Every hosting panel vendor claims their product is "secure." Security is the word that appears in every feature list, every landing page headline, every sales pitch. It means almost nothing without specifics.
The real security question for a hosting panel isn't "does it have a firewall?" It's: when one of your hosted accounts gets compromised, how much damage can an attacker actually do?
The answer depends almost entirely on user isolation — the mechanisms that prevent a compromised account from accessing other accounts, reading other users' files, consuming all server resources, or escalating to root access. This is the security feature that separates panels that are actually secure from panels that use the word "secure" as marketing.
We audited the isolation architecture of six major hosting panels. Here's exactly what each one does — and doesn't do.
"Security without isolation is just a lock on a door inside a house with no walls."
What User Isolation Actually Means
When a hosting panel says it supports multiple users, there are two fundamentally different implementations:
Soft isolation uses file permissions and PHP open_basedir to prevent users from reading each other's files under normal circumstances. It's better than nothing, but it's a single layer. One configuration error, one PHP vulnerability, one misconfigured upload directory, and the wall falls.
Hard isolation uses kernel-level mechanisms that don't depend on application-layer configuration being correct. Even if PHP is misconfigured, even if a web application has a vulnerability, the kernel prevents the attacker from crossing user boundaries.
Hard isolation is what enterprise hosting environments demand. It's what CloudLinux (which costs extra) provides for traditional panels. It's what Panelica provides natively, for every user, on every plan.
The 5 Layers of Server Isolation
Panelica implements five distinct isolation mechanisms per user. Each layer adds an independent barrier. An attacker who defeats one layer still faces four more.
Layer 1: Cgroups v2 — Resource Containment
Linux Control Groups version 2 (cgroups v2) enforce hard limits on CPU time, memory allocation, disk I/O, and process counts at the kernel level. When a user's account is compromised and an attacker attempts to launch a cryptominer or a DDoS amplification attack, cgroups v2 caps the damage: the attacker cannot consume more than the allocated resources, and the attack cannot degrade service for other users on the same server.
This isn't configured in Nginx or PHP. It's enforced by the Linux kernel. There is no application-layer bypass.
Implementation: Per-user systemd slice at /sys/fs/cgroup/panelica.slice/panelica-user.slice/panelica-user-{username}.slice/ with configurable cpu.max, memory.max, io.max, and pids.max.
Which panels implement this: Only Panelica (natively). Traditional panels require CloudLinux for equivalent functionality, which costs additional licensing fees.
Layer 2: Linux Namespaces — View Isolation
Linux namespaces create isolated views of system resources. Panelica uses PID and Mount namespaces to give each user a CageFS-style isolated filesystem view. Users cannot see processes running under other accounts. They cannot traverse the filesystem to discover other users' home directories or configuration files.
This is the same technology used by container systems like Docker — applied per hosting user. A compromised account sees only its own processes and its own filesystem view. The rest of the server is invisible.
Implementation: Per-user namespace configuration at var/namespaces/{username}/ with isolated rootfs.
Which panels implement this: Only Panelica.
Layer 3: SSH Chroot Jails
When users get SSH or SFTP access, they're placed in a chroot jail — a restricted filesystem environment that prevents navigation above their assigned directory. SFTP-only users can't execute commands at all. Bash users are confined to their chroot environment.
This prevents a compromised SSH session from being used to read /etc/passwd, explore other users' directories, or access system files.
Implementation: Two modes — sshjailed (SFTP-only) and sshfull (bash + chroot). Per-user configuration via var/chroot/{username}/.
Which panels implement this: Panelica, HestiaCP (partial), DirectAdmin (partial), cPanel (via jailshell).
Layer 4: PHP-FPM Per-User Pools
PHP applications run in per-user, per-version PHP-FPM pools. Each pool runs under the user's own system UID/GID, with open_basedir restricting filesystem access and disable_functions blocking dangerous PHP functions. A PHP vulnerability in one site cannot be used to read files from another user's PHP process.
This also prevents the common shared-hosting attack vector where a compromised PHP application reads configuration files from adjacent sites by exploiting overly permissive PHP-FPM pool configurations.
Implementation: Per-user per-version pools in etc/php-fpm-users/{username}/{version}/pool.d/.
Which panels implement this: Panelica (full per-user per-version), CloudPanel (per-site), others (partial or shared pools).
Layer 5: Unix Permissions — Ownership Enforcement
Every user has a dedicated UID and GID. Home directories are set to 700 (accessible only by owner). Files are owned by the user's system account. Panelica enforces ownership on all file operations through a secure write mechanism that prevents privilege escalation during file management operations.
This is the foundational layer that all panels implement, but Panelica's implementation goes further with active ownership enforcement on every operation.
Panel-by-Panel Security Audit
cPanel
cPanel is one of the oldest panels in the industry and has the most mature security tooling — but the most important security features require CloudLinux, which is a separate operating system that costs additional licensing. On standard CentOS/AlmaLinux, cPanel provides SSH jailing via jailshell and solid Unix permissions, but no cgroups-based resource limits and no namespace isolation. CloudLinux adds LVE (similar to cgroups v2) and CageFS (similar to namespaces), but at significant additional cost. ModSecurity is available and well-integrated.
CyberPanel
CyberPanel is built on OpenLiteSpeed and has the weakest isolation of any panel in this comparison. There are no cgroups limits, no namespace isolation, no SSH chroot jails by default, and PHP-FPM pools are not per-user. Unix permissions provide the only user separation. A compromised account on CyberPanel has significantly more lateral movement capability than on any other panel in this list. The 2021 CyberPanel ransomware attack (affecting over 150,000 servers) was partly enabled by weak isolation. Security improvements have been made since, but the architectural isolation remains minimal.
