When One Website Shouldn’t Be Able to Poison the Rest

At 040Hosting, we have always liked CloudLinux for a simple reason: it solves real hosting problems instead of inventing fashionable new ones. LVE makes noisy neighbours less of a problem. CageFS adds proper separation between users. It is practical technology, built for shared hosting providers who care about stability and security, not just marketing slides.

Now CloudLinux has introduced something that, frankly, should have existed much earlier: Isolates.

And yes, this one actually matters.

The problem nobody talks about enough

Traditional shared hosting isolation usually stops at the account level. That is already much better than the wild-west hosting setups of the past, but there has always been an awkward gap in the model.

What happens when one customer account contains multiple websites?

Think about the typical real-world setup: one main domain, a few addon domains, maybe a staging site, maybe an old forgotten project that still exists because “we might still need it someday”. Under the traditional model, those websites may live under the same account and therefore still trust each other far more than they should. CloudLinux Isolates is designed to change that by adding isolation between websites inside the same user account, not just between one account and another.

That is not a cosmetic improvement.

That is a real security boundary where one used to be missing.

Why this matters in the real world

In hosting, trouble rarely starts with the website you are proud of.

It usually starts with the one you forgot was still there.

An outdated WordPress test site. A staging copy with a plugin somebody stopped updating. A forgotten addon domain from three years ago. One weak site inside an account has often been enough to create risk for the other websites living next to it.

CloudLinux Isolates aims to contain that. CloudLinux says that if one isolated website is compromised, the attacker cannot access files belonging to the other websites in that same account. That is exactly the sort of containment shared hosting has needed for years.

In other words: one bad apple should no longer get a free tour through the rest of the basket.

This is where CloudLinux got it right

What I like about this feature is that it is not trying to replace common sense. It is reinforcing it.

CloudLinux already provided user-level isolation with CageFS. Isolates takes that one step further and adds per-site isolation within the same account. In the beta release, CloudLinux describes file system isolation per site, flexible activation, and use cases that include shared hosting, VPS environments with multiple sites under one account, and staging environments.

That fits reality.

A lot of customers do not want ten separate hosting accounts just because they run several domains. Agencies often keep multiple projects together. Developers use staging. Small businesses add extra domains over time. The hosting world is full of accounts that contain more than one site, and pretending those sites should all have blind trust in one another has never been a good idea.

It also makes sense operationally

Security is one part of the story. Support is the other.

CloudLinux explicitly says Isolates can reduce cross-site contamination, reduce support overhead, and improve platform stability. That sounds dry, but anyone who has ever had to help clean up a compromised multi-site account knows exactly why that matters.

When malware spreads from one site to another under the same account, cleanup becomes messier, slower, and more expensive. It also creates unpleasant conversations with customers, because suddenly the issue is no longer one vulnerable website. It is now three, or five, or twelve.

Containment matters.

Not because it sounds impressive in a feature list, but because it keeps one mistake from becoming a full account disaster.

There is more coming, and that matters too

CloudLinux is treating Isolates as a broader project, not a one-off trick. Their roadmap breaks it into three phases: per-site CageFS isolation, per-site PHP Selector, and later per-site LVE resource limits. Phase 2 is already in beta and adds per-site PHP Selector plus a two-step activation model where administrators can allow the feature and users can then enable isolation for specific domains themselves.

That is important, because good isolation is not only about file access. Real independence between sites also means flexibility in PHP versions, extensions, and eventually resource control.

That makes this feature more than a security patch.

It starts to become a more sensible model for multi-site hosting as a whole.

There are limits, because of course there are

This is beta, and beta means beta.

CloudLinux documents full support for LSAPI and CGI. PHP-FPM support is partial on supported versions. cPanel is supported today, while Plesk and DirectAdmin are listed for future releases.

So no, this is not yet the final perfect form of the feature.

But that does not make it unimportant. Quite the opposite. It means CloudLinux is moving in the right direction on a problem that hosting providers have had for a long time.

Why I think this deserves attention

The hosting industry has a bad habit of shouting about shiny things and whispering about useful things.

This is one of the useful things.

It does not come with the glamour of some overhyped “AI hosting assistant” or another empty dashboard buzzword. What it does offer is better internal separation between websites that were previously too close for comfort.

That is boring in the best possible way.

Boring security improvements are often the ones that matter most.

Final thought

At 040Hosting, we believe hosting should be built around sane decisions, not around hope. Hoping every site under one account stays equally secure forever is not a sane decision. Building real boundaries between those sites is.

CloudLinux Isolates is a step in exactly that direction: less blind trust, better containment, and a more mature way to handle multi-site hosting. It is still developing, yes. But the core idea is solid, and honestly, long overdue.

Because if one website gets into trouble, that should be one website’s problem.

Not an invitation for the rest to join it.