{"id":1367,"date":"2025-04-15T13:19:55","date_gmt":"2025-04-15T13:19:55","guid":{"rendered":"https:\/\/hosting-marketers.com\/news\/?p=1367"},"modified":"2025-04-15T13:25:38","modified_gmt":"2025-04-15T13:25:38","slug":"12-essential-steps-to-secure-your-laravel-website-on-cpanel","status":"publish","type":"post","link":"https:\/\/hosting-marketers.com\/news\/2025\/04\/15\/12-essential-steps-to-secure-your-laravel-website-on-cpanel\/","title":{"rendered":"12 Essential Steps to Secure Your Laravel Website on cPanel"},"content":{"rendered":"\n

Laravel is a powerful and flexible PHP framework \u2014 but with that power comes responsibility. If you’re running your Laravel application on a cPanel server, securing your environment is critical. At Hosting Marketers, we use LiteSpeed<\/strong>, CloudLinux<\/strong>, CPGuard<\/strong>, and Cloudflare<\/strong>, providing a robust foundation \u2014 but the app itself must be configured securely.<\/p>\n\n\n\n

Here are 12 essential steps to protect your Laravel-based website from potential attacks.<\/p>\n\n\n\n

\n\n\n\n

1. Turn Off Debug Mode<\/h3>\n\n\n\n

One of the most common Laravel security mistakes is leaving APP_DEBUG=true<\/code> in production. When enabled, Laravel exposes sensitive error messages, file paths, and even database credentials if something breaks.<\/p>\n\n\n\n

