Author Topic: Is CWP still maintained?  (Read 171 times)

Is CWP still maintained?
« on: October 07, 2025, 02:38:21 PM »
Hello,

I have a PRO license of CWP and I have submitted several tickets in the past concerning Varnish not working with AlmaLinux 9. The initial one was in February 2025 and the last one in September 2025.

AlmaLinux 9 is mentioned as supported by CWP, and while I understand that it takes time to deal with everything CWP, it is very hard for me to understand 10 months now and no change in the Varnish status.

Secondly, ConfigServer Services has announced the end of support for CSF as of 31st of August 2025 clearly stating that:
In order to continue using any of our commercial software after the 31st of August, you must have updated the software to the latest version.
If you did not update the software, any of our commercial software products will cease to function and cannot be reactivated once the download and license servers are shut down.
This time had passed with no reaction from the CWP team, again.

My question to the CWP team is: are you still maintaining it? As, by the looks of it, you don't.

Thank you.
P.S. Link to the ConfigServer Services (CSF) announcement: https://configserver.com/announcement/

Re: Is CWP still maintained?
« Reply #1 on: October 07, 2025, 02:44:15 PM »
On 28/08/2025 I sent a ticket to support:
"Since CSF will no longer be updated, is there any alternative for CWP? Since there is no firewall directly in the CWP (only the CSF integration), this can have big downsides for the panel.
Announcement here: https://configserver.com/announcement/"

The response:
"Hello.
Yes, we know about the issue.
Regards,"

Indeed, the lack of communication is concerning.
And CWP appears even more unmaintained to this point. Nothing really is "new".

And don't forget a pretty bad security issue, that was never explained: https://forum.centos-webpanel.com/centos-webpanel-bugs/critical-multiple-cwp-servers-infected-arbitrary-php-code-execution-via-publ/

This happened, and no, it is not an issue with the websites or WordPress on the server. It was an issue with CWP that was never publicly confirmed by the team, and was fixed silently with the updates.

The lack of communication is concerning, and the lack of new updates is also concerning.

Maybe it is better to start looking for alternatives, because CWP appears every single day more "dead".


Re: Is CWP still maintained?
« Reply #2 on: October 07, 2025, 03:07:10 PM »
CWP is not dead, was just updated 2 days ago. The security issue was fixed within days and is a non-issue now (but each admin should inspect their servers to ensure there was not a compromise). The ConfigServer team surprised the world by only giving 30 days notice before closing up shop. It is now GPLv3 licensed, so development can continue or it could be forked. There are guides on updating CWP to use the open source version, but probably the best course is to hold tight and wait to see which direction CWP pursues and keep your kit mainline without deviating too far.

The dev team could certainly increase in communication, but it is still a solid product -- I run multiple servers under it. Far better value proposition than cPanel, for sure!

Re: Is CWP still maintained?
« Reply #3 on: October 07, 2025, 09:16:02 PM »
That doesn't solve the issue.
Just because an update was "launched" two days ago, that doesn't say much. Where is the changelog, what changed, do you know?
For all you know, it could just be a "minor" bump in the version number...

And the security issue, yes, was solved in days... without any information. Not even a single post from the team to confirm that it existed - and you can see that in the topic. There are still people who think it was because of something in WordPress or some website on it...

The lack of communication IS a problem. The lack of new features is a problem, there is no confirmation about what is going on, the road map, nothing...

Re: Is CWP still maintained?
« Reply #4 on: Today at 12:38:30 AM »
CWP is still going and is alive.

As mentioned by @overseer, 0.9.8.1218 was just released on 2025-10-06, and 0.9.8.1217 was on 2025-09-22.
These were both bug fixes.

It is noted that AL9 is in beta with CWP.

Never quite understood the whole Apache/Nginx/Varnish thing.
If you have a fast enough server and connection, just plain 'ol Apache works fine, and without any complicated setup/config.

You can try posting your problem at https://www.alphagnu.com/

The PHP issue is with a PHP bug and has nothing to do with CWP.
Most of the servers where the attack went through were running CentOS 7.
If you have your PHP configured correctly, and updated, you should be fine.

For your CSF questions, see: https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/csf-firewall-error-oops-unable-to-download-no-host-option-provided/

But if you're not happy with CWP, maybe cPanel would suit your needs better.

