Skip to content

Hosting

Web Hosting Control Panels

A web hosting control panel is a browser-based dashboard that lets you manage a server's hosting services — domains, email, databases, files, SSL certificates, DNS and backups — through point-and-click forms instead of editing config files by hand on the command line. This page explains what a panel does, compares the major ones, and covers when (and when not) to use one.

Tested on

Concepts apply to AlmaLinux 9 / RHEL 9 and Debian/Ubuntu. Each panel supports a specific list of distributions and is normally installed on a fresh, minimal VPS — see each vendor's docs for exact supported versions before you begin.

What a control panel does

If you have read How web hosting works, you know that a working hosting stack is several daemons cooperating: a web server (nginx/Apache), PHP, a database (MariaDB/MySQL), a mail stack (Postfix/Dovecot), a DNS server (BIND/PowerDNS), and an FTP/SFTP service. Configuring and securing each one by hand is the skillset taught in the Linux web-server track. A control panel automates that work and exposes it through a UI.

A typical panel manages:

  • Accounts / sites — create an isolated account per customer or site, each with its own Linux user, document root and resource limits.
  • Domains & subdomains — add domains, configure virtual hosts (see Virtual hosts), set up redirects and parked domains.
  • DNS zones — create and edit MX, A, TXT and CNAME records when the panel also runs an authoritative nameserver (concepts in Domains and DNS).
  • Email — mailboxes, aliases, forwarders, autoresponders, webmail and spam filtering (see Email hosting).
  • Databases — create MySQL/MariaDB databases and users, often with phpMyAdmin bundled (see Databases for hosting).
  • Files — a web file manager plus FTP/SFTP account management.
  • TLS/SSL — one-click or automatic Let's Encrypt certificates and renewals (concepts in HTTPS with Let's Encrypt).
  • Backups — scheduled per-account or full-server backups and restores (see Backups and migration).
  • Monitoring & metrics — service status, resource usage, logs and quotas.

Who they are for

  • Shared/reseller hosting providers who must give hundreds of non-technical customers self-service control over their own sites and email.
  • Web agencies and freelancers managing many client sites without wanting to script everything.
  • Site owners who are comfortable with a GUI but not with editing nginx.conf, BIND zone files or Postfix maps by hand.

Comparison of the major panels

Panel License / cost OS support Web server Standout feature
cPanel / WHM Commercial, per-account tiered subscription RHEL/AlmaLinux/Rocky/CloudLinux (Linux only) Apache (with optional nginx/LiteSpeed) The industry standard; WHM (server admin) + cPanel (per-account) split; huge ecosystem and migration tooling
Plesk Commercial, subscription (editions by site count) Linux and Windows Server nginx + Apache, or IIS on Windows Only mainstream panel with first-class Windows support; large extension catalog
CyberPanel Free (Enterprise tier paid) AlmaLinux/Rocky/Ubuntu OpenLiteSpeed (LiteSpeed Enterprise on paid) Built around the fast OpenLiteSpeed server with built-in LSCache
DirectAdmin Commercial, low-cost tiered (free Lite tier for one account) RHEL/AlmaLinux/Rocky/Debian/Ubuntu Apache and/or nginx, LiteSpeed Lightweight and fast; low resource footprint, popular on small VPSes
HestiaCP Free, open-source (GPLv3) Debian/Ubuntu (primary) nginx + Apache (nginx as proxy) Fully open-source fork of VestaCP; clean modern UI at no cost
Webmin / Virtualmin Free, open-source (Virtualmin has paid Pro) Most major Linux distros (RHEL family, Debian/Ubuntu) Apache or nginx Webmin is a general system-admin UI; Virtualmin adds cPanel-style multi-domain virtual hosting on top

These are illustrative, not exhaustive

Pricing models and supported OS versions change frequently and editions are tiered. Always confirm the current license terms and supported distributions on the vendor's site before committing — especially since cPanel moved to per-account pricing.

When to use a panel vs manual CLI administration

Use a control panel when:

  • You host many sites or customers and need repeatable self-service provisioning.
  • You or your customers prefer a GUI and do not need fine-grained, hand-tuned configs.
  • Time-to-launch and a support contract matter more than minimal footprint.

Stick to manual CLI administration (the Linux web-server track) when:

  • You run one or a few sites and want a lean, fully understood stack.
  • You need custom configurations a panel might overwrite, or you are running in containers/Kubernetes.
  • You want to minimize the attack surface and the resources the panel itself consumes.

A panel largely takes over the box

Panels are designed to own the whole server. They install and manage their own builds of the web server, PHP, mail and DNS, and they rewrite config files automatically. Editing those files by hand often gets reverted on the next panel update. Install a panel on a fresh VPS, not on a server you have already hand-configured — and do not try to run two panels on one host.

Security considerations

A control panel is convenient precisely because it can change almost anything on the server — which makes it a large, high-value attack surface. Treat it as critical infrastructure and apply the server hardening checklist.

  • Keep it patched. Panel vulnerabilities are actively exploited. Enable the panel's auto-update channel and apply OS updates promptly.

  • Restrict access to the admin UI. The control panel ports (e.g. cPanel 2087/WHM, Plesk 8443, HestiaCP 8083) should be firewalled to trusted IPs or behind a VPN, not open to the whole internet.

    # Example: limit HestiaCP's admin port 8083 to one office IP (firewalld)
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.10" port port="8083" protocol="tcp" accept'
sudo firewall-cmd --permanent --add-port=8083/tcp --remove-port=8083/tcp 2>/dev/null
sudo firewall-cmd --reload

  • Strong authentication. Use long unique passwords and enable two-factor authentication for the admin and reseller accounts. Never reuse the root password for the panel.

  • Limit who is root. Give customers per-account access only; reserve the master/WHM/admin login for operators.
  • Lock down brute force. Run the panel's built-in protection (e.g. cPHulk) or fail2ban against the login and SSH/FTP services.
  • Watch the logs. Panels and their managed services write extensive logs; review them when troubleshooting or after a suspected compromise (see Analyzing log files).
  • Disable unused services. If you do not run mail or DNS on the box, turn those modules off to shrink the attack surface.

Verify your work

After installing a panel on a fresh VPS, confirm the basics:

# The panel's web service should be listening (port varies by panel)
sudo ss -tlnp | grep -E ':(2087|8083|8443|10000)'

# The managed web server should be running
systemctl status httpd nginx 2>/dev/null

# Confirm a test site resolves and serves over HTTPS once created
curl -I https://your-test-domain.example
  • Log in to the admin UI over HTTPS and confirm 2FA is enforced.
  • Create a test account, add a domain, issue a Let's Encrypt cert, and create a mailbox to confirm the full pipeline works.
  • Confirm the firewall only exposes the panel port to trusted sources.

Summary

  • A control panel manages domains, email, databases, files, SSL, DNS and backups through a web UI, automating the work otherwise done by hand on the CLI.
  • cPanel/WHM is the commercial industry standard; Plesk adds Windows support; CyberPanel is free on OpenLiteSpeed; DirectAdmin is a lightweight commercial option; HestiaCP and Webmin/Virtualmin are free and open-source.
  • Use a panel for many sites/customers and self-service; use manual CLI for lean, custom, fully-understood single-site stacks.
  • Panels take over the whole box, so install on a fresh VPS — and because they are a big attack surface, keep them patched, restrict and harden access, and monitor logs.

Test yourself