cPanel still runs more shared hosting accounts than every other control panel combined. It also costs more, gates more features behind tiers, and has shipped more meaningful changes in the last three years than in the prior decade. This guide is the expert level reference: the architecture under the hood, what the 2024 to 2026 release cycle actually delivered, how AutoSSL, MultiPHP, JetBackup 5, Imunify360, DNSSEC, and the API token system fit together, and the workflows that separate someone who clicks around in cPanel from someone who runs a server in it.
Quick orientation. If you are looking for a side by side of cPanel against Plesk, SPanel, and DirectAdmin, that lives on the hosting control panels page. If you want the deep dive on what cPanel itself actually does, keep reading.
What cPanel Is and Why It Still Dominates
cPanel is a Linux server administration suite that exposes file, mail, database, DNS, security, and software management through a browser interface. It runs as a long lived daemon on the host and serves two front ends: cPanel for individual hosting accounts and WHM for the server administrator. Together they let one operator manage thousands of customer sites on one server without ever touching a command line for routine work.
The product launched in 1996 as a panel for Speed Hosting, was spun out into its own company, and spent the next two decades becoming the de facto standard for shared Linux hosting. The dominance came from three things: it ran on every common Linux distribution, it integrated cleanly with the standard hosting stack of Apache, Exim, BIND, and MySQL, and it shipped with a feature set that covered 99% of what a hosting customer ever needed. Competitors like Plesk and DirectAdmin existed and held meaningful share, but cPanel won on the broadest installed base and the largest plugin ecosystem.
The reasons it still dominates in 2026, despite the licensing changes, are inertia and scope. Inertia: every shared hosting tutorial on the internet assumes cPanel. Every backup tool, security scanner, billing system, and migration script targets cPanel first. Scope: replacing cPanel with a self maintained alternative means re implementing two decades of feature work. Hosts that have done this successfully (SPanel from ScalaHosting being the standout example) report it took years and dedicated engineering teams. For most hosts the cheaper answer is still to pay the cPanel license.
For end users the takeaway is practical: if you are buying shared hosting, you are almost certainly going to land on cPanel. Knowing it well is a higher leverage skill than learning niche control panels.
Architecture: cpsrvd, WHM, and What Runs Underneath
Understanding cPanel as a stack rather than a UI is the difference between a casual user and someone who can fix it when it breaks.

The core components, top to bottom:
- cpsrvd is the long lived service that serves the cPanel and WHM web interfaces over HTTPS on ports 2083 and 2087, plus their plain HTTP siblings on 2082 and 2086. It is a forking Perl daemon written in house. Almost every action you take in the UI ends up as a request to cpsrvd, which then dispatches to a script under /usr/local/cpanel/whostmgr or /usr/local/cpanel/cpanel.
- EasyApache 4 is the build system for the web server stack. It produces the Apache or LiteSpeed binary, the PHP versions installed on the server, and every Apache module. Profiles define which versions of each component are present. EasyApache is the single most important admin level concept in cPanel; it is how you upgrade PHP, switch web servers, or add modules without breaking running sites.
- Apache or LiteSpeed serves HTTP. Apache is upstream default. LiteSpeed Enterprise is what most performance focused cPanel hosts ship in 2026 because its per worker memory profile and built in caching beat Apache decisively for WordPress workloads. The full comparison of the options sits on the web servers page.
- Exim handles SMTP. Mail comes in over Exim, gets filtered by SpamAssassin and any host added scanner like Imunify Anti Spam, and lands in user mailboxes via Dovecot for IMAP and POP3.
- MySQL or MariaDB handles relational data for every cPanel account. cPanel ships with a wrapper that creates and removes databases per account and enforces basic permissions. The internals of how this engine actually works are on the database page.
- BIND serves DNS. cPanel writes BIND zone files when domains are added or DNS records change. The server can act as authoritative for the domains it hosts, or as a hidden master with public secondaries elsewhere.
- ProFTPD or Pure-FTPD serves FTP and SFTP. Modern hosts encourage SFTP over the OpenSSH daemon and disable FTP entirely because the protocol does not encrypt credentials.
- cpsrvd hooks and scripts are how custom integrations attach themselves. Backups, security plugins, billing systems, and reseller add ons all install as cPanel plugins under /usr/local/cpanel/whostmgr/docroot/cgi or as standard hooks in /usr/local/cpanel/hooks.
The two layers that confuse new users: WHM is the server, cPanel is the account. WHM creates accounts, sets package limits, and reaches every service on the box. cPanel can only see and edit the one account it is logged into. A reseller has WHM access scoped to a virtualised server view that lets them create accounts under their package limits but not touch other resellers. That layered access is what makes cPanel viable for shared hosting in the first place.
Licensing Tiers and What 2026 Pricing Looks Like
The 2019 license restructure replaced cPanel's flat per server fee with per account tiers. The change has been the single most discussed thing about cPanel ever since, with prices increasing roughly every year through 2026.

The current tier structure, simplified:
- Solo for a single cPanel account on a server. Targeted at VPS owners running one site. Cheapest tier and the most popular for self managed VPS users in 2026.
- Admin for up to 5 accounts. Useful for small reseller setups or developer agencies running a handful of client sites on one box.
- Pro for up to 30 accounts. The starter tier for small hosting businesses.
- Premier for 100 accounts at the base price, with metered per account fees beyond that. The dominant tier on shared hosting, where a single physical server typically holds 200 to 800 accounts and the cost is just rolled into the customer plan price.
- Plus for high density operators, starting around 250 accounts and scaling up. Introduced in 2024 to address very large operator demand.
For end users, none of this matters. You pay your host, your host pays cPanel. The cPanel cost is roughly $2 to $4 per account per month rolled into your plan. What does matter to end users is that hosts who are aggressively trying to undercut market price have moved to a non cPanel control panel. SiteGround moved to its own panel in 2020. ScalaHosting offers SPanel as a no cost cPanel alternative. Hostinger ships its own hPanel. These are not technical purity moves; they are direct responses to cPanel licensing economics. The full alternatives breakdown is on the control panel page.
Jupiter: The Modern cPanel UI
Jupiter has been the default cPanel theme since 2021 and the only supported theme since the Paper Lantern retirement in 2023. The 2025 and 2026 releases focused on quality of life rather than new top level features, and the result is the most usable cPanel has ever been.
What changed in the modern Jupiter cycle:
- Universal search across every cPanel feature. Pressing the search icon at the top opens a fuzzy finder that jumps straight to any feature, file manager directory, email account, or database. Once you start using this you stop scrolling the dashboard.
- Per user dashboard pinning. The features each user actually uses can be pinned to the top, with the rest hidden until needed. For non technical users this turns cPanel from a wall of icons into a small focused view of their own work.
- Dark mode shipped properly in late 2024 after years of community requests. Toggled per user, persisted across sessions.
- Mobile responsive across every page in the suite. The 2019 era cPanel had mobile gaps; the 2026 build has none.
- Glance widgets on the dashboard show resource usage, recent backups, AutoSSL status, and security warnings inline rather than buried in subpages. This change alone reduced the average steps to find a problem from five clicks to zero.
The overall feel is the same shape cPanel has always had: a grid of feature tiles grouped into Files, Email, Databases, Domains, Metrics, Security, Software, Advanced, Preferences, and Email subsections. What changed is that every tile actually leads somewhere modern and not to a 2014 era form.
File Manager and FTP in 2026
The file manager is the most used feature in cPanel after email. The 2025 rebuild brought it from passable to genuinely good.

What works in the modern file manager:
- Monaco editor (the engine behind VS Code) replaced the old textarea editor. Syntax highlighting, multi cursor editing, find and replace with regex, and file diff against the saved version. For quick edits to wp-config or .htaccess this is the difference between a workable tool and a real one.
- Multi tab editing. Open several files at once, switch between them, save independently. Big jump for theme and plugin editing without SSH.
- Right click extract for zip and tar archives. Upload a 2 GB site export and extract it in place rather than over FTP.
- Bulk operations across selected files: change permissions, set ownership, compress, move, delete. The progress UI shows per file results so a partial failure does not silently lose work.
- Hidden file toggle persisted per user. Hidden files (anything starting with a dot) are hidden by default; turning the toggle on for an admin session sticks until you turn it off.
For programmatic access, cPanel still ships ProFTPD or Pure-FTPD plus SFTP through OpenSSH. Best practice in 2026 is to disable plain FTP entirely at the WHM level and require SFTP. Plain FTP transmits credentials in cleartext and is the source of more compromised cPanel accounts than any other vector. The host side of this is covered on the security threats page.
Email: Accounts, Forwarders, Filters, and Deliverability
Email is where cPanel still differentiates from the modern alternatives. SiteGround pulled email off shared hosting entirely. Hostinger sells email as a separate product. cPanel ships full email accounts, autoresponders, forwarders, IMAP, POP3, SMTP, webmail, mailing lists, deliverability tools, and DKIM and SPF signing in the base install.
The relevant 2026 features:
- Email Deliverability dashboard. One screen shows whether SPF and DKIM are correctly configured for every domain on the account, what the published records look like, and what they should look like. Misconfigured SPF is the most common reason a cPanel host's email lands in spam; this dashboard makes it a one click fix.
- DKIM rotation. The 2024 cycle added support for periodic DKIM key rotation, which Google and Microsoft now reward in deliverability scoring. Older cPanel installs used a single DKIM key forever; modern ones rotate on a schedule.
- Mail filtering at the cPanel level with Sieve rules. The Email Filters page lets a user build conditional rules without touching the server filter file. Rules can route to folders, forward conditionally, or delete on match.
- SpamAssassin plus optional Imunify Anti Spam. Base SpamAssassin works but is dated; Imunify Anti Spam (a WebPros product, separately licensed) replaces it on most reputable hosts and dramatically reduces spam delivery without dramatically increasing false positives.
- Webmail with Roundcube and SOGo. Both are bundled. Roundcube remains the default for most users; SOGo adds shared calendars and contacts for small business use cases.
The deliverability discipline matters more than the UI features. Customers complain about email not arriving. Almost always the problem is one of: SPF includes the wrong sending host, DKIM signing is missing or the published key has gone stale after a rotation, the IP is on a blocklist from a prior tenant, or the recipient host (Gmail above all) has decided the sending pattern looks spammy. cPanel's tooling helps with the first two. The third needs the host to clean blocklist entries on the customer's behalf. The fourth is the user's job.
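The "SPF includes the wrong sending host" case can be reproduced offline. The following is an added example, not cPanel's code or the Email Deliverability dashboard's logic: a reduced SPF evaluator that handles ip4, ip6, include, redirect and all, run over constructed TXT records. The domain names, addresses and the SAMPLE_TXT table are assumptions made up for the illustration.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_TERMS = {"include", "a", "mx", "exists", "ptr"}
MAX_LOOKUPS = 10  # RFC 7208 limit on terms that trigger DNS queries

# Constructed TXT data standing in for live DNS, so the example runs offline.
SAMPLE_TXT = {
    "stale.example": ["v=spf1 ip4:203.0.113.10 include:_spf.oldrelay.example ~all"],
    "fixed.example": ["v=spf1 ip4:203.0.113.10 include:_spf.relay.example ~all"],
    "dup.example": ["v=spf1 ip4:203.0.113.10 ~all",
                    "v=spf1 include:_spf.relay.example ~all"],
    "_spf.oldrelay.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_spf.relay.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
}


def evaluate_spf(domain, sender_ip, txt, state=None):
    """Return (result, matched_term, state) for sender_ip under domain's SPF policy."""
    state = state if state is not None else {"lookups": 0, "notes": []}
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none", None, state
    if len(records) > 1:
        # Two SPF records on one name is an error, not a merge.
        state["notes"].append(f"{domain}: {len(records)} SPF records published")
        return "permerror", None, state

    redirect = None
    for raw in records[0].split()[1:]:
        qualifier, term = (raw[0], raw[1:]) if raw[0] in QUALIFIERS else ("+", raw)
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        name, _, arg = term.partition(":")
        name = name.lower().split("/")[0]
        if name == "all":
            return QUALIFIERS[qualifier], raw, state
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", raw, state
            if ip in network:
                return QUALIFIERS[qualifier], raw, state
            continue
        if name not in DNS_TERMS:
            continue  # modifier such as exp=; unknown mechanisms are skipped for brevity
        state["lookups"] += 1
        if state["lookups"] > MAX_LOOKUPS:
            state["notes"].append("more than 10 DNS-querying terms")
            return "permerror", raw, state
        if name != "include":
            state["notes"].append(f"{raw}: needs live DNS, not evaluated offline")
            continue
        inner = evaluate_spf(arg, sender_ip, txt, state)[0]
        if inner in ("none", "permerror"):
            return "permerror", raw, state
        if inner == "pass":
            return QUALIFIERS[qualifier], raw, state
    if redirect:
        state["lookups"] += 1
        result = evaluate_spf(redirect, sender_ip, txt, state)
        return ("permerror", None, state) if result[0] == "none" else result
    return "neutral", None, state


if __name__ == "__main__":
    # 198.51.100.25 is the constructed address of the relay that actually sends the mail.
    for domain in ("stale.example", "fixed.example", "dup.example"):
        result, term, state = evaluate_spf(domain, "198.51.100.25", SAMPLE_TXT)
        print(domain, result, term, state["notes"])
```

The stale record still authorizes the server's own address, which is why mail sent from the box itself passes while mail sent through the relay lands in spam.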
Database Tools in cPanel
cPanel's database tooling is functional rather than fancy. Three features cover almost every workflow.
MySQL Databases page. Create a database, create a database user, grant the user privileges on the database, set a password. Each cPanel account is sandboxed; a user on one account cannot see or touch databases on another. Database names are prefixed with the account username, so a cPanel user called example creates databases named example_wordpress and so on.
phpMyAdmin. Bundled and pinned to the cPanel session, so opening it does not require a separate login. The 2025 cPanel build ships phpMyAdmin 5.2 which has fewer of the legacy issues that plagued earlier versions. For routine inspection, exports, and one off queries it works fine. For heavy database work, a dedicated tool over SSH is better. The full database tools comparison sits on the database page.
Remote MySQL. The Remote MySQL page in cPanel lets you whitelist external IPs to connect directly to the database server on port 3306. Useful for connecting MySQL Workbench from your laptop or for staging environments that pull data from production. The discipline here is to whitelist specific IPs and never use a wildcard. A wildcard remote MySQL is one of the fastest ways to expose a database to the internet.
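How much a wildcard entry really admits is easy to underestimate, because % matches across dots and digits. The following is an added example, not part of cPanel: it audits a list of Remote MySQL access hosts using MySQL's host pattern rules (% for any run of characters, _ for one character). The entries and probe addresses are constructed, and netmask notation is not handled.

```python
import re

# Constructed access host entries as they might appear on the Remote MySQL page.
SAMPLE_ENTRIES = ["%", "203.0.113.7", "203.0.113.1%", "198.51.100.%"]
# Constructed client addresses used to probe what each entry lets through.
SAMPLE_PROBES = ["203.0.113.7", "203.0.113.150", "192.0.2.99", "198.51.100.23"]


def host_pattern_to_regex(entry):
    """Translate a MySQL host pattern (% = any run, _ = one character) into a regex."""
    parts = []
    for ch in entry:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def admits(entry, client):
    """True when a connection from client would match this access host entry."""
    return bool(host_pattern_to_regex(entry).match(client))


def severity(entry):
    """Classify an entry: any-host, wildcard, or exact."""
    if "%" not in entry and "_" not in entry:
        return "exact"
    # Nothing but wildcards and dots left means the entry constrains nothing.
    literal = entry.replace("%", "").replace("_", "").replace(".", "")
    return "wildcard" if literal else "any-host"


def audit_access_hosts(entries, probes):
    """Report each entry's class and which probe addresses it would admit."""
    return [
        {
            "entry": entry,
            "severity": severity(entry),
            "admits": [p for p in probes if admits(entry, p)],
        }
        for entry in entries
    ]


if __name__ == "__main__":
    for row in audit_access_hosts(SAMPLE_ENTRIES, SAMPLE_PROBES):
        print(f'{row["entry"]:<14} {row["severity"]:<9} admits {row["admits"]}')
```

The entry 203.0.113.1% looks like a typo for a single address but admits 203.0.113.150 as well, which is the kind of finding that justifies listing exact addresses only.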
Database backups and exports through cPanel work but are not the strategy any serious site relies on for backup. The full backup picture, including why hosting backups alone are insufficient, is on the backup and restore page.
Domains, DNS, and DNSSEC
cPanel manages domains at three layers: the parked or addon domain at the cPanel level, the DNS zone at the BIND level, and the AutoSSL certificate at the web server level. The flow has been simplified considerably across the 2024 and 2025 releases.
Domains page consolidated the older Addon Domains, Subdomains, Parked Domains, and Aliases pages. One screen handles every type of domain attached to the account. Adding a domain creates a folder under public_html, writes the DNS zone, and triggers an AutoSSL run.
Zone Editor exposes the BIND zone for each domain. A, AAAA, CNAME, MX, TXT, SRV, and CAA records are first class. NS records can be added but cannot replace the host's authoritative nameservers without also delegating the domain at the registrar level. The full guide to record types is on the DNS records page.
DNSSEC support landed in cPanel 110 and matured through the 2025 cycle. DNSSEC signs DNS responses cryptographically so resolvers can verify nothing tampered with the record between the authoritative server and the client. The Zone Editor in modern cPanel can generate DS records and provide them to the registrar for delegation. Adoption is still low overall (under 10% of domains) but for any site that handles authentication, payments, or sensitive data DNSSEC closes a real attack surface. The DNS resolution chain it protects is on the nameservers page.
SSL Certificates and How AutoSSL Actually Works
HTTPS on cPanel is a solved problem in 2026 thanks to AutoSSL. Understanding what is happening underneath the one click setup is what separates a casual user from someone who can debug it when something breaks.
AutoSSL is a long running process that lives on the server. Once a night, plus on demand whenever a domain is added or its DNS changes, the AutoSSL daemon walks every domain on the server, checks whether each has a valid certificate, and requests a new one for any domain that does not. Validation uses the HTTP-01 challenge from the ACME protocol: the certificate authority asks the server to serve a specific token at /.well-known/acme-challenge/<file>, the server proves it controls the domain by serving the file, and the certificate issues.
The default certificate authority in cPanel was Sectigo for years. Most hosts have switched to Let's Encrypt through the official Let's Encrypt provider plugin because Let's Encrypt is free, faster to issue, and the de facto industry standard. Both work identically from a user perspective: a green padlock in the browser. The full breakdown of certificate types, where Let's Encrypt fits, and when you would ever pay for a paid certificate is on the SSL certificates and HTTPS page.
Common AutoSSL failure modes worth knowing:
- DNS pointing elsewhere. AutoSSL only issues certificates for domains that resolve to the server. A domain still pointed at a previous host fails validation and never gets a certificate. The fix is to update DNS first.
- HTTP-01 challenge blocked. A custom .htaccess rule or a security plugin that blocks /.well-known/ kills validation. If AutoSSL keeps failing for a domain that obviously resolves correctly, this is almost always why.
- Certificate authority rate limits. Let's Encrypt enforces rate limits per registered domain (50 per week for production certificates as of 2026). A site that bounces certificates repeatedly during testing can hit the limit and have to wait it out.
- Wildcard certificate requests. AutoSSL supports wildcard certificates only with DNS-01 validation, which requires the host to integrate the certificate authority's DNS API. Most do not, so wildcard requests on shared cPanel often fail. The workaround is to issue certificates per subdomain rather than as wildcard.
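For the blocked HTTP-01 case, the .htaccess in the document root can be checked before the next AutoSSL run. The following is an added example, not AutoSSL's own code: it scans RewriteRule, RewriteCond and RedirectMatch lines for rules that would deny a request under /.well-known/acme-challenge/. It assumes a docroot level .htaccess, evaluates only %{REQUEST_URI} conditions, and uses Python's regex engine as a stand-in for Apache's; the token name and sample files are constructed.

```python
import re

# Constructed token name; real challenge tokens differ on every request.
CHALLENGE_PATH = ".well-known/acme-challenge/constructed-token"
DENY_STATUS = {"403", "404", "410"}

# Constructed .htaccess samples. The first hides dotfiles and takes the challenge with them.
HIDE_DOTFILES = r"""
RewriteEngine On
RewriteRule (^|/)\. - [F]
"""
EXEMPT_BY_COND = r"""
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule (^|/)\. - [F]
"""
EXEMPT_BY_EARLY_RULE = r"""
RewriteEngine On
RewriteRule ^\.well-known/acme-challenge/ - [L]
RewriteRule (^|/)\. - [F]
"""
REDIRECTMATCH_403 = r"""
RedirectMatch 403 /\..*$
"""


def _tokens(line):
    """Split a directive line on whitespace, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line.strip())]


def _flags(tokens, index):
    """Parse an optional [A,B=x] flag token into a set of upper-case flag names."""
    if len(tokens) <= index or not tokens[index].startswith("["):
        return set()
    return {f.split("=")[0].strip().upper() for f in tokens[index].strip("[]").split(",")}


def _matches(pattern, subject, nocase=False):
    """Apache-style match: a leading '!' negates the regex."""
    negate = pattern.startswith("!")
    hit = re.search(pattern[1:] if negate else pattern, subject, re.I if nocase else 0)
    return bool(hit) != negate


def _conds_hold(conds, path):
    """True/False when the RewriteCond chain is decidable from the URI alone, else None."""
    if any("OR" in flags for _, _, flags in conds):
        return None
    uri_conds = [c for c in conds if c[0].upper() == "%{REQUEST_URI}"]
    if not all(_matches(pat, "/" + path, "NC" in flags) for _, pat, flags in uri_conds):
        return False
    return True if len(uri_conds) == len(conds) else None


def find_challenge_blockers(htaccess_text, path=CHALLENGE_PATH):
    """Return rules in a docroot .htaccess that would deny an HTTP-01 challenge request."""
    findings, conds = [], []
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        tokens = _tokens(line)
        if not tokens or tokens[0].startswith("#"):
            continue
        directive = tokens[0].lower()
        if directive == "rewritecond" and len(tokens) >= 3:
            conds.append((tokens[1], tokens[2], _flags(tokens, 3)))
        elif directive == "rewriterule" and len(tokens) >= 3:
            rule_conds, conds = conds, []
            flags = _flags(tokens, 3)
            # Per-directory rules see the path without its leading slash.
            if not _matches(tokens[1], path, "NC" in flags):
                continue
            verdict = _conds_hold(rule_conds, path)
            if verdict is False:
                continue
            if flags & {"F", "G"}:
                findings.append({"line": lineno, "rule": line.strip(),
                                 "certain": verdict is True})
                if verdict:
                    break  # request is refused here; nothing later runs
            elif verdict and tokens[2] == "-" and flags & {"L", "END"}:
                break  # explicit pass-through; later rewrite rules never see the request
        elif directive == "redirectmatch" and len(tokens) >= 3 and tokens[1] in DENY_STATUS:
            if _matches(tokens[2], "/" + path):
                findings.append({"line": lineno, "rule": line.strip(), "certain": True})
    return findings


if __name__ == "__main__":
    for finding in find_challenge_blockers(HIDE_DOTFILES):
        print(finding)
```

A finding with certain set to False means the rule depends on a condition the script cannot evaluate, such as a user agent or referrer test, and needs a manual look.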
MultiPHP, PHP Selector, and PHP-FPM
PHP version handling is one of the areas where cPanel made the biggest improvements over the 2023 to 2026 window. The legacy state was a single PHP version per server. The modern state is per domain, per directory PHP versioning with extension level customisation per user.

The relevant features:
- EasyApache 4 PHP profiles install whichever PHP versions the admin chooses. Most servers in 2026 carry 7.4 (deprecated, kept for legacy sites), 8.1, 8.2, 8.3, and 8.4. Each version is a fully separate binary with its own extension set.
- MultiPHP Manager assigns the active PHP version per domain on the account. The .htaccess file gets a Handler directive that routes requests to that specific PHP version's FastCGI handler.
- PHP Selector (the CloudLinux feature, available on hosts running CloudLinux) lets each user pick a PHP version per directory and toggle individual extensions on or off. So one WordPress install can run PHP 8.3 with imagick enabled while a sibling install on the same account runs PHP 8.1 with mcrypt.
- MultiPHP INI Editor exposes the most commonly tuned PHP ini values (memory_limit, upload_max_filesize, max_execution_time, post_max_size) per domain without requiring a developer to edit php.ini directly.
- PHP-FPM integration runs PHP as a long lived process pool rather than spawning a new PHP process per request. The performance and memory benefits are large for any traffic volume above a small site. Modern cPanel ships PHP-FPM as the default. The architecture and tuning of FPM workers is what determines real concurrent throughput on a WordPress site.
For the practical user, the takeaway is simple: stay on a current major version of PHP. As of mid 2026 that means 8.3 or 8.4 for new sites. Anything older than 8.1 is unsupported and a security risk. cPanel makes the upgrade itself trivial; the work is testing your themes and plugins against the new version before flipping the switch in production.
Security: cPHulk, ModSecurity, Imunify360, and the Defense Layers
Security in cPanel is layered. The base install ships with three of the four layers in place. The fourth is what reputable hosts add on top.

Layer by layer:
- cPHulk Brute Force Protection. Watches login attempts at the cPanel, WHM, FTP, SSH, and webmail levels. Bans an IP after a configurable threshold of failures. The default thresholds are reasonable; the common admin tweak is to add allowlist entries for office IPs so legitimate staff do not get locked out.
- ModSecurity at the Apache or LiteSpeed level. ModSecurity is a web application firewall that inspects every HTTP request against rule sets. The OWASP Core Rule Set is bundled and most hosts ship it enabled. It blocks SQL injection patterns, cross site scripting, common WordPress attack patterns, and known scanning tools. The challenge is false positives; aggressive rule sets break legitimate plugin admin pages, and tuning is ongoing.
- IP Blocker and ConfigServer Firewall (CSF). CSF is not part of cPanel proper but is installed on essentially every cPanel server. It is the iptables wrapper that handles network level blocking, country level blocking, and integration with cPHulk. The cPanel IP Blocker page hands user level rules to CSF for the user's account.
- Imunify360 is the optional fourth layer. WebPros owned, integrated with cPanel as a plugin, costs around $12 to $20 per month per server depending on tier. It adds real time malware scanning at the file level, proactive WordPress hardening, malware quarantine, automatic patch application for known plugin vulnerabilities, and outbound traffic anomaly detection. Most reputable cPanel hosts ship Imunify360 enabled by default in 2026.
The 2025 release cycle added two factor authentication enforcement at the WHM level. An admin can require all cPanel and WHM users to enroll in 2FA. Combined with API tokens replacing password auth for scripts, the credential surface area is dramatically smaller than it was even three years ago. The remaining gap is on user side practices: weak email account passwords are still the most common cPanel compromise vector. The breakdown of attack types and where each is mitigated is on the security threats page.
Backups: cPanel Native, JetBackup 5, and What Modern Hosts Use
Backup tooling in cPanel has gone through three eras. The native cPanel backup was always functional but limited. R1Soft and Acronis filled the gap for years. JetBackup, acquired by WebPros in 2020, is now the de facto standard on reputable hosts.

cPanel native backup still exists in WHM under Backup Configuration. It can produce daily, weekly, and monthly snapshots, store them locally or push to remote destinations over FTP, rsync, S3, or Google Drive. It works for small servers. It does not handle per file restore well, has limited retention policy options, and does not support incremental backups, which means storage costs scale linearly with snapshot count.
JetBackup 5 is what most hosts run for customers. The relevant features:
- Per file restore. Browse a backup like a file system and restore one file rather than the whole account. The single biggest practical improvement over cPanel native backup.
- Per database table restore. Same idea applied to MySQL. Restore one wp_options row from yesterday rather than rolling back the whole database.
- Encrypted backups with a per server key. Backups stored offsite are encrypted at rest, which closes one of the larger compliance gaps in older backup tools.
- Multiple destinations per schedule. A backup can land on local disk, push to S3, and replicate to a secondary destination simultaneously. The 3-2-1 backup strategy from the backup and restore page maps onto this directly.
- Incremental snapshots. Only changed blocks transfer to the backup destination, dramatically reducing bandwidth and storage cost for daily snapshot retention.
- Policy based retention. Set rules like "keep 7 daily, 4 weekly, 6 monthly, 2 yearly" and JetBackup enforces it automatically.
What hosts ship varies. Some include JetBackup and full retention in the plan price. Some include the JetBackup interface but with reduced retention (last 7 days only). Some make full retention an upsell. The clarity of the host's backup story is one of the most reliable proxies for whether the host takes operations seriously, and it is worth checking the specifics before buying. Even with JetBackup running, the discipline of testing a restore on a quarterly cadence is the only way to know your backups actually work; the testing protocol is in the disaster recovery guide.
The cPanel API and API Tokens
The API has existed for as long as cPanel has, but the 2024 token system finally made it safe to use without putting account passwords in scripts. Any serious automation around cPanel hosting goes through the API; understanding it is what separates a power user from an average one.
cPanel exposes two APIs:
UAPI is the modern user level API. Scoped to a single cPanel account. JSON request and response format. Authenticated by API token in modern installations. Endpoints follow the pattern https://example.com:2083/execute/Module/function. Every feature in the cPanel UI has a UAPI equivalent. Examples: Email/add_pop creates a new email account, Mysql/create_database creates a database, SSL/install_ssl installs a certificate.
WHM API 1 is the server level API. Scoped to the whole server. Authenticated by API token at the WHM level. Endpoints follow https://server.example.com:2087/json-api/<function>. Used for creating accounts, suspending accounts, and any server wide administration. Hosts that integrate cPanel with their billing system (WHMCS being the standard one) talk to this API constantly.
Token management lives at https://account.example.com:2083/cpsess<token>/frontend/jupiter/security/tokens/index.html for cPanel users and at the WHM equivalent for admins. A token is created once, copied at creation time, and used in scripts as a Bearer header on requests. Tokens can be scoped to specific UAPI modules so a token used for email account creation cannot also delete databases.
What this enables: signup flows that provision email accounts automatically, deploy pipelines that run database migrations before pushing code, monitoring scripts that pull resource usage from WHM nightly, and lightweight admin dashboards built for non technical staff who should not have full cPanel access. None of this needs the user's password anywhere on the script side.
Resource Limits, CloudLinux, and the LVE Model
Shared hosting only works because no one tenant gets to consume the whole server. cPanel by itself has minimal resource limiting. CloudLinux, layered on top of cPanel, is what makes shared hosting actually work in practice. Almost every reputable shared cPanel host runs CloudLinux underneath.
CloudLinux's core feature is the LVE (Lightweight Virtual Environment). Each cPanel account runs inside an LVE that caps CPU, memory, IO operations per second, IO bandwidth, number of processes, and number of concurrent HTTP connections. When the account hits a cap, requests slow down or queue rather than crashing the whole server. The cap is per account; one tenant going viral cannot starve the others.
The relevant 2026 capabilities:
- LVE Manager in WHM exposes per account caps and live usage. An admin can see which accounts are bumping against their CPU limit and either raise the cap or move the account to a higher plan.
- MySQL Governor caps database CPU per account. Without it, a runaway query on one account can bring the database server to its knees for everyone. With it, the runaway query is throttled and the rest of the server stays healthy.
- Inode limits per account. Inodes are file system metadata entries. A sloppy plugin that creates millions of cache files can blow the inode count even on plans with plenty of disk space free. CloudLinux enforces inode caps per account.
- End user statistics are exposed inside cPanel as the Resource Usage page. Each user can see their own CPU, memory, and IO use over time and identify which scripts are responsible.
For a buyer, the question to ask any prospective shared host is whether they run CloudLinux. The answer is yes for every reputable host and no for most cheap ones. The difference shows up the first time a neighbouring account gets hammered: on a CloudLinux server you see a small slowdown, on a non CloudLinux server your site goes offline.
WHM: What Resellers and Server Admins Actually Do
WHM is where server administration actually happens. End users never see it. Resellers see a scoped version of it. Server owners see all of it. The most used WHM features in 2026:
- Account management. Create, suspend, terminate, and modify cPanel accounts. Set package assignments. Run migrations from another cPanel server with the Transfer Tool, which copies the entire account (files, databases, mail, DNS, settings) over SSH and recreates it on the destination in one operation.
- Package definitions. A package is a set of resource limits and feature flags applied to an account: disk quota, bandwidth quota, email account limit, database limit, addon domain limit, and which feature list is exposed in cPanel. Hosts ship a small set of packages that map to their plan tiers.
- EasyApache profiles. Build the Apache or LiteSpeed binary with the chosen modules, PHP versions, and extensions. Profile changes are tested on a staging server before being applied in production because a bad profile can break every site on the host.
- Service Status monitors the long lived daemons and restarts any that fail. Uptime issues caused by service failures are usually caught here before the user ever notices.
- Tweak Settings exposes hundreds of server level configuration toggles. Most should never be changed; the ones that matter relate to email, security, and PHP memory limits.
- WHM Reseller Center creates reseller accounts, defines reseller package limits, and scopes resellers to a virtualised view of WHM. The reseller can manage their own customers without seeing other resellers or the server level admin.
For a developer or designer running a handful of client sites on a VPS, learning WHM is the bigger leverage skill than learning cPanel. WHM is where you can fix things at the level cPanel cannot reach.
cPanel Alternatives in 2026 and When to Switch
cPanel is not the only option. Three alternatives are worth knowing in 2026.
SPanel from ScalaHosting. Built specifically as a cPanel replacement. Includes a cPanel migration tool, a feature parity goal across the most used cPanel functions, and is no cost on ScalaHosting plans. The interface is more modern than cPanel Jupiter. The trade off is a smaller third party plugin ecosystem; SPanel is supported by ScalaHosting only, not by every backup tool and security scanner that targets cPanel.
Plesk. The longstanding alternative. Stronger on Windows hosting (cPanel is Linux only). Per server licensing rather than per account. The interface is more polished than cPanel for some workflows and less polished for others. Common on Eastern European and Russian hosting markets. Less common in the United States and the United Kingdom.
HestiaCP, CloudPanel, and other open source panels. Free. Run on a single VPS. Smaller feature footprint. Suitable for a developer running a handful of sites on a server they fully manage. Not suitable for production shared hosting at any scale because the operational tooling, billing integration, and security tooling are not at parity with cPanel.
The decision to switch is always cost driven for hosts and rarely worth it for end users. A host with thousands of accounts can save real money by moving to SPanel. A single user with one VPS faces a migration headache for a dollar saving that does not justify the time. The full side by side of the alternatives sits on the control panel page.
Where to Go Next
If you came here to evaluate cPanel against the alternatives, the head to head with Plesk, SPanel, and DirectAdmin sits on the control panel page. If you are setting up a site on a cPanel host and want the full backup picture, the backup and restore guide is the next read; the JetBackup material above only covers the host side. If your interest is performance and you want to know whether the server underneath your cPanel is actually fast, the web servers page covers Apache versus Nginx versus LiteSpeed and the server hardware page explains how to read CPU and RAM specs without being misled. For the specific threats cPanel security tooling is defending against, the security threats page is the parallel reference.
Frequently Asked Questions
Is cPanel still worth it in 2026 given the licensing cost?
For end users, the cost question is irrelevant. You pay your host, your host pays cPanel. The only thing that changed is that hosts pass roughly $2 to $4 per account per month of cPanel cost into their plan pricing. For server admins and resellers, cPanel is still worth it if the alternative is building your own automation. The hour cost of replacing what cPanel and WHM ship with is enormous. If you can stand up a full cPanel replacement with the same email, DNS, backup, and security feature set in less than 200 hours, you are exceptional. Most teams decide their time is more valuable than the license.
What is the difference between cPanel and WHM?
cPanel is the per account interface. One website, one set of email accounts, one MySQL database group. WHM is the server level interface. It creates and removes cPanel accounts, manages services, controls server wide settings, and is the place a sysadmin or reseller actually administers the host. End customers only see cPanel. Hosts and resellers live inside WHM. Both are part of the same software product and run on the same daemon (cpsrvd) on different ports.
Can I install cPanel myself on a VPS?
Yes. The installer is a single shell command run as root on a clean AlmaLinux, Rocky Linux, or Ubuntu LTS server. The installation takes 30 to 90 minutes and configures the entire stack including Apache or LiteSpeed, Exim, BIND, MySQL or MariaDB, ProFTPD, and the cPanel daemons themselves. You then need to apply a license key, either a paid trial or a cPanel partner license tied to your VPS IP. The tricky part is not the install. The tricky part is keeping it tuned, patched, and secure long term. That is the work paid hosts do for you.
What changed in cPanel after the WebPros acquisition?
The 2018 acquisition by Oakley Capital and the rebrand to WebPros brought several changes. Pricing moved from a flat per server fee to per account tiers in 2019, with progressive increases since. The Paper Lantern theme was retired in favour of Jupiter. PHP and database stack handling was modernised through MultiPHP and easy PHP Selector. AutoSSL was integrated by default. JetBackup was acquired by WebPros in 2020 and became the preferred backup tool. The release cadence accelerated, with feature releases every six to eight weeks instead of the older quarterly schedule. The flagship 2025 and 2026 releases focused on API tokens, two factor enforcement, AutoSSL improvements, DNSSEC integration, and tighter Imunify360 hooks.
Does cPanel work with LiteSpeed and not just Apache?
Yes. LiteSpeed Web Server has had a cPanel plugin since 2010 and is the default web server on many performance focused hosts in 2026. The plugin integrates with EasyApache so the LiteSpeed configuration regenerates whenever a user changes a PHP version or adds a domain. OpenLiteSpeed has a less polished cPanel integration and is less common on cPanel servers. Apache remains the upstream default. Most managed cPanel hosts that advertise speed are running LiteSpeed Enterprise underneath.
What is the cPanel API and when should I care about it?
cPanel exposes two APIs: UAPI (the modern one, JSON, scoped per cPanel user) and the legacy WHM API (server level). Both can be authenticated with API tokens, which you create in the cPanel or WHM interface and use in place of a password. You care about the API when you outgrow clicking through the GUI. Common use cases: provisioning new email accounts from a signup form, automating database creation during deploys, triggering backups from a CI pipeline, or building a lightweight dashboard for non technical staff. The API token system added in recent releases is the secure way to do all of this without putting account passwords in scripts.
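A sketch of token authentication for the two APIs described above, added here as an example and not taken from cPanel's own code. It builds unsent requests so the token only ever travels in the Authorization header, produces a log-safe description, and treats a UAPI status other than 1 as an error. The hostname, user, token and the CPANEL_API_TOKEN variable name are assumptions; the sample reply is constructed.

```python
import json
import os
import urllib.parse
import urllib.request

CPANEL_TLS_PORT = 2083  # standard cPanel (UAPI) TLS port
WHM_TLS_PORT = 2087     # standard WHM API 1 TLS port


def build_request(host, user, token, call, params=None, whm=False):
    """Return an unsent urllib Request; the token goes in a header, never the URL."""
    if not token or any(c.isspace() for c in token):
        raise ValueError("API token missing or malformed")
    query = dict(params or {})
    if whm:
        query["api.version"] = "1"
        url = f"https://{host}:{WHM_TLS_PORT}/json-api/{call}"
        scheme = "whm"
    else:
        module, function = call.split("::")
        url = f"https://{host}:{CPANEL_TLS_PORT}/execute/{module}/{function}"
        scheme = "cpanel"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"{scheme} {user}:{token}")
    return req


def redact(req):
    """Log-safe description of a request: URL and identity, never the token."""
    scheme, ident = req.get_header("Authorization").split(" ", 1)
    return f"{req.get_method()} {req.full_url} auth={scheme} {ident.split(':')[0]}:***"


def parse_uapi(body):
    """UAPI replies carry status 1 on success; raise on anything else."""
    reply = json.loads(body)
    if reply.get("status") != 1:
        raise RuntimeError("; ".join(reply.get("errors") or ["unknown UAPI error"]))
    return reply.get("data")


if __name__ == "__main__":
    # Token comes from the environment; the fallback is a constructed placeholder.
    token = os.environ.get("CPANEL_API_TOKEN", "CONSTRUCTED-EXAMPLE-TOKEN")
    req = build_request("cp.example.test", "alice", token, "Email::list_pops")
    print(redact(req))
    # Constructed sample reply, shaped like a UAPI response.
    print(parse_uapi('{"status":1,"errors":null,"data":[{"email":"info@example.test"}]}'))
```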
How does AutoSSL actually work in cPanel?
AutoSSL is the cPanel feature that issues and renews free SSL certificates automatically. Out of the box it uses Sectigo as the certificate authority, but most hosts configure it to use Let's Encrypt instead through the official Let's Encrypt provider plugin. Every night, AutoSSL scans every domain on the server, requests a certificate for any domain that does not already have a valid one, and installs it. Renewal is automatic. Validation uses the HTTP-01 challenge by default, with DNS-01 supported on hosts that have configured it. The result for a normal user is that HTTPS just works without any setup. For an admin, AutoSSL replaces the old job of manually issuing certificates one by one.
Is cPanel secure enough on its own or do I need extra security tools?
cPanel ships with a baseline that is decent but incomplete. cPHulk handles login brute force protection. ModSecurity is included and most hosts ship the OWASP Core Rule Set enabled. The IP blocker handles network level rules. AutoSSL handles HTTPS. What is missing is malware scanning at the file level, real time WordPress and CMS hardening, and outbound traffic anomaly detection. Most reputable cPanel hosts pair the base install with Imunify360 (also a WebPros product), which fills those gaps. If you are running cPanel yourself on a VPS, plan for either Imunify360 at $12 to $20 per month or an open source equivalent such as ClamAV plus rkhunter plus a WAF in front. The full picture of who handles which threat is on the security threats page.
What is the difference between cPanel Solo, Admin, Pro, Premier, and Plus tiers?
The tiers differ in how many cPanel accounts a single license can host. Solo is for one account only and is meant for VPS owners running a single site. Admin allows up to 5 accounts. Pro allows 30. Premier allows 100 accounts at the base price, with overage charges per account beyond that. Plus is the high volume tier introduced in 2024 and goes from 250 accounts upwards. Pricing scales with the tier and there have been near annual increases since 2019. From an end user perspective the tier you are on is invisible. From a host perspective, the Premier and Plus tiers dominate the shared hosting market because the per account economics work out better at scale.
Can I migrate away from cPanel to a different control panel?
Yes, and several panels exist specifically to make this easy. SPanel ships with a cPanel migration tool. Plesk has a cPanel importer. CloudPanel and HestiaCP have migration scripts that extract account data, databases, mail, and DNS from cPanel and recreate them. The migration is rarely a single command, but it is a known process. The decision to migrate usually comes down to license cost at scale. A host with 5,000 cPanel accounts can save tens of thousands of dollars per year by moving to SPanel or DirectAdmin. For a single user with one VPS, the migration effort is rarely worth it unless cPanel itself is causing specific problems. The full comparison of cPanel against the alternatives is on the control panel page.

