- Improvement: Fix for 'invalid token' error in login form
- Bugfix: Download the backup file from remote FTP/SFTP if the backup is not locally available
- Improvement: Show full LetsEncrypt error in the hosting panel
- Improvement: Enhance the v-backup-users script to manage long-running processes by terminating those active for over 10 days
- Improvement: Keep 'group = www-data' in FPM pool.d conf for $HOSTNAME vhost
- Bugfix: Fix GPG key handling for sury.org repository in v-commander
- Bugfix: v-move-folder-and-make-symlink: If FROMFOLDER is not an absolute path, make it absolute
- Improvement: Update v-backup-user to resolve symbolic link handling for backup location and ensure accurate disk space validation
- Improvement: phpgate-agent-strings.php update
- Bugfix: Fix backup download logic in v-restore-user to prevent unnecessary downloads if the backup file already exists
- Bugfix: Refactor file path handling in v-df-snapshot-diff
- Improvement: Add installation script for web-fail2ban in v-commander
- Improvement: Support for $WEB_FAIL2BAN_ONLY_NGINX configuration
- Improvement: Support for IPv6 for fail2ban-web filters
- Improvement: Add last log error for backup failures in v-backup-users
- Improvement: Delete the pool.d config file of the previously selected PHP FPM version
- Improvement: v-install-wordpress: Fix check for $NO_PROMPT and suppress output for grep | sed
- Bugfix: v-install-wordpress: Use MAX_DBUSER_LEN=32 if MySQL 8 installed
- Enhance v-df-snapshot-diff and v-df-snapshot-make scripts to use /dev/shm for temporary storage when the root partition is low on space
- Improvement (as temporary solution): Suspend 'v-fix-website-permissions-for-all-websites-only-php' cron during myVesta install
- WordPress Install/Lock/Unlock/Clone/AddAdmin functionalities directly from the hosting panel
- Many other minor bugfixes and improvements...
- Improvement: Introducing a new command: v-change-phpmyadmin-url
- Bugfix: Restarting Nginx if fixssl.conf is applied
- Basic .mdc rules and 'example-of-linux-root-folder' for better AI understanding and faster development in Cursor
- Improvement: Activating FileManager licence for all users (credits to Official VestaCP)
- Introducing a malware cleaning set of tools (v-install-wordfence-cli, v-desinfect-wordpress, v-fix-wordpress-core, v-change-database-password-for-wordpress, v-change-wordpress-admin-passwords, v-delete-inactive-wordpress-plugins-and-themes, v-delete-wordpress-uploads-php-files) (credits to isscbta)
- Improvement: Added support for PHP 8.3 and 8.4
- SRS support for Exim4 (v-add-srs-support-to-exim) (credits to HestiaCP)
- Security: Ensuring that PHP files are visible only to the account they belong to - setting chmod 600 for all .php and .env files (also added as admin cronjob - v-fix-website-permissions-for-all-websites-only-php)
- Added cronjob for disk usage snapshot (size of each folder) to see what folder is growing every day (v-df-snapshot-make, v-df-snapshot-diff [some-day-snapshot] [some-other-day-snapshot])
- Bugfix: SSL fix for Apache 2.4.65+ (fix for '421 Misdirected Request')
- Bugfix: vst-install-debian.sh: ability to install MySQL 8 on Debian 12
- Improvement: Update nginx block-firewall.conf when user blocks 80,443 ports for some IPv4 address in the Firewall section of the admin panel
- Improvement: v-install-wordpress: Support for IDN format domains
- Security: Adding ProFTPD jail rule to Fail2Ban
- Introducing: v-make-main-apache-log - making one log file for PHP requests for all websites
- Security: Introducing a new command: v-fix-php-ini-disable-functions
- Improvement: Introducing myVesta rules for SpamAssassin (enhancing spam filtering)
- Improvement: When deleting a domain, also delete the database if the domain has a database
- Bugfix: Removing temporary Docker container network interfaces from RRD
- Introducing v-run-wp-cli-myvesta that knows the correct terminal width
- Introducing a new command: v-cd-www alias for v-change-dir-www
- Introducing a new command: v-clear-fail2ban
- Introducing a new command: v-get-dns-config (to print zone file in bind9 format)
- Introducing DISABLE_IP_CHECK as a vesta.conf variable (if logged-in user is getting a new IPv4 address every minute)
- Security: Introducing a parse_object_kv_list_non_eval() function in main.sh, to avoid the evil eval command
