cPanel’s Important CSF Announcement: Keeping Your Firewall Updated (BaCloud Summary)

  • Thursday, January 22, 2026

BaCloud recently received an important announcement from the cPanel team regarding the future of the ConfigServer Security & Firewall (CSF) plugin. In short, the original developer of CSF has closed shop, and cPanel is stepping in with its own fork of the firewall software to ensure servers stay protected. Below, we summarize what this update means for BaCloud customers and general cPanel & WHM users in a professional, easy-to-follow overview.

Background: CSF Vendor Shuts Down, Code Released Open-Source

ConfigServer Security & Firewall (CSF) is a popular firewall management plugin for Linux servers, widely used in cPanel & WHM environments to secure servers with features like intrusion detection, IP blocking, and login failure monitoring. The plugin was maintained by Way to the Web Ltd. (W2W), also known as ConfigServer. However, W2W permanently shut down on August 31, 2025, ending all official support and development for CSF.

Before closing, the vendor did the community a favor by releasing the CSF code “as-is” under the GNU General Public License v3 (GPLv3). This means the code is freely available, but W2W made it clear there would be no further maintenance or updates from their side. CSF would continue to run on servers in its current state, but without a maintainer, future security patches or improvements were uncertain.

cPanel Steps In: A Public Fork of CSF for Security Updates

Recognizing that CSF is widely deployed on cPanel & WHM servers and plays a critical role in server security, cPanel has decided to step up and maintain the project moving forward. Specifically, cPanel announced it will publish and maintain a public fork of CSF focused solely on critical security and stability fixes. In other words, cPanel will use the latest available CSF code from W2W and continue patching security vulnerabilities and major bugs that could impact server stability.

Importantly, cPanel’s CSF fork will remain open-source (GPLv3) and will be hosted in cPanel & WHM’s public GitHub repository. This keeps the licensing consistent with the original project and allows the broader community to see the code changes. cPanel is not looking to add new features to CSF, but to ensure that this essential firewall tool continues to receive updates needed to protect servers from new threats.

Why is this necessary? Since W2W’s shutdown, the original CSF update infrastructure has gone offline. In fact, any CSF installations still configured to check the old update server (download.configserver.com) can no longer receive updates because that server is now unreachable. This situation not only leaves servers stuck without future security fixes, but it can also trigger error messages during automated update checks (for example, cron jobs failing to connect to the update server). To prevent thousands of servers from gradually becoming vulnerable as exploits are discovered, cPanel is introducing a new update source.

Automatic Update on February 18, 2026

To restore a working update path for CSF, cPanel will roll out an automatic configuration update on February 18, 2026. On that date, cPanel & WHM servers that meet the criteria (explained below) will have their CSF configuration adjusted to use cPanel’s new update mirrors instead of the defunct ConfigServer/W2W source. This means eligible servers will seamlessly start checking for CSF updates in cPanel’s repository, ensuring you won’t miss critical firewall patches going forward.

From a BaCloud perspective, we welcome this change: it’s a proactive move by cPanel to keep firewall defenses up to date for all users. Rest assured, if your server receives this update, it will not change any of your existing firewall rules or settings. It only repoints the update mechanism. The CSF plugin will continue running exactly as it is now, with the same configuration you have in place; the difference is that it can now fetch future security fixes from cPanel’s maintained fork. In essence, it’s like changing the oil in your car without altering how the engine runs – a maintenance tweak to ensure longevity and safety.

Which Servers Will Be Updated Automatically?

Not every server will be touched by the automatic reconfiguration on Feb 18. According to cPanel, the configuration change will apply only if all of the following conditions are true:

  • Original CSF Plugin in Use: Your server is running cPanel & WHM with the original CSF plugin installed (i.e., the ConfigServer version of CSF, not a fork or modified variant).

  • Using Default Update Server: CSF on your server is still configured to use ConfigServer/W2W’s original update source (the default update URL that pointed to download.configserver.com).

  • CSF Version 14.0 or Newer: Your server is running CSF version 14.0 or higher. (Servers on very old CSF releases – 13.x or below – will be excluded).

  • Auto-Updates Enabled: The CSF configuration setting “AUTO_UPDATES” is enabled (set to On). This setting allows CSF to automatically check for and apply updates. If it’s turned off, cPanel will not override it.

If all four of the above are true for your cPanel server, then on Feb 18, it will receive the new update mirror setting. If any of the conditions are not true, cPanel will not make any changes to your CSF configuration. For example, if you’re using an alternate fork of CSF, or your CSF version is 13.x or older, or you have disabled auto-updates, your server will be left as-is and no automatic tweaks will occur.

(BaCloud note: If your server doesn’t get the auto-update due to one of these factors, you may want to update CSF manually or enable auto-updates to receive future patches. Our support team can assist if you’re unsure about your current CSF setup.)
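To see which way a given server will fall, the following added example (not cPanel's or BaCloud's code) checks the three file-based conditions above: update source, version, and AUTO_UPDATES. The file names `csf.conf`, `version.txt` and `downloadservers`, the `AUTO_UPDATES = "1"` syntax and the function names are assumptions about a stock CSF install rather than details from the announcement, and the script does not detect forks.

```shell
#!/bin/sh
# Added example: test a host against conditions 2-4 of the list above.
# Assumed stock CSF files: csf.conf holds AUTO_UPDATES = "1",
# version.txt holds the release (e.g. 14.20), downloadservers lists update hosts.

# csf_fork_eligible CONF VERSION_FILE SERVERS_FILE -> 0 if all three checks pass
csf_fork_eligible() {
    conf=$1; verfile=$2; servers=$3; rc=0
    auto=$(sed -n 's/^AUTO_UPDATES *= *"\([^"]*\)".*/\1/p' "$conf" | tail -n 1)
    major=$(sed -n '1s/^\([0-9][0-9]*\).*/\1/p' "$verfile")

    if [ "$auto" = "1" ]; then echo "ok   AUTO_UPDATES is on"
    else echo "skip AUTO_UPDATES is off"; rc=1; fi

    if [ "${major:-0}" -ge 14 ]; then echo "ok   CSF major version ${major} >= 14"
    else echo "skip CSF version below 14.0"; rc=1; fi

    # Ignore commented-out entries when looking for the retired host.
    if grep -v '^[[:space:]]*#' "$servers" | grep -qi 'download\.configserver\.com'
    then echo "ok   update source is download.configserver.com"
    else echo "skip update source already changed"; rc=1; fi
    return $rc
}

# make_sample DIR AUTO VERSION HOST: write constructed sample files (not real data)
make_sample() {
    printf 'TESTING = "0"\nAUTO_UPDATES = "%s"\n' "$2" > "$1/csf.conf"
    printf '%s\n' "$3" > "$1/version.txt"
    printf '# update hosts\n%s\n' "$4" > "$1/downloadservers"
}

# Demo on constructed input; on a real server pass the files under /etc/csf.
demo=$(mktemp -d)
make_sample "$demo" 1 14.20 download.configserver.com
if csf_fork_eligible "$demo/csf.conf" "$demo/version.txt" "$demo/downloadservers"
then echo "=> matches the criteria for the Feb 18 change"
else echo "=> will be left as-is"; fi
rm -rf "$demo"
```
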

How to Opt Out or Manage CSF Updates Yourself

One great aspect of this update is that you remain in control. cPanel is offering this as a safety net, but you can choose to handle CSF updates on your own schedule or even from a different source if you prefer. If you do not want cPanel to automatically adjust your CSF configuration on Feb 18, 2026, you simply need to disable CSF’s auto-update feature before that date. This will exclude your server from the automatic change.

cPanel’s announcement provided steps to turn off AUTO_UPDATES. In WHM (WebHost Manager), you can do the following:

  1. Log in to WHM and navigate to Plugins > ConfigServer Security & Firewall (this opens the CSF interface).

  2. Click on “csf - ConfigServer Firewall” to go into the CSF settings, then open the Firewall Configuration screen.

  3. Under the “Initial Settings” section, find the option labeled AUTO_UPDATES. Change this setting to Off (disabled).

  4. Scroll down and Save your changes.

By turning off CSF’s automatic updates, you ensure that cPanel’s Feb 18th configuration change will not be applied to your server. Your CSF will just continue running without trying to update from cPanel’s mirror. Keep in mind, though, that with AUTO_UPDATES off, you will need to update CSF manually when security fixes become available. (The manual update process could involve downloading the updated CSF package from cPanel’s GitHub or using a script to apply updates – similar to how one would update any software without auto-updates.)

What if you opt out now, but later decide you want cPanel’s CSF updates? No problem – cPanel has made it easy to opt back in. If at some point after February 18 you change your mind and want to receive updates from the cPanel-maintained fork of CSF, you can run a provided script to switch the update source. Simply execute the following command on your server as root:

 
    /scripts/autorepair cpanel_csf_install

This will reconfigure your CSF installation to use cPanel’s update mirror (essentially performing the same change that would have happened automatically). After running the script, re-enable the AUTO_UPDATES setting in CSF’s Firewall Configuration. Your server will then be back on the auto-update track, downloading patches from cPanel’s CSF fork as they are released.

Whether you choose to stay on automatic updates or manage things manually, updates will be delivered through the same mechanism as before. Servers with AUTO_UPDATES enabled will receive patches automatically via the nightly cron, while servers with it disabled can pull updates on their own schedule. This mirrors how the original CSF worked, minimizing surprises in server administration.

Going Forward: Maintenance-Only Fork (No New Features, Same Support Scope)

It’s important to understand the scope of cPanel’s CSF fork. cPanel has stated that this is a maintenance effort only – the goal is to keep CSF secure and stable, not to develop new features or enhancements for it. Essentially, cPanel is ensuring the status quo of firewall protection continues uninterrupted, but don’t expect CSF to suddenly get new bells and whistles. Any major feature development or changes to how CSF works are not on the roadmap in this fork.

Also, CSF remains a third-party plugin in terms of support. cPanel’s support team will maintain the fork (i.e., write and distribute security patches), but they are not taking on general support for using CSF. This means if you have issues configuring CSF or questions about its behavior, cPanel’s official support may direct you to community resources (forums, documentation, etc.), as they did even before the fork. In other words, cPanel will ensure CSF keeps running safely, but they aren’t offering to troubleshoot your firewall settings for you. At BaCloud, our team will continue to support our customers with CSF configuration and questions as part of our managed hosting services, as we have always done.

On a positive note, cPanel encourages users to report any issues or bugs they suspect might be related to the new CSF updates. If something doesn’t work correctly after the fork updates, cPanel wants to hear about it so they can fix the fork and keep it reliable. This community feedback loop will help the CSF fork remain a dependable security tool for everyone.

Conclusion: Enhanced Security Continuity for BaCloud Clients and cPanel Users

In summary, cPanel’s announcement about CSF is great news for server security. When the original CSF maintainers bowed out, there was a risk that this widely used firewall would slowly become outdated and vulnerable. cPanel’s decision to fork CSF and provide critical updates ensures that CSF will continue to protect servers in 2026 and beyond. The automatic update on Feb 18, 2026, will seamlessly redirect your firewall to this new update source if you’re running a standard, up-to-date setup, so most users won’t need to do anything to benefit from the continued updates.

For BaCloud customers, this means you can rely on your cPanel & WHM servers to keep getting the latest firewall security fixes without missing a beat. We at BaCloud are committed to maintaining a secure hosting environment, and we’re pleased to see cPanel taking proactive steps that align with that mission. Our team will ensure that all eligible BaCloud servers receive the CSF configuration update or assist in making any necessary adjustments ahead of time.

If you prefer to opt out of the automatic changes, you have the freedom to do so by disabling CSF auto-updates as described above – just let us know if you need any help with that. And if you have any questions or concerns about this update, the BaCloud support team is here for you, as is cPanel’s own support knowledge base with additional details on the CSF fork. Security is an ever-evolving field, but with cPanel’s new CSF maintenance plan and BaCloud’s continued vigilance, you can host with confidence, knowing your firewall will stay up to date against emerging threats.

 

Stay secure, and happy hosting!
