Overview
A proper security audit is how you catch problems before attackers do. Whether you’re on a shared plan, a VPS, or a Dedicated Server, the same core principles apply: reduce your attack surface, monitor what’s changing, and keep software current.
This checklist is structured for 2026 environments running cPanel/WHM, Plesk, or a plain Linux stack (Ubuntu 24.04 LTS or AlmaLinux 9.x are the most common at this point). Not every item will apply to your setup — use your judgment and skip sections that genuinely don’t fit.
I’d recommend running through this fully at least once a quarter, and after any major incident, software upgrade, or new staff member getting server access. Smaller shops often skip the audit entirely until something breaks — don’t be that shop.
Prerequisites
- Root or sudo access to the server (or WHM Administrator access for cPanel environments)
- SSH client — PuTTY on Windows, Terminal on macOS/Linux
- Basic familiarity with the Linux command line (you don’t need to be an expert, but you need to be comfortable running commands)
- A record of what software is supposed to be installed — if you don’t have this, build one during this audit
- Backups confirmed working before you make any changes
Step-by-Step Security Audit Checklist
1. Confirm All Software Is Up to Date
Unpatched software is the single most common root cause of successful server compromises. Run updates first so the rest of your audit reflects the actual current state of the system.
On AlmaLinux / CentOS Stream 9:
Copied to clipboard
dnf update -y && dnf upgrade -yOn Ubuntu 24.04:
Copied to clipboard
apt update && apt upgrade -y && apt autoremove -yIn WHM, navigate toHome > cPanel > Upgrade to Latest Versionand also runHome > Server Configuration > Update Preferencesto confirm automatic updates are enabled for security releases.
📝 Note: On production servers, I’d recommend testing updates on a staging instance first, particularly for major cPanel version jumps. Minor and security updates are generally safe to apply immediately.
2. Audit SSH Configuration
SSH is the front door. Most brute-force attempts target port 22 with default settings, so locking this down is non-negotiable.
Open the SSH daemon config:
Copied to clipboard
nano /etc/ssh/sshd_configCheck or set these values:
Copied to clipboard
Port 2222 # Change from default 22 — pick any unused port above 1024 PermitRootLogin no # Never allow direct root SSH login PasswordAuthentication no # Enforce SSH key auth only PubkeyAuthentication yes MaxAuthTries 3 LoginGraceTime 30 X11Forwarding no AllowUsers youruser # Whitelist specific usersAfter saving, restart SSH — but keep your current session open and test in a second terminal window before closing anything:
Copied to clipboard
systemctl restart sshd⚠ Warning: If you disable password auth before confirming your SSH key works, you can lock yourself out completely. Always test in a separate terminal first.
3. Review Firewall Rules
For cPanel/WHM servers, CSF (ConfigServer Security & Firewall) is the standard. If it’s not installed, install it:
Copied to clipboard
cd /usr/src && wget https://download.configserver.com/csf.tgz tar -xzf csf.tgz && cd csf && sh install.shCheck your current open ports:
Copied to clipboard
csf -l | grep ACCEPTOr on a non-cPanel server using nftables (the default in AlmaLinux 9 and Ubuntu 22.04+):
Copied to clipboard
nft list rulesetThe goal here is simple: if a port doesn’t need to be open, close it. Common ports that get left open unnecessarily include 3306 (MySQL, should only be accessible locally unless you’re running a remote DB connection), 6379 (Redis), and 8080 (dev ports).
📝 Note: CSF’sTESTINGmode in/etc/csf/csf.confshould be set to0on live servers. I’ve seen environments running in testing mode for months because nobody checked — in that mode, CSF won’t actually block anything permanently.
4. Check for Unauthorized User Accounts
List all accounts with login shells:
Copied to clipboard
grep -v '/sbin/nologin|/bin/false' /etc/passwdAny account you don’t recognise needs to be investigated immediately. Also check for accounts with empty passwords:
Copied to clipboard
awk -F: '($2 == "") {print $1}' /etc/shadowFor cPanel servers, audit hosting accounts in WHM underHome > Account Information > List Accounts. Remove any accounts that are no longer needed.
5. Audit File Permissions and SUID Binaries
World-writable files are a common vector for privilege escalation. Find them with:
Copied to clipboard
find / -xdev -type f -perm -0002 -not -path "/proc/*" 2>/dev/nullFind SUID binaries (files that run with elevated privileges):
Copied to clipboard
find / -xdev -perm /4000 -type f 2>/dev/nullCompare the SUID list against a known-good baseline. Common legitimate SUID binaries include/usr/bin/passwd,/usr/bin/sudo, and/usr/bin/pkexec. Anything unexpected deserves a close look.
⚠ Warning: Don’t blindly remove SUID bits from binaries you don’t recognise — some are legitimately required by the OS. Google the binary first.
