Using WordPress on cPanel: A Few Tips
WordPress is a popular and highly functional content management system written in PHP. The following are some tips on using and maintaining it effectively and safely:
- WordPress can be hosted in many different scenarios, but the most common and simplest is so-called cPanel hosting. cPanel is a hosting product combining web, domain and email hosting, and is offered by many hosting providers. Using cPanel for hosting provides a consistent and reliable experience for IT staff and web developers and makes self-management by savvy users more realistic.
- When selecting a cPanel hosting provider, ensure they maintain their cPanel platform with the latest updates. The various components which contribute to the reliability and safety of WordPress (and therefore your site) are updated regularly. Hosting providers who allow their cPanel platforms to go out of date place the website at risk.
- Select a cPanel hosting provider that offers the AutoSSL function, which issues free SSL certificates via Let's Encrypt. You should not need to pay for a website certificate.
- Set up the WordPress installation with strong passwords — by default WordPress will suggest random, secure passwords.
- Reset the WordPress Salt Keys on installation. There are plugins for this. Some plugins will reset the keys regularly — this is worthwhile.
- Deploy and test using the latest PHP version, even if it's not “required”. If some element of the site requires an older version of PHP, remove it. If the website becomes stuck on a particular version of PHP, this makes updating the server difficult and introduces security problems down the track.
- Keep the number of plugins required to render the site low. The more plugins, the more opportunities for security faults which allow breaches and other problems. Additionally, not all plugins are updated, so after a few years you may end up with out-of-date plugins which should be removed, and that will break the site's functionality.
- If it is necessary to purchase a plugin or theme, make the purchase using an email address on your domain so you can maintain updates etc. going forward.
- Don't modify any themes or use any designs which require bespoke coding. This makes it impossible to update in the future and degrades security.
- Ensure links to content on the site are relative paths, and don't reference the main domain name. For example, to link to content at https://www.website.com.au/wp-content/uploads/2020/06/Newsletter.pdf, enter the URL as /wp-content/uploads/2020/06/Newsletter.pdf. (The web browser fills in the full link address.) This makes it much easier to rename the site later, if necessary.
- Don't allow unmoderated comments on pages.
- All forms should have a CAPTCHA to prevent/limit spam entries.
- If the site sends emails, be sure to update your domain's SPF record with the appropriate information for the hosting provider.
- WordPress will generally keep itself up to date, but it is still worth checking it is current, say every three months or so.
- Themes and plugins generally do not update automatically, so it is necessary to let WordPress update those. A monthly update cycle is fine in most cases.
- Back up before making significant changes. Depending on the content on the site, backups may need to be more frequent (for example, ecommerce/shop sites).
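
As an added example for the salt-key tip above (not part of the original article, and not WordPress or cPanel code), this Python script checks the contents of a wp-config.php for salts that are missing, still set to the sample placeholder, too short, or reused. The function names, the 64-character minimum and the sample config are assumptions constructed for illustration.

```python
import re

# The eight secret constants WordPress expects in wp-config.php.
SALT_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value in wp-config-sample.php
MIN_LENGTH = 64  # assumption: length of values from the WordPress.org generator

# Matches an uncommented define('NAME', 'value'); line.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"]([A-Z_]+)['"]\s*,\s*(['"])(.*?)\2\s*\)\s*;""",
    re.MULTILINE)


def audit_salts(config_text):
    """Map each salt name to a list of problems; an empty list means OK."""
    found = {name: value for name, _, value in DEFINE_RE.findall(config_text)
             if name in SALT_NAMES}
    report = {}
    for name in SALT_NAMES:
        value, issues = found.get(name), []
        if value is None:
            issues.append("missing")
        elif value == PLACEHOLDER:
            issues.append("placeholder")
        else:
            if len(value) < MIN_LENGTH:
                issues.append("short")
            if list(found.values()).count(value) > 1:
                issues.append("duplicate")
        report[name] = issues
    return report


def _define(name, value):
    return f"define( '{name}', '{value}' );"


# Constructed wp-config.php excerpt (not from a real site).
SAMPLE_CONFIG = "\n".join([
    "<?php",
    _define("AUTH_KEY", "aB3$" * 16),
    _define("SECURE_AUTH_KEY", PLACEHOLDER),
    _define("LOGGED_IN_KEY", "cD4%" * 16),
    _define("NONCE_KEY", "changeme"),
    _define("AUTH_SALT", "aB3$" * 16),           # copy of AUTH_KEY
    _define("SECURE_AUTH_SALT", "eF5&" * 16),
    _define("LOGGED_IN_SALT", "gH6*" * 16),
    "// " + _define("NONCE_SALT", "iJ7#" * 16),  # commented out
])

if __name__ == "__main__":
    for name, issues in audit_salts(SAMPLE_CONFIG).items():
        print(f"{name:18} {', '.join(issues) or 'ok'}")
```

To audit a real site, pass the text of its wp-config.php to audit_salts() in place of SAMPLE_CONFIG.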