Please advise about specific measures did you take regarding Spectre and Meltdowns recent announced threats in order to give a word of trust to our final customers

It seems logical that updating the password for MYSQL ACCESS in the Cloudways Application Management Access Details would also update the wp-config.php for that application to reflect the new password. But it does not?

Please allow users to insert special characters to change cloudways account password. because a password is used as security gate to enter into any account so it's very essential thing for every Cloudways user to set A Strong Password..

The areas for passwords: Master Credentials, MySQL Access, and Application Credentials are different. It makes it difficult to use a password manager's generator.

It would be great to have some visual reminder on every page of your App settings that SSH is turned on with a simple button to disable it.

Even better would be option to "Turn On for 1 Hour" or something like that so it automatically shuts off without you having to remember to shut it off.

Let's encrypt supports IDN (Internationalized domain name), domain names with accented characters. However Cloudways implementation does not support Let's Encrypt with IDN,. Please update the Cloudways code

The autorenewal of SSLs doesn't work. I know you're working on it. But to minimise the down time could you at least notify by email before the SSL expires so we can quickly act on it and manual renew?

Alternative 2 factor authentication. Currently you only support smart phone app.

Cloudways should allow their users to connect to their databases with the MYSQL GUI of their choice. I was unable to use MySQL Workbench and Cloudways support essentially told me they couldn't help me because the tech believed there was an incompatibility with the OSX version and the Cloudways server. So I'm stuck using the Cloudways interface, which is not nearly as powerful as Sequel Pro.

Duo is a great platform for two-factor authentication and already supported by a great number of platforms. It would be very nice if it would also be supported by Cloudways.

Add a securi site scan bundle for an extra $5 per month for a scan and report every 24 hours

Instead of only scanning bar code, I would request you to add sms msg for this as all smartphones are not supportive. Thanks

Godaddy Cloud Servers are about the same price as DigitalOcean and already provide DDOS protection by default. This information is something you will find if you call them for it's not listed on their website.

Applications on the same server currently have write access to each others' files by default, which is an unnecessary security risk. For example, if you have multiple Wordpress applications on the same server and one gets compromised, the hacker could also compromise any other applications on the same server. If possible, it would be worthwhile to at least have the option to lock down file write access on a per application basis. I believe you already have apache running under separate users for each application, so this might be as simple as disabling the www-data group permissions.

Two factor authentication is important but at the moment I don't really feel I have this option.

Please add SMS as an option for two factor authentication.

I prefer SMS as a two factor authentication method.

I don't really want to use google authentication anymore as I just had the IOS app lose all the settings. Plus I find it more cumbersome than SMS.

Thanks!

Code Guard provides incremental backup where I can roll back as far as I like.
Critically, they also provide an alert if a file has changed which allows me to investigate if it's something I wasn't expecting.
All they need is SFTP and database access but for some reason this is not being allowed by Cloud Ways. In chat I was told that "custom changes" to the server were not allowed.

Please could you find a way to keep up-to-date with Drupal core security updates (eg. current 7.38 has a critical security flaw). It's a PITA to get a security email immediately on install and have to go in and update. Isn't there a way to pull the latest secure core as part of your install process?

Thanks, Neil

The 2 factor authentication is a great feature! You might even get more users on board if there could be an option to receive a text instead of a message through Google Authenticator (ease of use).

Would like to see official statement on how Cloudways has implemented OWASP guidelines, ref: https://www.owasp.org/index.php/Top_10_2013-Top_10