administrator accounts (for WordPress check directly in DB under users and usermeta tables).

Enable Two-Factor Authentication (2FA) Enforce 2FA for all critical logins, including WordPress, cPanel, and WHM.

Use jail shells to restrict user access Assign a jailed shell to cPanel users to prevent them from accessing other users' files or system-wide binaries.

[NEW] Use SSH keys for authentication Disable password authentication for SSH and require key-based access for a more secure connection. Learn more.

Network and Server Security

Change default SSH port and restrict IP access Move the SSH port from 22 to a non-standard port and use the firewall to allow only trusted IPs.

Block unsecure ports Block ports 80, 110, and 143 but make sure that http is redirected to https via CloudFlare.

Use Real Cron Jobs Disable pseudo-cron jobs in wp-config (DISABLE_WP_CRON, true), block external access to wp-cron, and setup a real internal cron job in its place.

Add a secondary SSH admin user with strong credentials Create a non-root admin user with sudo privileges and disable direct root login.

Disable unused apps/plugins in WordPress and server An unused component is an unnecessary attack vector. Deactivate and delete anything you don't need.

Secure forms Use a honeypot, reCAPTCHA, and restrict file upload types to prevent spam and malicious uploads.

Run penetration tests Use tools like Pentest-Tools or HostedScan to identify vulnerabilities.

Configure firewall and WAF Use a server firewall (e.g., CSF) and a Web Application Firewall like Immunify360 or ModSecurity.

[NEW] Disable XML-RPC in WordPress If not used for remote publishing, disable XML-RPC to prevent it from being a target for brute-force attacks. Add code via a plugin or theme.

Data Protection and Hardening

Set up redundant backups Configure local backups and sync them to a secure cloud (e.g., AWS S3, Backblaze) and/or an offline location.

Implement CSRF tokens Protect against Cross-Site Request Forgery (CSRF) by using nonces/tokens in forms and AJAX requests to validate user intent.

Enforce strong password policies Use plugins or server policies to require complex passwords and periodic changes for all users.

Configure Cloudflare for DNS and security Use Cloudflare's proxy (orange cloud) to enable its WAF, DDoS mitigation, and to hide your origin server's IP address.

Secure with .htaccess Add rules to block directory Browse, protect sensitive files like wp-config.php, and restrict access to wp-admin. See examples.

Use WP Toolkit 'Secure' options in WHM Apply multiple security fixes with one click, such as disabling file editing and blocking access to potentially sensitive files.

Enable SSL/TLS encryption Use "Full (Strict)" mode in Cloudflare and ensure SSL is properly configured on the server to encrypt all traffic.

Protect sensitive files Ensure files like wp-config.php and .env are not in a publicly accessible directory and have restrictive permissions (e.g., 400).

[NEW] Implement a Content Security Policy (CSP) Set CSP headers to control which resources can be loaded, mitigating XSS and other injection attacks. Learn more.

🗺️ DNS Checklist

Email Routing and SSL

Choose email hosting strategy In cPanel's "Email Routing", select Remote for third-party services (Google/Microsoft), Local for this server, or Auto to decide based on MX records.

Verify MX records for mail routing If remote, point MX records to your provider. If local, point the primary MX record to your server's hostname with priority 0.

Enable AutoSSL in WHM Ensure AutoSSL (powered by cPanel or Let's Encrypt) is active to automatically issue and renew free SSL certificates for all domains.

Cloudflare DNS Management

Set domain nameservers to Cloudflare’s Point your domain's nameservers at your registrar to those provided by Cloudflare to activate its services.

Configure core DNS records in Cloudflare Ensure A (main site), CNAME (www), MX (mail), and other necessary records are correctly pointing to their respective server IPs or hostnames.

Enable DNSSEC for spoofing protection Activate DNSSEC in your Cloudflare dashboard with a single click to add a cryptographic signature to your DNS, preventing forgery. Cloudflare Guide.

[NEW] Set CAA records for letsencrypt.org Add a Certification Authority Authorization (CAA) record to specify which CAs are permitted to issue certificates for your domain. Use a generator tool for help.

