How Secure are RunCloud/Server Pilot/etc out of the box?

Started by john515, Jun 30, 2022, 09:46 AM

john515 (Topic starter)

I have a simple blog that I wanted to start and will need to put it on a new host.

Usually, I start with shared hosting and move to a managed Wordpress service/VPS later if needed.

Sites like Runcloud/Server Pilot seem to be able to make shared hosting and a VPS obsolete: I can get a $5 1GB Digital Ocean droplet + $7 RunCloud, which is the same cost as shared hosting, but faster.

These Runcloud/Server pilots are basically SaaS products: control panels that automatically configure unmanaged VPS services like DO and effectively make them managed; for example, one-click Wordpress installs, server resource monitoring, and they automatically install server security updates (but usually not non-security server updates).

Since this blog is meant to be professional, and although it probably doesn't matter, I do feel that using a service like Runcloud, leveraging Digital Ocean (which assigns a dedicated IPv4 address), looks more professional than a site on a shared host (potentially with spammy neighbors all sharing the same IP). So, that is another positive.

However, what I'm most worried about is security. With shared hosting, I just leave sites alone and don't worry about server security. Will I be able to do this with Runcloud/Serverpilot? In other words, are the automatic configuration and security updates, at default/left alone, all that's really needed for the safety of a blog, in the same way shared hosting left alone is secure enough for a blog?


The security setup will always depend on how the provider configured it no matter if you are in a shared hosting environment or using some automatic management platform.

If you go for VPS like DO, you will need to take care of optimization and security and a lot of software license costs, etc...

You do not have to worry about the sharing of IP in shared hosting if you go with a good provider with a good security setup and the proper implementation of anti-spam protection.


In regards to shared hosting vs a VM / VPS / Cloud VM... (I will just refer to this as VPS)
It all depends on what you pay.

There are shared hosting providers that offer decent performance, but in the end it is all limited by CloudLinux limits, like you are capped to a certain amount of CPU, RAM, IO speed.
Something similar happens with a VPS... right, you are limited at the hypervisor to a certain amount of CPU, RAM, IO, etc. The difference is power and freedom (also privacy). Until a certain point... then you are better and better with a VPS, and the same can be said about the VPS: until a certain point you might be better with bare metal, full resources.

The difference here is that with a VPS or bare metal you get full root access, you control everything. There is no limitation on what you install. Also the resources assigned to your instance are just yours, for example you can buy a VPS with dedicated CPU instead of shared CPU. As you go up in the levels there will be a clear difference in performance, a VPS being better than shared hosting. Sometimes you can have a big enough instance to be even better than a dedicated server. It all depends on the amount of resources.

In regards to ServerPilot, from past experience, the service is SaaS type and manages the VM. It hardens the server automatically, applying patches, firewall rules, etc.

A 5 dollar VPS might not be better than shared hosting (depending on the providers), but as you go up the tiers, a VPS will most certainly just be way more performant than shared hosting.

In your case, unless you get a bigger budget, if you are going to pay just $5/mo and don't need the freedom of having root access, stick to shared hosting.

Hint: if you are considering shared hosting, ask the provider for the actual limits set. This is usually referred to as: CloudLinux LVE limits. Have a critical eye for IO speed and RAM.


There may be general disagreement that it's not safe to run this publicly, but here are some tips:

The statement that any pods that open ports are public by default is fundamentally wrong. Each module has its own network namespace, so even if it listens to capture any traffic, it happens exclusively inside its own namespace, so it is not opened from the outside in any way, until you configure a Kubernetes NodePort or LoadBalancer type of service to explicitly present this service (and supporting module ports) on the network. And you will manage even this to a large extent with the help of network policies.
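
A way to check which workloads are actually published outside the cluster, as an added example that is not part of the post above or of any Kubernetes tool. It assumes objects shaped like the items returned by `kubectl get services,pods -o json`; the sample objects and their names are constructed. It goes beyond the post by also flagging pods that set `hostNetwork` or `hostPort`, since those bind on the node itself rather than only inside the pod's namespace.

```python
EXTERNAL_TYPES = {"NodePort", "LoadBalancer"}

def exposed_services(items):
    """Services that publish ports outside the cluster network."""
    out = []
    for o in items:
        if o.get("kind") != "Service":
            continue
        spec = o.get("spec", {})
        stype = spec.get("type", "ClusterIP")  # ClusterIP is the default type
        ports = [p.get("nodePort", p["port"]) for p in spec.get("ports", [])]
        if stype in EXTERNAL_TYPES or spec.get("externalIPs"):
            meta = o["metadata"]
            out.append((meta["namespace"], meta["name"], stype, ports))
    return out

def host_exposed_pods(items):
    """Pods that share the node's network (hostNetwork) or bind node ports (hostPort)."""
    out = []
    for o in items:
        if o.get("kind") != "Pod":
            continue
        spec = o.get("spec", {})
        host_ports = [p["hostPort"] for c in spec.get("containers", [])
                      for p in c.get("ports", []) if p.get("hostPort")]
        if spec.get("hostNetwork") or host_ports:
            meta = o["metadata"]
            out.append((meta["namespace"], meta["name"],
                        bool(spec.get("hostNetwork")), host_ports))
    return out

def _obj(kind, name, spec):
    # Constructed sample object; namespace "blog" is hypothetical.
    return {"kind": kind, "metadata": {"namespace": "blog", "name": name}, "spec": spec}

SAMPLE = [
    _obj("Service", "wp-internal", {"ports": [{"port": 80}]}),
    _obj("Service", "wp-nodeport", {"type": "NodePort", "ports": [{"port": 80, "nodePort": 30080}]}),
    _obj("Service", "wp-lb", {"type": "LoadBalancer", "ports": [{"port": 443, "nodePort": 31443}]}),
    _obj("Pod", "wp", {"containers": [{"ports": [{"containerPort": 80}]}]}),
    _obj("Pod", "node-agent", {"hostNetwork": True, "containers": [{}]}),
    _obj("Pod", "proxy", {"containers": [{"ports": [{"containerPort": 8080, "hostPort": 8080}]}]}),
]

if __name__ == "__main__":
    for row in exposed_services(SAMPLE) + host_exposed_pods(SAMPLE):
        print(row)
```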


These are two completely different services. More or less modern shared hosting on usual panels can be used even by a blonde, and dedicated is a place where you yourself have to do everything.

Shared does not die, only companies that do not want to develop die. Shared servers transform into a product, which they should be, into separate panels where you can poke the necessary site with buttons in the constructor... At the same time, you not only don't have to know at all what a dedicated server, cloud or VPS is, but the buyer also completely doesn't give a shit where it works. You don't need to know what SSL is because you already have it enabled, you don't need to know what FTP is because you don't need it, etc.

Therefore, the question of what is better and what is not better lies solely in the plane of the provider (and what is better for him specifically in order to ensure good uptime, optimal performance and a decent price for the service). For most dinosaur panels like ISP / CPanel and the classic model, which implies a high density of users, it is definitely more profitable than dedicated from 8 threads with a more or less high density of clients.

For modern dashboards like runcloud/serverpilot etc. etc. cheaper cloud instances are more profitable.