- Security: Enhance package validation, in v-change-user-package 'eval' replaced with 'parse_object_kv_list_non_eval'
- Improvement: Replacing all WordPress scripts to use 'v-run-wp-cli' instead of 'wp'
- Improvement: v-install-wordpress: Almost always use https
- Improvement: Skip the prompt to continue during myVesta installation if the administrator has set all required variables in the command line
- Security: Jailing v-run-wp-cli (running WP-CLI as user, added open_basedir, disabling shell_exec() and other dangerous PHP functions)
- Security: v-commander: removing the ability to set a root password
- Bugfix: DKIM record deletion command in v-delete-mail-domain-dkim script
- Adding FTP / SFTP port for Remote Backup (credits to ikheetjeff)
- Introducing a new command: v-delete-mails - delete emails older than N days (credits to isscbta)
- Introducing new commands: v-blacklist-email-domain, v-blacklist-email-account, v-whitelist-email-domain, v-whitelist-email-account (credits to isscbta)
- Bugfix: v-move-folder-and-make-symlink: use 'mv' instead of 'rsync'
- Improvement: Calculate the size of directories on /hdd too
- Bugfix: v-move-domain-and-database-to-account: Update wordfence-waf.php
- Bugfix: v-add-letsencrypt-domain: Detecting valid status on wildcard variant
- Bugfix: db.sh and v-clone-website: mysqldump --max_allowed_packet=1024M
- Bugfix: web/index.php: Prevent recreation of token by shitty browser add-ons
- Bugfix: v-restore-user: permissions fix while restoring backup
- Bugfix: Add some loops due to 403 errors during LE request in some random cases
- Improvement: v-clone-website: adding --EXCLUDE_UPLOADS parameter
- Bugfix: vst-install-debian.sh - removing phppgadmin
- Bugfix: v-update-firewall: $FIREWALL_STATEFUL conf variable (for Infomaniak VPS servers)
- Bugfix: Awstats template for all systems does not have a closed bracket in line 27 (credits to gkirde)
- Bugfix: Update v-import-cpanel-backup - removing /*!999999- enable the sandbox mode */
- Bugfix: Small PHP syntax fixes in the admin panel
- Introducing nginx template 'wprocket-webp-express-force-https' (credits to Luka Paunovic)
- Improvement: Added functions to check if a domain or user is unsuspended in main.sh
- Introducing a new command: v-update-document-errors-files
- Improvement: new v-backup-user-now command does backup even if the system Load Average is above the limit, or the administrator configured backups to perform only at night
- Improvement: v-install-wp-cli and v-install-wp-cli-myvesta - automatically updates if wp-cli is 30 days old
- Bugfix: Check for SSL certificate existence before deleting web domain SSL in v-install-unsigned-ssl
- Improvement: v-install-wordpress: avoid changing nginx proxy template in apache-less variant
- Added to .gitignore excludes for 'data', 'conf', and 'log' folders
- And many other minor bugfixes and improvements...
- SpamHaus DNSBL removed from exim4
- A lot of small bugs fixed
- Introducing v-run-wp-cli command ( @isscbta )
- Introducing v-add-wordpress-admin command ( @isscbta )
- Few bugs fixed
- Introducing v-edit-php-ini command ( @isscbta )
- Introducing v-edit-domain-php-ini command ( @isscbta )
- Get quick info about a banned IP (Host, Banlist, Location) (many thanks to @VasilisParaschos )
- Few bugs fixed
- Few bugs fixed
- Support for Debian 12 ( in mutual cooperation with @HestiaCP )
- Hosting panel UI performance fix
- Redesign of hosting panel
- Fix for WP_CACHE_KEY_SALTs in v-clone-website command
- Fix for "Helo name contains a ip address" in Exim4
- Fix for Exim4 for punycode domains (in collaboration with @HestiaCP )
- Fix for LetsEncrypt Asynchronous Order Finalization (in collaboration with @HestiaCP )
- Many bugfixes
- Hotfix for LetsEncrypt to prevent Apache falling
- New script: v-commander (useful for maintaining the server)
- New script: v-activate-rocket-nginx (serve WP-Rocket cache directly from nginx)
- New script: v-update-myvesta (get the very latest build of myVesta)
- v-clone-website: By default cloning to database: user_domain_com (instead of cloning to database: user_old_db_migrated)
- Many minor bugfixes
- Support for PHP 8.2
- New script: v-move-folder-and-make-symlink
- New script: v-lock-wordpress (to prevent PHP malware) and v-unlock-wordpress
- v-install-wordpress: Installing WordPress to user_domain_com database instead of installing to user_wp database
- Many minor bugfixes
- [Security] hash_equals() in /reset/mail/ (credits to @divinity76 )
