Security

Built-in security from server hardening to application isolation.

SSH Hardening & Access Control

The installer disables SSH password authentication by default, enforcing key-based access. Each site gets its own Linux system user with an isolated home directory and PHP-FPM pool, preventing cross-site contamination.

TLS Automation

LiteSoup integrates with Certbot to provision and auto-renew Let's Encrypt certificates. Four TLS modes give you flexibility: none for internal sites, self-signed for staging, Let's Encrypt for production, and custom for existing certificates.

PHP Isolation

Every site runs in its own PHP-FPM pool with a dedicated system user. This means a compromised WordPress plugin on one site cannot read files or access memory from another site on the same server. Pool tiers (small, medium, large, custom) let you control resource limits per site.

Infrastructure Security

The stack includes several security measures out of the box: Redis requires a password (stored in root-only file), MariaDB generates a random root password, Memcached listens on localhost only with UDP disabled, and the installer includes firewall and fail2ban configuration.