
How to create and secure a WordPress website

Making a WordPress site [05] Hosting setup and SSL

Updated: 04/05/2020.

In the previous posts in the series we have prepared the ground. Now, having chosen and registered a domain name, it is time to put it all together on a hosting account: installing SSL/TLS certificates and making the other recommended hosting account settings before installing WordPress.

Contents:

  1. Registering a domain and opening a hosting account
  2. Setting up nameservers
  3. Installing SSL/TLS certificates
  4. Basic setup of the hosting account
    4.1. Enabling the display of hidden files in file manager
    4.2. PHP setup
    4.3. Enabling basic caching
    4.4. Hotlink protection
    4.5. Basic protection
    4.6. Email setup
    4.7. Creating database and user
    4.8. Cloudflare Railgun integration


1. Registering a domain and opening a hosting account

We have chosen a domain for our project, 4roomsescape.com, and registered it with Porkbun (affiliate link). The second post in the series explains how to register a domain and protect the registrar account with 2FA.

Next thing is opening a hosting account for the website. For this I used one of my reseller hosting accounts with HostMantis.

Picture 1: Creating a new account in WHM

The options are rather straightforward: you are asked to enter a domain name, contact email, password, resource package etc. One post explains how to create users and packages in WHM (for cPanel), while another explains reseller account setup with DirectAdmin.

You can opt for shared hosting, where you get only one account (one website doesn’t need more than one anyway).


2. Setting up nameservers

Your hosting provider should give you the nameservers to use with the account. Since I’m using reseller hosting with my own custom nameservers, I could set up something like ns1.bikegremlin.com and ns2.bikegremlin.com. Still, since for this project we’ll be using Cloudflare, we’ll use their nameservers. I explained in another post how to set up Cloudflare with a WordPress website.


3. Installing SSL/TLS certificates

Since we are using Cloudflare, before attempting to install SSL/TLS certificates, we will first set Cloudflare DNS to “DNS only” (grey cloud). Now on to installing certificates.

For this I also wrote two posts, one explaining how to install SSL/TLS certificates in cPanel and another explaining the SSL/TLS certificate installation in DirectAdmin.

Now we should set Cloudflare DNS back to “Proxied” (orange cloud).


4. Basic setup of the hosting account

I’ll explain the procedure using cPanel, though the principle is the same for DirectAdmin as well. First you should log in to cPanel. I wrote a DirectAdmin vs cPanel review explaining the differences, pros and cons.

Picture 2: cPanel login screen


4.1. Enabling the display of hidden files in file manager

The first thing I always do is enable the display of hidden files in the file manager.

Picture 3: Select “File Manager” from cPanel main menu


While DirectAdmin shows hidden files by default, with cPanel this needs to be set up:

Picture 4: Showing hidden files in cPanel’s file manager


4.2. PHP setup

Depending on the hosting provider’s setup, in the main menu you will choose either “MultiPHP Manager” or “Select PHP Version”. The main difference is that the first one lets you choose the PHP version for each domain and subdomain, while the second one lets you choose which PHP extensions you wish to install.

Picture 5: MultiPHP Manager options
Picture 6: PHP Selector options

For this project PHP 7.3 was chosen. PHP 7.4 is still not stable/tested enough, while there’s no need to go with a version below 7.3 in year 2020.

PHP extensions necessary for everything to work on my websites are the following:

apcu, bcmath, dom, enchant, fileinfo, gd, imagick, imap, intl, ioncube_loader, json, mbstring, redis, mysqlnd, nd_mysqli, opcache, pdo, pdo_sqlite, phar, posix, soap, sockets, tidy, timezonedb, wddx, xmlreader, xmlrpc, xmlwriter, xls, zip.

Basically, it’s best to exclude everything that isn’t needed.


4.3. Enabling basic caching

In cPanel main menu, click on “Optimize Website”.

Picture 7: Enabling basic text content compression


4.4. Hotlink protection

There are websites that will use your pictures, not by copying them to their server, but by linking to your server from within the HTML code of their pages. This causes extra load on your server, which in practice ends up serving another website. This is called hotlinking.

This can be prevented. Though you should bear in mind that if you prevent hotlinking, you too won’t be able to embed images from your website on various forums, or within HTML emails.

In cPanel, it is easily done using “Hotlink Protection” option from the main menu.

Picture 8: Enabling hotlink protection in cPanel


For those using DirectAdmin, open its file manager and go to:
home/user/domains/domain_name/public_html

There you should create a .htaccess file (unless one exists already) and add the following code in it (of course, 4roomsescape.com should be replaced with your domain name):

RewriteEngine on

# Allow requests that carry no Referer at all (direct visits, browsers or proxies that strip it)
RewriteCond %{HTTP_REFERER} !^$
# Allow the site itself, with or without www, over http or https. Dots are escaped and the
# pattern is anchored at both ends, so a look-alike host such as 4roomsescape.com.example fails.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?4roomsescape\.com(/.*)?$ [NC]
# Any other Referer asking for an image is redirected to the home page instead of getting the file
RewriteRule \.(jpg|jpeg|gif|png|bmp)$ https://www.4roomsescape.com/ [R,NC,L]

Now we will do one more thing. To still be able to share the images we want to share, we will create a subdomain “sharing.4roomsescape.com”.

In the file manager, create a directory where the subdomain’s files will be stored. This is best done in the root directory of your hosting account. We created “sharing_public_html”.

Choose “Subdomains” option in the main menu.

Picture 9: Creating a subdomain in cPanel

As picture 9 shows, you must choose a subdomain name and the directory where its files will be stored.

After you have finished setting up the subdomain, make sure to add it to Cloudflare’s DNS (if using it), “gray cloud” it, install SSL/TLS certificates, then switch it to “orange cloud”. This is the same principle as explained in chapter 3.


4.5. Basic protection

Add the following code to the .htaccess files for the domain (and for the subdomain, if it’s used):

# GREMLIN (custom) CHANGES

# directory listing protection
Options -Indexes

# the Header directives need mod_headers; the guard avoids a 500 error if it is not loaded
<IfModule mod_headers.c>
    # MIME sniffing protection
    Header set X-Content-Type-Options nosniff

    # XSS protection (legacy browser filter; current browsers ignore this header)
    Header set X-XSS-Protection "1; mode=block"
</IfModule>

# END OF GREMLIN (custom) CHANGES

I wrote on this in more detail in the post: securing a WordPress website – we’ll deal more with this after we have built our website.

We should also add redirection to HTTPS, so the following code should be added to the domain’s .htaccess as well:

# GREMLIN CHANGES BEGIN
RewriteEngine on
# redirect if the request did not come in over HTTPS ...
RewriteCond %{HTTPS} !on [OR]
# ... or if the requested host does not start with "www."
RewriteCond %{HTTP_HOST} !^www\.
# ... to the canonical https://www. address, keeping the requested path
RewriteRule (.*) https://www.4roomsescape.com%{REQUEST_URI} [L,R=301]
# GREMLIN CHANGES END

While the subdomain’s .htaccess file should get this added:

# GREMLIN CHANGES BEGIN
RewriteEngine On
# redirect if the request did not come in over HTTPS ...
RewriteCond %{HTTPS} off [OR]
# ... or if someone asked for www.sharing.4roomsescape.com (the dot must be escaped)
RewriteCond %{HTTP_HOST} ^www\. [NC]
# ... to the canonical subdomain address; NE leaves already-encoded characters untouched
RewriteRule ^ https://sharing.4roomsescape.com%{REQUEST_URI} [L,NE,R=301]
# GREMLIN CHANGES END

This is explained in more detail in the post about website redirections.
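As an added check that is not part of the original post, the following Python script verifies from outside the server that the hotlink rules from 4.4 and the headers and HTTPS redirect from 4.5 actually took effect, and it models the Referer allow-list so you can see exactly what those rules accept. The domain, the image path and the foreign referer host are assumptions; replace them with your own.

```python
import re
import urllib.error
import urllib.request

DOMAIN = "4roomsescape.com"               # domain used in the post; replace with yours
IMAGE = "/wp-content/uploads/sample.jpg"  # assumed path of any image on the site

# The allow-list the RewriteCond lines express: the site's own host, with or without www,
# http or https, anchored so that a look-alike such as 4roomsescape.com.example fails.
OWN_REFERER = re.compile(rf"^https?://(www\.)?{re.escape(DOMAIN)}(/.*)?$", re.I)

def referer_allowed(referer: str) -> bool:
    """Mirror of the hotlink rules: True means the image would be served."""
    return referer == "" or OWN_REFERER.match(referer) is not None

def fetch(url: str, referer: str = ""):
    """GET url without following redirects; return (status, lower-cased headers)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # turn a 3xx into HTTPError instead of following it
    req = urllib.request.Request(url, headers={"Referer": referer} if referer else {})
    try:
        resp = urllib.request.build_opener(NoRedirect).open(req, timeout=10)
        return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v for k, v in e.headers.items()}

def https_redirect_ok(status: int, headers: dict, domain: str = DOMAIN) -> bool:
    """Section 4.5: http:// and non-www requests must 301 to https://www.<domain>/."""
    return status == 301 and headers.get("location", "").startswith(f"https://www.{domain}/")

def security_headers_ok(headers: dict) -> dict:
    """Section 4.5: the two headers set through mod_headers."""
    return {"nosniff": headers.get("x-content-type-options", "").lower() == "nosniff",
            "xss": headers.get("x-xss-protection", "").startswith("1")}

def audit(domain: str = DOMAIN) -> dict:
    """Run the 4.4 hotlink and 4.5 redirect/header checks live; returns name -> passed."""
    site = f"https://www.{domain}"
    plain = fetch(f"http://{domain}/")
    home = fetch(f"{site}/")
    foreign = fetch(f"{site}{IMAGE}", referer="https://evil.example/page.html")
    own = fetch(f"{site}{IMAGE}", referer=f"{site}/")
    return {"https_redirect": https_redirect_ok(*plain),
            "hotlink": 300 <= foreign[0] < 400 and own[0] == 200,
            **security_headers_ok(home[1])}

if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run it with Cloudflare’s SSL mode set to Full (strict): with Flexible mode the origin receives plain HTTP, so the HTTPS redirect in .htaccess loops. Connection failures are raised as exceptions rather than reported as FAIL lines.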


4.6. Email setup

Of course, we should also set up email(s). Since I already wrote about this at great length, I will just give links to those posts:


4.7. Creating database and user

Again, so I don’t repeat myself:


4.8. Cloudflare Railgun integration

At the time of writing this, DirectAdmin still doesn’t support Cloudflare Railgun integration. If you are using cPanel hosting, with a provider that offers it, you will be able to activate Railgun.

What is this good for? The advantage of Railgun is that remote visitors get a faster connection to the hosting server. The downside is that most of Cloudflare’s CDN options are bypassed when using Railgun. Hence: the more large images (and/or videos) a website has, the better off it is without Railgun, while the more it relies on database connections (order verification, comments etc.), the more Railgun helps. It’s a tradeoff; test and see what works better for your website.

If you wish to activate Cloudflare, choose that option from cPanel’s main menu.

Then you will be asked for your Cloudflare account’s username and password.

After that, click on a house icon “Home” and enable Railgun.

Picture 10: Activating Cloudflare Railgun from cPanel

Now go to the Cloudflare website, log into your account and test whether Railgun works.

Picture 11: Click on “Speed” option in the main menu, then click on “Optimization”


Scroll down until you see Railgun options, then click on “Test”.

Picture 12: Cloudflare Railgun configuration options


If all was properly set, you should see something like this:

Picture 13: Successful run of Cloudflare Railgun test


That’s about it. We are now ready to install WordPress. Of course, when developing, it’s best to do it locally and/or on a “working account”, then when it’s all done and tested, migrate the website to the domain.

Of course, don’t forget the most important thing – backups!
