There is a certain appeal to simplicity. You spin up a VPS, run a one-line install script, and within minutes you have a web interface that handles your websites, files, and databases. No manual configuration. No reading man pages at midnight. That is exactly what AAPanel (also known as BT Panel or aaPanel) promises — and for a personal project or a weekend experiment, it delivers.
But production servers are not weekend experiments.
When you are hosting client websites, running e-commerce stores, or managing a team of developers with different access levels, you need more than a quick setup. You need security isolation, auditability, enterprise-grade email infrastructure, and a panel that can grow with your infrastructure. This is where AAPanel starts to show its limits — and where the conversation about alternatives becomes serious.
The question is not "can AAPanel run a PHP website?" — it clearly can. The question is "what happens to all the other websites on your server when one of them is compromised?"
What Is AAPanel?
AAPanel is a free, open-source server control panel developed by a Chinese company called BaoTa (). It supports Ubuntu, Debian, and CentOS, and provides a web interface for managing Nginx or Apache, PHP versions, MySQL, FTP accounts, cron jobs, and basic firewall settings.
It gained popularity primarily due to its low barrier to entry. The install script is short, the interface is clean, and basic operations — adding a website, creating a database, setting up a cron job — are intuitive. For developers who want to self-host without deep Linux knowledge, AAPanel is genuinely useful.
However, the platform has some fundamental architectural decisions that make it a poor fit for production hosting environments, particularly those serving multiple users or clients.
The Privacy and Trust Problem
This is not a geopolitical argument. It is a practical infrastructure security concern.
AAPanel has been repeatedly documented to communicate with external servers — BaoTa's own infrastructure — without transparent disclosure of what data is transmitted. Security researchers and sysadmins have observed the panel making HTTP requests to bt.cn and related domains on startup, during installation, and during normal operation.
For European businesses subject to GDPR, for US government contractors with data residency requirements, or for anyone hosting sensitive client data, this "phone-home" behavior is a red flag. You cannot verify what is being sent, and BaoTa has never provided a public audit of this telemetry.
Beyond telemetry, the panel's update mechanism pulls code from external Chinese servers. This creates a software supply chain risk that is difficult to mitigate without forking the project entirely.
There is also the matter of the 2020 incident where BaoTa was caught collecting sensitive server information — including installed software, system configuration, and browsing history — without user consent. While the company subsequently modified its privacy policy, the trust damage was significant among the international hosting community.
For Western hosting providers and businesses with compliance requirements, these are not theoretical concerns. They are operational blockers.
Where AAPanel Falls Short for Production
No User Isolation
This is AAPanel's most significant architectural weakness. When you host multiple websites on an AAPanel server, all of them run under the same user context. A PHP vulnerability in website A can read the files of website B. A compromised WordPress installation can access the database credentials of every other site on the server.
This is not a configuration issue — it is a design issue. AAPanel has no concept of per-user Linux namespaces, cgroups, or chroot environments. Every website on your server shares the same attack surface.
No Resource Limits Per Site
Without cgroups integration, there is nothing preventing a single misbehaving website from consuming 100% of your server's CPU and RAM. One runaway PHP process, one poorly optimized database query, or one traffic spike can take down every other site on the server.
No Email Infrastructure
AAPanel does not ship with a mail server. You can install Postfix manually, but there is no built-in management for email accounts, DKIM signing, SPF records, DMARC policies, or spam filtering. Email setup on AAPanel is a manual exercise that requires deep system administration knowledge.
No DNS Management
Similarly, DNS must be managed through your domain registrar or a separate service like Cloudflare. AAPanel provides no built-in BIND management, no DNS zone editor, and no Cloudflare integration.
No Docker Integration
Modern server infrastructure increasingly relies on containers. AAPanel has no native Docker management. You can install Docker on the server separately, but you will manage containers entirely through the command line — outside of the panel, without resource controls, without routing integration, and without any visibility into container status from the panel UI.
No RBAC
AAPanel is essentially a single-admin tool. There is a basic "user" concept but no multi-tier permission system. You cannot create a reseller account with limited permissions, a developer account that can deploy code but cannot modify server configuration, or a read-only monitoring account. Everyone with panel access has full access.
No AI Assistance
Diagnosing server issues, optimizing configuration, and responding to security events is still a manual process in AAPanel. There is no intelligent assistance for interpreting logs, suggesting configuration changes, or automating common operational tasks.
No WordPress Toolkit
Despite WordPress powering 43% of the web, AAPanel provides no WordPress-specific tooling — no one-click updates, no staging environments, no security hardening, no plugin management from the panel.
Community Support in Chinese
The majority of AAPanel's documentation, forum discussions, and tutorials are in Mandarin Chinese. The English documentation is sparse and often machine-translated. For non-Chinese-speaking administrators, troubleshooting issues means navigating language barriers on top of technical ones.
