Kernel Stack Setup
One-time

A production server
set up correctly.
From day one.

LiteSpeed, JetBackup, CloudLinux, Imunify360, and a correctly configured mail stack. Not a default install — a deliberate baseline that doesn't require cleanup later.

Starting price
$650
One-time · No recurring fee
Single server / single environment. Custom quote after scope review. VAT included.
LiteSpeed / LTS + baseline config: Web server installed and tuned — not left at defaults.
JetBackup + backup policy: Installed and configured with a documented retention schedule.
CloudLinux + Imunify360: OS-level account isolation and active malware/intrusion protection.
Mail stack (SPF / DKIM / DMARC): Correct DNS records and mail policy — so your email actually arrives.
Handover documentation: What was installed, what was configured, and why. Short and usable.
Licenses from your account: CloudLinux, Imunify, JetBackup licenses must be sourced by you. We configure.

Every layer, deliberate.
Nothing left at defaults.

Kernel Stack Setup is a complete production baseline for a single server. Here's what gets installed, configured, and documented.

01

LiteSpeed / LTS Installation

LiteSpeed Web Server installed and configured with baseline tuning — worker processes, memory limits, PHP handler, and initial cache rules. Not a click-and-forget install.
02

JetBackup + Backup Policy

JetBackup installed with a documented retention and scheduling policy. Backup destinations confirmed and tested. You know what's backed up, where it goes, and how long it's kept.
03

CloudLinux Manager

CloudLinux OS installed and CageFS configured for per-account isolation. Each hosting account runs in its own environment — a compromised account cannot touch others on the same server.
04

Imunify360

Active malware scanner, intrusion detection, and web application firewall. Configured with notification routing, not left at install defaults. Imunify is only useful when it's set up to act, not just alert.
05

Mail Stack — SPF / DKIM / DMARC

Mail service configured with correct DNS records published and verified. SPF, DKIM, and DMARC set up so your outbound email passes authentication checks and doesn't land in spam. Google Workspace setup available as an option.
06

Handover Documentation

A short, readable document covering what was installed, version numbers, what was configured and why, and what to watch going forward. Not a wall of commands — something the next person can actually use.

What's running,
and why each layer matters.

Every component has a specific role. Nothing is installed because it's popular — each layer solves a concrete problem in production.

01

LiteSpeed Web Server

Event-driven architecture handles concurrent connections at lower memory cost than Apache. Native LiteSpeed Cache integration eliminates the need for an additional caching layer for most WordPress setups.
Web
02
🐘

PHP (LTS) + MySQL / MariaDB

Current long-term support PHP version with per-account memory and execution limits. Database tuned for the workload — not generic shared pool settings applied to every account equally.
Runtime
03
🛡

CloudLinux + CageFS

OS-level account isolation. Each hosting account runs in its own "cage" — it can't read other accounts' files, can't see other processes, and can't consume more than its allocated resources. Standard shared hosting has none of this.
Security
04
🔍

Imunify360

Active malware detection, web application firewall, and intrusion prevention. Catches file-level infections, brute force attacks, and suspicious request patterns. Configured to act — not just log.
Security
05
💾

JetBackup

Scheduled backup system with remote destination support, granular restore (file, database, full account), and configurable retention. Backup policies documented — you know what's protected and for how long.
Backup
06
📬

Mail — SPF / DKIM / DMARC

Outbound mail authentication configured at the DNS level. SPF restricts who can send on your domain. DKIM signs messages cryptographically. DMARC tells receivers what to do with failures. All three required for reliable deliverability.
Mail
Single server, single environment
Kernel Stack Setup is scoped for one server and one environment. Multi-server setups or complex topologies are quoted separately — there's no ambiguity about what's covered.
Licenses sourced by you
CloudLinux, Imunify360, and JetBackup require licenses on your account. We install and configure — the license relationship stays with you. We'll tell you exactly what you need before we start.
Ongoing ops sold separately
Stack Setup is a one-time engagement. Ongoing managed hosting runs on Kernel Host. WordPress maintenance runs on Kernel Care. The stack we set up today becomes the foundation those services run on.
Need Redis on top? LiteSpeed Cache handles most WordPress caching without Redis. If your traffic pattern requires in-memory object caching, Kernel Boost adds Redis setup and tuning as a separate one-time engagement.

Email that doesn't
land in spam.

SPF, DKIM, and DMARC are not optional extras. A server without correct mail authentication will see its outbound email rejected or silently discarded — often without any error visible to the sender.

Without correct setup
Mail fails silently. You don't know until a client says they never got it.
  • No SPF record: Anyone can send email pretending to be your domain. Receiving servers see no policy and treat it as suspicious.
    dig TXT yourdomain.com
    ; no SPF record found
  • No DKIM signature: Messages arrive unsigned. No cryptographic proof that they came from your server. High spam score.
    DKIM-Signature: none
    Authentication-Results: dkim=none
  • No DMARC policy: Receiving servers have no instruction for what to do when authentication fails. Most default to accepting anyway — or silently dropping.
After Kernel Stack Setup
Authentication passes. Mail arrives. You can verify it yourself.
  • SPF published and verified: DNS TXT record defines exactly which servers are authorised to send on behalf of your domain.
    v=spf1 ip4:your.server.ip include:_spf.domain.com ~all
  • DKIM key generated and signed: Private key on the server signs outbound messages. Public key published in DNS for receivers to verify.
    DKIM-Signature: pass
    Authentication-Results: dkim=pass
  • DMARC policy active: Policy published telling receivers to quarantine or reject messages that fail SPF and DKIM. Reporting enabled so you can see authentication results.
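
One way to check the published records against the "after" state above. This is an added example, not part of the original page or of Kernel's own tooling; it lints TXT record strings you have already fetched (for example with dig), and the function names and sample records are constructed for illustration.

```python
import re

# Terms that cost a DNS lookup during SPF evaluation (RFC 7208 limit: 10).
LOOKUP = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))", re.I)
ALL = re.compile(r"^([+\-~?]?)all$", re.I)

def lint_spf(txt_records):
    """Findings for the SPF policy among one domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers return permerror"]
    terms, findings = spf[0].split()[1:], []
    alls = [m for m in map(ALL.match, terms) if m]
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if not alls and not has_redirect:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif alls and alls[0].group(1) in ("", "+"):
        findings.append("'+all' authorises any sender")
    elif alls and alls[0].group(1) == "?":
        findings.append("'?all' is neutral: unlisted senders are not restricted")
    if sum(1 for t in terms if LOOKUP.match(t)) > 10:
        findings.append("more than 10 DNS-lookup terms: receivers return permerror")
    return findings

def lint_dmarc(record):
    """Findings for the TXT record at _dmarc.<domain> (None if absent)."""
    if not record:
        return ["no DMARC record published"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["record is not a valid DMARC1 record"]
    findings = []
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("policy is not quarantine or reject: receivers are not asked to act")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not sent")
    return findings

if __name__ == "__main__":
    # Constructed sample records (documentation address and domains).
    print(lint_spf(["v=spf1 ip4:192.0.2.10 include:_spf.example.net ~all"]))
    print(lint_dmarc("v=DMARC1; p=none"))
```

An empty list from both functions corresponds to the "after" column: one SPF record ending in a restrictive "all", and a DMARC policy of quarantine or reject with reporting enabled.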

A default cPanel install
is not a production environment.

Most servers ship with sane defaults for a reason — they work for the average case. Production hosting is not the average case. Here's what's missing out of the box.

Default server install
  • No account isolation: All accounts on the server share the same OS namespace. A vulnerable site can read files from other accounts.
  • No active malware protection: Imunify is not included by default. Infections go undetected until they cause visible damage or get flagged by a visitor's browser.
  • Backup strategy undefined: cPanel's built-in backup is often misconfigured, stored locally (not useful for server failure), and not tested for restore reliability.
  • Mail records missing or wrong: SPF, DKIM, and DMARC require deliberate DNS configuration. Not done by default. Not verified automatically.
  • No handover documentation: The person who set it up knows what they did. When they're gone, so is that knowledge.
vs
Kernel Stack Setup
  • CloudLinux CageFS isolation: Every account runs in its own cage. Resource limits enforced. File system visibility restricted. Standard on Kernel Stack.
  • Imunify360 active and configured: Malware scanner, WAF, and intrusion detection running — configured to act on findings, not just log them.
  • JetBackup with documented policy: Remote backup destination, tested restore path, retention schedule documented. You know exactly what's protected.
  • SPF / DKIM / DMARC verified: All three DNS records published and confirmed. Authentication passes on setup day — not weeks later after diagnosing delivery failures.
  • Written handover documentation: Everything documented — versions, configuration decisions, what to watch. Readable by the next person who has to manage this server.

What's covered.
What's quoted separately.

Kernel Stack Setup is a single-server, single-environment engagement. Here's the exact boundary.

Included
  • LiteSpeed / LTS installation + baseline config
  • JetBackup installation + backup policy documentation
  • CloudLinux Manager + CageFS configuration
  • Imunify360 installation + configuration
  • Mail service setup (SPF / DKIM / DMARC)
  • Google Workspace basic setup (optional)
  • Handover documentation
Not included / quoted separately
  • CloudLinux / Imunify / JetBackup licenses (your account)
  • Multiple servers or environments
  • Complex multi-server or load-balanced topologies
  • Redis / object cache setup (→ Kernel Boost)
  • Ongoing managed hosting (→ Kernel Host)
  • WordPress maintenance (→ Kernel Care)
  • Site migration (→ Kernel Deploy)
Licenses stay with you. We'll confirm exactly which licenses you need and at what tier before work begins — no surprise costs mid-engagement.

Build on a foundation
that holds.

Send us your current setup — panel, OS, what's already installed — and we'll confirm scope, what licenses you need, and what the engagement looks like.

One-time engagement · Single server / single environment · Licenses sourced by client