Client found a path to Cpanel … is this normal?

I was running some pen test tools on a site and found a login page for Cpanel. The client says they’ve never set up or used Cpanel before. Could this be something shady?

Ty said:
Cpanel is pretty common for managing websites. If the account is hosted somewhere, it’s not surprising to find a login page for it.

But is it normal if they’ve never used it or set it up?

@Amory
Yeah, it’s normal. Cpanel is a default control panel on many servers. Even if the client hasn’t used it, it’s likely there by default. It depends on the hosting setup.

Mackenzie said:
@Amory
Yeah, it’s normal. Cpanel is a default control panel on many servers. Even if the client hasn’t used it, it’s likely there by default. It depends on the hosting setup.

Could someone have added it as a backdoor?

@Amory
Not likely. Almost every site I’ve worked on in the past 20 years has had Cpanel access unless it’s hosted on something like GoDaddy or a custom system like DigitalOcean. Your best bet is to ask the hosting provider to confirm.

@Mackenzie
Okay, I think the host is Divi? But I’ve checked, and it seems like Cpanel isn’t automatic … you have to set it up.

@Amory
Highly doubtful it’s a backdoor.

@Amory
The hosting provider likely installed it automatically.

Ming said:
@Amory
The hosting provider likely installed it automatically.

The client says no one set it up or uses it.

Amory said:

Ming said:
@Amory
The hosting provider likely installed it automatically.

The client says no one set it up or uses it.

It’s probably just part of the hosting setup. What’s the hosting provider?

@Ming
They think it’s WordPress.

Amory said:
@Ming
They think it’s WordPress.

WordPress isn’t a host. Is it GoDaddy, Bluehost, or someone else?

Ming said:

Amory said:
@Ming
They think it’s WordPress.

WordPress isn’t a host. Is it GoDaddy, Bluehost, or someone else?

I think it’s Quic Cloud.

Amory said:

Ming said:
Amory said:
@Ming
They think it’s WordPress.

WordPress isn’t a host. Is it GoDaddy, Bluehost, or someone else?

I think it’s Quic Cloud.

QUIC Cloud is a CDN, not a hosting provider. You’re probably using a WordPress host like SiteGround, Namecheap, or Hostinger.

@Ciel
They’ve never logged into that page before.

Amory said:
@Ciel
They’ve never logged into that page before.

Maybe the client didn’t set it up, but it could still be a default part of the hosting. Have them check with their host to clarify.

@Ciel
Yeah, they confirmed it’s WordPress.

That’s unexpected.