What is File Protect?

WHM's Enable File Protect setting automatically configures Apache to prevent users from accessing other users' public_html directories and files. On a shared hosting server, without this protection, a PHP script running under one account could potentially read files belonging to another account. File Protect mitigates this by applying permission restrictions through Apache's open_basedir and ownership checks.

This is a critical security feature for any shared hosting environment and should remain enabled unless you have a specific reason to turn it off.

Steps to Enable File Protect

  1. Log in to WHM as the root user.
  2. Navigate to Home » Server Configuration » Tweak Settings.
  3. In the search box at the top, type File Protect to locate the option.
  4. Under the Security tab, find Enable File Protect.
  5. Set the toggle to On to enable the feature.
  6. Click Save at the bottom of the page.

The protection takes effect immediately for all accounts on the server.

Important Notes

  • This setting is enabled by default on new WHM installations. If it has been disabled, you should enable it unless you have a documented reason not to.
  • File Protect works by setting open_basedir restrictions and configuring Apache directives that prevent cross-account file access.
  • Some custom applications or legacy setups may break if File Protect is enabled, because they rely on accessing files outside their home directory. In such cases, you may need to adjust the specific account's PHP configuration rather than disabling File Protect globally.
  • This is not the same as cPanel's "Shell Access" or "Jailshell" restrictions. File Protect specifically targets web-level (Apache/PHP) access between accounts.
  • Disabling File Protect on a shared server is a significant security risk — it opens the door to cross-site scripting attacks that can read other users' files.

Troubleshooting

  • Website shows errors after enabling: The site may be trying to include files from outside its home directory. Check the application's configuration and move required files within the account's home directory, or use the MultiPHP INI Editor to adjust the open_basedir path for that specific domain.
  • Can't find the option: Use the Tweak Settings search bar and type File Protect. The setting is under the Security tab.
  • Setting keeps reverting: Some server management plugins or custom scripts may override this setting. Check for custom post-installation scripts or third-party security plugins that modify Tweak Settings.

For official documentation, see the cPanel Tweak Settings guide.

Was this answer helpful? 0 Users Found This Useful (0 Votes)

Most Popular Articles

How to set Default maximum email quota for new packages via WHM?

The Default maximum email quota for new packages setting in WHM controls the maximum email...
How to set Default disk usage quota for new packages via WHM?

The Default disk usage quota for new packages setting in WHM lets you define a default disk space...
How to set Default bandwidth limit for new packages via WHM?

When you create a new hosting package in WHM, cPanel uses a default bandwidth limit if you don't...
How to change cPanel PHP max POST size via WHM?

The cPanel PHP max POST size setting controls the maximum size of HTTP POST requests that...
How to change cPanel PHP max upload size via WHM?

What is the cPanel PHP Max Upload Size? The cPanel PHP max upload size setting controls the...