Skip to content
ProtocolPorts

Port reference

Port 2087 (TCP) – WHM (WebHost Manager, TLS)

TLS web port for WHM, the server-level administration panel for cPanel hosting (root/reseller control).

tcpRegisteredCommonly attacked

Default state

Open on cPanel servers running WHM; serves HTTPS, with the non-TLS variant on 2086.

Common attacks

  • Credential brute force and password spraying against the root/reseller login
  • Exploitation of repeated cPanel/WHM vulnerabilities (auth bypass, XSS, RCE)
  • Mass automated scanning of hosting servers for exposed WHM panels
  • Privilege abuse after account or reseller compromise

Hardening

  • Restrict WHM access to allowlisted IPs / VPN rather than the open internet
  • Enforce strong unique root/reseller passwords, MFA, and cPHulk protection
  • Replace the default certificate and keep cPanel & WHM patched
  • Apply least privilege to reseller accounts and disable unused features
  • Monitor logins and audit reseller/account activity

nmap snippet

nmap -p2087 --script ssl-cert,http-title,http-auth <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 2087?

Port 2087 is the TLS web port for WHM (WebHost Manager), the server-level administration panel for cPanel hosting. While cPanel manages a single account, WHM administers the whole server — creating and suspending accounts, managing services and packages, and configuring the host with root or reseller privileges. The non-TLS variant runs on 2086.

Why it matters for security

WHM is effectively the master control panel for a hosting server, so a compromise of 2087 can mean takeover of every site on the box. It is exposed on a large number of servers, making it mass-targeted, and cPanel & WHM carry a long history of security advisories — authentication bypasses, XSS, and occasional RCE — that automated tools exploit rapidly.

How it's attacked

Attackers brute-force and password-spray the root/reseller login and scan hosting fleets for exposed WHM. They chain known cPanel/WHM vulnerabilities for authentication bypass or code execution, and after compromising a reseller or account they abuse privileges to control more sites or escalate to root on the server.

Hardening checklist

Restrict WHM to allowlisted IPs or a VPN rather than the open internet. Enforce strong unique root/reseller passwords, MFA, and cPHulk brute-force protection, replace the default certificate, and keep cPanel & WHM patched. Apply least privilege to reseller accounts, disable unused features, and monitor logins and reseller activity. The nmap snippet inspects the certificate, title, and auth on systems you are authorized to test.

Related ports

Port 2082Port 2083Port 2086Port 2096

Frequently asked questions

What is port 2087 used for?
It is the TLS port for WHM (WebHost Manager), the server-level control panel that administers a cPanel server — creating accounts, managing services, and configuring the host with root or reseller privileges. The non-TLS variant is 2086.
Is it safe to expose port 2087 to the internet?
No. WHM grants root/reseller control of an entire hosting server and is a constant brute-force and CVE target. Restrict 2087 to allowlisted IPs or a VPN, enforce MFA and cPHulk, replace the default certificate, and keep WHM patched.