[NEW] Check DNS propagation After making changes, use a tool like dnschecker.org to verify that your DNS records have updated across the globe.

Email Authentication and Other Records

Generate and add DKIM record In cPanel's "Email Deliverability", generate a DKIM key. Add the provided name and value as a TXT record in Cloudflare to sign outgoing mail.

Configure SPF record Create a TXT record that lists all authorized mail servers. End with -all (hard fail) for strict enforcement, or ~all (soft fail) if unsure. Use a wizard to build it.

Set DMARC policy Create a TXT record to tell receivers what to do with mail that fails SPF/DKIM. Start with p=none for monitoring, then move to p=quarantine or p=reject. Use a wizard.

Set PTR (reverse DNS) record Contact your hosting provider to set a PTR record for your mail server's IP, pointing it back to your hostname. This is critical for deliverability. Check it with MXToolbox.

Add BIMI TXT record For brand recognition, add a Brand Indicators for Message Identification record. This requires a VMC (Verified Mark Certificate). Learn more.

Add AAAA record if server supports IPv6 If your server has an IPv6 address, create an AAAA record pointing to it for clients that use the newer protocol.

Cloudflare Configuration

Proxy web traffic through Cloudflare Enable the proxy (orange cloud) for A, AAAA, and CNAME records pointing to your website to benefit from CDN, WAF, and IP masking.

Do not proxy mail-related records Ensure the proxy is disabled (grey cloud / DNS Only) for MX records and any subdomains used for mail services (e.g., mail, smtp, imap).

Enable "Always Use HTTPS" In Cloudflare's SSL/TLS settings, enable this feature to automatically redirect all http requests to https.

Add firewall rules to block/challenge traffic In Cloudflare, block known malicious user agents, challenge traffic from certain countries, or protect your login pages from brute-force attacks.

📤 Email Deliverability Checklist

Content and Design

Maintain a good text-to-HTML ratio Avoid image-only emails. Ensure there's a good balance of text content to keep spam filters happy.

Avoid spam trigger words Words like "free," "act now," "winner," and excessive punctuation can increase your spam score. See a list or use the live-check email composer.

Personalize where possible Using the recipient's name or other merge tags can improve engagement and reduce the chance of being marked as spam.

Include a clear unsubscribe link Make it easy for users to opt out. This is a legal requirement in many regions and better than them marking you as spam.

[NEW] Include a `List-Unsubscribe` header This enables a one-click unsubscribe button in email clients like Gmail, improving user experience and protecting your reputation.

Sending Practices and Reputation

Warm up new domains/IPs slowly Start by sending a small volume of emails and gradually increase it over several weeks to build a positive sending reputation. Learn how.

Dedicated email addresses Use specific email addresses for specific bulk emailing purposes.

[NEW] Check for blacklist placement Regularly check your domain and mail server IP against major blacklists using a tool like MXToolbox.

[NEW] Set up Feedback Loops (FBLs) Sign up for FBLs with major ISPs like Gmail and Outlook.com to receive reports when recipients mark your emails as spam.

Keep sending volume consistent Sudden, large spikes in email volume can look suspicious to spam filters. Maintain a regular, predictable schedule.

[NEW] Use a dedicated IP for high-volume sending If you send a large volume of email, a dedicated IP address isolates your reputation from other senders.

List Management

Use double opt-in for bulk lists Require users to confirm their subscription via email. This proves consent and ensures the email address is valid.

Clean list of inactive users Periodically remove subscribers who haven't engaged with your emails in several months to improve open rates and sender reputation.

Remove hard bounces immediately A hard bounce means the email is invalid and should be removed instantly. Monitor soft bounces (e.g., full inbox) and remove if persistent.

Honour unsubscribes immediately Process unsubscribe requests instantly and automatically to comply with regulations and avoid spam complaints.

Testing and Compliance

Test with spam checkers Before sending, use tools like Mail-Tester or MailReach to get a spam score and identify issues.

