Leech Protection watches login attempts on a password-protected directory and counts the number of distinct IPs that successfully log in with the same username over a two-hour rolling window. If the count goes past your configured threshold, that’s a sign the credentials are being shared (or sold), and Leech Protection suspends the account. Open it from cPanel home → Security → Leech Protection.

When it applies

Leech Protection only watches directories that already have HTTP basic auth configured via Directory Privacy. On a directory with no protection, there’s no login to track. Common cases for it:
  • A members-only download area with shared members:password credentials being passed around.
  • A staging site with one set of credentials handed to many testers; you want to know if the password leaked.
  • An admin-area login at the directory level (the WordPress admin, a control panel) you want to limit reuse on.

Enable it on a directory

1. Pick the directory

The Leech Protection page lists every directory under your account. Click the folder name to open the protection settings.

2. Set the login limit

Default is two logins per username per two-hour window. Bump it up if your real users normally log in from many networks (mobile + home + office); drop it if you only ever log in from one place.

3. Set the redirect URL (optional)

When a username is suspended, anyone trying to log in with it gets redirected here. Default is your homepage. You can point at a “your access has been disabled, contact us” page.

4. Set the email alert (optional)

cPanel can email you when a username is suspended. Useful for catching incidents in real time.

5. Toggle Disable Compromised Accounts

Off by default. With it on, the username’s password is invalidated when it trips the limit; the user has to be re-enabled manually. Off, the limit is logged but the user keeps working.

6. Click Enable

Leech Protection writes a tracker into the directory and starts counting. Existing logins keep working; the count starts from zero.

What “leeching” looks like in practice

A typical share-the-password situation:
  • One paid member logs in from their home IP. Count: 1.
  • Same credentials are pasted into a Telegram channel.
  • Three people log in from their own IPs over the next hour. Count: 4.
If your limit is 2, the username is suspended once the third or fourth person logs in. The genuine user gets redirected on their next visit and emails you wondering what happened. Now you know.
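
The counting rule described above can be replayed over an existing access log to see which usernames would trip a given limit before you enable the feature. This is an added example, not cPanel's own code: it assumes Apache common/combined log lines, treats any authenticated request whose status is not 401 as a successful login, and the names `parse`, `find_trips` and `_line` are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)  # rolling window length stated on this page
# Assumed Apache common/combined prefix: ip ident user [time] "request" status
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3})')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ip, user, ts, status = m.groups()
    # "-" = no authenticated user; 401 = credentials rejected (assumed rule)
    if user == "-" or status == "401":
        return None
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), user, ip

def find_trips(lines, limit=2):
    """Map user -> (time, ips) when distinct IPs in WINDOW first pass `limit`."""
    recent = defaultdict(deque)  # user -> (time, ip) pairs, oldest first
    trips = {}
    for when, user, ip in sorted(e for e in map(parse, lines) if e):
        q = recent[user]
        q.append((when, ip))
        while when - q[0][0] > WINDOW:  # drop logins older than the window
            q.popleft()
        ips = sorted({i for _, i in q})
        if len(ips) > limit and user not in trips:
            trips[user] = (when, ips)
    return trips

def _line(ip, user, hhmm, status=200):
    return (f'{ip} - {user} [12/Mar/2024:{hhmm}:00 +0000] '
            f'"GET /members/ HTTP/1.1" {status} 512')

SAMPLE = [  # constructed: documentation IP ranges, made-up usernames
    _line("198.51.100.7", "alice", "09:00"),   # genuine member
    _line("203.0.113.20", "alice", "09:40"),   # shared credentials
    _line("203.0.113.99", "alice", "09:45", 401),  # failed attempt, ignored
    _line("203.0.113.21", "alice", "10:10"),
    _line("192.0.2.55", "alice", "10:30"),
    _line("192.0.2.10", "bob", "08:00"),       # three IPs, but spread out
    _line("192.0.2.11", "bob", "09:00"),
    _line("192.0.2.12", "bob", "10:30"),
    _line("198.51.100.50", "carol", "09:05"),  # office NAT: one public IP
]

print(find_trips(SAMPLE))
```

In the sample, only `alice` exceeds a limit of 2; `bob` uses three IPs, but never more than two inside any two-hour window.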

Disable it

Same page, Disable button on the directory you want to clear. The tracker is removed, the count resets, no record of past trips is kept.

Common issues

Mobile networks rotate IPs aggressively. A user on 4G can show as ten different IPs in an hour. Bump the limit, or use a longer-window protection layer like Imunify360 instead.
Visitors behind the same NAT (a corporate office, a school) all share one public IP. Leech Protection counts that as one user, even with twenty real people. The tool is for credential sharing across networks, not within one.
With Disable Compromised Accounts off, the count keeps growing on every attempt. Turn it on to actually invalidate the password; you’ll need to re-enable from Directory Privacy.
