Forum Moderators: phranque


VPS Login Credentials - this can't be right . is it?


alistairgd

1:01 pm on Nov 4, 2021 (gmt 0)

10+ Year Member Top Contributors Of The Month



My webhost has supplied me with login credentials for a VPS server that appears really weak to me and cause for concern.

The WHM login URL is https://server.<mydomain>:<portnumber>
The login user name is the default "root".

This seems to me to be very weak...couldn't any malicious actor easily guess such a URL and brute force it?

I asked them to harden it and the response was that they couldn't change the root username.

NickMNS

1:34 pm on Nov 4, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



couldn't any malicious actor easily guess such a URL and brute force it?

Neither the URL nor the username is really a factor in whether or not one can "brute force it". The only thing that matters in a brute force attack is the strength of the password. Certainly obfuscating the username and URL will make it more difficult to some extent, but neither of these are secret or meant to be secret, so the difference is somewhat trivial.

Moreover, it is generally recommended that you log in once as root and create a new user with "sudo" root privileges and then disable the ability to login as root, and from that point forward login as the user you created, but I'm not sure if that is possible with WHM.

robzilla

3:09 pm on Nov 4, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



On top of what NickMNS said, if you're worried about brute-force attacks succeeding, consider implementing two-factor authentication:
[docs.cpanel.net...]

alistairgd

3:43 pm on Nov 4, 2021 (gmt 0)

10+ Year Member Top Contributors Of The Month



I'll go the two-factor authentication route, I think that works well and is relatively painless. Thanks.

csdude55

7:14 am on Nov 7, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Another suggestion: change the name of the server to something hard to guess. You're right that a link like server.example.com is easy for anything to guess, but:

jidfkjgerdgfkjhcv.example.com

might be a bit safer.

I know that security is a big concern for you, so you could always go to the Apache configuration and restrict that port entirely to pre-approved IPs or ranges. That's what I did with mine.

I'd mentioned downloading CSF before, too. That'll block any IP that has a pre-defined number of failed login attempts.
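The behaviour described above (block any source that racks up a set number of failed logins) is easy to reproduce against a log file. The following is an added example written for this thread; it is not CSF's own code. The sshd log lines are constructed, the threshold and window are illustrative, and the `csf -d` command lines it renders are only returned as strings, never executed.

```python
"""Flag source IPs whose failed logins exceed a threshold inside a time
window, the mechanism behind "block any IP that has a pre-defined number
of failed login attempts" (CSF exposes this as a per-daemon trigger count
and an interval, e.g. LF_SSHD and LF_INTERVAL in csf.conf).

Added example, not CSF code. Log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format sshd writes to auth.log.
SAMPLE_LOG = """\
Nov  7 06:58:01 vps sshd[2201]: Failed password for root from 203.0.113.7 port 50211 ssh2
Nov  7 06:58:03 vps sshd[2201]: Failed password for root from 203.0.113.7 port 50212 ssh2
Nov  7 06:58:05 vps sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 50213 ssh2
Nov  7 06:58:06 vps sshd[2205]: Failed password for root from 203.0.113.7 port 50214 ssh2
Nov  7 06:58:09 vps sshd[2207]: Failed password for root from 203.0.113.7 port 50215 ssh2
Nov  7 07:01:44 vps sshd[2210]: Failed password for alice from 198.51.100.22 port 40010 ssh2
Nov  7 07:01:50 vps sshd[2212]: Accepted publickey for alice from 198.51.100.22 port 40011 ssh2
Nov  7 07:30:00 vps sshd[2300]: Failed password for root from 192.0.2.9 port 41000 ssh2
Nov  7 09:30:00 vps sshd[2400]: Failed password for root from 192.0.2.9 port 41001 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional so
# both unknown and known account names are captured.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2021):
    """Yield (timestamp, user, ip) for every failed-password line.

    syslog lines carry no year, so the caller supplies it (constructed
    default matches the sample data).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def ips_to_block(log_text, threshold=5, window_seconds=600):
    """Return {ip: total_failures} for every source that produced at least
    `threshold` failures inside any sliding window of `window_seconds`.
    """
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_ip[ip].append(ts)

    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def csf_deny_commands(flagged):
    """Render one `csf -d IP comment` line per flagged IP (returned as
    strings for review; nothing here runs them)."""
    return [f'csf -d {ip} "{count} failed logins"'
            for ip, count in sorted(flagged.items())]


if __name__ == "__main__":
    for cmd in csf_deny_commands(ips_to_block(SAMPLE_LOG)):
        print(cmd)
```

With the defaults, only 203.0.113.7 is flagged: five failures in eight seconds. The two attempts from 192.0.2.9 are two hours apart, so they never fall into one ten-minute window; widen `window_seconds` and lower `threshold` and they are caught too, which is exactly the trade-off you tune when setting a login-failure blocker.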

robzilla

12:06 pm on Nov 7, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Another suggestion: change the name of the server to something hard to guess

Oftentimes a control panel can also be accessed using the IP address, or any domain that resolves to it even, so long as you use the appropriate port. The easiest way to find servers running cPanel is with an IP range scan for ports 2082-2083, port 8443 for Plesk, etc.

geekay

7:40 pm on Nov 7, 2021 (gmt 0)

10+ Year Member



Oftentimes a control panel can also be accessed using the IP address, or any domain that resolves to it even

Does "access" mean access the cPanel log in page or access the cPanel home page?

I can occasionally see the referrer cpanel.example.com (where example.com stands for my actual domain) in my raw access logs. Shared hosting. I do not understand how that referrer could mean that my cPanel has been compromised and no irregularities have been found on the site. But what does such a referrer indicate?

Additionally, the same IPs causing this referrer are blocked in an .htaccess file that otherwise works as it should. I.e. by using the referrer cpanel.example.com it appears to be possible to bypass the IP blocking. Any ideas?

The above may of course be two separate issues although they originate from the same IP.

(Moderators please move to another thread if this post is too off topic.)

robzilla

9:13 pm on Nov 7, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Does "access" mean access the cPanel log in page or access the cPanel home page?

The log-in page. You'd still need to log in thankfully ;-) The server often just responds the same way for a request for 1.1.1.1:2083 as it would for cpanel.example.com:2083. I was just pointing out that changing the hostname from server.example.com to something more obscure like j93apw.example.com doesn't really help, since port scans are usually done on IP ranges instead of domains.

I do not understand how that referrer could mean that my cPanel has been compromised

Most likely, it doesn't. Do a lookup on the IP address responsible for the log entry and you'll probably find it's owned by a hosting company, i.e. it's a (rogue) bot. The referrer can easily be faked, too.

Additionally, the same IPs causing this referrer are blocked in an .htaccess file that otherwise works as it should. I.e. by using the referrer cpanel.example.com it appears to be possible to bypass the IP blocking. Any ideas?

A request will still appear in your access logs even when the IP address is blocked, because it still reaches the web server.

geekay

3:56 am on Nov 8, 2021 (gmt 0)

10+ Year Member



A request will still appear in your access logs even when the IP address is blocked, because it still reaches the web server.

These requests with cPanel as referrer get a 200 response, which they should not get as the IP range is blocked in .htaccess. The ranges in question are huge Chinese IP blocks and if the referrer is something other than cPanel I can see that the IP gets a 403 as it should. I am scratching my head and wondering what magic there might be in cPanel as a referrer... However, no harm has been done so far.

csdude55

5:44 am on Nov 8, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I would suggest that you post the .htaccess in the Apache section (redacting anything sensitive, of course), and we'll look and see if there's any issue letting the offending IP through. But an easy test might be to add your own IP to the list and see exactly what happens when you go there and what shows up in the log.
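Before posting the .htaccess, it helps to pull the evidence out of the raw access log in one pass: every request whose client address falls inside a denied range but that still got something other than 403, grouped by the Referer it carried. The script below is an added example for geekay's question and csdude55's suggested self-test; it is not cPanel or Apache code. The CIDR ranges and the combined-format log lines are constructed, and `is_blocked()` is a quick way to confirm that an address you are about to test with (your own, per the suggestion above) really sits inside the ranges the file lists.

```python
"""Sift Apache combined-format access log lines for requests from denied
IP ranges that were nevertheless answered with a non-403 status, grouped
by Referer.

Added example for this thread, not cPanel/Apache code. Ranges and log
lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed: ranges the site's .htaccess is supposed to deny.
BLOCKED_RANGES = [ipaddress.ip_network(c)
                  for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed lines in Apache "combined" LogFormat.
SAMPLE_ACCESS_LOG = """\
203.0.113.45 - - [07/Nov/2021:19:02:11 +0000] "GET / HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.45 - - [07/Nov/2021:19:02:14 +0000] "GET /index.html HTTP/1.1" 200 5120 "https://cpanel.example.com/" "Mozilla/5.0"
198.51.100.8 - - [07/Nov/2021:19:05:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "https://cpanel.example.com/" "python-requests/2.26"
192.0.2.10 - - [07/Nov/2021:19:06:30 +0000] "GET /about.html HTTP/1.1" 200 3100 "https://www.example.com/" "Mozilla/5.0"
203.0.113.99 - - [07/Nov/2021:19:07:00 +0000] "POST /contact HTTP/1.1" 403 199 "https://www.example.com/" "curl/7.79"
"""

# Fields of the combined format: client, ident, user, time, request,
# status, size, referer, user agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def is_blocked(ip_text, ranges=BLOCKED_RANGES):
    """True if the address lies inside any of the denied ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ranges)


def find_leaks(log_text, ranges=BLOCKED_RANGES):
    """Return {referer: [(ip, status, request), ...]} for every request
    from a denied range that did not receive a 403."""
    leaks = defaultdict(list)
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if not is_blocked(m["ip"], ranges):
            continue
        status = int(m["status"])
        if status == 403:
            continue  # the deny rule did its job
        leaks[m["referer"]].append((m["ip"], status, m["request"]))
    return dict(leaks)


if __name__ == "__main__":
    for referer, hits in find_leaks(SAMPLE_ACCESS_LOG).items():
        print(f"referer {referer!r}: {len(hits)} non-403 request(s) from denied ranges")
        for ip, status, request in hits:
            print(f"  {ip} {status} {request}")
```

Apache's IP-based access control (`Require ip` / `Deny from`) does not consult the Referer header, so if this reports hits the thing to check is whether those requests were actually covered by the rule: a different directory or virtual host without that .htaccess, or a listed range that does not contain the address in question. Running your own address through `is_blocked()` before the self-test csdude55 describes removes the second possibility from the start.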