Leech protection prevents users from sharing their login credentials for password-protected directories. If a user's credentials are used from too many different IP addresses within a set time period, the account is automatically disabled.
Please note: Screens and options may vary slightly depending on your cPanel version and hosting plan.
Enabling Leech Protection
- Log in to your cPanel account.
- In the Security section, click Leech Protection.
- Navigate to the directory you want to protect and click the folder name.
- Configure the settings:
  - Maximum Logins — The number of times a username can log in within the time period before triggering protection (e.g. 5).
  - Within the Time Period — The number of hours over which logins are counted (e.g. 2 hours).
  - Redirect URL — Where to send users who trigger leech protection. You could use a page explaining that credential sharing is not permitted.
  - Send Email Alert — Tick this and enter an email address to be notified when leech protection is triggered.
  - Disable Compromised Accounts — Tick this to automatically disable the account that has been shared.
- Click Enable.
When to Use Leech Protection
Leech protection is useful for:
- Members-only areas where users pay for access.
- Client portals with sensitive information.
- Any password-protected directory where credential sharing would be a problem.
Tips
- Set the maximum logins threshold high enough that legitimate users aren't affected. Someone might access the site from their phone and laptop in the same time period.
- Leech protection works alongside the Directory Privacy feature. Enable Directory Privacy first, then add leech protection.
- If a legitimate user is locked out, re-enable their account by adjusting the settings on this page.
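To choose a Maximum Logins value that does not catch legitimate users, you can measure how many distinct IP addresses each username already uses within your chosen time period. The Python below is an added example, not cPanel's own code or counting logic; it assumes an Apache access log in common/combined format (third field is the authenticated username), runs on constructed sample lines, and the names `peak_ips_per_user` and `over_threshold` are hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident authuser [time] "request" status
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - alice [10/Mar/2025:09:00:00 +0000] "GET /members/ HTTP/1.1" 200 512
198.51.100.7 - alice [10/Mar/2025:09:40:00 +0000] "GET /members/ HTTP/1.1" 200 512
192.0.2.10 - alice [10/Mar/2025:13:00:00 +0000] "GET /members/ HTTP/1.1" 200 512
203.0.113.1 - bob [10/Mar/2025:09:00:00 +0000] "GET /members/ HTTP/1.1" 200 512
203.0.113.2 - bob [10/Mar/2025:09:10:00 +0000] "GET /members/ HTTP/1.1" 200 512
203.0.113.3 - bob [10/Mar/2025:09:20:00 +0000] "GET /members/ HTTP/1.1" 200 512
203.0.113.4 - bob [10/Mar/2025:09:30:00 +0000] "GET /members/ HTTP/1.1" 200 512
203.0.113.9 - carol [10/Mar/2025:09:05:00 +0000] "GET /members/ HTTP/1.1" 401 381
203.0.113.9 - - [10/Mar/2025:09:06:00 +0000] "GET / HTTP/1.1" 200 1024
""".splitlines()

def peak_ips_per_user(lines, window_hours):
    """Return {username: most distinct client IPs seen in any window_hours span}."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(2) == "-" or m.group(4) == "401":
            continue  # unparseable, anonymous, or failed (401) authentication
        ip, user, ts, _ = m.groups()
        events[user].append((datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip))
    window = timedelta(hours=window_hours)
    peaks = {}
    for user, evs in events.items():
        evs.sort()
        live, start, peak = Counter(), 0, 0
        for when, ip in evs:
            live[ip] += 1
            while when - evs[start][0] >= window:  # expire events outside the window
                live[evs[start][1]] -= 1
                start += 1
            peak = max(peak, len(+live))  # +Counter drops IPs whose count fell to zero
        peaks[user] = peak
    return peaks

def over_threshold(lines, window_hours, max_logins):
    """Usernames whose peak distinct-IP count exceeds a candidate Maximum Logins."""
    peaks = peak_ips_per_user(lines, window_hours)
    return sorted(user for user, n in peaks.items() if n > max_logins)
```

Run it over a few weeks of real log lines before enabling Disable Compromised Accounts: usernames returned by `over_threshold` for your candidate settings are the ones that would have been locked out.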
What Next?
- Password Protecting a Directory — Set up the password protection that leech protection monitors.
- Enabling Two-Factor Authentication (2FA) — Add stronger authentication to your cPanel account.