Test across email clients Use services like Litmus or Email on Acid to ensure your emails render correctly everywhere.

Comply with regulations Ensure you follow the rules of CAN-SPAM, GDPR, and other local regulations, including providing a physical address.

⚙️ Systems Checklist

Automated Backups and Recovery

Schedule daily backups in WHM Configure WHM's Backup Configuration to run daily, retaining a reasonable number of copies (e.g., 7-14 days).

Set up offsite backups Add an "Additional Destination" in WHM to sync backups to a remote service like AWS S3, Backblaze B2, or Google Drive.

Test backup restoration regularly Periodically restore a backup to a staging environment to ensure data integrity and that the restoration process works as expected.

[NEW] Establish a Disaster Recovery Plan (DRP) Go beyond backups. Document the full process for rebuilding your server and restoring services in a worst-case scenario.

Performance and Uptime Monitoring

Monitor server resources Use tools like Munin, Nagios, or modern alternatives like Prometheus/Grafana to track CPU, RAM, and disk usage.

Set alerts for resource thresholds Configure your monitoring tools to send alerts (email, Slack) when resources exceed critical levels (e.g., CPU > 90% for 5 minutes).

[NEW] Implement external uptime monitoring Use a service like UptimeRobot or Better Uptime to get immediate alerts if your website or server goes down.

Automated Updates and Maintenance

Enable automatic OS package updates Configure unattended-upgrades (for Debian/Ubuntu) or dnf-automatic (for AlmaLinux/Rocky) to apply security patches automatically.

Use EasyApache for Apache/PHP updates Run EasyApache 4 regularly in WHM to update your web server, PHP versions, and related modules.

[NEW] Consider kernel live patching Use a service like KernelCare to apply critical kernel security patches without needing a server reboot, maximizing uptime.

Configure automatic log rotation Ensure logrotate is properly configured to rotate, compress, and delete old log files to prevent disk space issues.

Automation and Integrations

Schedule automated security scans Set up cron jobs to run security scanners like Lynis (system hardening) or OpenVAS (vulnerability scanning).

Implement fail2ban for intrusion prevention Fail2ban scans log files and bans IPs that show malicious signs like too many password failures or seeking exploits.

Automate WordPress management with WP Toolkit Use WP Toolkit in cPanel/WHM to configure automatic updates for WordPress core, plugins, and themes, as well as scheduled security checks.

[NEW] Use configuration management tools For multiple servers, use tools like Ansible, Puppet, or Chef to automate and standardize server setup and deployments.

Integrate alerts with Slack/Discord Configure webhooks to send real-time notifications for monitoring alerts, security events, or successful backups to your team's chat platform.

FREE CHEATSHEETS FOR GREAT
WEB MANAGEMENT

🔒 Security Checklist

File and Access Security

Network and Server Security

Data Protection and Hardening

🗺️ DNS Checklist

Email Routing and SSL

Cloudflare DNS Management

Email Authentication and Other Records

Cloudflare Configuration

📤 Email Deliverability Checklist

Content and Design

Sending Practices and Reputation

List Management

Testing and Compliance

⚙️ Systems Checklist

Automated Backups and Recovery

Performance and Uptime Monitoring

Automated Updates and Maintenance

Automation and Integrations

Useful Links for Server Management

FREE CHEATSHEETS FOR GREAT WEB MANAGEMENT

🔒 Security Checklist

File and Access Security

Network and Server Security

Data Protection and Hardening

🗺️ DNS Checklist

Email Routing and SSL

Cloudflare DNS Management

Email Authentication and Other Records

Cloudflare Configuration

📤 Email Deliverability Checklist

Content and Design

Sending Practices and Reputation

List Management

Testing and Compliance

⚙️ Systems Checklist

Automated Backups and Recovery

Performance and Uptime Monitoring

Automated Updates and Maintenance

Automation and Integrations

Useful Links for Server Management

These Pages are Coming Soon

FEEDBACK

FREE CHEATSHEETS FOR GREAT
WEB MANAGEMENT