How to fix:<\/strong> In your .env<\/code> file, set:<\/p>\n\n\n\n

APP_DEBUG=false\n<\/code><\/pre>\n\n\n\n
\n\n\n\n
2. Protect the .env<\/code> File<\/h3>\n\n\n\n
Your .env<\/code> file holds critical information \u2014 database credentials, mail config, app keys. You must block public access to it.<\/p>\n\n\n\n
Add this to .htaccess<\/code>:<\/strong><\/p>\n\n\n\n
<Files .env>\n    Order allow,deny\n    Deny from all\n<\/Files>\n<\/code><\/pre>\n\n\n\n
This works even under LiteSpeed.<\/p>\n\n\n\n
\n\n\n\n
3. Keep Laravel and Dependencies Updated<\/h3>\n\n\n\n
Outdated Laravel installations or Composer packages are a hacker\u2019s dream. Security patches are released frequently.<\/p>\n\n\n\n
Run this regularly:<\/strong><\/p>\n\n\n\n
composer update --no-dev\n<\/code><\/pre>\n\n\n\n
Also, ensure your PHP version (set via cPanel) is not obsolete \u2014 8.1 or 8.2 is ideal.<\/p>\n\n\n\n
\n\n\n\n
4. Set Correct File and Folder Permissions<\/h3>\n\n\n\n
Files and directories with 777 permissions can be exploited. Set them securely:<\/p>\n\n\n\n
chmod -R 755 .\nchmod -R 775 storage bootstrap\/cache\n<\/code><\/pre>\n\n\n\n
Then run:<\/p>\n\n\n\n
chown -R yourcpaneluser:yourcpaneluser .\n<\/code><\/pre>\n\n\n\n
\n\n\n\n
5. Expose Only the public\/<\/code> Folder<\/h3>\n\n\n\n
The public\/<\/code> directory should be the only web-accessible<\/strong> part of Laravel. Never upload Laravel into public_html<\/code> directly.<\/p>\n\n\n\n
If you’re using cPanel, set the document root to:<\/p>\n\n\n\n
\/home\/yourcpaneluser\/laravel\/public\n<\/code><\/pre>\n\n\n\n
Or symlink public\/<\/code> to public_html<\/code>.<\/p>\n\n\n\n
\n\n\n\n
6. Use Middleware and Rate Limiting<\/h3>\n\n\n\n
Protect routes with Laravel\u2019s built-in middleware:<\/p>\n\n\n\n
    \n
  • Use auth<\/code> for private routes<\/li>\n\n\n\n
  • Use throttle<\/code> to prevent brute-force login attacks<\/li>\n<\/ul>\n\n\n\n
    Example:<\/p>\n\n\n\n
    Route::post('\/login', 'LoginController@login')->middleware('throttle:5,1');\n<\/code><\/pre>\n\n\n\n
    \n\n\n\n
    7. CPGuard + ModSecurity (Enabled Server-Wide)<\/h3>\n\n\n\n
    At Hosting Marketers, we\u2019ve enabled CPGuard<\/strong> and ModSecurity with OWASP rules<\/strong> server-wide. These tools actively block:<\/p>\n\n\n\n
      \n
    • SQL Injection<\/li>\n\n\n\n
    • Cross-Site Scripting (XSS)<\/li>\n\n\n\n
    • Remote File Inclusions<\/li>\n\n\n\n
    • Bot attacks<\/li>\n<\/ul>\n\n\n\n
      This protection is applied to all accounts automatically \u2014 no need to configure anything on your end.<\/p>\n\n\n\n
      \n\n\n\n
      8. Add Secure HTTP Headers<\/h3>\n\n\n\n
      Inject security headers via .htaccess<\/code>, or in LiteSpeed\u2019s “Headers” section:<\/p>\n\n\n\n
      Header set X-Content-Type-Options \"nosniff\"\nHeader set X-Frame-Options \"DENY\"\nHeader set X-XSS-Protection \"1; mode=block\"\nHeader set Content-Security-Policy \"default-src 'self'\"\n<\/code><\/pre>\n\n\n\n
      These headers block clickjacking, code injection, and other exploits.<\/p>\n\n\n\n
      \n\n\n\n
      9. Scan for Malware and Vulnerabilities<\/h3>\n\n\n\n
      We provide built-in malware protection with CPGuard<\/strong>, available directly via your cPanel dashboard<\/strong>.<\/p>\n\n\n\n
      Additionally, ClamAV antivirus<\/strong> is installed server-wide and accessible through cPanel to scan your files.<\/p>\n\n\n\n
      Laravel developers can also run:<\/p>\n\n\n\n
      composer require laravel\/laravel-security-checker --dev\n<\/code><\/pre>\n\n\n\n
      for code-based vulnerability checks.<\/p>\n\n\n\n
      \n\n\n\n
      10. Monitor Logs<\/h3>\n\n\n\n
      Laravel logs everything inside:<\/p>\n\n\n\n
      storage\/logs\/laravel.log\n<\/code><\/pre>\n\n\n\n
      Use this to monitor suspicious behavior or failed login attempts. You can even integrate log notifications into services like Slack or Papertrail.<\/p>\n\n\n\n
      \n\n\n\n
      11. Cloudflare DNS & WAF (Enabled Server-Wide)<\/h3>\n\n\n\n
      All sites hosted with Hosting Marketers are protected by Cloudflare\u2019s WAF and DNS filtering<\/strong>. This includes:<\/p>\n\n\n\n
        \n
      • DDoS mitigation<\/li>\n\n\n\n
      • Bot filtering<\/li>\n\n\n\n
      • SSL management<\/li>\n\n\n\n
      • Geo-blocking features<\/li>\n<\/ul>\n\n\n\n
        Cloudflare is deployed at the server level to protect all websites by default.<\/p>\n\n\n\n
        \n\n\n\n
        12. Backups: Frequent and Tested<\/h3>\n\n\n\n
        We maintain secondary drives<\/strong> for server-wide backups. However, keep in mind:<\/p>\n\n\n\n
          \n
        • Backups may be a few days old depending on the update cycle<\/li>\n\n\n\n