AAPanel vs Panelica: Feature Comparison
| Feature | AAPanel | Panelica |
|---|---|---|
| Installation | Yes — One-line script | Yes — One-line script (<3 min) |
| Per-user isolation (cgroups + namespaces) | No | Yes — 5-layer isolation |
| Docker management + templates | No | Yes — 20+ app templates |
| AI server assistant | No | Yes — OpsAI (15 agents) |
| Built-in email (DKIM/SPF/DMARC) | No — Manual install only | Yes — Full mail stack included |
| DNS management (BIND) | No | Yes — Built-in BIND + Cloudflare sync |
| Cloudflare integration | No | Yes — Deep multi-account integration |
| RBAC (multi-tier permissions) | No — Basic only | Yes — ROOT → ADMIN → RESELLER → USER |
| Multi-PHP per user per version | Partial — Multi-version, no per-user | Yes — PHP 8.1–8.5 per-user |
| WAF (ModSecurity + OWASP) | No | Yes — ModSecurity + nftables + Fail2ban |
| SSH chroot jails | No | Yes — Per-user SSH isolation |
| Incremental + remote backups | Partial — Basic tar only | Yes — BTRFS snapshots + S3/SFTP/GDrive |
| Monitoring + Prometheus/Grafana | Partial — Basic resource view | Yes — Full Prometheus + Grafana stack |
| WordPress toolkit | No | Yes — Install, update, staging, hardening |
| One-click migration | No | Yes — cPanel, Plesk, DA, CyberPanel, Hestia |
| API + webhooks | Partial — Limited | Yes — 246 endpoints + webhook system |
| UI (React 19, 42 themes) | Partial — Dated interface | Yes — Modern React 19 + dark/light |
| Mobile app | No | Yes — QR connect, monitoring, management |
| Privacy / no phone-home | No — Documented telemetry | Yes — Self-hosted, no external calls |
| English documentation | Partial — Sparse, often translated | Yes — Full English documentation |
The 5-Layer Isolation Difference
When we say Panelica uses 5-layer isolation, we mean that every user on your server gets five independent security boundaries — not as a premium add-on, but as the default architecture for every plan.
Layer 1: Cgroups v2 — Every user gets hard limits on CPU, memory, disk I/O, and process count. One website cannot starve another. One runaway PHP process cannot consume your entire server.
Layer 2: Linux Namespaces — PID and mount namespaces create a CageFS-style environment per user. Processes in one user's context cannot see or interact with processes in another user's context.
Layer 3: SSH Chroot Jails — SFTP and SSH access for each user is confined to their own directory tree. Users cannot traverse the filesystem and discover other users' files, configurations, or credentials.
Layer 4: PHP-FPM Per-User Per-Version Pools — Each user gets their own PHP-FPM pool with open_basedir restrictions and custom disable_functions. A PHP exploit in one user's application cannot read files outside that user's directory.
Layer 5: Unix Permissions — Dedicated UID/GID per user, home directories set to 700, file ownership strictly enforced. The operating system itself enforces access boundaries.
AAPanel has none of these layers. All websites on an AAPanel server share the same attack surface.
OpsAI: The Operational Assistant AAPanel Cannot Match
Panelica ships with OpsAI — a suite of 15 AI agents that execute real server operations, not just suggestions. When you ask OpsAI why your Nginx is returning 502 errors, it reads the actual logs, analyzes the configuration, and tells you exactly what is wrong. When you ask it to optimize your PHP-FPM configuration for your current traffic patterns, it looks at your actual resource usage metrics and makes specific recommendations.
This is the kind of operational intelligence that would previously require a senior sysadmin on retainer. For small teams and solo operators, OpsAI is the difference between a 3 AM problem and a 3 AM recovery.
Docker Management Built In
With Panelica's Docker manager, you get 20+ pre-configured application templates — Nextcloud, Gitea, Uptime Kuma, n8n, Ollama, and more — each with one-click deployment, automatic subdomain routing, SSL provisioning, and cgroup resource limits. Containers are integrated into the same security and resource management system as your traditional websites.
This is not a bolt-on feature. Docker containers in Panelica are first-class citizens with the same isolation guarantees as PHP websites.
Migrating from AAPanel to Panelica
Panelica's migration system supports importing from AAPanel through its universal migration tool. The process exports your website files, databases, email accounts, and DNS configuration, then imports them into Panelica's isolated user environment.
After migration, each of your sites gets its own isolated environment — cgroups limits, namespace isolation, PHP-FPM pool — without any additional configuration. You are not just moving websites. You are upgrading your entire hosting architecture.
If you currently have sites running on AAPanel that you want to bring into a properly isolated environment, see our comparison guide for a broader look at the server panel landscape.
Ready to Make the Switch?
AAPanel will continue to serve hobby projects and personal servers. But if you are hosting client websites, running production applications, or managing a team with different access levels, you need a panel built with those requirements in mind from the start — not bolted on afterward.
Ready to switch? Install Panelica on Ubuntu 24.04 in under 3 minutes. See the complete setup guide at How to Install Panelica on Ubuntu 24.04.
Your production servers deserve better than a hobby panel.