On 30 April 2026, NHS England issued a critical cyber alert (reference CC-4774) about a serious vulnerability in cPanel and WHM. If your practice received an email from your ICB asking you to confirm the security status of your website, this is the source of that request.
The alert is genuinely serious, but for most practice managers it raises more questions than it answers: What is cPanel? Is our website affected? What do we actually need to do? This article walks through the alert in plain English and gives you the practical questions to put to your website provider.
Tree View Designs customers: you’re not affected.
We don’t use cPanel or WHM. All our infrastructure is fully patched. No action is required from you.
What the NHS Cyber Alert is About
cPanel is a web-based control panel that hosting providers use to manage servers and set up websites. WHM (Web Host Manager) is the parent system that lets a provider manage multiple cPanel accounts at once. Together they sit behind a substantial proportion of generic, off-the-shelf web hosting services in the UK.
The vulnerability flagged by NHS England, tracked as CVE-2026-41940, is what’s known as an authentication bypass. In plain English, that means an attacker can gain access to the cPanel management console without needing valid credentials. The Common Vulnerability Scoring System (CVSS) score is 9.8 out of 10, which puts it firmly in the “Critical” category.
NHS England issued the alert specifically because working exploits are already publicly available, active exploitation has been observed in the wild, and a large number of UK organisations rely on cPanel-based hosting environments. The official cPanel advisory has been issued, patches are available, and any organisation using cPanel or WHM is being urged to apply them as soon as possible.
Why This Matters for GP Practices
A practice website typically doesn’t hold clinical patient data directly. But that doesn’t mean it’s without security implications. A compromised website can:
- Be used to deliver phishing pages targeting patients or staff
- Have malicious content embedded that harvests personal data through fake forms
- Be defaced, causing reputational damage and undermining patient trust
- Be used as a launchpad for social engineering attacks against staff
- Provide attackers a foothold from which to attempt to reach more sensitive systems
The Information Commissioner’s Office and the NHS DSP Toolkit both treat website security as part of an organisation’s overall cyber posture, regardless of whether the site itself contains patient records. A breached website is a notifiable incident, and the practice (not the supplier) is ultimately accountable as the data controller.
That’s why ICBs are reaching out to practices proactively. They can’t see who built each practice’s website, which platform it runs on, or whether any of those platforms use cPanel. Only the practice and the supplier know. Hence the request.
What to Ask Your Website Provider
Four questions, ideally answered in writing so you have a record for your DSP Toolkit:
1. Do you use cPanel or WHM to host our website?
A clear yes or no. If your provider isn’t sure, or has to check, that itself is a useful signal about how closely they manage your infrastructure.
2. If yes, have the patches for CVE-2026-41940 been applied? When?
The fix has been available since late April 2026. A good answer is a specific date, plus confirmation that the cPanel detection script (which checks for signs of prior exploitation) has also been run.
3. When was the last full security audit of the platform we run on?
This question separates suppliers who treat security as a continuous discipline from those who treat it as a one-time setup task. Ideally you want CHECK-approved penetration testing on at least an annual basis, plus regular accreditation against Cyber Essentials or Cyber Essentials Plus.
4. What is your incident response process if a vulnerability is exploited?
Hopefully you never need to use it. But knowing in advance who you call, what timelines you can expect, and how the practice is informed is the difference between a managed incident and a chaotic one.
Why NHS-Specialist Platforms Are Different
A useful piece of context: cPanel typically lives in a shared hosting environment, where dozens or hundreds of websites sit on the same physical server. That model is fine for hobby blogs and small business sites. It’s less appropriate for NHS GP practice websites for two reasons.
The first is shared exposure. If one site on a shared cPanel server is compromised because of a misconfigured plugin or weak password, attackers can sometimes pivot from that compromised site to others on the same server. Your practice website’s security ends up tied to the security posture of every other website on the same box.
The second is the surface area introduced by plugin-based platforms. Generic content management systems gain functionality through third-party plugins, each of which is a potential vulnerability vector. We’ve written separately about why we don’t use WordPress for NHS GP practice websites for exactly this reason.
NHS-specialist platforms are typically bespoke and tightly scoped. There is no plugin ecosystem to worry about, no shared hosting environment with unknown neighbours, and the supplier’s entire engineering effort is focused on one type of website. That doesn’t make a specialist platform automatically secure, but it does mean security is a first-order design concern rather than a feature retrofitted onto a generic platform.
What This Means for Tree View Designs Customers
To answer the question directly, in case any of our customers are reading this:
- Tree View Designs does not use cPanel or WHM
- Our infrastructure is fully patched and continuously monitored
- This specific vulnerability (CVE-2026-41940) does not affect any websites we host
- No action is required from you
For more on our overall security and compliance posture, including Cyber Essentials Plus accreditation, CHECK-approved penetration testing, and our DSP Toolkit alignment, see our security page.
Quick Checklist for Practice Managers
A short list you can copy, paste or screenshot for colleagues:
- Read the official NHS alert at digital.nhs.uk/cyber-alerts/2026/cc-4774
- Email your website provider with the four questions above
- Get the answers in writing
- If your provider confirms cPanel/WHM use, ask for a specific patch date and the result of the cPanel detection script
- Document the response in your DSP Toolkit evidence file
- If your provider can’t answer the questions clearly, escalate to your ICB
Closing Thoughts
GP practice websites are increasingly central to patient access. They handle online consultations, prescription requests, appointment information and the public-facing front door for new patient registrations. That makes them critical infrastructure, not a nice-to-have. Treating them that way means choosing a platform built for the NHS context rather than retrofitting generic web tooling onto NHS requirements.
We’re not suggesting that everyone should switch suppliers. What we are suggesting is that asking your supplier the questions in the checklist above is a good baseline practice. The answers should give you confidence rather than anxiety, and if they don’t, that’s a useful signal in its own right.
If you’re not sure about your current platform’s security posture, or you’d like a no-obligation second opinion on what NHS-grade web security actually looks like in practice, get in touch. We’re happy to talk through it.