        • It\u2019s your responsibility to trigger manual backups after major changes<\/li>\n\n\n\n
        • You can also store copies off-site for added security<\/li>\n<\/ul>\n\n\n\n
          \n\n\n\n
          Final Thoughts<\/h2>\n\n\n\n
          Laravel security is not optional \u2014 and at Hosting Marketers, we make sure you start with the best protection possible. By combining strong server-level firewalls with smart application-level hardening, your Laravel website can stay one step ahead of hackers.<\/p>\n\n\n\n
          \n","protected":false},"excerpt":{"rendered":"
          Laravel is a powerful and flexible PHP framework \u2014 but with that power comes responsibility. If you’re running your Laravel application on a cPanel server, securing your environment is critical. At Hosting Marketers, we use LiteSpeed, CloudLinux, CPGuard, and Cloudflare, providing a robust foundation \u2014 but the app itself must be configured securely. Here are […]<\/p>\n","protected":false},"author":1,"featured_media":1368,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[88,219],"tags":[213,215,214,218,216,210,217,211,209,212,208],"class_list":["post-1367","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-laravel-security","tag-cloudlinux","tag-cpanel-2","tag-cpguard","tag-cybersecurity","tag-laravelsecurity","tag-laraveltips","tag-litespeed","tag-phphosting","tag-webhosting","tag-websitesecurity","tag-laravel-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/04\/ChatGPT-Image-Apr-15-2025-06_15_08-AM.png?fit=1024%2C1536&ssl=1","jetpack_shortlink":"https:\/\/wp.me\/p9Yxzd-m3","jetpack-related-posts":[{"id":1353,"url":"https:\/\/hosting-marketers.com\/news\/2025\/02\/24\/how-to-secure-your-wordpress-and-laravel-sites-on-a-hosting-marketers-shared-accounts\/","url_meta":{"origin":1367,"position":0},"title":"How to Secure Your WordPress and Laravel Sites on a Hosting Marketers Shared Accounts","author":"Admin","date":"February 24, 2025","format":false,"excerpt":"Website security is critical for protecting your data, preventing hacks, and ensuring your site runs smoothly. While your hosting provider has CSF Firewall to protect the server from external threats, securing your WordPress or Laravel site is your responsibility. Many hacks happen because of poor security practices\u2014such as outdated plugins,\u2026","rel":"","context":"In "security"","block_context":{"text":"security","link":"https:\/\/hosting-marketers.com\/news\/category\/security\/"},"img":{"alt_text":"How to Secure Your WordPress and Laravel Sites on a Hosting Server with CSF Firewall","src":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/02\/security.jpg?fit=1024%2C1024&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/02\/security.jpg?fit=1024%2C1024&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/02\/security.jpg?fit=1024%2C1024&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/02\/security.jpg?fit=1024%2C1024&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":1371,"url":"https:\/\/hosting-marketers.com\/news\/2025\/04\/15\/the-ultimate-wordpress-security-guide-for-cpanel-users-2025-edition\/","url_meta":{"origin":1367,"position":1},"title":"The Ultimate WordPress Security Guide for cPanel Users (2025 Edition)","author":"Admin","date":"April 15, 2025","format":false,"excerpt":"WordPress powers over 40% of all websites \u2014 which makes it a prime target for hackers. If you\u2019re hosting with cPanel and using WordPress, security should be your top priority. At Hosting Marketers, we give you the tools (LiteSpeed, CloudLinux, CPGuard, Cloudflare) \u2014 but here\u2019s what you need to do\u2026","rel":"","context":"In "security"","block_context":{"text":"security","link":"https:\/\/hosting-marketers.com\/news\/category\/security\/"},"img":{"alt_text":"Protect your WordPress site from hackers with this complete security guide. Learn how to harden your site using cPanel, PHP updates, file permissions, .htaccess rules, and best practices.","src":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/04\/ChatGPT-Image-Apr-15-2025-06_36_03-AM.png?fit=1200%2C800&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/04\/ChatGPT-Image-Apr-15-2025-06_36_03-AM.png?fit=1200%2C800&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/04\/ChatGPT-Image-Apr-15-2025-06_36_03-AM.png?fit=1200%2C800&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/04\/ChatGPT-Image-Apr-15-2025-06_36_03-AM.png?fit=1200%2C800&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/04\/ChatGPT-Image-Apr-15-2025-06_36_03-AM.png?fit=1200%2C800&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":518,"url":"https:\/\/hosting-marketers.com\/news\/2015\/04\/24\/cloudlinux\/","url_meta":{"origin":1367,"position":2},"title":"cloudlinux, php version selector