2026-03-01 Version 0.9.9-0-16
2026-02-25 v-install-wordpress: Use MAX_DBUSER_LEN=32 if MySQL 8 installed
2026-02-23 Fix GPG key handling for sury.org repository in v-commander
2026-02-15 v-move-folder-and-make-symlink: If FROMFOLDER is not absolute path, make it absolute
2026-02-15 Update v-backup-user to resolve symbolic link handling for backup location and ensure accurate disk space validation

Version 0.9.9-0-16 [2026-03-01]
==================================================
* Improvement: Fix for 'invalid token' error in login form
* Bugfix: Download the backup file from remote FTP/SFTP if the backup is not locally available
* Improvement: Show full LetsEncrypt error in the hosting panel
* Improvement: Enhance the v-backup-users script to manage long-running processes by terminating those active for over 10 days
* Improvement: Keep 'group = www-data' in FPM pool.d conf for $HOSTNAME vhost
* Bugfix: Fix GPG key handling for sury.org repository in v-commander
* Bugfix: v-move-folder-and-make-symlink: If FROMFOLDER is not an absolute path, make it absolute
* Improvement: Update v-backup-user to resolve symbolic link handling for backup location and ensure accurate disk space validation
* Improvement: phpgate-agent-strings.php update
* Bugfix: Fix backup download logic in v-restore-user to prevent unnecessary downloads if the backup file already exists
* Bugfix: Refactor file path handling in v-df-snapshot-diff
* Improvement: Add installation script for web-fail2ban in v-commander
* Improvement: Support for $WEB_FAIL2BAN_ONLY_NGINX configuration
* Improvement: Support for IPv6 for fail2ban-web filters
* Improvement: Add last log error for backup failures in v-backup-users
* Improvement: Delete the pool.d config file of the previously selected PHP FPM version
* Improvement: v-install-wordpress: Fix check for $NO_PROMPT and suppress output for grep | sed
* Bugfix: v-install-wordpress: Use MAX_DBUSER_LEN=32 if MySQL 8 installed
* Enhance v-df-snapshot-diff and v-df-snapshot-make scripts to use /dev/shm for temporary storage when the root partition is low on space
* Improvement (as temporary solution): Suspend 'v-fix-website-permissions-for-all-websites-only-php' cron during myVesta install

More about myVesta

• myVesta is a fork of VestaCP
• Focused on security and stability
• Therefore, only Debian is supported - keeping focus on only one eco-system - not wasting energy on compatibility with other Linux distributions
• However, it will be always synchronized with official VestaCP commits
• VestaCP commercial plugins will be only available for purchase on official vestacp.com website - we will NOT take their earnings, since we are not making this fork for monetary reasons. Instead, we are doing this with open source in mind - to enhance security and to build new features, without being interlocked with official VestaCP release cycles, and without affecting or heavily diverting from the VestaCP's planned development milestones
• With previous in mind, all features that are built for this fork (myVesta), will be offered to official VestaCP, via pull requests

Features of myVesta

• Support for Debian 12 (Debian 12 is recommended, but previous Debian releases are also supported)

• Support for MySQL 8

• nginx templates that can prevent denial-of-service on your server

• Support for multi-PHP versions

• You can host NodeJS apps

• You can limit the maximum number of sent emails (per hour) per mail account and per hosting account, preventing hijacking of email accounts and preventing PHP malware scripts to send spam.

• You can see what PHP scripts are sending emails, when and to whom

• You can completely "lock" myVesta so it can be accessed only via secret URL, for example https://serverhost:8083/?MY-SECRET-URL

  • During installation you will be asked to choose a secret URL for your hosting panel
  • Literally no PHP scripts will be alive on your hosting panel (won't be able to get executed), unless you access the hosting panel with secret URL parameter. Thus, when it happens that, let's say, some zero-day exploit pops up - attackers won't be able to access it without knowing your secret URL - PHP scripts from VestaCP will be simply dead - no one will be able to interact with your panel unless they have the secret URL.
  • You can see for yourself how this mechanism was built by looking at:
    • src/deb/for-download/php/php.ini
    • web/inc/secure_login.php
  • If you didn't set the secret URL during installation, you can do it anytime. Just execute in shell:
  • echo "<?php \$login_url='MY-SECRET-URL';" > /usr/local/vesta/web/inc/login_url.php

• We disabled dangerous PHP functions in php.ini, so even if, for example, your customer's CMS gets compromised, hacker will not be able to execute shell scripts from within PHP.

• Apache is fully switched to mpm_event mode, while PHP is running in PHP-FPM mode, which is the most stable PHP-stack solution

  • OPCache is turned on by default

• Auto-generating LetsEncrypt SSL for server hostname (signed SSL for Vesta 8083 port, for dovecot (IMAP & POP3) and for Exim (SMTP))

• You can change Vesta port during installation or later using one command line: v-change-vesta-port [number]

• ClamAV is configured to block zip/rar/7z archives that contains executable files (just like GMail)

• Backup will run with lowest priority (to avoid load on server), and can be configured to run only by night (and to stop on the morning and continue next night)

• You can compile Vesta binaries by yourself - src/deb/vesta_compile.sh

  • You can even create your own APT repository in a minute
  • We are using latest nginx version for vesta-nginx package
  • With your own APT infrastructure you can take security of Vesta-installer infrastructure in your own hands. You will have full control of your Vesta code (this way you can rest assured that there's 0% chance that you'll install malicious packages from repositories that may get hacked)
  • Binaries that you compile are 100% compatible with official VestaCP from vestacp.com, so you can run official VestaCP code with your own binaries (in case you don't want the source code from this fork)

Useful scripts

• How to move accounts from one (my)Vesta server to another myVesta server

• WordPress installer in one second (v-install-wordpress)

• Cloning script that will copy the whole site from one (sub)domain to another (sub)domain (v-clone-website)

• Script that will migrate your site from http to https, replacing http to https URLs in database (v-migrate-site-to-https)

• Script for importing cPanel backups to Vesta (thanks to Maks Usmanov - Skamasle) (v-import-cpanel-backup)

• Script that will install multiple PHP versions on your server

• How to host NodeJS apps

• Script that will install nginx templates that can prevent denial-of-service on your server

• Official VestaCP Softaculous installer

How to install

Download the installation script:

curl -O http://c.myvestacp.com/vst-install-debian.sh

Then run it:

bash vst-install-debian.sh

... or use our installer generator.

About VestaCP

• VestaCP is an open source hosting control panel.
• Vesta has a clean and focused interface without clutter.
• Vesta has the latest of very innovative technologies.

Special thanks to vestacp.com and Serghey Rodin for open-source VestaCP project.

Hosting panel redesign by ioTheme !

License

Vesta is licensed under GPL v3 license