cPanel & WHM Version 136 Released — CSF Signed Updates, Short-Lived SSL, MariaDB 11.8, and Ubuntu 22.04 EOL

cPanel & WHM version 136 has landed, and it is a release that hosting administrators and server managers will want to pay close attention to. This update delivers meaningful improvements across four critical areas: firewall management, SSL certificate handling, PHP administration, and database support — all while drawing a firm line in the sand on Ubuntu 22.04 LTS support.

If you manage cPanel servers for clients, run a hosting reseller operation, or oversee a fleet of web servers, here is everything in version 136 that directly affects your day-to-day operations.

How to Update to cPanel & WHM v136

Before diving into the features, here is how to update your server to version 136. Always run updates during a maintenance window and ensure you have a recent backup.

Check your current cPanel version:

$ /usr/local/cpanel/cpanel -V

Update via the command line (recommended for immediate update):

$ /usr/local/cpanel/scripts/upcp

Force a full update including all components:

$ /usr/local/cpanel/scripts/upcp --force

Alternatively, update via WHM: WHM → Upgrade to Latest Version under the cPanel section.

Verify the update completed successfully:

$ cat /usr/local/cpanel/version

1. CSF via cPanel’s Signed Update System

ConfigServer Security & Firewall (CSF) is the most widely deployed firewall solution in cPanel environments — installed on the overwhelming majority of actively managed cPanel servers worldwide. Prior to v136, CSF received its updates directly from ConfigServer’s own update infrastructure, which meant server administrators were relying on an external, third-party source for a security-critical component.

cPanel v136 changes this. CSF is now delivered through cPanel’s own signed package update system — the same authenticated, cryptographically-verified pipeline used for all other cPanel components. Every CSF update is signed by cPanel/WebPros, verified on arrival, and consistent across all servers running the same cPanel version.

What this means in practice:

• No more dependency on ConfigServer’s availability for security updates
• CSF updates arrive through the same WHM update mechanism as everything else
• Cryptographic verification prevents tampered packages from being applied
• Consistent CSF version across your server fleet — no version drift between servers
• Simplified compliance auditing — one update system to track

For hosting companies managing tens or hundreds of cPanel servers, this is a significant operational improvement. Previously, CSF version inconsistencies between servers were a common source of support headaches. Version 136 standardises that.

Check your current CSF version after updating:

$ csf -v

Restart CSF to apply any pending rule changes:

$ csf -r

2. Short-Lived SSL with Automated Renewal (ACME)

The SSL/TLS landscape is changing. Google’s Chrome team has been driving an industry push toward shorter certificate lifetimes — with proposals to reduce maximum certificate validity from the current 398 days to as low as 90 days, and eventually toward 47-day certificates. Cloudflare and other major infrastructure providers are also moving toward short-lived certificates that are renewed automatically rather than managed manually.

cPanel v136 addresses this directly. The platform now includes native support for short-lived SSL certificates with automated renewal via the ACME protocol. Instead of managing 1-year certificate cycles manually or relying on cron jobs, cPanel’s AutoSSL system can now handle frequent, automated certificate renewals transparently.

What this means in practice:

• Certificates can be issued with significantly shorter validity periods — down to days or weeks
• Renewal is fully automated through the ACME protocol (the same standard used by Let’s Encrypt)
• No manual intervention required as certificate lifecycles become more frequent
• Compatible with Let’s Encrypt, Sectigo, and other ACME-enabled certificate authorities
• AutoSSL handles all renewal timing, ensuring certificates never expire

This change positions cPanel ahead of the industry shift rather than reacting to it after it becomes mandatory. Administrators who have struggled with certificate expiry issues — particularly on servers with large numbers of hosted domains — will find the automated renewal system a significant operational relief.

Check AutoSSL status for a domain via command line:

$ /usr/local/cpanel/bin/autossl_check --user=cpanelusername

Run AutoSSL for all users:

$ /usr/local/cpanel/bin/autossl_check --all

3. Unified SSL/TLS Management Interface

SSL certificate management in cPanel has historically been scattered. AutoSSL lived in one place, manually installed certificates in another, CSR generation in a third location. Administrators switching between managing Let’s Encrypt certificates, manually uploaded certificates, and certificate authority orders had to navigate multiple distinct interfaces.

cPanel v136 introduces a unified SSL/TLS management interface that consolidates the full certificate workflow into a single, coherent location. From one interface you can now:

• View all certificates across all domains on the server in a single list
• See AutoSSL and manually installed certificates together
• Manage certificate installation, renewal, and removal
• Generate and submit CSRs
• View certificate details, expiry dates, and issuance sources
• Configure short-lived certificate settings (new in v136)

For resellers and hosting companies that manage SSL certificates across multiple client accounts, this consolidation significantly reduces the time spent on certificate administration. The new interface is accessible in WHM → SSL/TLS and in each cPanel account under Security → SSL/TLS.