and sites slowing down","author":"Admin","date":"April 24, 2015","format":false,"excerpt":"One of the software's we use on our servers is http:\/\/www.cloudlinux.com\/ this allows the customer to choose which version of PHP he wants on his account, this selection is done on the cpanel, it secures the site so if one site is hacked the server is not damaged and other\u2026","rel":"","context":"In "php version selector"","block_context":{"text":"php version selector","link":"https:\/\/hosting-marketers.com\/news\/category\/php-version-selector\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1385,"url":"https:\/\/hosting-marketers.com\/news\/2025\/07\/22\/the-complete-guide-to-cloudflare-setup-benefits-and-wordpress-integration-with-litespeed\/","url_meta":{"origin":1367,"position":3},"title":"The complete guide to Cloudflare: Setup, benefits, and WordPress integration with LiteSpeed","author":"Admin","date":"July 22, 2025","format":false,"excerpt":"Introduction Cloudflare is more than just a DNS or CDN \u2014 it\u2019s a powerful, all-in-one solution for website performance, security, and compatibility. Whether you're running a personal blog or managing multiple client sites, integrating Cloudflare with WordPress and LiteSpeed can significantly boost load times, protect your infrastructure, and even fix\u2026","rel":"","context":"In "Hosting Marketers News"","block_context":{"text":"Hosting Marketers News","link":"https:\/\/hosting-marketers.com\/news\/category\/hosting-marketers-news\/"},"img":{"alt_text":"Blog cover image with the title \u2018The complete guide to Cloudflare: Setup, benefits, and WordPress integration with LiteSpeed\u2019 on a purple background, with icons representing Cloudflare, a computer server, WordPress, and LiteSpeed below the text.","src":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/07\/ChatGPT-Image-Jul-22-2025-10_56_40-AM.png?fit=1200%2C800&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/07\/ChatGPT-Image-Jul-22-2025-10_56_40-AM.png?fit=1200%2C800&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/07\/ChatGPT-Image-Jul-22-2025-10_56_40-AM.png?fit=1200%2C800&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/07\/ChatGPT-Image-Jul-22-2025-10_56_40-AM.png?fit=1200%2C800&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/07\/ChatGPT-Image-Jul-22-2025-10_56_40-AM.png?fit=1200%2C800&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":1050,"url":"https:\/\/hosting-marketers.com\/news\/2021\/06\/02\/deploy-node-js-on-our-shared-servers\/","url_meta":{"origin":1367,"position":4},"title":"Deploy Node.js on our shared servers","author":"Admin","date":"June 2, 2021","format":false,"excerpt":"[et_pb_section][et_pb_row][et_pb_column type=\"4_4\"][et_pb_text] Version Control with Git Before we can\u00a0configure your Node.js application, the first step is getting that application on your server. There are a few options. You can use FTP to upload the copy of your application to your server, or you can use cPanel\u00e2\u20ac\u2122s native Git support to\u2026","rel":"","context":"In "Hosting Marketers News"","block_context":{"text":"Hosting Marketers News","link":"https:\/\/hosting-marketers.com\/news\/category\/hosting-marketers-news\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":801,"url":"https:\/\/hosting-marketers.com\/news\/2019\/07\/05\/how-to-deploy-an-app-nodejs-through-cpanel\/","url_meta":{"origin":1367,"position":5},"title":"how to deploy an APP NodeJS Through cPanel","author":"Admin","date":"July 5, 2019","format":false,"excerpt":"how to setup or deploy an app on nodejs with our cpanel","rel":"","context":"In "deploy app nodejs cpanel"","block_context":{"text":"deploy app nodejs cpanel","link":"https:\/\/hosting-marketers.com\/news\/category\/deploy-app-nodejs-cpanel\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2019\/07\/node2.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2019\/07\/node2.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2019\/07\/node2.jpg?resize=525%2C300&ssl=1 1.5x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/posts\/1367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/comments?post=1367"}],"version-history":[{"count":2,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/posts\/1367\/revisions"}],"predecessor-version":[{"id":1370,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/posts\/1367\/revisions\/1370"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/media\/1368"}],"wp:attachment":[{"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/media?parent=1367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/categories?post=1367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/tags?post=1367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}