- Avoid out-of-memory while downloading large log files from panel (credits to @divinity76 )
- Fix for a boring PHP Notice in vesta-php
- Fix for GMail SMTP timeouts on Debian11
- [Security] Fix for Local Sed Injection Vulnerability ( credits to @cleemy-desu-wayo )
- Adding Barracuda RBL to SpamAssassin
- Fixing insane HTML form bug in List backup items page
- Script for easily adding a second IP address for SMTP authenticated users only (v-make-separated-ip-for-email)
- Support for MySQL 8
- [Security] Preventing brute-force resetting password (thanks to HestiaCP @hestiacp for fix)
- Many minor bugfixes
- Checking if FreshClam is started after installation
- Support for PHP 8.1
- Function to ensure that pool.d folders are not empty
- Fix: do not match wildcard "domains" and "databases" while restoring
- Added memcached to v-list-sys-services
- Many fixes for "List services" page (v-list-sys-services function)
- Many small bugfixes and CSRF fixes
- Support for Debian 11
- Fixed two bugs in LetsEncrypt generating process
- Enabling TLS for ProFTPD FTPS
- More logical "Restore backup" template
- [Feature] Updating CloudFlare IP addresses
- [Feature] Logging whole LetsEncrypt process to /usr/local/vesta/log/letsencrypt.log and /usr/local/vesta/log/letsencrypt_cron.log
- [Feature] Warn admin once (by sending email) if LetsEncrypt renewing failed for server hostname
- [Bugfix] Correct truncating of CA LetsEncrypt certificate (thanks to HestiaCP @hestiacp for fix)
- [Security] Preventing denial-of-service in openssl library in vesta-nginx service (CVE-2021-3449)
- [Security] Preventing admin to install non-vesta packages from vesta admin panel user interface (Credits to: Numan Türle @numanturle)
- [Bugfix] Preventing multiple execution of v-backup-users
- [UserInterface] CSS fix for Apache status table (Credits to: Milos Spasic)
- [Security] fix for: CSRF remote code execution in UploadHandler.php - CVE-2021-28379 (Credits to: Fady Osman @fady_othman)
- [Security] fix for: Local privilege escalation from user account to admin account via v-add-web-domain (Credits to: Two independent security researchers, Marti Guasch Jiménez and Francisco Andreu Sanz, working with the SSD Secure Disclosure program) (and also thanks to HestiaCP @hestiacp for fix)
- [Security] fix for: Local privilege escalation in v-generate-ssl-cert (potential user to admin or root escalation) (Credits to: Numan Türle @numanturle, thanks to HestiaCP @hestiacp for fix)
- [Security] fix for: Local privilege escalation in /web/api/ via v-make-tmp-file (probably admin to root escalation) (Credits to: Numan Türle @numanturle, thanks to HestiaCP @hestiacp for fix)
- [Security] fix for: Cross site scripting in /web/add/ip/ (admin to other admin XSS escalation) (Credits to: Numan Türle @numanturle, thanks to HestiaCP @hestiacp for fix)
- [Security] fix for: Admin to root escalation in v-activate-vesta-license (Credits to: Numan Türle @numanturle)
- [Security] Ensure HTML will not be displayed in list log page (Credits to: Kristan Kenney @kristankenney, thanks to HestiaCP @hestiacp for fix)
- [Feature] Support for PHP 8.0, see: https://forum.myvestacp.com/viewtopic.php?f=18&t=52
- [Bugfix] Making sure Apache is in mpm_event mode
- Few bugfixes
- Few bugfixes
- [Security] Fixing useless issue with tokens in "download backup" and "loginas" functions (thanks to HestiaCP for fixes)
- [Security] Fixing XSS in /list/rrd/?period= value
- [Security] Fixing Apache status public access (thanks to HestiaCP for letting us know)
- [Bugfix] Fixing LetsEncrypt deprecated GET method for ACME v2 (thanks to @moucho)
- [Bugfix] Fixing Roundcube to send via authenticated SMTP user instead of via PHP
- [Bugfix] Checking necessary available disk space before doing backup
- [Security] Disabling login with 'root'
- [Feature] Limiting max recipients per email to 15, in order to prevent mass spamming
- [Bugfix] While restoring backup, only exclude logs folder from root, not in public_html
- [Bugfix] Split long DNS TXT entries into 255 chunks
- [Feature] Ability to set some domain to send emails from another IP (command: v-make-separated-ip-for-email-domain)
- [Feature] v-replace-in-file command introduced
- [Security] Making sure new myVesta commands can be called only by root
- [Feature] v-import-cpanel-backup command moved to vesta-bin folder (becoming standard myVesta command)
