I would like to suggest that Cloudways publishes an article or other document that describes how Cloudways maintains, patches, updates servers and secures them.

The intent is not to disclose details that puts security at risk but instead demonstrates the value Cloudways is providing in the area of helping its customers maintain a secure server and application environment.

Information should include frequency of update / patch deployment, frequency of security scans for malware / unauthorized access, firewall ports and services that are open especially those for inbound traffic from the Internet, intrusion protection mechanisms, transparency reports for government information requests and legal processes, etc..

This kind of information will help Cloudways demonstrate value being provided. And, it would be helpful for devs, webmasters, and agencies too ... especially when evaluating Cloudways or building solutions / offerings on servers managed via the Cloudways service.

It will also be helpful to those who strive to document our own security practices.

I am a Cloudways customer, and right now what Cloudways provides and does in the realm of security is a big "black box" that offers no details or documentation of such to its customers or prospective customers.

Like I said, a suggestion ... which I believe is a good one.

So here my suggestion for a better backup scheme. Do something like keeping:
= 1 - 3 monthly backups
+ 3 weekly backups
+ 4 - 6 daily backups
This way a longer period is covered without increasing the space required for backups. You can try keeping it at 8, although 12 would be ideal as it will cover last 3 mo, last 3 wk, and last 6 days.

Other suggestions:
- Allow to choose the time of day to do backup so it won't slow down the server during busy hours.
- Allow to choose external backup destination like S3, Dropbox ... so you don't have to worry about space. Of course you need to create a way for us to be able to recover a full server from a backup too.

===========================================
Current backup as it says on https://support.cloudways.com/how-to-backup-my-server/

"Note about backup retention:
We keep eight days worth of backups (this is a fixed setting that you can’t change)...
How many backups this includes, depends on the backup frequency that you have set:
- If you have set frequency to daily (default), we will keep eight backups (one per day for the last eight days).
- If you have set frequency to seven days (weekly), we will keep just one backup."

I was considering setting it to every 2 days thinking that I'd have 16 days more or less covered. Or weekly to have 8 weeks worth of backups. But according to your article I would only end up with 1 weekly backup. So why not retain 8 backups no matter what the interval was set as?
I also don't see the value of hourly backups if only 8 are kept.

However, in the end, none of these make a good backup scheme.

When a website is SSL secured (https) it is recommended to have redirect rules in place which enforce https (redirect http to https) and of course redirecting to one version (www vs non-www).

It appears that the Let's Encrypt Auto-Renewal does not work. It will fail saying there are htacces rules restricting it from working. I am not sure if this is an issue for Cloudways to fix, or Let's Encrypt.

In either case, the solution provided by Cloudways support is to:
1. Temporarily rename your .htaccess (so it is not in effect)
2. REVOKE your Let's Encrypt Certificate
3. Install a new Let's Encrypt Certificate
4. Revert the name of your .htaccess (so it is back in effect)
(note, even if you remove your .htaccess in step 1, the manual "Renew Now" will say it worked, but it will not work, the old certificate will remain)

I would like to think there is a long term solution whereby the auto-renew will work. Especially since these redirect rules should in fact be in place (if you are not redirection all variants of your website to a single variant, you do not have your site setup correctly).

Is there some way for this to be resolved?