Panelica vs VestaCP
VestaCP has been unmaintained since 2018. It has a supply-chain backdoor incident on record, multiple unpatched CVEs (RCE, command injection, privilege escalation) and no PHP 8.x compatibility. If you still run VestaCP, the only question is what to migrate to.
What you actually pay each month
VestaCP has no paid tier. The cost is your security risk, not your wallet.
Where Panelica wins, where VestaCP wins
Feature presence on each platform without third-party add-ons. Partial means the feature exists but is limited or requires a paid extension.
| Feature | Panelica | VestaCP |
|---|---|---|
| Active maintenance | ✓ Weekly releases | Abandoned since 2018 |
| PHP 8.3 / 8.4 support | ✓ Always current | PHP 7.x only |
| Public CVEs unpatched | None | Multiple RCE / command injection |
| Supply-chain integrity | Signed releases + checksums | 2018 installer backdoor incident |
| Modern web engine | ✓ Apache 2.4.67 + nginx 1.29 | Old Apache/Nginx without patches |
| Built-in AI co-pilot | OpsAI · 15 experts | No |
| Native iOS & Android apps | ✓ in App Store / Google Play | No |
| 5-layer kernel isolation | ✓ cgroups + ns + chroot + FPM + perms | Basic FPM only |
| One-click migration in (from VestaCP) | ✓ Hash-preserving importer | N/A |
| Docker manager | ✓ 160+ templates | No |
| WordPress Toolkit | ✓ Full toolkit + Redis Boost | No |
| Modern UI | ✓ React 19 + live SSE | 2014-era UI |
| Commercial liability if breached | GDPR-safer with patched stack | Open CVEs = breach risk |
When each one is the right choice
There is no reasonable case for keeping VestaCP. The only honest decision is to migrate. The question is to which panel.
Choose Panelica when…
- You want hash-preserving migration that lets end users keep their existing passwords.
- You want PHP 8.3 / 8.4 support so your applications actually run.
- You want active security patching, not a 2018-frozen stack.
- You want native AI + mobile apps + reseller mode + Docker out of the box.
- You need to reduce your breach liability under GDPR / CCPA / industry audits.
Cases for keeping VestaCP
- We could not find one in 2026. The 2018 backdoor + unpatched RCEs + frozen PHP 7.x make any continued production use a serious risk.
- HestiaCP is the closest spiritual successor if you want a similar UI — it forked Vesta, fixed the backdoor, and continues maintenance.
- Panelica is the natural choice if you also want 2026 architecture and a richer feature set.
Move from VestaCP in one click
The Panelica importer connects to your VestaCP server, discovers every site, then copies files, MySQL databases, Exim mailboxes, DNS zones and SSL certificates while preserving every password hash byte-for-byte. End users never reset a password. Migration is the only safe path off VestaCP.
Free forever. Really.
Use the full feature set for 14 days. After that, you keep one domain forever, free, with no credit card, no expiry, no degraded functionality. Move up to Professional ($4.99/mo) only when you outgrow it.
Real prices, verifiable on our pricing page. No hidden upgrades, no add-on fees, no account-based tiering.
About switching from VestaCP
Is VestaCP really dead?
Yes. The upstream Vesta project has been effectively unmaintained since 2018, after a supply-chain backdoor was discovered in its official installer. Multiple CVEs (RCE, command injection, privilege escalation, XSS) remain unpatched at the panel level. The PHP 8.x ecosystem has moved on and VestaCP cannot host modern PHP applications.
What happened to VestaCP in 2018?
An attacker compromised the official installer script and embedded a backdoor that exfiltrated credentials. Any server installed during the compromise window received the backdoor. The project lost maintainer attention shortly afterwards. HestiaCP forked the codebase, removed the backdoor and continues maintenance — but the original VestaCP codebase is not safe to install.
Can I migrate from VestaCP to Panelica?
Yes. Panelica's importer connects to your VestaCP server, copies files, MySQL databases, Exim mailboxes, DNS zones and SSL certificates while preserving SHA512-CRYPT email and MySQL password hashes byte-for-byte. End users never reset a password. Tested on Vesta 0.9.8-x servers.
What about HestiaCP, which forked VestaCP?
HestiaCP is a legitimate step up: maintained, the supply-chain issue fixed, and it covers the basics. If you want minimal change from the VestaCP UI, HestiaCP is the natural target. If you want 2026 architecture (Go + React 19 + cgroups + AI + mobile apps), Panelica is the natural target. Both are free.
Is the VestaCP backdoor still active on installations?
Servers installed during the compromised window in 2018 may still contain the backdoor. Even servers installed before or after that window may still be running unpatched 2018-era code with multiple open CVEs. The only safe assumption is that any production VestaCP server should be migrated and the source server treated as compromised.