How can you confirm successful logins by ROOT? It is as simple as using the “last” utility as root.
grep "root" /usr/local/cpanel/logs/access_log
The command above is very helpful for seeing whether an account may have been compromised and at what time. Do you travel frequently? For an instant email report, navigate to WHM Home >> Security Center >> cPHulk Brute Force Protection, choose the option to send a notification upon successful root login when the IP address is not on the whitelist, then save. If someone does guess the credentials, you will be notified so that you can try to take action.
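
An added example, not part of the original tip: the grep above matches any line containing "root", including URLs, so this sketch counts only requests whose authenticated-user field is root, grouped by source IP, and marks IPs outside a list you supply. It assumes a common-log-style layout (client IP in field 1, user in field 3, timestamp in field 4); the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example: summarize requests authenticated as root, per source IP.
# Assumption: field 1 = client IP, field 3 = authenticated user,
# field 4 = "[timestamp" (common-log-style layout).

# root_logins_by_ip LOGFILE [ALLOWED_IP ...]
# Output per IP: ip  request-count  first-seen  last-seen  allowed|REVIEW
root_logins_by_ip() {
    log=$1; shift
    allow=" $* "                       # space-padded list for exact matching
    awk -v allow="$allow" '
        $3 == "root" {                 # match the user field, not the whole line
            ip = $1
            ts = substr($4, 2)         # drop the leading "["
            if (!(ip in count)) { first[ip] = ts; order[++n] = ip }
            count[ip]++
            last[ip] = ts
        }
        END {
            for (i = 1; i <= n; i++) {
                ip = order[i]
                state = (index(allow, " " ip " ") > 0) ? "allowed" : "REVIEW"
                printf "%s %d %s %s %s\n", ip, count[ip], first[ip], last[ip], state
            }
        }
    ' "$log"
}

# Constructed sample lines (documentation IP ranges, not real log entries).
# The last line contains "root" only in the URL and belongs to another user.
sample_log() {
    cat <<'EOF'
198.51.100.7 - root [03/14/2024:09:15:02 -0000] "GET /sample/path HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - root [03/14/2024:09:16:40 -0000] "GET /sample/other HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.44 - root [03/15/2024:02:41:19 -0000] "GET /sample/path HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.10 - alice [03/15/2024:08:00:00 -0000] "GET /sample/root/page HTTP/1.1" 200 0 "-" "Mozilla/5.0"
EOF
}

demo() {
    tmp=$(mktemp)
    sample_log > "$tmp"
    root_logins_by_ip "$tmp" 198.51.100.7   # treat 198.51.100.7 as a known admin IP
    rm -f "$tmp"
}
demo
```

On a server, point the function at /usr/local/cpanel/logs/access_log and pass the addresses you normally administer from; any line marked REVIEW is a source to check against your own activity.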