WHM Password Keeps Changing? It's cPHulk — Permanent Fix

Updated June 6, 2026

Many of our customers report a frustrating pattern: they reset the root password, log in successfully, but a day or two later WHM rejects the same password as wrong. They reset it again, get back in for a while, then it "changes" again.

In almost every case, the password is not actually changing. Something else is making the correct password appear wrong. This article explains what is really happening and how to fix it for good.


What is actually happening

WHM and cPanel ship with a built-in module called cPHulk Brute Force Protection. cPHulk watches login attempts and automatically blocks any IP address that fails to log in too many times in a short window.

By default cPHulk blocks an IP after:

  • 5 failed attempts within 5 minutes, or
  • 30 failed attempts within 24 hours

Once your IP is blocked by cPHulk, the result is HTTP 401 Unauthorized even when the password you typed is correct. To you, this looks identical to "wrong password" — so you assume the password was changed, and reset it. After the reset, you log in once successfully (because cPHulk's counter is now lower), then a few hours or days later it locks you out again.

Why it keeps happening

There are three common reasons cPHulk keeps locking you (or your customers) out:

1. Brute-force attackers from the public internet

Servers on public IPs receive hundreds of failed root login attempts per day from compromised hosts around the world. Most of these are blocked at the SSH layer, but some hit WHM (port 2087) too. Each round of failures pushes cPHulk closer to a block. Eventually one of those failed attempts collides with your real login and trips the threshold.

2. Auto-fill, browser cache, or stored credentials

If your browser auto-fills WHM with a stored old password, even once, that counts as a failed attempt. Combined with public-internet noise, you can hit the threshold without doing anything wrong.

3. Multiple devices / users sharing one IP

If your office, home, or VPN puts you behind the same NAT IP as someone else who also tries (and fails) to log in, you all get locked together.
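
The default thresholds listed earlier, applied to the shared-IP case as a sliding-window check. This is an added example, not cPanel's code or part of the original article; the `<epoch> <ip>` input format, the sample addresses, and the function names `would_block` and `sample_failures` are assumptions for illustration.

```sh
#!/bin/sh
# Added example: the article's default cPHulk thresholds as a sliding-window
# check. The "<epoch> <ip>" input (one failed login per line, time-ordered)
# is an assumed format for this sketch, not cPHulk's log or database layout.
BURST_MAX=5; BURST_WIN=300     # 5 failures within 5 minutes
DAY_MAX=30;  DAY_WIN=86400     # 30 failures within 24 hours

# Prints "<ip> <burst|daily> <epoch>" the first time an IP crosses a threshold.
would_block() {
  awk -v bm="$BURST_MAX" -v bw="$BURST_WIN" -v dm="$DAY_MAX" -v dw="$DAY_WIN" '
    {
      t = $1; ip = $2
      if (ip in tripped) next            # already blocked, stop counting
      n[ip]++; ts[ip, n[ip]] = t
      burst = 0; day = 0
      for (i = n[ip]; i >= 1; i--) {     # walk back from the newest failure
        age = t - ts[ip, i]
        if (age > dw) break              # older than 24 hours: out of both windows
        day++
        if (age <= bw) burst++
      }
      if (burst >= bm)    { tripped[ip] = 1; print ip, "burst", t }
      else if (day >= dm) { tripped[ip] = 1; print ip, "daily", t }
    }'
}

# Constructed sample data (documentation-range addresses).
sample_failures() {
  # 203.0.113.7: shared office NAT; a stale autofill plus colleagues'
  # typos add up to 5 failures in 4 minutes. 198.51.100.9 fails once.
  cat <<'EOF'
1000 203.0.113.7
1060 203.0.113.7
1100 198.51.100.9
1130 203.0.113.7
1200 203.0.113.7
1240 203.0.113.7
EOF
  # 192.0.2.50: one failure every 45 minutes never trips the 5-minute
  # window, but the 30th failure still falls inside 24 hours.
  i=0
  while [ "$i" -lt 30 ]; do
    echo "$((2000 + i * 2700)) 192.0.2.50"
    i=$((i + 1))
  done
}

sample_failures | would_block
```

The shared address trips the short window on its fifth failure, while the slow source is only caught by the 24-hour count.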


How to confirm cPHulk is the cause

SSH into your server as root and run:

Terminal
sqlite3 /var/cpanel/hulkd/cphulk.sqlite \
  "SELECT USER, NOTES, datetime(EXPTIME, 'unixepoch') AS expires \
   FROM login_track WHERE TYPE = -3 ORDER BY LOGINTIME DESC LIMIT 20;"

Each row labeled "IP reached maximum auth failures" is an active block. If you see your IP or anyone connected to your account in that list, cPHulk is the cause.


The permanent fix — whitelist your real IPs

Add your office IP, home IP, support IP, and any other location you log in from to cPHulk's whitelist. Whitelisted IPs are never blocked, regardless of how many failures occur.

Terminal
# Whitelist a single IP
/usr/local/cpanel/scripts/cphulkdwhitelist <your-ip>

# Whitelist a range (e.g., your office subnet)
/usr/local/cpanel/scripts/cphulkdwhitelist 1.2.3.0/24

Run this for every IP you actually log in from:

Terminal
/usr/local/cpanel/scripts/cphulkdwhitelist 65.21.18.133   # TheServerLicense.com support gateway
/usr/local/cpanel/scripts/cphulkdwhitelist <your-office-ip>
/usr/local/cpanel/scripts/cphulkdwhitelist <your-home-ip>

You can find your current public IP by visiting icanhazip.com in your browser.


Tune cPHulk for fewer false-positive lockouts

If you have multiple staff or customers who legitimately log in from many different IPs, consider raising the failure threshold:

In WHM: Home → Security Center → cPHulk Brute Force Protection → Configuration Settings

Recommended for shared/multi-staff environments:

  • Maximum Failures by IP Address (per One Day): 100 (default 30)
  • Maximum Failures by IP Address (per Brute Force Period): 15 (default 5)
  • Brute Force Protection Period: 5 minutes (default — keep)

What to do if you are locked out right now

If you cannot get into WHM at all:

  1. SSH into your server as root (SSH uses a separate auth path and is usually not affected)
  2. Whitelist your IP:
    Terminal
    /usr/local/cpanel/scripts/cphulkdwhitelist <your-ip>
  3. Try WHM again — it should now let you in

If you cannot SSH either, your hosting provider's console is the next step. Many VPS providers (Linode, DigitalOcean, Vultr, Hetzner) offer a web-based console that bypasses SSH.


When to contact support

Open a ticket at theserverlicense.com if any of the following apply:

  • You followed the whitelist steps but are still being locked out
  • You suspect the lockouts are caused by an actual attacker repeatedly succeeding (in that case the fix is different — we will help you secure SSH, audit /root/.ssh/authorized_keys, and rotate credentials)
  • You want us to apply the cPHulk tuning + whitelist for you on multiple servers at once

We are happy to handle this for you across all your servers as a one-time hardening pass.


Bottom line

If you find yourself resetting the root password more than once a quarter, the password is almost certainly not the problem — cPHulk is. Whitelist your real IPs once, tune the threshold, and the "password keeps changing" cycle ends.

