As we reported last August, the venerable ConfigServer Firewall (aka CSF) project has shut down, as of December 31, 2025.
And that’s a shame, because it was an easy-to-install, easy-to-configure adaptive firewall. While setting up firewall rules to block all ports except 22, 80, and 443 or something like that is pretty simple, CSF’s strength was “block all traffic from China” or “watch the logs and if there are multiple failed ssh attempts from IP 1.2.3.4, block that IP for 10 minutes, escalating time if it continues”, etc. Sure, you can configure that kind of thing manually, but CSF was all-in-one and dead simple.
It’s also the core firewall product for cPanel, where the CSF Plugin has been a feature since forever. cPanel has recognized that CSF’s shutdown will leave a hole in their offerings, and so they’ve decided to fork the product and maintain it on their own.
They will probably just maintain it rather than develop and extend it. CSF is GPL-licensed, which means cPanel is probably not thrilled about doing work on something that they’ll have to share with every competitor. I mean, this is Oakley Capital we’re talking about. Still, if you run cPanel, this is good news.
Here’s the announcement cPanel sent:
Dear Valued Partner,
We’re writing about ConfigServer Security & Firewall (CSF) and an important update to keep your servers protected.
Way to the Web LTD (W2W / ConfigServer), the vendor behind the CSF plugin, permanently shut down on August 31, 2025, ending all support and distribution for CSF.
Before closing, W2W released the CSF code “as-is” under the GNU General Public License v3 (GPLv3), with no plans for further maintenance or support.
CSF remains widely deployed on cPanel & WHM servers and plays a critical role in server security. To maintain ecosystem security, cPanel will be publishing and maintaining a public fork of CSF focused solely on critical security and stability fixes.
This fork is based on the final upstream release and will be made available in cPanel & WHM’s public GitHub repository under GPLv3, consistent with the original project’s license.
What this means for you
Currently, CSF installations that point to ConfigServer/W2W’s original update server at download.configserver.com cannot receive updates because that infrastructure is offline. This can leave servers without future security fixes and may also trigger update/cron errors during scheduled checks.
To restore a working update path, on February 18, 2026, we’ll automatically update the CSF configuration on eligible cPanel & WHM servers to point to our update mirrors instead of the decommissioned ConfigServer/W2W source.
This configuration update applies only if all of the following are true:
- Your server is using cPanel & WHM with the original CSF plugin.
- CSF is configured to use the original ConfigServer/W2W update source.
- Your server is running CSF version 14.0 or newer.
- The CSF AUTO_UPDATES setting is enabled.
We will not make any changes if any of the following are true:
- Your server is already using an alternate CSF provider.
- Your server is running CSF version 13.x or older.
- The CSF AUTO_UPDATES setting is disabled.
If you’re currently using CSF, it will continue to run with the same rules and configuration you already have in place. This effort is simply to ensure critical security and stability fixes from our fork can still be delivered.
Manage updates yourself (optional)
You’re in control of how CSF updates are handled on your servers – whether you want updates to apply automatically, on your own schedule, or from a different source.
If you do not want cPanel to update your CSF configuration on February 18, 2026, follow these steps before this date to disable automatic updates and exclude the server from the change:
1. Navigate to ConfigServer Security & Firewall.
2. Select csf - ConfigServer Firewall.
3. Open Firewall Configuration.
4. Under Initial Settings, set AUTO_UPDATES to off.
5. Save your changes.

If you disable the AUTO_UPDATES setting before February 18, the configuration change will not be applied to your server. If you later decide you’d like updates from the cPanel-maintained fork, run /scripts/autorepair cpanel_csf_install to update the source, then re-enable the AUTO_UPDATES setting.
Updates will be distributed through the same mechanism the original version used: servers with the AUTO_UPDATES setting enabled will receive patches automatically, and servers with the AUTO_UPDATES setting disabled can apply updates manually.
For more details and further updates, please review our full support article: support.cpanel.net/hc/en-us/articles/37654028162071-Will-cPanel-provide-its-own-fork-of-CSF
If you have questions, our support team is here to help.
Best regards,
The cPanel Team


















