If you run a members-only area or any password-protected section, there’s a risk that one person shares their login publicly and suddenly hundreds of people are using a single account. cPanel’s Leech Protection catches this by watching for a login being used from too many places at once. Here’s how to set it up.
The problem it solves
“Leeching” is when a legitimate login gets passed around — posted on a forum, shared in a group — so that many people use one account they never paid for or were never authorised to have. It undermines paid memberships and can overload your site. Leech protection detects the tell-tale sign: a single username logging in from an unusual number of different locations in a short time.
How it works
Leech protection monitors password-protected directories. If it sees a single account exceed a threshold of logins within a two-hour window, it assumes the credentials have been leaked and takes action — suspending the account and alerting you. This stops a shared login from being useful to a crowd.
Setting it up
- In cPanel, open Leech Protection under the Security section.
- Browse to the protected directory you want to monitor and select it.
- Set the number of logins allowed within a two-hour period before the account is flagged.
- Optionally, provide a URL to redirect leeching users to, and an email address to notify when leeching is detected.
- Choose whether to suspend the compromised account automatically.
- Click Enable.
Choosing a sensible threshold
Set the limit high enough that a genuine user switching between their phone, laptop and office won’t trip it, but low enough to catch mass sharing. A limit somewhere in the range of a handful of logins per two hours suits most single-user accounts. Watch the notifications after enabling and adjust if legitimate users are being caught.
It requires a protected directory
Leech protection works on directories you’ve secured with Directory Privacy. If you haven’t set up password protection on the area yet, do that first — leech protection then monitors those logins for abuse.
Where it fits
This tool is most relevant if you sell access to content, run a private client portal, or maintain any area where each login is meant for one person. For a normal public website it isn’t needed. But where account sharing would cost you money or resources, it’s a smart, automatic safeguard.
Setting up a members’ area and want it protected properly? We can help you combine Directory Privacy, leech protection and other measures into a solid setup.