Back to Changelog

v1.0.366

Minor Release Released July 12, 2026

Consolidated release: SSL trust defaults, lockout and access-control hardening, migration reliability, WordPress and billing integrations, unified email deliverability, a consistent service list with account recovery, and a localized password reset flow.

New Features

5
  • Added WordPress site management: list installed sites, one-click auto-login, plugin and core updates, and backup and restore.
  • Added root terminal access via a secure WebSocket ticket, and quick phpMyAdmin access without a separate single sign-on step.
  • Added a one-click single sign-on endpoint for billing-platform integrations such as the WHMCS module (short-lived and single-use).
  • The recovery console (port 8444) gained an Account rescue card to reset the panel root password and disable root two-factor authentication when locked out.
  • Added a password reset flow (request a reset link by email, then set a new password), fully translated into all 30 supported non-English languages.

Improvements

3
  • Domain SSL auto-issue now defaults to the publicly-trusted Lets Encrypt certificate authority; Cloudflare Origin CA is only used when explicitly selected, preventing untrusted-certificate warnings for visitors.
  • The PNLCS one-click app template now deploys the IMAP-enabled runtime image required by its ticket mail pipe.
  • Added a unified email deliverability check that validates SPF and DKIM in a single call, fixed DKIM key generation to locate tools in /usr/sbin, corrected SPF detection to require the v=spf1 prefix, and replaced the placeholder disk-usage value with a real calculation.

Bug Fixes

6
  • Fixed panel and mail SSL certificate issuance when the server hostname is also a hosted domain: the ACME HTTP-01 challenge is now vhost-aware, the server hostname can no longer be added as a domain or subdomain, and existing self-signed installs retry Lets Encrypt automatically.
  • Require-2FA can no longer be enabled for a role while an account in it still has two-factor authentication disabled, and users can no longer disable their own 2FA while it is enforced, preventing accidental lockouts.
  • External API delete endpoints (email account, forwarder, autoresponder, cron job, FTP account, database user, redirect) now verify resource ownership before deleting, preventing a per-user API key from deleting resources belonging to another account.
  • Panelica-to-Panelica migration reliability: skips the target generated config and partial temp files, regenerates and validates vhost and ModSecurity configs after migration, records accurate final status, waits for asynchronous user deletion during rollback, adopts already-existing domains on re-run, and derives the source mailbox path when discovery data is missing.
  • Made the service list consistent between the dashboard and the Services page: installed-but-stopped services such as ClamAV and Dovecot no longer disappear, the fail2ban unit is listed, the empty list right after a restart is gone, and both surfaces hide the same auxiliary entries.
  • Fixed Meilisearch reporting inactive while it was actually running.
See the Demo