We handle a couple of sites every week where the user had an old installation of Wordpress, hidden on a subdomain on a separate folder. Which leads to the whole account being removed/hacked etc. This is quite bothersome as well because there is a lot of sensitive stuff in the users homedir, just as an example, the /ssl folder or /mail. We had an idea, where maybe we could through .htaccess/.user.ini control which folders lsphp could access, to go even further, maybe even split read/write, in good cases the users actually know what they are doing and they update the site through ssh, and only allow volatile material through update folders. Have you thought about such a control, is it feasible?