4. Server-Wide PHP Error Logging

PHP error logging has always been configurable in cPanel, but prior to v136, standardisation across a multi-account server was challenging. Each account could have its own PHP logging configuration, and system administrators had no simple way to enforce consistent error logging behaviour across all accounts from WHM.

cPanel v136 introduces server-wide PHP error logging configuration from WHM. System administrators can now:

• Set a global PHP error logging policy that applies to all accounts
• Standardise error_log destinations across all accounts and PHP versions
• Enable or disable specific error types (E_ERROR, E_WARNING, E_NOTICE, etc.) server-wide
• Override or restrict per-account PHP error logging settings where compliance or security requires it

This is particularly valuable for hosting companies with compliance requirements, and for server administrators supporting clients who run PHP applications in production — where inconsistent error logging makes debugging significantly harder.

View PHP error logs for a specific account:

$ tail -f /home/cpanelusername/logs/error_log

Check PHP configuration for a user:

$ /usr/local/cpanel/bin/php_fpm_config --list --user=cpanelusername

5. Enhanced Log Retention Controls

Log management is a perpetual challenge on shared hosting servers. Logs accumulate rapidly — Apache access logs, error logs, FTP logs, email logs — and without proactive management, they can consume significant disk space and reduce the visibility that logs are supposed to provide.

cPanel v136 introduces enhanced log retention controls that give administrators more granular control over how long different log types are retained. Key improvements include:

• Per-log-type retention period configuration (Apache, FTP, email, PHP, cPanel activity)
• Automatic log rotation with configurable compression
• Disk usage visibility — see how much storage is consumed by logs before and after retention policy changes
• Retention policies that balance compliance requirements (some regulated environments mandate minimum log retention) with disk usage management

Check disk usage of log files on your server:

$ du -sh /var/log/
$ du -sh /home/*/logs/

View log rotation configuration:

$ cat /etc/logrotate.conf
$ ls /etc/logrotate.d/

6. Clear EOL vs Hardened PHP Visibility

PHP end-of-life management is one of the most consistently neglected areas of server administration. Servers running PHP 7.4, PHP 8.0, or PHP 8.1 — all of which have reached end-of-life — are a common sight, often because administrators do not have clear visibility into which accounts are using which PHP version and which versions present a risk.

cPanel v136 significantly improves this with clearer EOL (End of Life) vs. hardened PHP version visibility directly in WHM. The new interface:

• Clearly flags PHP versions that have reached EOL — no more guessing which versions are past their support date
• Distinguishes between officially EOL PHP versions and cPanel’s “hardened” PHP builds — versions that have reached upstream EOL but are maintained by cPanel with security backports
• Shows a per-account breakdown of PHP versions in use across the server
• Provides upgrade path suggestions alongside the risk indicators

This is the visibility improvement that makes proactive PHP upgrade management practical rather than manual. Prior to v136, identifying all accounts running EOL PHP required either manual review or custom scripts.

List all PHP versions installed on the server:

$ /usr/local/cpanel/bin/whmapi1 php_get_installed_versions

Check which PHP version a specific account is using:

$ /usr/local/cpanel/bin/whmapi1 php_get_vhost_versions user=cpanelusername

Change PHP version for a domain:

$ /usr/local/cpanel/bin/whmapi1 php_set_vhost_versions user=cpanelusername vhost=yourdomain.com php_version=ea-php83

7. WebPros Account Global Logout

cPanel, WHM, Webmail, and other WebPros services have increasingly converged around WebPros’ single sign-on (SSO) infrastructure. This is operationally convenient — log in once and navigate between services — but it introduced a security gap: logging out of one service did not necessarily terminate all active sessions across the entire SSO ecosystem.

cPanel v136 addresses this with WebPros Account global logout. When a user logs out of their WebPros Account, all active SSO sessions across every connected service are terminated simultaneously. This ensures:

• A user who logs out of cPanel also terminates their WHM and Webmail sessions
• No orphaned active sessions remain after an explicit logout action
• Compliance with security policies that require full session termination
• Reduced attack surface from session hijacking — stolen session tokens cannot be used after the user has logged out

For managed hosting environments, MSPs, and resellers where multiple staff members share access to WHM, proper session management is a security requirement. The v136 global logout closes a meaningful gap in the previous SSO implementation.

8. MariaDB 11.8 Support

cPanel v136 adds native support for MariaDB 11.8 — the latest stable release of MariaDB — via WHM’s Database section. This is a significant database update for hosting providers and server administrators running MariaDB-based applications.

