Godaddy Cloud Servers are about the same price as DigitalOcean and already provide DDOS protection by default. This information is something you will find if you call them for it's not listed on their website.

Applications on the same server currently have write access to each others' files by default, which is an unnecessary security risk. For example, if you have multiple Wordpress applications on the same server and one gets compromised, the hacker could also compromise any other applications on the same server. If possible, it would be worthwhile to at least have the option to lock down file write access on a per application basis. I believe you already have apache running under separate users for each application, so this might be as simple as disabling the www-data group permissions.

Two factor authentication is important but at the moment I don't really feel I have this option.

Please add SMS as an option for two factor authentication.

I prefer SMS as a two factor authentication method.

I don't really want to use google authentication anymore as I just had the IOS app lose all the settings. Plus I find it more cumbersome than SMS.

Thanks!

Code Guard provides incremental backup where I can roll back as far as I like.
Critically, they also provide an alert if a file has changed which allows me to investigate if it's something I wasn't expecting.
All they need is SFTP and database access but for some reason this is not being allowed by Cloud Ways. In chat I was told that "custom changes" to the server were not allowed.

Please could you find a way to keep up-to-date with Drupal core security updates (eg. current 7.38 has a critical security flaw). It's a PITA to get a security email immediately on install and have to go in and update. Isn't there a way to pull the latest secure core as part of your install process?

Thanks, Neil

It would be good if there was an option not to run Apache as the same user as SSH / file owner. That way it would be possible to make files & folders read-only as far as the server / PHP is concerned.

The 2 factor authentication is a great feature! You might even get more users on board if there could be an option to receive a text instead of a message through Google Authenticator (ease of use).

A simple button to turn ssh on and off, ssh can be turned off until the admin needs to use it so it adds an additional level of security straight on the dashboard. Thanks

Would like to see official statement on how Cloudways has implemented OWASP guidelines, ref: https://www.owasp.org/index.php/Top102013-Top_10

I would like to have the capability to permit connections to my website only from my country. The site is on our local language and there is little to no reason to permit connections from other places (aside from Google robots).

Vendors (magento) recommend changing the control panel name from "admin" to something else, it would be great if you can provide an edit facility so we can modify the admin URL so that we can launch the control panel from within cloudways as it only permits the default control panel name.