- Starting to log auto-update output
- New ASCII logo in installer
- Deleted favicon when user doesn't know secret-url of hosting panel
- [bugfix] Minor bug fixed in v-make-separated-ip-for-email
- [bugfix] Minor fix of URL for templates in v-update-dns-templates
- [bugfix] Minor fixes in installer
- [Feature] v-clone-website command moved to vesta-bin folder (becoming standard myVesta command)
- [Feature] v-migrate-site-to-https command moved to vesta-bin folder (becoming standard myVesta command)
- [Bugfix] Fix for ClamAV socket
- Changing Vesta to myVesta in title of hosting panel pages
- [Feature] v-install-wordpress command introduced
- [Feature] v-move-domain-and-database-to-account command introduced
- [Feature] v-make-separated-ip-for-email command introduced
- [Bugfix] Fix for LetsEncrypt issuing in apache-less variant (nginx + php-fpm variant)
- [Bugfix] Fix for configuring phpMyAdmin DB in apache-less variant (nginx + php-fpm variant)
- [Feature] Admins now see changelog when they open myVesta panel after myVesta gets updated (changelog will disappear on next refresh)
- [Bugfix] Better control of opened SMTP concurrent connections (preventing denial-of-service of SMTP) on fresh installed servers - https://github.com/myvesta/vesta/commit/c57b15b5daca2a0ea88ee6a89a2ff5a4ef47d2a3
- Second tuning of php-fpm pool.d config files (performance and limits)
- [Feature] Self-signed SSL will be automatically added when you add a new domain (CloudFlare is fine with that, you don't need LetsEncrypt anymore if you use CloudFlare as reverse-proxy (CDN+Firewall), just set "Full" in SSL section on CloudFlare)
- [Feature] Script for adding self-signed SSL to desired domain [v-install-unsigned-ssl]
- From now on, on freshly installed servers, the default backup cron runs on Saturday at 01 AM (instead of every day at 05 AM)
- New favicon for hosting panel
- [Security] Fixing unnecessary slash in nginx configs for phpmyadmin and roundcube (Credits to Bernardo Berg @bberg1984 for finding this issue!)
- [Security] Adding escapeshellarg on few more places in php code (Credits to Talha Günay and @Lupul for finding these places)
- [Bugfix] nginx + php-fpm installer variant now finally works
- Adding label that LetsEncrypt can be added when you Edit domain
- [Bugfix] Checking (in order to delete) php7.4 pool config file while deleting domain
- [Feature] Blocking executable files inside archives in received emails (ClamAV)
- [Bugfix] Removing ability to schedule LetsEncrypt issuing while adding new domain (because it can fall into an infinite loop for the whole day)
- [Bugfix] Force acme-challenge to use Apache if myVesta is behind main nginx
- [Bugfix] Adding http2 support to nginx caching.tpl
- [Bugfix] Script that removes deprecated 'ssl on;' in nginx templates
- [Security] Ensure UPDATE_SSL_SCRIPT is not set in some config files
- [Bugfix] Script that will ensure that Apache2 will always stay in mpm_event mode
- [Bugfix] Ensure config files will not be overwritten while updating vesta-nginx package
- [Bugfix] Fixing URL in v-update-web-templates script
- [Feature] Additional rates for nginx anti-denial-of-service templates
- [Bugfix] Do not match subdomains while restoring domain [v-restore-user]
- [Bugfix] Fixing NS parameters in v-add-dns-on-web-alias
- [Bugfix] Reverting default clamav socket path
- [Bugfix] Put mail_max_userip_connections = 50 in dovecot
- [Bugfix] Allow quick restarting of nginx if acme-challenge should be added many times
- [Bugfix] Enabling email notification to fresh installed servers about backup success status
- [Bugfix] Timeout 10 sec for apache2 status
- [Feature] nginx templates that can prevent denial-of-service on your server
- First tuning of php-fpm pool.d config files (performance and limits)
- New logo
- v-clone-website script switched to parameters
- Display new version in console while updating myVesta
- [Feature] Put build date and version in right-bottom corner of control panel
- [Feature] Put build date and version while compiling myVesta
- [Feature] Office365 DNS template
- [Feature] Yandex DNS template
- ProFTPD MaxInstances = 100 for fresh installed servers
- [Feature] Skipping LE renewing after 7 failed attempts
- [Bugfix] Keep conf files during auto-update
- [Bugfix] Do not restart apache while preparing letsencrypt acme challenge
- [Bugfix] Set ALLOW_BACKUP_ANYTIME='yes' for fresh installed servers
