How to configure Leech Protection in cPanel to protect a private folder

Category: cPanel

Leech Protection helps detect unusual activity in password-protected folders. Use it when you have a private, downloads, or client folder and want to reduce the risk of a shared password being used too many times.

Before you enable it, the folder must already have users configured with Directory Privacy. Leech Protection does not replace access control: it only adds limits, alerts, and actions when a user exceeds the allowed login count.

Before you start

  • Have access to cPanel for the account where the private folder lives.
  • Protect the folder with Directory Privacy first and create the required users.
  • Decide how many logins per user are normal during a two-hour period.
  • Prepare a redirect URL if you want to send users there after they exceed the limit.

Choose the right folder

  1. Log in to cPanel and open Leech Protection from the security section.
  2. If cPanel asks where to begin, choose Web Root (public_html or www) or the domain that contains the folder.
  3. Navigate through the folder icons until you reach the path you want to protect.
  4. Click the folder name to open its Leech Protection settings.

Confirm the path before saving changes. If you choose the wrong folder, you could limit users from another project or leave the folder that mattered unprotected.

Configure the login limit

  1. In the limit field, enter the maximum number of logins each user can make during a two-hour period.
  2. Use a realistic limit: a client folder may need only a few logins, while a work folder may need more.
  3. Add a redirect URL if you want to send users there after they exceed the limit.
  4. Enable the email alert if you need to receive a notice when Leech Protection triggers.

A limit that is too low can block legitimate usage. If you do not have a clear baseline, start with a conservative value and adjust after reviewing real behavior.

Decide whether to disable compromised accounts

  1. Review Disable Compromised Accounts only if you want cPanel to automatically disable users who exceed the limit.
  2. Enable it when the folder contains sensitive information and you prefer to cut off access immediately.
  3. Leave it disabled if blocking users could interrupt an important operation.
  4. Save with Enable to activate Leech Protection on that folder.

If you enable automatic disabling, document how you will reactivate or recreate users after confirming there is no abuse.

Verify that it is active

  1. Go back to the folder inside Leech Protection.
  2. Confirm that cPanel shows the saved configuration for that path.
  3. Check that the alert email address is written correctly if you enabled it.
  4. Run a controlled test with one protected-folder user and confirm normal access still works.

The test should validate legitimate access, not force real lockouts on a production account. If you need to simulate abuse, do it with a temporary user and remove it when you finish.

Common errors

  • The folder does not ask for a password: protect it with Directory Privacy first; Leech Protection only works on restricted folders.
  • Legitimate users get blocked: the login limit is too low for the folder’s real usage.
  • The email alert does not arrive: the address is misspelled or the receiving domain filters the notice.
  • A user keeps logging in after abuse: the option to disable compromised accounts was not active or the limit has not been reached yet.

Still need help?

If this guide didn’t solve your issue, our team can help you via ticket.

Open ticket Go to my account