diff --git a/lib/php-scanner.sh b/lib/php-scanner.sh
index be0e3ea..b760263 100755
--- a/lib/php-scanner.sh
+++ b/lib/php-scanner.sh
@@ -484,25 +484,38 @@ find_domain_access_log() {
     case "${SYS_CONTROL_PANEL:-unknown}" in
         cpanel)
             # cPanel standard locations for access logs
-            # Primary: /var/log/apache2/domlogs/DOMAIN (or DOMAIN-error_log, etc)
-            # Secondary: /home/USER/access-logs/ (symlink to above)
+            # CRITICAL: Must check HTTPS (ssl_log) first since that's where 95%+ of traffic is
+            # Format: /var/log/apache2/domlogs/DOMAIN-ssl_log (HTTPS) or DOMAIN (HTTP)
             local log_file
 
-            # Try standard cPanel domlogs directory FIRST (primary location)
-            log_file=$(find "/var/log/apache2/domlogs" -maxdepth 1 -type f -name "*${domain}*" 2>/dev/null | head -1)
+            # Try standard cPanel domlogs directory FIRST - PREFER SSL LOG (HTTPS)
+            # Most modern traffic is HTTPS, so -ssl_log has the real traffic data
+            if [ -f "/var/log/apache2/domlogs/${domain}-ssl_log" ]; then
+                log_file="/var/log/apache2/domlogs/${domain}-ssl_log"
+            elif [ -f "/var/log/apache2/domlogs/${domain}" ]; then
+                log_file="/var/log/apache2/domlogs/${domain}"
+            fi
 
             # If not found, try user's access-logs directory (symlink, follows)
             if [ -z "$log_file" ]; then
                 local owner
                 owner=$(find_domain_owner "$domain")
                 if [ -n "$owner" ] && [ -d "/home/${owner}/access-logs" ]; then
-                    log_file=$(find -L "/home/${owner}/access-logs" -maxdepth 1 -type f -name "*${domain}*" 2>/dev/null | head -1)
+                    if [ -f "/home/${owner}/access-logs/${domain}-ssl_log" ]; then
+                        log_file="/home/${owner}/access-logs/${domain}-ssl_log"
+                    elif [ -f "/home/${owner}/access-logs/${domain}" ]; then
+                        log_file="/home/${owner}/access-logs/${domain}"
+                    fi
                 fi
             fi
 
             # Try alternative cPanel path
             if [ -z "$log_file" ] && [ -d "/etc/apache2/logs/domlogs" ]; then
-                log_file=$(find "/etc/apache2/logs/domlogs" -maxdepth 1 -type f -name "*${domain}*" 2>/dev/null | head -1)
+                if [ -f "/etc/apache2/logs/domlogs/${domain}-ssl_log" ]; then
+                    log_file="/etc/apache2/logs/domlogs/${domain}-ssl_log"
+                elif [ -f "/etc/apache2/logs/domlogs/${domain}" ]; then
+                    log_file="/etc/apache2/logs/domlogs/${domain}"
+                fi
             fi
 
             echo "$log_file"