Disable cPanel Brute Force Command Line

Server Maintenance | Updated 2026

cPHulk is cPanel's built-in brute force protection. It monitors login attempts to cPanel, WHM, webmail, and SSH, and blocks IPs that exceed the failure threshold. Sometimes you need to disable it temporarily from the command line - for example, if you have locked yourself out of WHM.

Locked Out of WHM?

If cPHulk has blocked your IP from WHM access, SSH into the server and run:

/usr/local/cpanel/scripts/cphulkd_login_dbsetup --disable
# Access WHM, then re-enable:
/usr/local/cpanel/scripts/cphulkd_login_dbsetup --enable

01. Disable cPHulk

# Disable cPHulk via command line
/usr/local/cpanel/scripts/cphulkd_login_dbsetup --disable

# Or via WHM API
whmapi1 configureservice service=cphulkd enabled=0

This stops the cPHulk daemon and removes all current blocks.

Security Risk

Disabling cPHulk removes brute force protection for cPanel, WHM, webmail, and SSH logins. Only disable it temporarily for troubleshooting, and re-enable it as soon as possible. If you also run CSF, its login failure tracking (LF_TRIGGER) provides a secondary layer of protection.

02. Re-enable cPHulk

/usr/local/cpanel/scripts/cphulkd_login_dbsetup --enable

# Restart the service and verify it is running
/usr/local/cpanel/scripts/restartsrv_cphulkd
systemctl status cphulkd
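
The disable and re-enable steps above can be tied together so that the unprotected window always closes, even if the SSH session drops. This is an added example, not part of the original article or of cPanel itself; the `cphulk_window` function name, the `CPHULK_SETUP` variable and the 15-minute `MAX_WINDOW` limit are assumptions made for the sketch, and the script path is the one used on this page.

```bash
#!/usr/bin/env bash
# Added example: time-boxed cPHulk disable with guaranteed re-enable.
# CPHULK_SETUP defaults to the script path used on this page; it is a
# variable only so the logic can be exercised against a stub.
CPHULK_SETUP="${CPHULK_SETUP:-/usr/local/cpanel/scripts/cphulkd_login_dbsetup}"
MAX_WINDOW=900   # assumed policy: never leave protection off longer than 15 min

# cphulk_window SECONDS
# Returns 0 on a clean window, 1 if the disable step failed, 2 on bad input,
# 130 if interrupted. Once validation passes, cPHulk is re-enabled on every
# exit path.
cphulk_window() {
    case "$1" in
        # Reject empty, non-numeric and over-long values (avoids integer overflow).
        ''|*[!0-9]*|??????*) echo "usage: cphulk_window SECONDS" >&2; return 2 ;;
    esac
    if [ "$1" -gt "$MAX_WINDOW" ]; then
        echo "refusing a window longer than ${MAX_WINDOW}s" >&2
        return 2
    fi
    (
        # Subshell: the traps below cannot leak into the calling shell.
        trap '"$CPHULK_SETUP" --enable' EXIT   # runs on every exit path
        trap 'exit 130' INT TERM HUP           # Ctrl-C, kill, dropped SSH session
        "$CPHULK_SETUP" --disable || exit 1
        # Audit trail in syslog; ignored if logger is unavailable.
        logger -t cphulk-window "cPHulk disabled for ${1}s" 2>/dev/null || :
        sleep "$1"
    )
}

# Run only when invoked as: ./cphulk-window.sh --run SECONDS
if [ "${1:-}" = "--run" ]; then
    cphulk_window "${2:-}"
fi
```

A SIGKILL or a reboot bypasses the trap, so confirm the final state afterwards with `systemctl status cphulkd`.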

03. Unblock a Specific IP

Instead of disabling cPHulk entirely, you can unblock a single IP:

# Check if an IP is blocked
/usr/local/cpanel/scripts/cphulkd_login_dbsetup --list-bans | grep -Fw "1.2.3.4"

# Remove the ban via WHM API
whmapi1 flush_cphulk_login_history_for_ips ip=1.2.3.4

# Or via MySQL directly
mysql cphulkd -e "DELETE FROM brutes WHERE IP='1.2.3.4';"
mysql cphulkd -e "DELETE FROM logins WHERE IP='1.2.3.4';"

04. Whitelist an IP

To permanently whitelist an IP so cPHulk never blocks it:

# Via WHM API
whmapi1 create_cphulk_record list_name=white ip=1.2.3.4 comment="Admin IP"

# Or edit the whitelist directly
echo "1.2.3.4" >> /etc/cphulk/whitelist.conf
/usr/local/cpanel/scripts/restartsrv_cphulkd

05. Flush All Blocks

# Remove all current bans and login history
whmapi1 flush_cphulk_login_history

# Or via MySQL
mysql cphulkd -e "TRUNCATE brutes; TRUNCATE logins;"

# Restart cPHulk
/usr/local/cpanel/scripts/restartsrv_cphulkd

cPHulk vs CSF

cPHulk and CSF both provide brute force protection but operate independently. cPHulk monitors cPanel/WHM/webmail login attempts specifically. CSF monitors system-level logs (/var/log/secure, exim, etc.). Both should be enabled for layered security. If you use CSF's LF_CPANEL directives, you can optionally disable cPHulk to avoid double-blocking, but most admins keep both active.


Quick Recap

  1. Disable: cphulkd_login_dbsetup --disable
  2. Re-enable: cphulkd_login_dbsetup --enable
  3. Unblock IP: flush_cphulk_login_history_for_ips
  4. Whitelist: add to /etc/cphulk/whitelist.conf
  5. Always re-enable after troubleshooting

Last updated March 2026