Two-factor authentication is a must
We really need two-factor authentication at least for WHM login. A lot of sites are already implementing this to protect from unauthorized login.
The most doable two-factor authentication would be similar to the Google Authenticator which is just a simple
security token app for Android, iPhone, Blackberry.
How it should work would ideally be like this: the user logs
in to WHM using username and password (first factor), then he will be asked
to enter a code generated by his mobile app (second factor). If it all matches with values from the server, then the login will be
I think it's safe to say it really doesn't have to be "enabled" by
default but an optional service at least for WHM login (for root and
reseller accounts) and if the dev team's time permits, individual Cpanel
This will totally eliminate brute force attacks and will even make password theft useless.
If this is too much, then the absolute easiest way to this is to require email verification for every login. Email verification is not really two-factor but good enough than nothing.