A common practice when people are setting up addon domains in CPanel is to create those domains under the main domain. Usually what happens is that people will upload files to the main domain in the public_html whereas all the addon domains will become subfolders inside the public_html. You can see the example below.

Creating Addon Domains in CPanel

(image courtesy InMotionHosting.com)

This is a prevalent practice amongst hosting providers that run CloudLinux license for small businesses which provide one main domain and all the other domains can be added on to the same IP address and linux user.

So, your files may look like this,

  • …/public_html/domain1.com
  • …/public_html/domain2.com
  • …/public_html/includes
  • …/public_html/images
  • …/public_html/css
  • …/public_html/.htaccess
  • …/public_html/index.php

There are two problems with this scenario.

  1. Messy file structure
  2. Security Issue

I’ll now focus on both these issues.

Messy file structure

To fix this messy looking file structure where you could end up deleting an addon domains when you carelessly try to delete a file or a folder in the root domain, all you have to do is to put all the main domains files inside a folder named something you’ll remember, e.g. yoursitename.com. This is to give you a clean directory view.  Take a look below,

Creating Addon Domains in CPanel

Apart from .htaccess, all the rest of the fiels are now properly stacked in their folders and we can easily go to whichever website we want to work.

The trick here is to use power of .htaccess where we’ll just write the following lines.

# to ensure that server already know that you going to use mod-rewrite

RewriteEngine On

# if the request from http is mysite.com or www.mysite.com go to next line (else abort)

RewriteCond %{HTTP_HOST} ^(www.)? mysite.com$ [NC]

# if the request destination is not the folder /mysite.com go to next line

RewriteCond %{REQUEST_URI} !^/ mysite.com/

# if the requested name is not an existed file in public_html directory

RewriteCond %{REQUEST_FILENAME} !-f

# if the requested name is not an existed directory in public_html directory

RewriteCond %{REQUEST_FILENAME} !-d

# forward request to /mysite.com/

RewriteRule ^(.*)$ /mysite.com/$1

# if the request domain is mysite.com (with out any string afterward), go to next line

RewriteCond %{HTTP_HOST} ^(www.)?mysite.com$ [NC]

# forward request to the default file under newsite directory

RewriteRule ^(/)?$ mysite.com/ [L]

Ofcourse change mysite.com part to your own URL. This way your filemanager will be neat and tidy.

Security Issue

I’ll now come to the security issue of the approach with putting main site’s files in the public_html folder. The standard practice is to use FTP accounts to reach these directories. Now, Cpanel hostings provide a main FTP which opens on the public_html folder. This is fine as long as there is only person working on the whole account but when you have more than one person (usually freelancers) then someone ends up getting the main directory’s account login. There is risk of getting all your data copied even when you wanted someone to work on one project instead of all of them. Also, if the ftp password or website is hacked then all the other websites are also at the risk of getting infected. Hence, the security angle that even the main domain should have its separate FTP account and the main CPanel ftp account login must not be shared other than the account owner.

You Also need to go through SSH and set permissions on files and folders so there is even less chance of someone ending up in the unintended area of the hosting.

At DevProvider, we take care of this and other best practices while working with our clients. If you have CPanel which requires tidying up, then send us a hint below. We’ll be happy to help.