CloudPanel
CloudPanel runs PHP-FPM pools per-site (not per-user, which is a meaningful distinction in multi-user setups) and enforces Unix permissions. There are no cgroups limits and no namespace isolation. SSH access is standard, not chrooted. For single-user or small team setups where all sites belong to trusted operators, CloudPanel's isolation is adequate. For multi-tenant hosting with untrusted end users, the isolation gaps are significant.
HestiaCP
HestiaCP provides SSH chroot jailing and solid Unix permissions. PHP-FPM configuration is per-user at the pool level. There are no cgroups v2 resource limits and no namespace isolation. For a free, open-source panel, HestiaCP's security baseline is reasonable. But it's missing the two most important kernel-level isolation mechanisms.
DirectAdmin
DirectAdmin's isolation profile is similar to HestiaCP: SSH jailing, Unix permissions, and partial PHP-FPM per-user configuration. No cgroups, no namespaces. DirectAdmin has been adding security features in recent versions, but the architectural isolation remains at the traditional level. CloudLinux integration is available (extra cost) for cgroups-equivalent functionality.
Panelica
All five isolation layers, all plans, no add-ons required. Cgroups v2, namespaces, SSH chroot, per-user per-version PHP-FPM pools, and enforced Unix permissions — all configured automatically when a user is created. The security architecture is built into the platform, not bolted on as a premium option.
The Isolation Scorecard
| Panel | Cgroups v2 | Namespaces | SSH Jail | PHP-FPM/User | Unix Perms | Score |
|---|---|---|---|---|---|---|
| cPanel | No — (CloudLinux +$) | No — (CloudLinux +$) | Yes | Partial | Yes | 2/5 |
| CyberPanel | No | No | No | No | Partial — Basic | 0.5/5 |
| CloudPanel | No | No | No | Yes — Per-site | Yes | 2/5 |
| HestiaCP | No | No | Yes | Partial | Yes | 2.5/5 |
| DirectAdmin | No | No | Yes | Partial | Yes | 2.5/5 |
| Panelica | Yes | Yes | Yes | Yes — Per-user/version | Yes | 5/5 |
Beyond Isolation: Firewalls, WAF, and AI
Isolation prevents lateral movement after a compromise. The other half of the security equation is preventing the initial compromise from happening.
ModSecurity + OWASP CRS
ModSecurity with the OWASP Core Rule Set blocks the most common web application attacks: SQL injection, cross-site scripting, file inclusion, command injection, and more. Panelica ships ModSecurity with OWASP CRS pre-configured and manageable per-domain from the panel interface. Most traditional panels either don't include ModSecurity, require manual compilation, or treat it as a premium add-on.
Fail2ban
Fail2ban monitors log files and automatically bans IPs that show signs of brute-force attacks, port scanning, or credential stuffing. Panelica integrates Fail2ban with configurable rules for SSH, FTP, SMTP, IMAP, and web applications. The bans are applied via nftables rules, which operate at the kernel packet filtering level — faster and more reliable than iptables.
nftables Firewall
Panelica manages the server's nftables firewall directly. Port management, IP whitelisting/blacklisting, rate limiting, and protocol filtering are all accessible from the panel UI. Most panels either don't touch the firewall or integrate it loosely. Panelica treats firewall management as a first-class feature.
IP Blocking and DDoS Protection
Panelica's IP blocking system maintains per-IP and per-subnet block lists, with geographic blocking available. Rate limiting is applied at the Nginx level for web traffic and at the nftables level for raw traffic. Combined with Cloudflare integration (which can absorb DDoS at the edge), the layered protection is comprehensive.
OpsAI Security Analysis
Panelica's OpsAI assistant includes security-focused agents that can analyze server logs for anomalies, identify suspicious processes, check security configurations against best practices, and suggest hardening steps — all from within the panel interface. No other panel in this comparison includes AI-assisted security operations.
Security Advisor
Panelica runs automated security audits (50+ checks) against your server configuration: weak SSH settings, exposed services, misconfigured permissions, outdated software, and more. Results appear in the Security Advisor dashboard with specific remediation steps.
The Real-World Impact
Why does this matter in practice? Because shared hosting compromise scenarios are not theoretical.
A WordPress site with an outdated plugin gets exploited. The attacker uploads a web shell. On a panel with soft isolation, they can now:
- Read configuration files from other users (database passwords, API keys)
- Access other users' files by traversing the filesystem
- Use the compromised PHP process to connect to databases
- Launch resource-intensive processes that degrade service for all users
On Panelica with 5-layer isolation, the same attacker:
- Cannot read other users' files — namespace isolation prevents filesystem traversal
- Cannot see other users' processes — PID namespace isolation
- Cannot consume excessive resources — cgroups v2 hard limits cap CPU, memory, and I/O
- Cannot use PHP to read outside open_basedir — per-user PHP-FPM pool enforcement
- Cannot escalate via SSH — chroot jail contains the session
The damage is contained to the compromised account. Other users on the same server are protected at the kernel level, not just the application level.
Conclusion
Most hosting panels provide the minimum viable security to pass a basic review. One or two isolation layers, applied inconsistently, with the most important kernel-level protections available only via paid add-ons like CloudLinux.
Panelica was built with the assumption that every user on a multi-tenant server is a potential security boundary. All five isolation layers apply to every user account created on the server, regardless of plan level, without any additional licensing.
If you're running a hosting business and your security answer is "we trust our clients to keep their WordPress sites updated," you're one compromised plugin away from a bad day. If your answer is "we have 5 kernel-level isolation mechanisms that contain the blast radius of any compromise," you can sleep at night.
"The question isn't whether your servers will face attacks. It's how much damage those attacks can do when they succeed."
Install Panelica on Ubuntu 24.04 in under 3 minutes. See the complete installation guide.