← Back to Blog

Why We're Offering Free cPanel-to-WHP Migrations

If you operate a website, run a small business off shared hosting, or just manage a personal site or two, the last few weeks have probably looked unusually noisy in your inbox. Hosting providers everywhere have been firing off emergency security notices, forced patch windows, and "please rotate your password" advisories — and the common thread running through almost all of them is cPanel.

We've been watching this cycle play out, and we've made a decision: AnHonestHost is now offering free migrations from cPanel to our Web Hosting Platform (WHP) for any customer who wants one. Existing customers, new customers, anyone bringing a cPanel site over from another host — the migration is on us.

This post explains why, what we'll move for you, and what to expect.

What just happened with cPanel

Between late April and mid-May 2026, cPanel issued three Technical Security Releases covering at least nine CVEs. That's a normal year's worth of advisories compressed into about sixteen days. The standouts:

  • CVE-2026-41940 — A CVSS 9.8 pre-authentication bypass in the cPanel and WHM login flow. An unauthenticated attacker who could reach the login page could promote themselves to a root-level admin session with a single crafted HTTP request. Two-factor authentication was bypassed in the same step. The vulnerability had been actively exploited in the wild since February 23, 2026 — roughly two months before a patch existed. CISA added it to the Known Exploited Vulnerabilities catalog with a federal patching deadline. By early May, Shadowserver was tracking ~44,000 IPs scanning or exploiting cPanel servers, and Censys had identified thousands of hosts carrying ransomware artifacts left by attackers who used the bug.
  • CVE-2026-29202 — A CVSS 8.8 remote code execution flaw in the create_user API, patched May 8. Combined with a stolen low-privilege account from the earlier wave, this gets an attacker code execution on the server.
  • CVE-2026-29203 — A CVSS 8.8 privilege escalation via unsafe symlink handling, also patched May 8. Chains naturally with the RCE above.
  • A third TSR on May 13 patched five more CVEs across every active cPanel tier from 11.86 through 11.136.

In an email to customers, cPanel themselves wrote: "The industry is seeing a sustained rise in discovered vulnerabilities, and AI is accelerating the pace at which they are found and exploited… You will hear from us more frequently as our processes evolve. This is intentional."

That's the vendor telling its own customers to expect this cadence to continue.

Why we're moving customers off, not just patching faster

We patched fast. Our customers were protected. That's not the point.

The point is that we've been quietly unhappy with the direction of cPanel for a long time, and the recent advisories crystallized it. Three things have been bothering us:

Costs keep rising. cPanel licensing has gone up year over year while the panel itself hasn't meaningfully changed. Those increases get passed along the supply chain to customers, and we've never liked that the price of a license has more to do with WebPros' financial targets than with anything we or our customers are getting in return.

Updates have been thin. For a platform whose internet-facing footprint includes the management plane of millions of servers, the pace of meaningful improvement to cPanel itself has been slow. The recent advisories — especially CVE-2026-41940, which sat on top of a sanitizer that had to be opted into by each caller — are symptomatic of a codebase that hasn't been modernized at the pace its exposure demands.

Feature-complete means add-on after add-on. To give customers what we consider a baseline hosting experience, a stock cPanel install pretty much requires a stack of paid add-ons. We've never enjoyed building that pricing back into customer plans, and we don't want to keep doing it.

WHP is our answer. It's our own containerized hosting platform, built from the ground up around the values that drive AnHonestHost: transparency, honest pricing, and a stronger baseline of features included by default. We're not pretending nothing costs extra — when you need more CPU, RAM, storage, additional email accounts, email archival, or our AI-assisted site monitoring, those are real resources or real features and they're priced as such. What we don't do is paywall the basics or stack license-tier-style add-ons on top of features you'd expect to be there from day one. We've been running WHP in production for a while, and we're confident enough in it that we'd rather migrate you over — for free — than keep renewing cPanel licenses for the same money.

What we'll migrate for you

Free of charge, end to end:

  • All website files (public_html and beyond)
  • All databases and database users
  • DNS zones, including custom records
  • Email accounts, including existing inboxes and folders
  • SSL certificates (or fresh ones issued automatically on WHP)
  • Cron jobs, redirects, and account-level configurations
  • WordPress, Joomla, Drupal, or any other CMS install — the underlying files and database come across intact

You don't need to know anything about the source server, and you don't need to do the work yourself. Our team handles the technical side and coordinates the cutover with you.

How to start a migration

Email [email protected] to schedule. We'll ask a few questions about your current setup, agree on a migration window with you, do the bulk of the move in the background, and then schedule a cutover for a time that minimizes any impact on your sites.

You can also read more about WHP — features, philosophy, what's included by default — at the WHP getting-started guide.


