Cpanel is Perl, not PHP. Probably the grayest of the gray beards. Perhaps not enough Perl Wizards left to maintain it nowadays.

Remember &#x27;webmin&#x27;?As someone who pretty much exclusively uses debian, freebsd and openbsd for server OS work, I was also rather surprised recently to see the default web gui that comes on a new fedora install.<a href="https:&#x2F;&#x2F;cockpit-project.org&#x2F;" rel="nofollow">https:&#x2F;&#x2F;cockpit-project.org&#x2F;</a>

&gt; The concept of a GUI wrapper on top of the Linux ecosystem is what&#x27;s brokenThat is a nugget, it&#x27;s so true.Wrappers in general are such an issue in software. Wrappers built on top of wrappers, this desire to abstract everything away makes things look simpler, but every layer slows things down and hides what is actually happening. Every wrapper is another layer of complexity, another hoop to jump through when you&#x27;re looking for a solution to a problem.

Of course is the architecture and the creator of such a thing, isn’t the point of a tool like that for users that don’t have the tech knowledge? I have only used those systems on shared hosting, host providers are the one maintaining and should be keeping them up to date and WHM&#x2F;Cpnel have plenty of customers to worry too patch holes, if they can’t then who’s fault is it, Architecture, or provider? Hope is the customers fault?

The concept of a GUI wrapper on top of the Linux ecosystem is what&#x27;s broken.Not because of a fundamental limitation of that architecture, but because in practice the type of people that will use it do not want to learn or develop the necessary skills to administer it, and critical information like man pages and parameter lists are hidden.You can&#x27;t take shortcuts without consequences.

I was thinking about php-nuke I while back and it&#x27;s terrible security rep. I figured it was just the regular PHP foot guns of the era, but I took a look at the code recently and boy howdy that was some truly atrocious code. I&#x27;m not security person (although perhaps security minded) and I found a million problems after a cursory glance.

Php-nuke was the hacking testing ground. Nuke was atrocious for exploitation.

I mostly disagree on your disagreement unless the entire project was based on top security practices and good code in the first place. The vast majority of these web panels are a security nightmare.

As a coder who just hit 50, trust me, it does.

I don&#x27;t agree that &quot;old&quot; necessarily implies vulnerability.

Ages ago I used php-nuke to manage my forum and it got hacked and I thought it would get taken seriouslySeeing these CPanel hacks remind me how old these codebases are and how much more vulnerability remain

But those are updated automatically. It&#x27;s unlike Windows or Linux, where the user decides when to update. cPanel updates are decided by cPanel

If you look at the usage numbers, you could argue we are still in that era.

I miss this era, we overcomplicated everything

CPanel and hosters who use them are in big trouble now; there are millions of servers running them, many of them for decades. Their clients can run code as an user without much sandboxing&#x2F;guardrails at all.

Not all webhosting companies are using cpanel. Cpanel increased their prices exponentially in the last few years.

So CPanel&#x27;s security is just as bad as their UI, who would have thought?

Many years ago. Maybe 2005 to 2015? I had a friend who used cpanel to run a web hosting company. He made quite a bit of money doing that. He was not a programmer, but he could setup up wordpress and install plugins. I remember asking him once if he was worried he would get hacked and then lose control of his servers? Lose his customers?He said he was worried but he had backups upon backups. I saw him restore a bunch of websites once, using cpanel, and I thought it is an amazing little bit of software with all of the click a button to setup many different things (like WAF). A real time saver and provides some guidance if you are not a unix-internet guru.

Wow, similar sentiments about this being a throw back. I’d rather roll my own almost everything these days, may not be as good, but certainly won’t be targeted exploited broadly.

44,000 servers compromised? Sounds like somebody could&#x27;ve used a software building code

Mediawiki seems pretty solid on that front in my 10+ years of running and using it

Most LAMP FOSS web apps have a long history of being hacked.Is there any specific LAMP web app(s) that has a very good history of not being hacked?I can&#x27;t think of any readily but I imagine someone here knows one or two.

The alternatives to cpanel would mostly be all-in-one hosting providers like &#x27;squarespace&#x27; or similar, which have rolled their own web GUI to automate a basic normie workflow of domain registration, putting basic DNS records in a zone, hosting the DNS, getting TLS certs, putting basic content on a httpd. It&#x27;s interesting to see the &quot;set up your small business website now!&quot; advertising to totally non technical people.

Yes, there are many ways to do that now, in under 5 minutes. Cloudflare will set all of that up just fine. GSuite is much easier to set up than CPanel.

Friendly reminder that there aren&#x27;t that many ways for a normie to create their own (sub)domain with TLS and an email in under five minutes. That&#x27;s cPanel for ya.

And even if it doesn’t look like it chances are it still is with a fancier ui on top.

I wonder how much shared hosting is there really left, I imagine much of it move to VPS or cheap cloud boxes.

Most shared hosting plans use cpanel.
It&#x27;s still widely used yes for a lot of smaller websites.

The ROI has just increased by like 10x or 100x this week.

There are a lot of things that have been up for decades. The ROI on moving a simple PHP or static website to new hosting situation hasn’t been that compelling… though that could change. Thing is, I suspect most users of shared hosting which is Cpanel’s bread and butter are not reading the latest cybersecurity news.

Half of the entire internet is Meta properties.

And if it&#x27;s not cpanel, it&#x27;s Plesk

CPanel on shared hosting running WordPress PHP is literally half of the entire internet still.

I run an entire saas that 36 companies pay for, built in PHP, and I drag and drop the files to the server via cpanel.

The AI safeguards are indeed a joke, you can get around their classifier by simply masking out all the unsafe words and it will happily work on your rootkit.

&quot;AI safeguards&quot; are not working I guess.. or maybe they&#x27;re only working against those who&#x27;d like to secure their software.. good job Anthropic + OpenAI!

Why, is there a better alternative to the PHP-based forums? (I tried Discourse and it sucks.)

PHP (apart from the Hack offshoot) isn&#x27;t a compiled language, so it&#x27;s nowhere &quot;close&quot; to anything.LAMP apps are frequently mentioned in RCE CVEs.

Nothing wrong with those stacks. They’re akin to assembly language for the backend. Nitty gritty but super close to the metal.

&gt; CPanelNow there&#x27;s a name I haven&#x27;t heard since the 2005 or so era.How is that thing still around?Next you&#x27;re going to tell me people still run phpBB and vBulletin somewhere. And use FileZilla FTP. And manage their database with phpMyAdmin.

CPanel's Black Week: 3 New Vulnerabilities Patched After Attack on 44k Servers