
Security Settings

Panel access controls — 2FA enforcement, session timeouts, IP allowlists, login limits, and API access.

Last updated 2026-04-08

Server Mode → Settings → Security Settings controls who can access the Panel and under what conditions. These settings apply exclusively to Panel login and access — they do not affect hosting account SSH, FTP, or email credentials.

Two-Factor Authentication

When Require 2FA for all admin accounts is enabled, every user with an admin role must enroll in TOTP-based 2FA before they can access the Panel. Users who have not yet enrolled are redirected to the enrollment flow on their next login.

Reseller accounts are not subject to this enforcement unless you also enable Require 2FA for resellers.

If an admin loses their 2FA device, recover access via SSH on the server:

# Reset 2FA for a specific admin user
php /opt/opterius/artisan user:reset-2fa admin@example.com

Session Timeout

Sets how long an idle authenticated session remains valid before the user is logged out. Default is 120 minutes.

Lower values increase security but may frustrate admins who keep the Panel open in a background tab. A value of 30–60 minutes is a reasonable balance for most setups.

Sessions are invalidated on logout regardless of this setting.

Allowed Admin IP Ranges

Restrict Panel admin login to specific IP addresses or CIDR ranges. When set, login attempts from outside the listed ranges are rejected with a 403 before the login form is even submitted.

Enter one IP or CIDR per line:

203.0.113.10
198.51.100.0/24
2001:db8::/32

Warning: If you lock yourself out by entering the wrong IP range, you will need to edit the Panel configuration directly on the server:

# Clear IP restrictions via Artisan
php /opt/opterius/artisan settings:set security.allowed_ips ""

Leave the field empty to allow logins from any IP (default).
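A pre-save lockout check for the allowlist format described above, as an added example (not Opterius code). It assumes standard CIDR containment and treats an empty list as "allow any", per the page; the function names and the two bad sample entries are constructed for illustration.

```python
import ipaddress

# Constructed sample: the three entries from the page plus two mistakes.
SAMPLE_ALLOWLIST = """\
203.0.113.10
198.51.100.0/24
2001:db8::/32
198.51.100.7/24
not-an-ip
"""

def parse_allowlist(text):
    """Return (networks, errors) for a one-entry-per-line allowlist."""
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True rejects CIDRs with host bits set (198.51.100.7/24),
            # which usually means a typo in the address or the prefix length.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append((lineno, entry, str(exc)))
    return networks, errors

def is_allowed(client_ip, networks):
    """True if client_ip is inside any listed network of the same IP version."""
    addr = ipaddress.ip_address(client_ip)
    if not networks:  # empty list means any IP may log in (page default)
        return True
    return any(addr.version == net.version and addr in net for net in networks)

def lockout_check(text, my_ip):
    """Refuse a list that has invalid entries or does not cover my_ip."""
    networks, errors = parse_allowlist(text)
    if errors:
        return False, [f"line {n}: {e!r} is not a valid IP or CIDR" for n, e, _ in errors]
    if not is_allowed(my_ip, networks):
        return False, [f"{my_ip} is not covered; saving would lock this address out"]
    return True, []
```

Pass the address the Panel actually sees for your connection (your public egress IP if you are behind NAT or a proxy), and check both your IPv4 and IPv6 addresses if the server is dual-stack.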

Login Attempt Limits

Sets the number of failed login attempts before an account is temporarily locked. Default: 5 attempts → 15-minute lockout.

Locked accounts can be unlocked manually in Server Mode → Users or by waiting out the lockout period. Unlock via command line:

php /opt/opterius/artisan user:unlock admin@example.com

API Access

Toggle to enable or disable the Opterius REST API entirely. When disabled, all API requests return 503 ("API access is disabled").

Disable the API if you are not using WHMCS integration or any other API client and want to reduce the attack surface. See WHMCS Installation if you need the API enabled for WHMCS provisioning.
