> ## Documentation Index
> Fetch the complete documentation index at: https://help.noxity.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Leech Protection

> Catch shared or stolen credentials on a password-protected directory. Set a login limit, suspend accounts that go past it.

Leech Protection watches login attempts on a [password-protected directory](/web-hosting/cpanel/file-management/directory-privacy) and counts the number of distinct IPs that successfully log in with the same username over a two-hour rolling window. If the count goes past your configured threshold, that's a sign the credentials are being shared (or sold), and Leech Protection suspends the account.

Open it from cPanel home → **Security** → **Leech Protection**.

<Frame caption="Leech Protection list of password-protected directories">
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/noxity/images/cpanel/security-settings/leech-protection/listing-light.png" alt="Leech Protection page with directory chooser" className="block dark:hidden" />

  <img src="https://mintlify.s3.us-west-1.amazonaws.com/noxity/images/cpanel/security-settings/leech-protection/listing-dark.png" alt="Leech Protection page with directory chooser" className="hidden dark:block" />
</Frame>

## When it applies

Leech Protection only watches directories that already have HTTP basic auth configured via [Directory Privacy](/web-hosting/cpanel/file-management/directory-privacy). On a directory with no protection, there's no login to track.

Common cases for it:

* A members-only download area with shared `members:password` credentials being passed around.
* A staging site with one set of credentials handed to many testers; you want to know if the password leaked.
* An admin-area login at the directory level (the WordPress admin, a control panel) you want to limit reuse on.

## Enable it on a directory

<Steps>
  <Step title="Pick the directory">
    The Leech Protection page lists every directory under your account. Click the folder name to open the protection settings.
  </Step>

  <Step title="Set the login limit">
    Default is two logins per username per two-hour window. Bump it up if your real users normally log in from many networks (mobile + home + office); drop it if you only ever log in from one place.
  </Step>

  <Step title="Set the redirect URL (optional)">
    When a username is suspended, anyone trying to log in with it gets redirected here. Default is your homepage. You can point at a "your access has been disabled, contact us" page.
  </Step>

  <Step title="Set the email alert (optional)">
    cPanel can email you when a username is suspended. Useful for catching incidents in real time.
  </Step>

  <Step title="Toggle Disable Compromised Accounts">
    Off by default. With it on, the username's password is invalidated when it trips the limit; the user has to be re-enabled manually. Off, the limit is logged but the user keeps working.
  </Step>

  <Step title="Click Enable">
    Leech Protection writes a tracker into the directory and starts counting. Existing logins keep working; the count starts from zero.
  </Step>
</Steps>

## What "leeching" looks like in practice

A typical share-the-password situation:

* One paid member logs in from their home IP. Count: 1.
* Same credentials are pasted into a Telegram channel.
* Three people log in from their own IPs over the next hour. Count: 4.

If your limit is `2`, the username is suspended once the third or fourth person logs in. The genuine user gets redirected on their next visit and emails you wondering what happened. Now you know.

## Disable it

Same page, **Disable** button on the directory you want to clear. The tracker is removed, the count resets, no record of past trips is kept.

## Common issues

<AccordionGroup>
  <Accordion title="It triggered on a single legitimate user">
    Mobile networks rotate IPs aggressively. A user on 4G can show as ten different IPs in an hour. Bump the limit, or use a longer-window protection layer like [Imunify360](/web-hosting/cpanel/security-settings/imunify360/overview) instead.
  </Accordion>

  <Accordion title="It's not catching obvious sharing">
    Visitors behind the same NAT (a corporate office, a school) all share one public IP. Leech Protection counts that as one user, even with twenty real people. The tool is for credential sharing across networks, not within one.
  </Accordion>

  <Accordion title="A suspended account keeps trying">
    With **Disable Compromised Accounts** off, the count keeps growing on every attempt. Turn it on to actually invalidate the password; you'll need to re-enable from [Directory Privacy](/web-hosting/cpanel/file-management/directory-privacy).
  </Accordion>
</AccordionGroup>

## Need a hand?

<CardGroup cols={2}>
  <Card title="Open a ticket" icon="life-ring" href="https://members.noxity.io/submitticket.php">
    Best for anything that needs an account check or a config change on our end.
  </Card>

  <Card title="Live chat" icon="messages" href="https://noxity.io/contact">
    Faster for quick questions during business hours.
  </Card>
</CardGroup>