Securing Your cPanel & WHM Installation: A Step-by-Step Update Guide
Introduction
Keeping your web hosting control panel up to date is not just a best practice—it’s a necessity. cPanel and Web Host Manager (WHM) recently released patches that fix three security flaws. If left unpatched, these vulnerabilities could allow an attacker to escalate privileges, execute arbitrary code, or cause a denial-of-service condition. One of the issues, tracked as CVE-2026-29201 (CVSS 4.3), stems from insufficient input validation in a feature file name within the feature::LOADFEATUREFILE adminbin call. Other vulnerabilities involve code execution and denial-of-service vectors. This guide walks you through updating your cPanel/WHM installation to protect your server and your clients.
What You Need
Before you begin, ensure you have the following:
- Root or sudo access to your server (SSH or WHM root).
- A valid cPanel & WHM license (active and not expired).
- Stable internet connectivity to download updates.
- Current version knowledge – note your installed version (check via WHM or command line).
- A full backup of your server (do this before any update).
- Recommended: a staging or test environment if available.
Step-by-Step Guide
Step 1: Check Your Current cPanel/WHM Version
Knowing your current version helps you confirm whether the update is needed. Login via SSH as root and run:
/usr/local/cpanel/cpanel -VOr, browse to WHM >> Home >> Server Information. Look for the version string. If you’re running a release older than the patched tier (refer to cPanel’s release notes for specifics), proceed to Step 2.
Step 2: Create a Full Backup
Always back up before making changes. At minimum, create a system backup using WHM’s Backup feature:
- Go to WHM >> Home >> Backup >> Backup Configuration.
- Enable full backups to a remote destination or local drive.
- Run a manual backup via WHM >> Home >> Backup >> Generate Backup.
- Alternatively, use the command
/usr/local/cpanel/scripts/backupfor a quick snapshot.
Store the backup off-server if possible.
Step 3: Update cPanel/WHM Using the Command Line
The most reliable method is via the built-in updater. Connect via SSH and execute:
/usr/local/cpanel/scripts/upcp --forceThis forces a full update check and applies the latest stable release, including patches for the three vulnerabilities. The process may take several minutes. Do not interrupt it.
Alternatively, from WHM:
- Navigate to WHM >> Home >> Server Configuration >> Update Preferences.
- Ensure the update tier is set to RELEASE (or EDGE for bleeding edge, but RELEASE is recommended for stability).
- Click Update to Latest Version and confirm.
Step 4: Verify the Update
After the update completes, confirm the new version:
/usr/local/cpanel/cpanel -VCompare the version number with the patched release information from cPanel’s security announcements. Also check for any error messages in the update logs:
tail -100 /var/log/cpanel-update.logIf you see failures, refer to cPanel’s documentation or open a support ticket.
Step 5: Run Post-Update Checks
Confirm that the vulnerabilities are addressed by verifying the following:
- Privilege escalation – test with a non-root user (e.g., try to load a malicious feature file). In most cases, the fix prevents the attack outright.
- Code execution – ensure any custom scripts that call adminbin functions still work correctly.
- Denial-of-service – monitor server load after the update; it should remain normal.
Additionally, restart any related services that may have been affected:
service cpanel restart && service httpd restart && service mysql restartFinally, re-check your backup configuration to ensure future backups include the updated files.
Tips for a Smooth Update
- Schedule updates during low-traffic hours to minimize impact on users.
- Enable automatic updates in WHM (Update Preferences) so you don’t miss future patches.
- Test in a staging environment if you run custom plugins or modifications.
- Read the release notes for any breaking changes before updating.
- Monitor cPanel’s security advisories regularly (https://news.cpanel.com).
- Keep a rollback plan – know how to restore from backup if an update causes issues.
By following these steps, you’ll protect your server from the three identified vulnerabilities (including CVE-2026-29201) and maintain a secure hosting environment.