I am thinking about Debian jailkits to partition all the server applications, and I want to pass that thought along to the Hestia developers. For instance I have a setup that runs a untrusted messaging program inside a jail with the jail user sandboxed in to only that application and its libraries. Jailkit checks to make sure there are no configuration snafus that would enable a jail break.
Debian Jailkit make setting up secure chroot jails a breeze. Creation of jailed users and processes can be automated with about a half-dozen to a dozen lines of code for single-purpose jails.
For instance, exim can go in one jail, named/bind can go in another jail, nginx yet another jail, wordpress can be installed to a jail, a copy of mariadb or mysql can go in another jail just for that wordpress install, and each one with a separate unprivileged user granted permissions for its particular application and nothing else. You can get really paranoid with jailkit if you want, without a lot of additional complexity.
As long as nothing is put in the jail that would allow raising SUID it is virtually impossible for an attacker to break free from the jail or escalate privileges in the jail, unless someone put some really bad code or a misbehaving compiler inside the jail.