Laravel is a powerful and flexible PHP framework — but with that power comes responsibility. If you’re running your Laravel application on a cPanel server, securing your environment is critical. At Hosting Marketers, we use LiteSpeed, CloudLinux, CPGuard, and Cloudflare, providing a robust foundation — but the app itself must be configured securely.
Here are 12 essential steps to protect your Laravel-based website from potential attacks.
1. Turn Off Debug Mode
One of the most common Laravel security mistakes is leaving APP_DEBUG=true in production. When enabled, Laravel exposes sensitive error messages, file paths, and even database credentials if something breaks.
How to fix: In your .env file, set:
APP_DEBUG=false
2. Protect the .env File
Your .env file holds critical information — database credentials, mail config, app keys. You must block public access to it.
Add this to .htaccess:
<Files .env>
Order allow,deny
Deny from all
</Files>
This works even under LiteSpeed.
3. Keep Laravel and Dependencies Updated
Outdated Laravel installations or Composer packages are a hacker’s dream. Security patches are released frequently.
Run this regularly:
composer update --no-dev
Also, ensure your PHP version (set via cPanel) is not obsolete — 8.1 or 8.2 is ideal.
4. Set Correct File and Folder Permissions
Files and directories with 777 permissions can be exploited. Set them securely:
chmod -R 755 .
chmod -R 775 storage bootstrap/cache
Then run:
chown -R yourcpaneluser:yourcpaneluser .
5. Expose Only the public/ Folder
The public/ directory should be the only web-accessible part of Laravel. Never upload Laravel into public_html directly.
If you’re using cPanel, set the document root to:
/home/yourcpaneluser/laravel/public
Or symlink public/ to public_html.
6. Use Middleware and Rate Limiting
Protect routes with Laravel’s built-in middleware:
- Use auth for private routes
- Use throttle to prevent brute-force login attacks
Example:
// At most 5 login attempts per minute per client; further requests get HTTP 429
Route::post('/login', [LoginController::class, 'login'])->middleware('throttle:5,1');
7. CPGuard + ModSecurity (Enabled Server-Wide)
At Hosting Marketers, we’ve enabled CPGuard and ModSecurity with OWASP rules server-wide. These tools actively block:
- SQL Injection
- Cross-Site Scripting (XSS)
- Remote File Inclusions
- Bot attacks
This protection is applied to all accounts automatically — no need to configure anything on your end.
8. Add Secure HTTP Headers
Inject security headers via .htaccess, or in LiteSpeed’s “Headers” section:
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "DENY"
Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "default-src 'self'"
These headers mitigate clickjacking (X-Frame-Options), MIME-type sniffing (X-Content-Type-Options), and script injection (Content-Security-Policy). Note that default-src 'self' also blocks inline scripts and styles, so test the policy against your application before deploying it.
9. Scan for Malware and Vulnerabilities
We provide built-in malware protection with CPGuard, available directly via your cPanel dashboard.
Additionally, ClamAV antivirus is installed server-wide and accessible through cPanel to scan your files.
Laravel developers can also run:
composer require laravel/laravel-security-checker --dev
for code-based vulnerability checks.
10. Monitor Logs
By default, Laravel writes its application log to:
storage/logs/laravel.log
Use this to monitor suspicious behavior or failed login attempts. You can even integrate log notifications into services like Slack or Papertrail.
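As an added example (not part of the original post), the following script parses laravel.log lines and flags IPs that reach the same 5-failures-per-minute budget as the throttle:5,1 rule from step 6. It assumes the application logs a "Failed login attempt" WARNING with ip and email in the JSON context (for instance from a listener on Illuminate\Auth\Events\Failed); the log lines are constructed samples.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Laravel's default Monolog line format: [datetime] channel.LEVEL: message {json context}
LOG_LINE = re.compile(r"^\[(?P<ts>[\d-]+ [\d:]+)\] (?P<channel>\w+)\.(?P<level>[A-Z]+): "
                      r"(?P<message>[^{]*?)\s*(?P<context>\{.*\})?\s*$")

# Constructed sample of storage/logs/laravel.log. Assumes the app logs
# "Failed login attempt" with ip/email context (e.g. from an Illuminate\Auth\Events\Failed listener).
SAMPLE_LOG = """\
[2024-05-01 10:00:01] production.WARNING: Failed login attempt {"ip":"203.0.113.7","email":"admin@example.com"}
[2024-05-01 10:00:03] production.WARNING: Failed login attempt {"ip":"203.0.113.7","email":"admin@example.com"}
[2024-05-01 10:00:05] production.INFO: User logged in {"ip":"198.51.100.2","email":"alice@example.com"}
[2024-05-01 10:00:09] production.WARNING: Failed login attempt {"ip":"203.0.113.7","email":"root@example.com"}
[2024-05-01 10:00:20] production.WARNING: Failed login attempt {"ip":"203.0.113.7","email":"admin@example.com"}
[2024-05-01 10:00:31] production.WARNING: Failed login attempt {"ip":"203.0.113.7","email":"admin@example.com"}
[2024-05-01 10:05:00] production.WARNING: Failed login attempt {"ip":"198.51.100.2","email":"alice@example.com"}
"""

def parse_lines(text):
    """Yield (timestamp, level, message, context) per parsable line; stack-trace lines and bad JSON are skipped."""
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue
        try:
            ctx = json.loads(m.group("context") or "{}")
        except json.JSONDecodeError:
            ctx = {}
        yield (datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
               m.group("level"), m.group("message").strip(), ctx)

def flag_brute_force(text, max_attempts=5, window=timedelta(minutes=1)):
    """Return {ip: total_failures} for IPs with max_attempts failed logins inside any sliding window."""
    per_ip = defaultdict(list)
    for ts, level, msg, ctx in parse_lines(text):
        if level == "WARNING" and msg == "Failed login attempt" and "ip" in ctx:
            per_ip[ctx["ip"]].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # drop attempts older than the window
            if end - start + 1 >= max_attempts:
                flagged[ip] = len(times)
                break
    return flagged
```

Run flag_brute_force on the real file contents (open("storage/logs/laravel.log").read()) from cron and forward any non-empty result to Slack or Papertrail as described above.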
11. Cloudflare DNS & WAF (Enabled Server-Wide)
All sites hosted with Hosting Marketers are protected by Cloudflare’s WAF and DNS filtering. This includes:
- DDoS mitigation
- Bot filtering
- SSL management
- Geo-blocking features
Cloudflare is deployed at the server level to protect all websites by default.
12. Backups: Frequent and Tested
We maintain secondary drives for server-wide backups. However, keep in mind:
- Backups may be a few days old depending on the update cycle
- It’s your responsibility to trigger manual backups after major changes
- You can also store copies off-site for added security
Final Thoughts
Laravel security is not optional — and at Hosting Marketers, we make sure you start with the best protection possible. By combining strong server-level firewalls with smart application-level hardening, your Laravel website can stay one step ahead of hackers.