Two-factor authentication for cPanel and WHMCS

Two-factor authentication (2FA) requires both your password and a time-based code from your phone to log in. Even if your password leaks (data breach, phishing, keylogger), the password alone is not enough to get into your account. This article walks through enabling 2FA on your cPanel account and your ipxcore client area (WHMCS).

Pick an authenticator app first

You need an app on your phone that generates the rotating 6-digit codes. Any of these work:

  • Google Authenticator — the original, no cloud sync (codes are device-local). Lose your phone, lose your codes.
  • Authy — cloud sync across devices, PIN-protected. Recommended for most users.
  • 1Password / Bitwarden — if you already use a password manager, both have built-in TOTP support. Cleanest option.
  • Microsoft Authenticator — cloud sync, free, decent UI.

Pick one and install it before continuing. The codes are TOTP-standard (RFC 6238), so any TOTP app works with any TOTP service.

Enable 2FA in cPanel

  1. Log in to cPanel.
  2. Open Two-Factor Authentication (under "Security").
  3. Click Set Up Two-Factor Authentication.
  4. cPanel shows a QR code. Open your authenticator app, tap "Add account" / "+", and scan the QR code.
  5. The app starts showing a 6-digit code that changes every 30 seconds.
  6. Type the current code into cPanel's "Security Code" field and click Configure Two-Factor Authentication.

From now on, every login requires the code in addition to your password.

Save your recovery codes

cPanel offers backup codes for the case where you lose your phone. Save them somewhere safe — not on the same device, not in cPanel itself. Good places: a password manager, a printed sheet in a fireproof safe, an encrypted note in a separate cloud account.

Without recovery codes, losing your phone means contacting us to verify identity and reset 2FA. We can do this, but it requires a verification process that takes hours, not minutes.

Enable 2FA in WHMCS (your client area)

  1. Log in to your client area.
  2. Click your name (top right) → Security Settings.
  3. Find the Two-Factor Authentication section and click "Click here to Enable".
  4. Choose Time Based Tokens.
  5. Scan the QR code with your authenticator app.
  6. Enter the 6-digit code from the app to confirm.
  7. Save your backup code somewhere safe.

If you lose your phone

Three escalation levels, in order:

  1. You have backup codes: use one to log in, then disable 2FA, then re-enable on the new device. The old QR code is invalidated.
  2. You have cloud sync (Authy, 1Password): install the app on your new phone, sign in, and your tokens are restored. No support contact needed.
  3. Neither of the above: open a ticket from a registered email address on your account. We'll verify identity through additional questions and reset 2FA. This typically takes 4-24 hours.

Why TOTP and not SMS?

SMS-based 2FA is significantly weaker than app-based TOTP — SIM swap attacks, where someone convinces your carrier to port your number to their device, are common enough that NIST formally deprecated SMS for authentication in 2017. We don't offer SMS 2FA on either cPanel or WHMCS, intentionally.

For resellers: requiring 2FA on your own clients

If you operate a reseller business, you can require 2FA on your WHMCS instance for client logins:

  1. WHMCS Admin → System Settings → Two-Factor Authentication.
  2. Enable Time-Based Tokens.
  3. Set "Force Two-Factor on First Login" to ON for new clients, or send a mass announcement asking existing clients to enable it.

This is excellent practice. The most common attack on hosting accounts is leaked password reuse from other breaches; 2FA neutralizes 99% of those.

Bonus: 2FA on your registrar account

The most catastrophic security failure in hosting isn't losing the cPanel account — it's losing the domain registration. If someone steals your registrar login, they can transfer the domain elsewhere and you may never get it back.

Enable 2FA at every domain registrar where you hold domains. Namecheap, Cloudflare Registrar, GoDaddy, Porkbun — all support it. Do this today.
