not sure where to post this but I've discovered a niggle problem when you install bulletproof security (for securing wordpress files via htaccess etc - really does a very good job as I'm already seeing on my server! https://wordpress.org/plugins/bulletproof-security/ The Installation process fails giving a PHP fatal error - a require once on path /var/www/mywebsite.com/web/.. that is not on the path when ISPConfig sets up a website. when you go in to the Options tab and add this manually (right after the /var/www/mywebsites.com/web entry) in the php open basedir - and save and restart http - problem solved and the installation proceeds just fine. Package really DOES lock down the folders that seem to be letting the nasties get onto the site - number of infections has plummeted on my server and the only remaining one is a false positive! good job all.
So this plugin tries to access a path outside of the web dir? The path /var/www/mywebsite.com/web/.. is basically /var/www/mywebsite.com and that's not the vhost web directory, a web application (especially a security application) should not rely on breaking out of its own vhost. If you want to allow websites to access files outside of the web directory, then change the default open_basedir path under System > Server config > web.