Frequently Asked Questions

Why do you need my email passwords?

Because there is no way to migrate email contents without authenticating to the mailbox. When email lives on someone else's server (your current host's), the only portable way to retrieve the messages, folders, flags, and read status is to log in over IMAP, pull everything down, and push it into the destination. That requires the password.

We don't store the password after the migration completes. It's used for the transfer and then discarded. If you'd prefer to rotate the password at the source host first, use a temporary password for the migration, and then change it again afterward, that's a sensible workflow and we'll happily work with you that way.

If you don't want to migrate email contents — for example, you're fine starting fresh, or your team uses Gmail/Outlook/etc. for actual mailbox storage — we can skip this step entirely. We'll just recreate the email accounts on WHP and you can reconfigure your clients.

How long does a migration take?

Most sites and mailboxes finish within a few hours of background work, with the customer-visible cutover happening in a scheduled window of a few minutes (DNS change plus a verification pass). For larger sites — big WordPress installs, large mailboxes, or many accounts — we'll quote a realistic window when we schedule.

Will my site go down during the migration?

The migration itself happens in the background while your existing site stays online. The cutover — the moment we flip DNS and tell the world your new server is the authoritative one — is the only point where there's any chance of a hiccup. We schedule that with you, and in practice most sites see no perceptible downtime because we pre-stage everything and the DNS change propagates quickly.

What about email after the cutover?

Mail delivery follows DNS. Once your MX records point at WHP, new mail arrives at the new server. We migrate the existing inbox contents ahead of cutover, so when you log into your mailbox on WHP, your old messages are already there.

If you're worried about mail-in-flight during the cutover, we can run both old and new in parallel for a short period to catch any stragglers — just ask.

What happens to my SSL certificates?

WHP issues free SSL via Let's Encrypt automatically for every domain it manages. If you have a paid certificate with time remaining, we can carry it over; otherwise we'll just issue fresh certs and you can let the old ones lapse.

Do I need to be technical to do this?

No. The whole point is that we do the work. If you can answer "what's the login to your current host?" and "when's a good time to flip the switch?", we can take it from there. If you'd rather be hands-on and learn how WHP works as we go, we're happy to walk you through it.

How is WHP different from cPanel under the hood?

WHP is containerized — each customer's environment runs in an isolated container, which means a problem in one account can't leak into another, updates can be rolled forward and back cleanly, and the management plane isn't a giant shared Perl daemon listening on a single set of ports. The interface gives you the things you'd actually use cPanel for (files, databases, email, DNS, SSL, cron, one-click installs) without the add-on-pricing layer cake on top.

What costs extra on WHP?

WHP plans include a strong baseline by default — what we consider the essentials for actually running a site. What we charge for separately is anything that's a real resource consumption decision or an extra-cost feature on our end:

  • Resources: additional CPU, RAM, and storage above your plan's baseline.
  • Email: additional email accounts beyond your plan allowance, and email archival if you want long-term retention.
  • AI-assisted site monitoring: an optional add-on for customers who want proactive monitoring with intelligent alerting.

The principle we apply: if it costs us real money to provide it, we price it transparently rather than burying the cost in the base plan. If it's a feature that should reasonably be included in hosting, it is. We're not trying to claim WHP is free of every possible add-on — we're trying to make sure that the things you pay extra for are things you'd actually expect to pay extra for, not basic functionality being held hostage behind a license tier.

Is WHP open source?

WHP is our own platform, built and operated by AnHonestHost. We're transparent about what's running, how it works, and what we charge for it — that's a core part of why we built it ourselves rather than continuing to renew commercial licenses indefinitely. If you'd like more detail on the architecture, the getting-started docs are a good place to start, and our support team is happy to talk shop.

I'm currently on someone else's cPanel host, not yours. Can I still migrate?

Yes. The free migration offer applies to any customer moving to AnHonestHost on WHP, whether you're with us today or coming from another provider. We've moved customers off shared hosting from most of the big names, and we're set up to handle it.

What if I want to stay on cPanel?

We get it. cPanel has a 25-year head start on muscle memory, reseller ecosystems, and integrations, and not every site is ready to leave that behind. We're not pushing anyone off cPanel — this is an offer, not a mandate. If you'd rather stay on a cPanel plan with us, we'll keep patching aggressively and you'll keep getting the same support you always have. The migration is here when you want it.

What about my reseller account or my customers' sites?

If you run a reseller account on cPanel/WHM, contact us directly. Reseller migrations involve more moving parts (per-customer accounts, per-customer DNS, per-customer email) and we'll scope the work with you to make sure nothing slips. The migration itself is still free; we just want to do it right.


If you have a question we haven't answered here, send it to support. We'll add the good ones to this post.