Tips and Tricks

cPanel Leech Protection: Preventing Password Sharing on Protected Areas

by dotCanada Team
cPanel Leech Protection: Preventing Password Sharing on Protected Areas

If you use cPanel's password-protected directories feature to restrict access to part of your website - a members-only area, a paid content section, a staff portal - you face a problem that is easy to overlook: users sharing their login credentials with others. One person pays for access and forwards their username and password to a friend. Or a staff member shares their login with a colleague who should not have direct access.

cPanel includes a tool specifically designed to address this: Leech Protection.

What Leech Protection Does

Leech Protection monitors login attempts for any password-protected directory it is enabled on. When it detects that a single username is being used to log in from an unusually high number of different IP addresses within a short time frame, it treats that account as a leaked credential - someone sharing their login - and takes action.

The actions available are: redirect the offending user to a URL you specify (typically an error or explanation page), and optionally disable the account entirely so the shared password stops working.

This is not a perfect countermeasure - a technically savvy user can work around it - but it is an effective deterrent against casual credential sharing, which represents the vast majority of cases.

Where to Find It in cPanel

In cPanel, navigate to Security > Leech Protection. You will see your directory structure. Navigate to the directory you want to protect (it must already have password protection enabled via Directory Privacy or .htpasswd) and click the directory name.

The Leech Protection settings for that directory will appear. If cPanel's directory structure shows a different path layout, look for it under the Files section of cPanel.

How to Configure It

Maximum Logins Per Username Per Two Hours - This is the threshold that triggers Leech Protection. A setting of 2 means: if the same username logs in from more than 2 different IP addresses within a two-hour window, it is flagged. A setting of 5 is more lenient. For a staff portal where you know users will log in from consistent locations, 2 to 3 is reasonable. For a member site with users who might legitimately travel or use VPNs, 4 to 5 gives more room.

Redirect to URL - When Leech Protection is triggered, the account is redirected here. Create a page that explains the account has been flagged for credential sharing and instructs the user to contact you. Keep the message professional, not accusatory - VPN usage and shared home networks can occasionally trigger false positives.

Send an Email Alert - Enable this to receive a notification when Leech Protection is triggered. The email will include the username flagged, letting you investigate manually.

Disable Compromised Accounts - Optionally, have cPanel automatically disable the flagged account so the shared credentials stop working immediately. If you enable this, make sure your redirect page explains that the user needs to contact you to have their account reinstated.

Use Cases

Member-only content areas - Online courses, premium content, or community sections where access is tied to a paid subscription. Leech Protection discourages account sharing that directly costs you revenue.

Paid content downloads - A directory of downloadable files (templates, guides, software) protected by a password. Without Leech Protection, a single purchase can be shared indefinitely.

Staff portals - Internal document repositories or staff-only areas. Leech Protection ensures that former employees or contractors cannot continue using credentials shared with them after they should have lost access.

Leech Protection vs. Hotlink Protection

These are two different tools that are sometimes confused. Hotlink Protection prevents other websites from directly embedding or linking to your media files (images, videos) - it stops bandwidth theft from external embedding. Leech Protection addresses shared login credentials for password-protected directories. They solve different problems and can both be active simultaneously.

For any site that monetizes protected access, Leech Protection is a simple and worthwhile configuration that takes about five minutes to set up.

#cpanel#security#password-protection#hosting#tips

Related Articles

Managing MySQL Databases with cPanel and phpMyAdmin
Tips & Tricks

Managing MySQL Databases with cPanel and phpMyAdmin

Behind almost every dynamic website is a database. cPanel makes it easy to create and manage MySQL databases, and phpMyAdmin gives you a powerful visual interface to explore and edit your data. This guide covers everything you need to know.

Read more →
How to Set Up Professional Email with cPanel
Tips & Tricks

How to Set Up Professional Email with cPanel

A professional email address using your own domain instantly builds trust with customers and clients. This step-by-step guide shows you how to create and configure email accounts in cPanel and connect them to the apps you already use.

Read more →
cPanel Tutorial: Getting Started with Your Hosting Control Panel
Tips & Tricks

cPanel Tutorial: Getting Started with Your Hosting Control Panel

cPanel is the control panel that comes with most shared hosting plans, and it puts powerful tools right at your fingertips. This tutorial walks you through the interface so you can manage your website, email, and files with confidence from day one.

Read more →

100% Satisfaction Guarantee

We're so confident you'll love dotCanada that we offer a 30-day money-back guarantee. Not satisfied? Get a full refund, no questions asked.

Ready to Get Started?

Join thousands of Canadian website owners who trust dotCanada for reliable, fast web hosting.

Get Started Today