What Is WHM (Web Host Manager) and How to Access It
WHM (Web Host Manager) is a server-level administrative control panel developed by cPanel, LLC, that runs on Linux-based web servers. It provides root-level and reseller-level access to manage multiple cPanel accounts, configure server-wide settings, control security policies, and administer core services such as Apache, MySQL, and DNS — all through a browser-based interface. WHM operates on port 2087 (HTTPS) and is the backend counterpart to cPanel, which serves as the end-user interface.
If you are running a managed hosting environment, a reseller hosting business, or a self-administered VPS Hosting or Dedicated Server with cPanel/WHM installed, understanding WHM's architecture and access methods is non-negotiable for maintaining uptime, security, and operational efficiency.
WHM vs. cPanel: Understanding the Architectural Relationship
A common point of confusion is treating WHM and cPanel as interchangeable. They are not. They occupy distinct layers of the same software stack.
| Feature | WHM (Web Host Manager) | cPanel |
|---|---|---|
| Target User | Server admin, reseller | End-user, website owner |
| Access Port | 2087 (HTTPS), 2086 (HTTP) | 2083 (HTTPS), 2082 (HTTP) |
| Privilege Level | Root or reseller | Account-level only |
| Account Creation | Yes — creates cPanel accounts | No — manages existing account |
| Server Service Control | Yes (Apache, MySQL, DNS, etc.) | No |
| DNS Zone Management | Server-wide | Per-account only |
| SSL Management | Server-wide + per-account | Per-account only |
| Firewall Configuration | Yes (CSF, WHM Firewall) | No |
| Backup Scope | Full server or per-account | Per-account only |
| Reseller Management | Yes | No |
WHM is the administrative plane. cPanel is the data plane for individual accounts. Every cPanel account is created, configured, and governed by WHM. If WHM is unavailable, cPanel accounts continue to serve traffic, but no administrative changes can be made at the server level.
Core Technical Capabilities of WHM
Account and Package Management
WHM uses a concept called hosting packages (also called plans or feature lists) to define resource allocations — disk quotas, bandwidth limits, email account caps, database limits, and subdomains — that are applied uniformly to cPanel accounts. This abstraction allows administrators to manage hundreds of accounts without configuring each one individually.
Key operations include:
- Creating cPanel accounts with predefined packages or custom resource limits
- Suspending and unsuspending accounts without data loss, which is critical for billing enforcement
- Terminating accounts with optional data retention
- Modifying account limits on the fly without account recreation
- Transferring accounts between servers using WHM's built-in Transfer Tool, which handles DNS, email, databases, and file structures atomically
A frequently overlooked capability: WHM's Skeleton Directory (`/root/cpanel3-skel/`) allows administrators to pre-populate every new cPanel account with default files, directory structures, or configuration templates — useful for agencies deploying standardized WordPress or application environments at scale.
Reseller Account Architecture
WHM supports a three-tier privilege model: root administrator, resellers, and end-users. Resellers receive a subset of WHM's capabilities scoped to accounts they own. They can create and manage their own cPanel accounts, set resource limits within their own allocation, and brand the cPanel interface — but they cannot access or affect other resellers' accounts or server-level configurations.
This architecture is the foundation of the reseller hosting business model and is directly relevant if you are operating a VPS with cPanel to offer hosting services to downstream clients.
Critical nuance: resellers do not get root SSH access. Their WHM access is restricted to the ACL (Access Control List) permissions granted by the root administrator. Misconfiguring ACLs is a common security error — granting resellers more privilege than intended, particularly the ability to modify DNS globally or access server configuration.
Server Administration and Service Management
WHM provides direct control over the core services that underpin every hosted website:
- Apache/LiteSpeed configuration — modify global directives, manage virtual host templates, configure PHP handlers (suPHP, FastCGI, PHP-FPM), and switch PHP versions per account using MultiPHP Manager
- MySQL/MariaDB administration — manage global database settings, run MySQL upgrades, and monitor query load
- DNS cluster management — configure WHM to participate in a DNS cluster, synchronizing zone files across multiple nameservers for redundancy
- Exim mail server configuration — manage SMTP relay settings, spam thresholds, RBL lists, and delivery queues
- Service monitoring — WHM's Service Manager allows enabling, disabling, and monitoring daemons, with automatic restart policies
A detail that catches many administrators off guard: WHM's EasyApache 4 (EA4) is the tool for compiling and configuring Apache and PHP. Switching PHP versions or adding extensions (like `imagick`, `redis`, or `memcached`) is done through EA4 profiles, not through the OS package manager. Attempting to install PHP extensions via `yum` or `apt` without EA4 awareness can break cPanel's PHP handler configuration.
Security Center
WHM's Security Center consolidates several critical hardening controls:
- cPHulk Brute Force Protection — rate-limits failed login attempts to WHM and cPanel, with configurable lockout thresholds and IP whitelisting
- CSF (ConfigServer Security & Firewall) integration — while CSF is a third-party plugin, it integrates deeply into WHM's UI and is the de facto firewall solution for cPanel servers
- Two-Factor Authentication (2FA) — WHM supports TOTP-based 2FA for both root and reseller logins, which should be treated as mandatory, not optional
- SSL/TLS Manager — install, manage, and auto-renew SSL certificates server-wide, including support for Let's Encrypt via AutoSSL
- SSH Password Authorization Tweak — disable password-based SSH authentication from within WHM without manual `sshd_config` editing
- Compiler Access Control — restrict access to compilers (gcc, cc) to prevent privilege escalation via locally compiled exploits
If you are managing SSL Certificates across multiple domains, WHM's AutoSSL feature can automate Let's Encrypt certificate issuance and renewal for every cPanel account on the server, eliminating manual certificate management entirely.
Backup and Restore Architecture
WHM's backup system operates at two levels:
- WHM Backup Configuration (root level) — defines global backup schedules, retention policies, compression settings, and remote transport destinations (FTP, SFTP, S3-compatible storage, custom scripts via backup transport plugins)
- Per-account restoration — allows restoring individual cPanel accounts from a full server backup without restoring the entire server, which is critical for minimizing blast radius during account-level data loss events
A common architectural mistake: relying solely on WHM's built-in backup system without verifying that backups are being transported off-server. On-server backups provide zero protection against disk failure, ransomware, or catastrophic server loss. Always configure a remote backup destination.
DNS Management
WHM manages DNS at the server level using BIND (named) or PowerDNS as the underlying nameserver software. Administrators can:
- Create, edit, and delete DNS zones for all domains on the server
- Configure DNS clustering to replicate zones to secondary nameservers automatically
- Manage SPF, DKIM, and DMARC records for email deliverability across all hosted domains
- Use the DNS Zone Editor to make bulk changes without SSH access
For hosting environments managing multiple client domains, proper DNS configuration in WHM — particularly DKIM and SPF setup — directly impacts email deliverability for all accounts. This is especially relevant when pairing WHM-managed hosting with a dedicated Email Hosting solution for business-critical communications.
How to Access WHM: Step-by-Step
Step 1: Gather Required Credentials
Before attempting access, confirm you have:
- Server IP address or hostname — the public IPv4 (or IPv6) address of the server, or a resolvable hostname pointing to it
- Username — `root` for the primary administrator; a reseller username for reseller-level access
- Password — the root or reseller account password
- 2FA token — if two-factor authentication is enabled, have your authenticator app ready
If you provisioned a Dedicated Server or VPS with cPanel/WHM pre-installed, these credentials are typically delivered via email at provisioning time or accessible through the hosting control panel.
Step 2: Choose the Correct Access URL
WHM is accessible via the following URL formats:
Primary HTTPS access (recommended):
```
https://YOUR_SERVER_IP:2087/
https://your-domain.com:2087/
```
HTTP access (fallback, not recommended for production):
```
http://YOUR_SERVER_IP:2086/
http://your-domain.com:2086/
```
Redirect-based access (resolves to port 2087):
```
https://YOUR_SERVER_IP/whm
https://your-domain.com/whm
```
Replace `YOUR_SERVER_IP` with your actual server IP address (e.g., `https://198.51.100.42:2087/`). The redirect-based URLs are convenient but depend on the web server correctly handling the redirect — use the explicit port URLs when troubleshooting.
Step 3: Handle SSL Certificate Warnings
On a freshly provisioned server, WHM uses a self-signed SSL certificate issued to the server's hostname. Browsers will display a security warning because this certificate is not signed by a trusted Certificate Authority (CA).
This is expected behavior on initial setup. To proceed:
- Chrome/Edge: Click "Advanced" then "Proceed to [hostname] (unsafe)"
- Firefox: Click "Advanced" then "Accept the Risk and Continue"
To eliminate this warning permanently, install a valid SSL certificate for the server's hostname via WHM's Manage Service SSL Certificates section, or configure AutoSSL to issue a Let's Encrypt certificate for the server hostname. This is a one-time setup task that should be completed immediately after provisioning.
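Until a CA-signed certificate is installed, the self-signed certificate can be checked rather than accepted blindly. The script below is an added example, not part of cPanel/WHM: it compares the SHA-256 fingerprint served on port 2087 with one recorded over a channel you already trust. The function names and the sample fingerprint are constructed for illustration, and `openssl` is assumed to be installed on the workstation.

```shell
#!/bin/sh
# Added example: compare the certificate WHM presents with a fingerprint
# recorded over a channel you already trust (for example, an SSH session).

# norm_fp TEXT: reduce an "openssl x509 -fingerprint" line, or a bare
# fingerprint, to lowercase hex with no separators.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# remote_fp HOST [PORT]: SHA-256 fingerprint line of the certificate served.
remote_fp() {
    openssl s_client -connect "$1:${2:-2087}" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# check_pin PRESENTED EXPECTED: 0 = match, 1 = mismatch,
# 2 = PRESENTED is not a well-formed SHA-256 fingerprint (e.g. fetch failed).
check_pin() {
    a=$(norm_fp "$1"); b=$(norm_fp "$2")
    case $a in ''|*[!0-9a-f]*) return 2 ;; esac
    [ "${#a}" -eq 64 ] || return 2
    [ "$a" = "$b" ]
}

# Constructed values for illustration only (not a real certificate).
SAMPLE_LINE='sha256 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'
SAMPLE_PIN='00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff'

# Stand-alone use: sh script.sh HOST EXPECTED_FINGERPRINT
if [ "$#" -eq 2 ]; then
    if check_pin "$(remote_fp "$1")" "$2"; then
        echo "fingerprint on $1 matches the recorded value"
    else
        echo "MISMATCH or fetch failure on $1: do not enter credentials" >&2
        exit 1
    fi
fi
```

One way to record the expected value is to run `remote_fp 127.0.0.1` on the server itself inside an SSH session whose host key you have already verified.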
Step 4: Authenticate
On the WHM login page:
- Enter your username (`root` or reseller username)
- Enter your password
- If 2FA is enabled, enter the TOTP code from your authenticator app
- Click Log In
Successful authentication lands you on the WHM dashboard. Failed authentication after multiple attempts will trigger cPHulk lockout if it is enabled — which it should be.
Step 5: Navigate the WHM Dashboard
The WHM dashboard is organized into functional sections accessible via the left-hand navigation panel and the search bar (which is the fastest way to reach any specific tool):
- Account Functions — create, list, modify, suspend, and transfer cPanel accounts
- Packages — define and manage hosting packages applied to accounts
- Resellers — create reseller accounts, set ACL permissions, and monitor reseller resource usage
- Server Configuration — configure server-wide settings including hostname, nameservers, and contact email
- Service Configuration — manage Exim, Apache, FTP, and other daemon configurations
- Security Center — access cPHulk, 2FA settings, SSL management, and firewall integration
- MultiPHP Manager — set PHP versions and PHP-FPM configurations per domain or account
- Backup Configuration — configure backup schedules, destinations, and retention
- WHM Plugins — install and manage third-party WHM plugins (Softaculous, Imunify360, JetBackup, etc.)
Troubleshooting WHM Access Issues
Port 2087 Is Unreachable
This is the most common access failure. Causes and resolutions:
- Firewall blocking port 2087 — verify the server's firewall (iptables, firewalld, or CSF) has port 2087 open. Run `iptables -L -n | grep 2087` or check CSF's `/etc/csf/csf.conf` for `TCP_IN` rules. Also verify that your hosting provider's external firewall or security group (if applicable) allows port 2087.
- cpsrvd service not running — WHM is served by the `cpsrvd` daemon. If it is stopped, no access is possible. Restart it via SSH: `service cpsrvd restart` or `/usr/local/cpanel/scripts/restartsrv_cpsrvd`
- IP address has changed — if the server's IP changed (e.g., after a network reconfiguration), update your access URL accordingly
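The CSF check described above can be scripted instead of read by eye. This is an added example, not code from cPanel or ConfigServer: it parses the `TCP_IN` line of a `csf.conf`, including `low:high` port ranges, and reports whether 2087 and the cleartext port 2086 are admitted. The function names and the sample configuration are constructed, and the script inspects only the local CSF file, not any upstream firewall or security group.

```shell
#!/bin/sh
# Added example: does a CSF configuration admit inbound TCP on the WHM ports?
# TCP_IN is a quoted, comma-separated list of ports and low:high ranges.

# csf_tcp_in FILE: print the value of the last TCP_IN line, without quotes.
csf_tcp_in() {
    sed -n 's/^[[:space:]]*TCP_IN[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        tail -n 1 | tr -d ' '
}

# csf_port_open FILE PORT: 0 = listed (or inside a range), 1 = not listed,
# 2 = no TCP_IN line found.
csf_port_open() {
    list=$(csf_tcp_in "$1")
    [ -n "$list" ] || return 2
    for entry in $(printf '%s' "$list" | tr ',' ' '); do
        case $entry in
            *:*)
                lo=${entry%%:*}; hi=${entry##*:}
                if [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ]; then return 0; fi ;;
            *)
                if [ "$entry" = "$2" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# whm_port_report FILE: one "PORT STATE" line for 2087 (HTTPS) and 2086 (HTTP).
whm_port_report() {
    for p in 2087 2086; do
        if csf_port_open "$1" "$p"; then state=open; else state=closed; fi
        echo "$p $state"
    done
}

# Constructed sample configuration (not from a real server).
sample_conf() {
    cat <<'EOF'
# constructed sample
TCP_IN = "22,80,443,2083,2087,30000:35000"
TCP_OUT = "25,80,443,2086"
EOF
}

# Stand-alone use: sh script.sh /etc/csf/csf.conf (no argument: use the sample)
conf=${1:-}
if [ -z "$conf" ]; then conf=$(mktemp); sample_conf > "$conf"; tmp=$conf; fi
whm_port_report "$conf"
[ -z "${tmp:-}" ] || rm -f "$tmp"
```

On the constructed sample the report shows 2087 open and 2086 closed, which is the state to aim for if HTTP access to WHM is not needed.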
Authentication Failures and Lockouts
- cPHulk lockout — if your IP is locked out by cPHulk after failed login attempts, whitelist your IP via SSH: edit `/etc/cphulk/whitelist` or use the WHM API. Alternatively, temporarily disable cPHulk: `whmapi1 set_cphulk_config enabled=0`
- Root login disabled — some hardened configurations disable direct root WHM login. In this case, use a sudo-capable user or re-enable root login via SSH and the cPanel configuration
- Forgotten root password — reset via SSH using `passwd root`, or through your hosting provider's out-of-band console (IPMI/KVM) if SSH access is also unavailable
SSL and Browser Issues
- Mixed content or redirect loops — occur when accessing WHM through a reverse proxy or CDN. WHM should be accessed directly via the server IP or a hostname that resolves directly to the server, not through Cloudflare or similar proxies
- Certificate hostname mismatch — the self-signed certificate is issued to the server's configured hostname. If you access WHM via IP address, the hostname mismatch warning is unavoidable until a proper certificate is installed
- Browser cache — stale session cookies can cause redirect loops. Clear site data for the WHM URL specifically, or use a private/incognito window
WHM Loads but Features Are Missing
- Reseller ACL restrictions — if you are logged in as a reseller and certain features are absent, the root administrator has restricted those functions via ACL. Contact the root administrator to adjust permissions.
- License issues — cPanel/WHM requires a valid license tied to the server's IP address. An expired or invalid license causes WHM to enter a restricted mode. Verify license status at `https://verify.cpanel.net/`
Security Hardening Checklist for WHM
Running WHM on a production server without hardening is a significant security liability. Apply these measures immediately after provisioning:
- Enable 2FA for root and all reseller accounts — WHM Security Center > Two-Factor Authentication
- Enable cPHulk with aggressive thresholds and whitelist your administrative IPs
- Disable root SSH password login — use SSH key authentication exclusively
- Install CSF/LFD and configure it to block port scanners, brute-force attempts, and outbound SMTP from non-mail processes
- Configure AutoSSL to issue valid Let's Encrypt certificates for the server hostname and all hosted domains
- Restrict compiler access — WHM Security Center > Compiler Access
- Enable ModSecurity via EasyApache 4 with a reputable ruleset (OWASP CRS or Imunify360)
- Set a strong password policy — WHM Security Center > Password Strength Configuration
- Regularly audit reseller ACLs — remove permissions that are not explicitly required
- Configure remote backup transport — never store the only copy of backups on the same server
Decision Matrix: When to Use WHM vs. Alternatives
| Scenario | Recommended Solution |
|---|---|
| Managing 1–5 websites personally | cPanel only (no WHM needed) |
| Running a reseller hosting business | WHM + cPanel on VPS or Dedicated Server |
| High-traffic single application | Direct server management (no cPanel/WHM overhead) |
| Agency managing client sites | WHM with reseller accounts per client |
| Budget-constrained small project | [Shared Web Hosting](https://alexhost.com/shared-hosting/) (cPanel included, no WHM) |
| Full infrastructure control required | [Dedicated Servers](https://alexhost.com/dedicated-servers/) with WHM |
| Scalable VPS with panel management | [VPS Control Panels](https://alexhost.com/vps/control-panels/) |
Technical Key Takeaways
- WHM operates on port 2087 (HTTPS) and 2086 (HTTP); ensure these ports are open in both the OS-level firewall and any upstream network firewall
- The `cpsrvd` daemon must be running for WHM to be accessible; it is the first thing to check when WHM is unreachable
- Never run WHM without 2FA on the root account — port 2087 is actively scanned by automated bots
- AutoSSL eliminates manual certificate management across all hosted domains; configure it immediately after provisioning
- Reseller ACLs are the primary mechanism for delegating administrative access without granting root — audit them regularly
- EasyApache 4 is the correct tool for PHP version and extension management; bypassing it with OS package managers breaks cPanel's handler configuration
- Remote backup transport is not optional in production — on-server backups provide false confidence
- WHM's DNS clustering capability is essential for any multi-server environment requiring nameserver redundancy
Frequently Asked Questions
What is the difference between WHM and cPanel?
WHM is the server-level administrative interface used by root administrators and resellers to create and manage cPanel accounts, configure server services, and control security policies. cPanel is the account-level interface used by individual website owners to manage their own files, databases, email, and domains. WHM creates and governs cPanel accounts; cPanel cannot manage other accounts or server-wide settings.
What port does WHM use, and can it be changed?
WHM uses port 2087 for HTTPS and port 2086 for HTTP by default. The port is determined by the `cpsrvd` daemon and is not configurable to an arbitrary port through the standard WHM interface. If port 2087 is blocked by a firewall, the redirect URLs (`/whm`) will also fail since they resolve to the same port.
Can WHM be accessed without root credentials?
Yes. Reseller accounts have WHM access scoped to the permissions granted by the root administrator via Access Control Lists (ACLs). Resellers can log into WHM using their own username and password and manage only the cPanel accounts under their ownership.
Why does WHM show an SSL certificate warning on first access?
By default, WHM uses a self-signed SSL certificate issued to the server's hostname. Since this certificate is not signed by a trusted Certificate Authority, browsers display a security warning. This is expected and safe to bypass during initial setup. The permanent fix is to install a valid SSL certificate for the server hostname using WHM's AutoSSL or by manually installing a certificate via Manage Service SSL Certificates.
What should I do if WHM is inaccessible after a server reboot?
First, verify that the `cpsrvd` service started correctly by connecting via SSH and running `service cpsrvd status`. If it failed to start, check `/usr/local/cpanel/logs/error_log` for diagnostic output. Also confirm that the firewall rules for port 2087 were restored after reboot — some firewall configurations do not persist across reboots without explicit save commands (`service iptables save` or `csf -r`).
