When an account is suspended in cPanel/WHM, multiple actions occur that affect various services and processes related to the account. Knowing what takes place during an account suspension can help you in troubleshooting or better understanding the process.
1. Account Suspension Flags
When you suspend an account, the system adds the SUSPENDED=1 and SUSPENDTIME=epochdate flags to the account’s /var/cpanel/users/cpuser file, where epochdate represents the Unix time of the suspension.
Result: The appropriate WHM interface marks the account as suspended and lists the reason for suspension.
2. Reseller Control Lock
If you select the Prevent resellers from unsuspending checkbox, the system touches the /var/cpanel/suspended/user.lock file, locking the account.
Result: The reseller cannot unsuspend the account via WHM interfaces.
3. Stopping User Processes
The system stops all processes owned by the suspended account. This action has several effects:
- The system forcibly logs the user out of any current sessions.
- The user’s cron jobs are stopped, and the cron file is moved from
/var/spool/cron/to/var/spool/cron.suspended/.
4. Backups and Access
Although backups can still occur (if configured), the support team cannot access the suspended account to share or create a backup on demand.
5. Mailing List Lock
The system creates a suspended.lists directory in Mailman and moves all mailing list files to this directory.
Result: The account’s mailing lists no longer function.
6. Web Disk Lock
The system adds a *LOCKED* string to the /home/homedir/etc/webdav/shadow password files for all Web Disk users of the suspended account. In this example, homedir is the account’s home directory.
Result: Web Disk access is no longer functional for the account.
7. Email Password Lock
The system adds a *LOCKED* string to the /home/homedir/etc/domain/shadow password files for all email users associated with the suspended account.
Result: Email users cannot download mail, but incoming mail will still be delivered.
8. Incoming and Outgoing Email
The system blocks all outgoing emails for the suspended account and fails any mail currently in the outbound queue.
Email Delivery Behavior: You can configure how the system handles incoming emails for suspended accounts in WHM’s Exim Configuration Manager interface (WHM >> Home >> Service Configuration >> Exim Configuration Manager).
Options include:
| Setting | Description |
|---|---|
| Deliver messages normally | Accepts and delivers email via normal logic, including user-defined filters and forwarders. This can be risky, as the user can still retain some access to account resources. |
| Accept and discard messages | Accepts the email but immediately discards it without processing further. |
| Reject messages at SMTP time | Rejects the email and sends a permanent error code to the sender’s email server. |
| Accept and queue messages [Default] | Queues the email until the account is unsuspended or the message expires in the queue (4 days, 8 hours by default). |
9. Apache Configuration Update
The system updates httpd.conf with a VirtualHost include file for the suspended account, located at /etc/apache2/conf.d/includes/account_suspensions.conf.
Result: Visitors to the account’s websites are redirected to the default suspension message. You can edit this message in WHM’s Web Template Editor interface (WHM >> Home >> Account Functions >> Web Template Editor).
10. Shadow Password Lock
The system uses the passwd -l command to prepend two exclamation marks (!!) to the account’s passwords in the /etc/shadow file.
Result:
- The account owner cannot log in to their cPanel account.
- Database users cannot log in to their databases.
- The account’s password cannot be changed.
11. FTP Directory Permissions and Lock
The system sets the public_ftp directory’s permissions to 0000, then creates a /etc/proftpd/user.suspended file. Additionally, the system locks FTP passwords in /etc/proftpd/passwd.vhosts and /etc/proftpd/user password files by prepending them with !!.
Result: The account’s FTP users cannot access the FTP server, and the system cannot back up the public_ftp directory due to the restrictive permissions.
12. MySQL Password Changes
The system changes all of the account’s MySQL user passwords.
Result: MySQL users cannot access their databases.
Suspending an account in cPanel/WHM triggers a series of actions that impact email, website functionality, processes, and more. Understanding these actions can help you effectively manage suspended accounts and troubleshoot any issues that arise.
