On cPanel & WHM servers, Apache's mod_userdir feature allows URL access in the format "http://siteadi.com/~user". It has practical uses, but it needs to be configured carefully for both performance and security.
In this article, we will discuss step by step what mod_userdir is, what it does, what risks it carries, and how to activate mod_userdir protection via WHM.
What is mod_userdir? What Does It Do?
When enabled on Apache servers, mod_userdir provides direct access to user directories in the form "http://domain.com/~username". This can be useful, especially for developers who want to temporarily access the site during the testing process.
For example:
http://ekasunucu.com/~mehmet → goes to the /home/mehmet/public_html directory.
However, there is an important problem here: all traffic made in this way is counted against the bandwidth quota of the main domain name, ekasunucu.com. This both prevents fair resource usage and is open to abuse in shared hosting environments.
⚠️ Why is mod_userdir Protection Necessary?
- Unfair traffic loading: Although the user appears to be accessing the ~mehmet directory, the bandwidth is counted against ekasunucu.com.
- Security vulnerabilities: Some malicious users may try to view the content of other accounts using this feature.
- SSL incompatibility: ~user access is not compatible with SSL, and HTTPS access errors occur.
- Server load: System resources cannot be used correctly, and performance decreases.
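To see how much ~user traffic a domain is actually carrying, and whether those requests are still being served, the domain's access log can be summarised per user. The following Python script is an added example, not part of the original article or of cPanel; it assumes the log is in Apache's combined format, and the function name and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache "combined" log line: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# mod_userdir paths look like /~username or /~username/...
USERDIR_RE = re.compile(r'^/~([A-Za-z0-9_.-]+)(?:/|$)')


def userdir_usage(lines):
    """Summarise /~user requests: hits, hits actually served, bytes, client IPs."""
    usage = defaultdict(lambda: {"hits": 0, "served": 0, "bytes": 0, "clients": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Apache decodes %7E to "~" before mapping the path, so decode here too.
        path = unquote(m.group("path").split("?", 1)[0])
        u = USERDIR_RE.match(path)
        if not u:
            continue
        entry = usage[u.group(1)]
        entry["hits"] += 1
        if int(m.group("status")) < 400:
            entry["served"] += 1  # content was reachable through ~user
        if m.group("bytes") != "-":  # "-" means no response body
            entry["bytes"] += int(m.group("bytes"))
        entry["clients"].add(m.group("ip"))
    return dict(usage)


# Constructed sample lines for illustration (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2024:10:00:01 +0300] "GET /~mehmet/ HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '192.0.2.10 - - [10/Mar/2024:10:00:02 +0300] "GET /~mehmet/img/logo.png HTTP/1.1" 200 20480 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Mar/2024:10:01:00 +0300] "GET /%7Emehmet/index.html HTTP/1.1" 304 - "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:02:00 +0300] "GET /~ayse/backup.zip?dl=1 HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:10:03:00 +0300] "GET /~ayse/ HTTP/1.1" 404 315 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:10:04:00 +0300] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for user, s in sorted(userdir_usage(SAMPLE_LOG).items()):
        print(f"~{user}: {s['hits']} hits ({s['served']} served), "
              f"{s['bytes']} bytes, {len(s['clients'])} client IPs")
```

A non-zero "served" count for an account that is not on the exception list means ~user requests are still reaching its content.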
Enabling mod_userdir Protection via WHM
- Log in to WHM as root.
- Open the Security Center → Apache mod_userdir Tweak section from the left menu.
- Check the "Enable mod_userdir Protection" box at the top of the page.
- In the user list below, select the accounts to which you will allow this access as an exception (usually left blank).
- Save the settings by pressing the Save button at the bottom of the page.
⚠️ Recommendation: On shared servers, do not leave this feature open to any user.
What to Do If You Need to Use the mod_userdir Feature Temporarily?
- If a domain has not been redirected yet, you can temporarily disable protection for access testing.
- Be sure to reactivate it after the test is complete.
Alternatively:
- The user can be allowed to test with a temporary URL. (For example, instead of http://ipadres/~user, a preview domain configured directly with the server IP can be used.)
In Summary
Although mod_userdir seems useful, it is not recommended to leave it directly active. Because it brings problems related to server quota, security and SSL, activating protection via WHM is the most appropriate approach.