myVesta is Debian fork of VestaCP that is under development by one of the VestaCP developers.
Focused on security and stability, with a lot of security improvements.

Git

See latest git commits, get source code, report issue.

Go to github »

Forum

Join our community, ask questions, help to others.

Go to forum »

Knowledge base

Place for howtos and documentation. Please help us by writing articles.

Go to our knowledge base »

At least 4407 active servers powered by myVesta

Last 5 git commits:

2025-08-30 Introducing a new command: v-change-phpmyadmin-url
2025-08-24 Update multi-php-install.sh to use apt-get instead of apt and add support for Debian 13 repository for PHP installation
2025-08-23 Update postinst script to check for releases 11 and 12 for tcp_window_scaling configuration
2025-08-23 Merge pull request #203 from myvesta/cursor/Compatibility-with-PHP-8-4
2025-08-22 Temporary skip myvesta dovecot conf files

You can download the nightly build by running: v-update-myvesta

Latest release: 0.9.9-0-13
Latest build date: 2025-08-15

Changelog:

Version 0.9.9-0-13 [2025-08-15]
==================================================
* Improvement: Activating FileManager licence for all users (credits to Official VestaCP)
* Introducing a malware cleaning set of tools: v-install-wordfence-cli, v-desinfect-wordpress, v-fix-wordpress-core, v-change-database-password-for-wordpress, v-change-wordpress-admin-passwords, v-delete-inactive-wordpress-plugins-and-themes, v-delete-wordpress-uploads-php-files) (credits to isscbta)
* Improvement: Added support for PHP 8.3 and 8.4
* SRS support for Exim4 (v-add-srs-support-to-exim) (credits to HestiaCP)
* Security: Ensuring that PHP files are visible only to the account they belong to - setting chmod 600 for all .php and .env files (also added as admin cronjob - v-fix-website-permissions-for-all-websites-only-php)
* Added cronjob for disk usage snapshot (size of each folder) to see what folder is growing every day (v-df-snapshot-make, v-df-snapshot-diff [some-day-snapshot] [some-other-day-snapshot])
* Bugfix: SSL fix for Apache 2.4.65+ (fix for '421 Misdirected Request')
* Bugfix: vst-install-debian.sh: ability to install MySQL 8 on Debian 12
* Improvement: Update nginx block-firewall.conf when user blocks 80,443 ports for some IPv4 address in the Firewall section of the admin panel
* Improvement: v-install-wordpress: Support for IDN format domains
* Security: Adding ProFTPD jail rule to Fail2Ban
* Introducing: v-make-main-apache-log - making one log file for PHP requests for all websites
* Security: Introducing a new command: v-fix-php-ini-disable-functions
* Improvement: Introducing myVesta rules for SpamAssassin (enhancing spam filtering)
* Improvement: When deleting a domain, also delete the database if the domain has a database
* Bugfix: Removing temporary Docker container network interfaces from RRD
* Introducing v-run-wp-cli-myvesta that knows the correct terminal width
* Introducing a new command: v-cd-www alias for v-change-dir-www
* Introducing a new command: v-clear-fail2ban
* Introducing a new command: v-get-dns-config (to print zone file in bind9 format)
* Introducing a DISABLE_IP_CHECK as vesta.conf variable (if logged-in user is getting a new IPv4 address every minute)
* Security: Introducing a parse_object_kv_list_non_eval() function in main.sh, to avoid the evil eval command
* Security: Enhance package validation, in v-change-user-package 'eval' replaced with 'parse_object_kv_list_non_eval'
* Improvement: Replacing all WordPress scripts to use 'v-run-wp-cli' instead of 'wp'
* Improvement: v-install-wordpress: Almost always use https
* Improvement: Skip the prompt to continue during myVesta installation if the administrator has set all required variables  in the command line
* Security: Jailing v-run-wp-cli (running WP-CLI as user, added open_basedir, disabling shell_exec() and other dangerous PHP functions)
* Security: v-commander: removing the ability to set a root password
* Bugfix: DKIM record deletion command in v-delete-mail-domain-dkim script
* Adding FTP / SFTP port for Remote Backup (credits to ikheetjeff)
* Introducing a new command: v-delete-mails - delete emails older than N days (credits to isscbta)
* Introducing new commands: v-blacklist-email-domain, v-blacklist-email-account, v-whitelist-email-domain, v-whitelist-email-account (credits to isscbta)
* Bugfix: v-move-folder-and-make-symlink: use 'mv' instead of 'rsync'
* Improvement: Calculate the size of directories on /hdd too
* Bugfix: v-move-domain-and-database-to-account: Update wordfence-waf.php
* Bugfix: v-add-letsencrypt-domain: Detecting valid status on wildcard variant
* Bugfix: db.sh and v-clone-website: mysqldump --max_allowed_packet=1024M
* Bugfix: web/index.php: Prevent recreation of token by shitty browser add-ons
* Bugfix: v-restore-user: permissions fix while restoring backup
* Bugfix: Add some loops due to 403 errors during LE request in some random cases
* Improvement: v-clone-website: adding --EXCLUDE_UPLOADS parameter
* Bugfix: vst-install-debian.sh - removing phppgadmin
* Bugfix: v-update-firewall: $FIREWALL_STATEFUL conf variable (for Infomaniak VPS servers)
* Bugfix: Awstats template for all systems does not have a closed bracket in line 27 (credits to gkirde)
* Bugfix: Update v-import-cpanel-backup - removing /*!999999\- enable the sandbox mode */
* Bugfix: Small PHP syntax fixes in the admin panel
* Introducing nginx template 'wprocket-webp-express-force-https' (credits to Luka Paunovic)
* Improvement: Added functions to check if a domain or user is unsuspended in main.sh
* Introducing a new command: v-update-document-errors-files
* Improvement: new v-backup-user-now command does backup even if the system Load Average is above the limit, or the administrator configured backups to perform only at night
* Improvement: v-install-wp-cli and v-install-wp-cli-myvesta - automatically updates if wp-cli is 30 days old
* Bugfix: Check for SSL certificate existence before deleting web domain SSL in v-install-unsigned-ssl
* Improvement: v-install-wordpress: avoid changing nginx proxy template in apache-less variant
* Added to .gitignore excludes for 'data', 'conf', and 'log' folders
* And many other minor bugfixes and improvements...

