1) Please check: config.lib.php, Line 535
It displays the user password in the logfile...

2) I think it would be a great idea to have an option to include open_basedir in clients' vhosts. From php.ini:

; open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file.

From what I understand, it could prevent a malicious script from reading file contents outside the directory configured for the client in the vhost. Great!

3) Change index.php to be first by default in:

DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm

Hey Till, I'm sorry for not sending the CMS manager yet, but I have been doing some homework, and I will modify plenty of code before sending it.

Cheers!
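
What items 2 and 3 of the post above would look like in a client vhost, as an added example that is not part of the original post and not the project's own generated configuration. It assumes PHP runs as an Apache module (so the php_admin_value directive is available); the hostname and all paths are hypothetical placeholders.

```apache
# Constructed example: hostname and paths are hypothetical placeholders.
# The two blocks are alternative versions of one vhost, not meant to be
# loaded together.

# Before: PHP scripts of this client can open any file that the web
# server user is able to read, including other clients' directories.
<VirtualHost *:80>
    ServerName client1.example.com
    DocumentRoot /var/www/client1/web
</VirtualHost>

# After: PHP file operations are confined to the client's own tree.
<VirtualHost *:80>
    ServerName client1.example.com
    DocumentRoot /var/www/client1/web

    # php_admin_value (unlike php_value) cannot be overridden from
    # .htaccess or ini_set(), so the client cannot widen the restriction.
    php_admin_value open_basedir "/var/www/client1/web/:/var/www/client1/tmp/"

    # Uploads and sessions write temporary files. If these directories lie
    # outside open_basedir, uploads and sessions break, so keep them in an
    # allowed, per-client path rather than a shared /tmp.
    php_admin_value upload_tmp_dir "/var/www/client1/tmp"
    php_admin_value session.save_path "/var/www/client1/tmp"

    # Item 3 of the post: the same list with index.php moved to the front.
    DirectoryIndex index.php index.html index.htm index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
</VirtualHost>
```

open_basedir only restricts PHP's own file functions; programs started from PHP through shell execution functions are not bound by it, so file permissions between client directories still matter.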