Re: Is CWP still maintained?
« Reply #5 on: Today at 12:54:55 AM »
On 28/08/2025 I sent a ticket to support:
"Since CSF will no longer be updated, is there any alternative for CWP? Since there is no firewall directly in the CWP (only the CSF integration), this can have big downsides for the panel.
Announcement here: https://configserver.com/announcement/"

The response:
"Hello.
Yes, we know about the issue.
Regards,"

Indeed, the lack of communication is concerning.
And CWP appears even more unmaintained to this point. Nothing really is "new".

And don't forget a pretty bad security issue, that was never explained: https://forum.centos-webpanel.com/centos-webpanel-bugs/critical-multiple-cwp-servers-infected-arbitrary-php-code-execution-via-publ/

This happened, and no, it is not an issue with the websites or WordPress on the server. It was an issue with CWP that was never publicly confirmed by the team, and was fixed silently with the updates.

The lack of communication is concerning, and the lack of new updates is also concerning.

Maybe it is better to start looking for alternatives, because CWP appears every single day more "dead".

CWP didn't have anything to do with ConfigServer closing down.
And there is nothing else on the market like CSF/LFD.

But v15.00 works fine, and will continue working.
After all the years, CSF pretty much doesn't need any updates. Which is good.

Again, the PHP Injection Attack, had nothing to do with CWP.
But happened to older servers that were not updated and their PHP hardened.

PHP Injection Attacks are common by script kiddies. And just don't happen to CWP.
GoDaddy's servers are constantly getting hacked, which are using Amazon AWS. lol

There are several articles out there on how to secure your php.ini config.

Re: Is CWP still maintained?
« Reply #6 on: Today at 06:23:49 AM »
But if you're not happy with CWP, maybe cPanel would suit your needs better.
I don’t think going with a black-and-white mindset is the best way forward. Like I said, CWP isn’t “freeware,” no matter what the price tag is. If we keep thinking cheap means bad or that low cost equals poor communication, then we might as well shut things down and move on.

Your posts, @Starburst, basically prove my point about CWP’s communication. It’s been the community doing the talking and dealing with issues—not the CWP team.

Sure, being a sysadmin means reading a lot and keeping up with updates, but if you’re paying for a product, you expect certain things—like being kept in the loop about what’s happening with the platform that’s supposed to protect your business and income.

Big thanks, @Starburst, for the CSF fix here:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/csf-firewall-error-oops-unable-to-download-no-host-option-provided/
Kinda bittersweet though—since this should’ve already been taken care of by CWP themselves.

Re: Is CWP still maintained?
« Reply #7 on: Today at 02:36:16 PM »
Kinda bittersweet though—since this should’ve already been taken care of by CWP themselves.

And that is the point.

@Starburst
No one is saying that the CSF closure was CWP's fault... makes no sense...
What I was saying is that CWP is not providing clear information about anything. And you are proving that.

Again: yes, there was an update recently in CWP. But do you know what was updated? I bet you can't provide anything that confirms WHAT has been updated, besides the version number in your panel. That IS the point.

The vulnerability in CWP. No one talks about it? Let it go under the rug in silence?
That is NOT how the development of a control panel should go... I still don't see ANY information about it. Yes, it was patched, but it was silently patched - that is worrying.

And the plans for CSF... you are proving my point there again.
Yes, the guides can be great, but they are NOT from the CWP team itself, they are from a third party. It is concerning when it is a third party that must start to provide information about basic things, and not the developers of the control panel itself.

And even more, your guides can help... but do we know you? Who are you exactly?
You are providing guides to make critical changes in our systems, that some people without knowledge follow... and yes, they could work. But your guides provide your own mirrors, with your own code in the mix.
How do we know that we can trust you and your code?

Some people will follow your guides, without knowing what they are doing.
And you can be a great person, don't get me wrong. You appear to be here to help... but we are on the internet....

I look at your guides, and they are ok - but I would be worried about using code that is on an unknown mirror. Would it be better if the CWP team provided those instead? Yes, it would, because at least CWP we know...



Re: Is CWP still maintained?
« Reply #8 on: Today at 02:41:11 PM »
Again, the PHP Injection Attack, had nothing to do with CWP.
But happened to older servers that were not updated and their PHP hardened.

PHP Injection Attacks are common by script kiddies. And just don't happen to CWP.
GoDaddy's servers are constantly getting hacked, which are using Amazon AWS. lol

There are several articles out there on how to secure your php.ini config.

That is NOT true.
The issue WAS a vulnerability in CWP. It is NOT the users' fault.

https://fenrisk.com/rce-centos-webpanel
https://gbhackers.com/centos-web-panel-vulnerability/

So no, it wasn't the users' fault. It WAS a vulnerability in CWP.