If you get "GPG error apt.myvestacp.com signatures couldn't be verified, public key is not available NO_PUBKEY 88807D4B2221338C" - see our announcement.

Missed an update? Check out our previous change logs

Screenshots

More about myVesta

myVesta is a fork of VestaCP
Focused on security and stability
Therefore, only Debian is supported - keeping focus on only one eco-system - not wasting energy on compatibility with other Linux distributions
However, it will be always synchronized with official VestaCP commits
VestaCP commercial plugins will be only available for purchase on official vestacp.com website - we will NOT take their earnings, since we are not making this fork for monetary reasons. Instead, we are doing this with open source in mind - to enhance security and to build new features, without being interlocked with official VestaCP release cycles, and without affecting or heavily diverting from the VestaCP's planned development milestones
With previous in mind, all features that are built for this fork (myVesta), will be offered to official VestaCP, via pull requests

Features of myVesta

Support for Debian 12 (Debian 12 is recommended, but previous Debian releases are also supported)
Support for MySQL 8
nginx templates that can prevent denial-of-service on your server
Support for multi-PHP versions
You can host NodeJS apps
You can limit the maximum number of sent emails (per hour) per mail account and per hosting account, preventing hijacking of email accounts and preventing PHP malware scripts to send spam.
You can see what PHP scripts are sending emails, when and to whom
You can completely "lock" myVesta so it can be accessed only via secret URL, for example https://serverhost:8083/?MY-SECRET-URL
- During installation you will be asked to choose a secret URL for your hosting panel
- Literally no PHP scripts will be alive on your hosting panel (won't be able to get executed), unless you access the hosting panel with secret URL parameter. Thus, when it happens that, let's say, some zero-day exploit pops up - attackers won't be able to access it without knowing your secret URL - PHP scripts from VestaCP will be simply dead - no one will be able to interact with your panel unless they have the secret URL.
- You can see for yourself how this mechanism was built by looking at:
  - src/deb/for-download/php/php.ini
  - web/inc/secure_login.php
- If you didn't set the secret URL during installation, you can do it anytime. Just execute in shell:
- echo "<?php \$login_url='MY-SECRET-URL';" > /usr/local/vesta/web/inc/login_url.php
We disabled dangerous PHP functions in php.ini, so even if, for example, your customer's CMS gets compromised, hacker will not be able to execute shell scripts from within PHP.
Apache is fully switched to mpm_event mode, while PHP is running in PHP-FPM mode, which is the most stable PHP-stack solution
- OPCache is turned on by default
Auto-generating LetsEncrypt SSL for server hostname (signed SSL for Vesta 8083 port, for dovecot (IMAP & POP3) and for Exim (SMTP))
You can change Vesta port during installation or later using one command line: v-change-vesta-port [number]
ClamAV is configured to block zip/rar/7z archives that contains executable files (just like GMail)
Backup will run with lowest priority (to avoid load on server), and can be configured to run only by night (and to stop on the morning and continue next night)
You can compile Vesta binaries by yourself - src/deb/vesta_compile.sh
- You can even create your own APT repository in a minute
- We are using latest nginx version for vesta-nginx package
- With your own APT infrastructure you can take security of Vesta-installer infrastructure in your own hands. You will have full control of your Vesta code (this way you can rest assured that there's 0% chance that you'll install malicious packages from repositories that may get hacked)
- Binaries that you compile are 100% compatible with official VestaCP from vestacp.com, so you can run official VestaCP code with your own binaries (in case you don't want the source code from this fork)

Useful scripts

How to move accounts from one (my)Vesta server to another myVesta server
WordPress installer in one second (v-install-wordpress)
Cloning script that will copy the whole site from one (sub)domain to another (sub)domain (v-clone-website)
Script that will migrate your site from http to https, replacing http to https URLs in database (v-migrate-site-to-https)
Script for importing cPanel backups to Vesta (thanks to Maks Usmanov - Skamasle) (v-import-cpanel-backup)
Script that will install multiple PHP versions on your server
How to host NodeJS apps
Script that will install nginx templates that can prevent denial-of-service on your server
Official VestaCP Softaculous installer

How to install

Download the installation script:

curl -O http://c.myvestacp.com/vst-install-debian.sh

Then run it:

bash vst-install-debian.sh

... or use our installer generator.

About VestaCP

VestaCP is an open source hosting control panel.
Vesta has a clean and focused interface without clutter.
Vesta has the latest of very innovative technologies.

Special thanks to vestacp.com and Serghey Rodin for open-source VestaCP project.

Hosting panel redesign by ioTheme !

License

Vesta is licensed under GPL v3 license