6. Review Running Processes and Listening Services
See everything listening on a network port:
Copied to clipboard
ss -tlnpReview every line. If something is listening that you didn’t expect — especially on a public interface (0.0.0.0 or ::) — find out what it is before continuing.
Check for processes running as root that shouldn’t be:
Copied to clipboard
ps aux | grep root7. Check Logs for Suspicious Activity
Failed SSH login attempts accumulate fast. See the worst offenders:
Copied to clipboard
grep 'Failed password' /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | head -20On Ubuntu, the log is at/var/log/auth.loginstead of/var/log/secure.
For web server logs, scan for common attack patterns like../traversal attempts orwp-login.phphammering. On managed WordPress hosting, this is something Host & Tech handles at the infrastructure level, but if you’re self-managing, check Apache logs at/var/log/httpd/access_logor/var/log/apache2/access.log.
8. Verify SSL/TLS Certificates
Expired certificates cause trust warnings that users see as security issues even when the server itself is fine. Check expiry dates with:
Copied to clipboard
echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -datesIn cPanel, go toHome > SSL/TLS > Manage SSL Hoststo see all installed certificates and their expiry dates in one view.
9. Test Your Backup and Recovery Process
A backup you’ve never tested is just data you haven’t verified is corrupt yet. Restore a single file or database to a test location and confirm the content is intact. This step gets skipped constantly and it’s the one that matters most when something goes wrong.
10. Run a Malware Scan
On Linux servers,maldet(Linux Malware Detect) combined with ClamAV gives solid coverage:
Copied to clipboard
maldet --scan-all /home clamscan -r /home --infected --remove=no --log=/var/log/clamscan.logUse--remove=noon your first scan to review what it finds before deleting anything. False positives happen, particularly in WordPress plugin directories.
Common Issues and Troubleshooting
SSH Login Succeeds But Immediately Disconnects
Usually caused by incorrect permissions on~/.ssh/authorized_keysor the~/.sshdirectory itself. The SSH daemon is strict about this. Fix it with:
Copied to clipboard
chmod 700 ~/.ssh chmod 600 ~/.ssh/authorized_keys chown -R youruser:youruser ~/.sshCSF Blocking Legitimate Traffic
If CSF has blocked an IP that shouldn’t be blocked, the logs are at/var/log/lfd.log. To temporarily unblock an IP:
Copied to clipboard
csf -dr 203.0.113.45To permanently whitelist it, add the IP to/etc/csf/csf.allowand restart CSF withcsf -r.
Maldet Reports Thousands of Infected Files After a WordPress Hack
This is annoyingly common, and the official maldet docs aren’t great on recovery. Don’t just delete everything maldet flags — some of it may be false positives in cached or minified JS files. Instead, isolate the account, restore from a known-good backup if you have one, and then rerun the scan to confirm clean. Patching over an active infection rarely works.
nft or iptables Rules Not Persisting After Reboot
On AlmaLinux 9, rules written directly withnftcommands don’t persist by default. Save them to the config file:
Copied to clipboard
nft list ruleset > /etc/nftables.conf systemctl enable nftablesfind Command Takes Forever or Hangs During Permission Audit
Without the-xdevflag,findwill cross into mounted filesystems including/procand/sys, which can hang indefinitely. Always include-xdevin recursivefindcommands on live servers.
FAQ
Frequently Asked Questions
How often should I run a server security audit?
At minimum, quarterly. After any security incident, major software update, or staff change, run it again immediately. Monthly is better if you’re handling sensitive customer data or running eCommerce. Audits that don’t happen on a schedule just don’t happen.
Do I need root access to run a server security audit?
For a full audit, yes — many of the checks require root or sudo. If you’re on shared hosting, your ability to audit is limited to your own files and account settings. VPS and dedicated server customers have full root access and can run every step in this checklist.
Is ClamAV good enough for server malware scanning?
ClamAV alone misses a lot of PHP webshells and fileless threats. Pair it with Linux Malware Detect (maldet), which is specifically tuned for shared hosting and web server environments. Running both together gives you much better coverage than either tool alone.
Can I run this checklist on a cPanel shared hosting account?
Partially. Steps like SSH hardening, firewall rule changes, and process auditing require server-level access you won’t have on shared hosting. You can still check file permissions, review your account’s error logs, and verify SSL certificates. For full control over server hardening, you’ll need a VPS or dedicated server.
What's the difference between a security audit and a penetration test?
A security audit reviews your configuration, settings, and software against known best practices — it’s largely checklist-driven. A penetration test involves actively attempting to exploit vulnerabilities, often done by a specialist. Audits are something you can run internally on a regular basis; pen tests are typically scheduled annually or after major infrastructure changes.
Related Articles
How to Secure Your Linux Server: A Practical Hardening Guide