If my users have to access the cPanel from wherever they may be, how does a VPN or SSH reverse proxy help? Not trolling, I'm genuinely ignorant of top level security practices.
Because instead of exploiting cpanel directly from any random IP on the Internet globally, attackers first have to compromise your VPN connection.
It's a pretty significant barrier and dramatically reduces the amount of attack surfaces out there.
Mobile/Desktop OS's have come a LONG way in VPN support, so requiring VPN access for critical access (and administrative access should always be considered critical!) is not near the barrier of entry it used to be. Heck anyone can set a VPN server up on a raspberry pi in minutes that can handle hundreds of megabits of traffic - piVPN with Wireguard is drop dead simple to configure and deploy (WAY easier than the mess that is OpenVPN); the amount of friction to implement a VPN these days is just about negligable. It's a harder problem for service providers like this one that have thousands of customers - but they certainly had some sort of user account management/provisioning system; it' way past time to expect those to be able to handle security certificate management too.
It's far less effort than cleaning up messes like the one being profiled here! And if you have sensitive data? Once your system is compromised it's no longer sensitive. It's now public knowledge :p