- [Feature] Creating v-normalize-restored-user script (normalize NS1, NS2 and IP of an account that was backed up on another server and restored on this server)
- Tweak for hostname FPM conf
- [Security] Forbid changing root password (Credits to Alexandre ZANNI, Orange Cyberdefense, https://cyberdefense.orange.com)
- [Security] Importing system environment in v-change-user-password (Credits to Alexandre ZANNI, Orange Cyberdefense, https://cyberdefense.orange.com)
- [Security] Preventing manipulation with $_SERVER['HTTP_HOST'] (Credits to @mdisec - Managing Partner of PRODAFT / INVICTUS A.Ş. Master ninja at pentest.blog)
- [Security] Temporary fix for parsing backup conf (Credits to @dreiggy - https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/)
- [Bugfix] Fix that avoids LetsEncrypt domain validation timeout
- [Bugfix] Set timeout in v-list-sys-web-status script
- [Bugfix] mail-wrapper.php from now works
- [Feature] Introducing NOTIFY_ADMIN_FULL_BACKUP, email notification about backup success status
- [Feature] Introducing KEEP_N_FTP_BACKUPS, ability to limit number of remote FTP backups
- [Feature] Introducing force-https-webmail-phpmyadmin nginx template
- [Feature] Trigger for /root/update_firewall_custom.sh
- [Security] sudoers fix for Debian10
- [Feature] Script that will migrate your site from http to https, replacing http to https URLs in database
- [Feature] Cloning script that will copy the whole site from one domain to another (sub)domain
- [Feature] Script that will install multiple PHP versions on your server
- [Bugfix] Roundcube force https
- [Bugfix] Exim compatibility with Loopia for Debian10
- [Feature] Allow whitelisting specific IP for /api/
- [Feature] Allow whitelisting specific IP to avoid secret_url
- [Feature] Allow Softaculous in secure_login gateway
- [Bugfix] apparmor install fix again
- [Bugfix] Turning off MariaDB SQL strict mode
- [Bugfix] Better check if session cron already added
- [Feature] Support for sub-sub-sub-sub versions :))
- [Bugfix] Support for longer username of email accounts
- [Bugfix] apparmor install fix
- [Bugfix] Trying to fix ClamAV broken socket
- Moving to myvestacp.com
- [Bugfix] Let's Encrypt HTTP/2 support (by @serghey-rodin)
- [Bugfix] Fixing broken autoreply output
- [Feature] Multi-PHP support for PHP 7.4
- [Feature] Multi-PHP installer for Debian 8
- [Bugfix] Cron for removing old PHP sessions files
- [Bugfix] New CloudFlare IPs
- [Security] MySQL port blocked by default from outside
- [Feature] Warning when server hostname is not pointing to server IP
- [Feature] max_length_of_MySQL_username=80
- Support for Debian 10 (previous Debian releases are also supported, but Debian 10 is recommended)
- Support for multi-PHP versions
- You can limit the maximum number of sent emails (per hour) per mail account and per hosting account, preventing hijacking of email accounts and preventing PHP malware scripts from sending spam.
- You can see what PHP scripts are sending emails, when and to whom
- You can completely "lock" myVesta so it can be accessed only via secret URL, for example https://serverhost:8083/?MY-SECRET-URL
- Literally no PHP scripts will be alive on your hosting panel (won't be able to get executed), unless you access the hosting panel with secret URL parameter. Thus, when it happens that, let's say, some zero-day exploit pops up - attackers won't be able to access it without knowing your secret URL - PHP scripts from myVesta
- We disabled dangerous PHP functions in php.ini, so even if, for example, your customer's CMS gets compromised, a hacker will not be able to execute shell scripts from within PHP.
- Apache is fully switched to mpm_event mode, while PHP is running in PHP-FPM mode, which is the most stable PHP-stack solution
- OPCache is turned on by default
- Auto-generating LetsEncrypt SSL for server hostname (signed SSL for Vesta 8083 port, for dovecot (IMAP & POP3) and for Exim (SMTP))
- You can change Vesta port during installation or later using one command line: v-change-vesta-port [number]
- Backup will run with lowest priority (to avoid load on server), and can be configured to run only at night (and to stop in the morning and continue the next night)
- You can compile Vesta binaries by yourself
- Script that will convert Vesta to myVesta
- WordPress installer in one second
- Script for importing cPanel backups to Vesta
- Official Vesta Softaculous installer