MariaDB 11.8 brings several improvements relevant to production hosting environments:

• Extended performance improvements for InnoDB and MyRocks storage engines
• Enhanced JSON support and improved JSON function compatibility with MySQL 8
• GTID (Global Transaction ID) improvements for replication environments
• Improved parallel replication for multi-threaded slave configurations
• Spider storage engine updates for distributed database setups
• Security improvements including enhanced TLS configuration options

Check your current MariaDB version:

$ mysql --version

Upgrade MariaDB via WHM: WHM → SQL Services → MySQL/MariaDB Upgrade

Or via command line using cPanel’s upgrade script:

$ /usr/local/cpanel/bin/whmapi1 start_background_mysql_upgrade version=11.8

Always take a full database backup before upgrading MariaDB:

$ /usr/local/cpanel/scripts/pkgacct cpanelusername
$ mysqldump --all-databases --single-transaction -u root -p > /root/all_databases_backup.sql

⚠️ Critical: Ubuntu 22.04 LTS End of Support

Supported operating systems for cPanel going forward:

• AlmaLinux 8 and AlmaLinux 9 (recommended — the primary cPanel platform post-CentOS)
• Rocky Linux 8 and Rocky Linux 9
• CloudLinux 8 and CloudLinux 9
• Ubuntu 24.04 LTS (Noble Numbat) — continued support

Migration Path from Ubuntu 22.04

Check your current operating system version:

$ lsb_release -a
$ cat /etc/os-release

If your server shows Ubuntu 22.04 LTS (Jammy Jellyfish), you have two options:

Option 1: Fresh server migration (recommended)

1. Provision a new server running AlmaLinux 9 or Ubuntu 24.04 LTS
2. Install cPanel on the new server
3. Use cPanel’s pkgacct to export all accounts from the old server
4. Use restorepkg to restore them on the new server
5. Update DNS, verify services, decommission old server

# On the old server — backup each account
$ /usr/local/cpanel/scripts/pkgacct cpanelusername /backup/

# On the new server — restore
$ /usr/local/cpanel/scripts/restorepkg /backup/cpanelusername.tar.gz

Option 2: In-place OS upgrade to Ubuntu 24.04

Ubuntu supports in-place upgrades from 22.04 to 24.04 via do-release-upgrade. However, this carries risk on production servers. A fresh server migration is generally safer and recommended for cPanel environments.

$ sudo do-release-upgrade

What Did Not Change — v136 Scope

It is worth noting what v136 does not include. This is not a ground-up redesign of cPanel’s interface — the core WHM and cPanel UX remain consistent with v134 and v132. The following are not in v136:

• No changes to the Paper Lantern or Jupiter cPanel themes
• No changes to Exim mail configuration defaults
• No new Softaculous or Installatron integrations (these are independent of cPanel versioning)
• No changes to domain management or DNS cluster behaviour

Version 136 is a targeted infrastructure update — firewall integrity, SSL automation, PHP visibility, and database support — rather than a UX overhaul.

Update Checklist for v136

Before and after updating to cPanel v136, run through this checklist:

Before updating:

# Verify current version
$ /usr/local/cpanel/cpanel -V

# Check OS to confirm you are NOT on Ubuntu 22.04 moving to the next release
$ cat /etc/os-release

# Full server backup
$ /usr/local/cpanel/scripts/cpanellogd --verbose

# Check disk space (update requires free space)
$ df -h /usr/local/cpanel /var /tmp

# Disable Munin or monitoring agents that may conflict with upcp
$ systemctl stop munin-node 2>/dev/null; true

Run the update:

$ /usr/local/cpanel/scripts/upcp 2>&1 | tee /root/cpanel_update_$(date +%Y%m%d).log

After updating:

# Verify version
$ /usr/local/cpanel/cpanel -V

# Verify CSF still running correctly
$ csf -v && csf -l | head -20

# Verify AutoSSL can run
$ /usr/local/cpanel/bin/autossl_check --all --verbose

# Check MariaDB/MySQL status
$ systemctl status mysql

# Check Apache/Nginx status
$ systemctl status httpd || systemctl status apache2

# Review update log for errors
$ grep -i error /var/cpanel/updatelogs/$(ls -t /var/cpanel/updatelogs/ | head -1)

Summary

cPanel & WHM v136 is a security and infrastructure-focused release that delivers improvements administrators have been requesting for some time — particularly the CSF update pipeline change and the unified SSL management interface. The MariaDB 11.8 addition keeps the database stack current, and the PHP EOL visibility improvement makes risk management significantly more practical for hosting companies managing large numbers of accounts.

The Ubuntu 22.04 end-of-support announcement is the most operationally urgent item for administrators to act on. If your cPanel servers are running Ubuntu 22.04, the migration planning should start now — before v138 drops and the support window closes.