2FA is two-factor authentication. In addition to the password, logging in requires a 6-digit code from a phone app (Google Authenticator, Authy, 1Password). Even if your password leaks, no one can log in without your phone.

Why enabling it is mandatory

- cPanel is the root of access to everything: site, DB, mail, files
- One compromised password = potential site deletion
- 2FA blocks 99% of automated brute-force attacks

Installing the app

On your phone, install one of:
- Google Authenticator — free, simple
- Microsoft Authenticator — with cloud backup
- Authy — sync across devices
- 1Password / Bitwarden — if you already use a password manager

Enabling in cPanel

- Log in to cPanel
- Top-right corner — user icon → Two-Factor Authentication
- Click Set Up Two-Factor Authentication
- In the phone app → Add account → scan the QR code
- App shows a 6-digit code — enter it in cPanel
- Done. Save the Recovery Codes — you’ll need them if the phone is lost

If you lose the phone

- Open the recovery codes email that cPanel sent
- On the cPanel login page pick Use Recovery Code
- Enter one of the codes
- In settings, immediately set up 2FA again on the new phone
