Password Security

Strong, unique passwords are your first line of defense against unauthorized access. This guide covers best practices for all the passwords associated with your hosting account.

What Makes a Strong Password

A strong password should:

Be at least 12 characters long — longer is better.
Include a mix of uppercase letters, lowercase letters, numbers, and symbols.
Not contain dictionary words, names, dates, or common phrases.
Not be reused across different accounts or services.
Not follow simple patterns like Password123! or abc123.

Tip Use a password manager like Bitwarden, 1Password, or KeePass to generate and store strong, unique passwords for every account. This way you only need to remember one master password.

Changing Your cPanel Password

Log into the Client Area.
Go to Services → My Services.
Click on your hosting plan.
Click Change Password in the sidebar.
Enter a new strong password and save.

Note Changing your cPanel password also changes the password used for WHM access (if applicable) and may affect FTP access if your FTP account uses the main cPanel credentials.

Email Account Passwords

Each email account you create in cPanel has its own password. To change an email password:

In cPanel, go to Email → Email Accounts.
Find the email account and click Manage.
In the Security section, click Update Email Password.
Enter a new password or click Generate to create a strong random password.
Click Update Email Settings.

After changing an email password, you will need to update it in any email clients (Outlook, Thunderbird, phone mail apps) that connect to that account.

FTP Account Passwords

If you use separate FTP accounts (not the main cPanel account), change their passwords regularly:

In cPanel, go to Files → FTP Accounts.
Find the FTP account and click Change Password.
Enter a new strong password and click Change Password.

Warning Avoid using FTP when possible. Use SFTP instead, which encrypts your credentials and file transfers. FTP transmits passwords in plain text, making them vulnerable to interception. Connect on port 22 with your cPanel username and password to use SFTP.

Database Passwords

MySQL database user passwords should be strong since databases often contain sensitive information like customer data or website credentials:

In cPanel, go to Databases → MySQL Databases.
Scroll to Current Users.
Click Change Password next to the database user.
Enter a new strong password and click Change Password.

Warning After changing a database password, you must update the connection credentials in your website's configuration file. For WordPress, this is wp-config.php. For other applications, check their documentation for the database configuration file location. Your site will go down if the password in the config file doesn't match.

Client Area Password

Your Client Area password is separate from your cPanel password. To change it:

Log into the Client Area.
Click your name in the top right corner and select Edit Account Details.
Enter your current password and a new password.
Click Save Changes.

Two-Factor Authentication

For additional security, enable two-factor authentication (2FA) on your cPanel account:

In cPanel, go to Security → Two-Factor Authentication.
Click Set Up Two-Factor Authentication.
Scan the QR code with an authenticator app (Google Authenticator, Authy, or similar).
Enter the six-digit code from the app to confirm.

With 2FA enabled, you will need both your password and a code from your authenticator app to log into cPanel.

Tip Save your 2FA backup codes in a safe place. If you lose access to your authenticator app, you can use a backup code to log in and reconfigure 2FA.