Most web hosting services do not require you to change any settings in particular; they are designed to be user-friendly. But if you want to raise the security of your sites, you need to change some settings.
To get to know the system, you should also check all of the settings. It can be done in the following order.
1. Encryption ( SSL/TLS )
2. Reset password
3. WAF setting
4. Access Log setting
5. FTP setting
6. Email setting
7. Backup setting
8. Other settings
9. 2FA ( Two-step authentication )
Bluehost provides 2FA from the beginning. Bluehost has high security on this point.
Encryption ( SSL/TLS )
SSL/TLS is a method of encrypted communication. Bluehost uses Let’s Encrypt for this encryption ( RSA, key length 2048 bit ). It is the highest level of encryption, so there is no particular need to change this setting.
By the way, when you look at the site overview, you may find that SSL is shown as not active.
But the URL starts with “https://”, so the encryption is already in place. If you did not buy “Single Domain SSL” at the contract, “SSL is off” is indicated. Single Domain SSL is like insurance, so you do not need to buy it right away.
Reset password
At the contract, Bluehost requires a strong password, so it is not necessary to change the password. But a strong password is said to be twelve characters or more, so if yours is shorter, it is better to change it.
Go to “My Profile”. Bluehost requires you to set a Security PIN, so you must create this security code first. It is required when you contact customer support or use chat.
Then change the password. Enter a new password until all pull-down menus turn green. It requires 12 to 14 characters ( at the contract, it requires 8 to 16 characters ).
After entering the new password, press ❾ to reveal the password, then save it in a text file. It is good to save your ID together with it. Your Bluehost ID is shown under “My Profile” at the top-right corner.
Save the file to a USB memory stick, then hide it somewhere.
Do not stick your ID & password on the monitor.
Lastly, go back to Bluehost’s site and press the save button ( ⓭ ).
By pasting from the text file above, you can enter your ID & password correctly.
WAF setting
WAF means Web Application Firewall, which protects your sites or your hosting service. Bluehost itself is not protected by a WAF; only your sites can be protected, by SiteLock, by default.
At the contract, SiteLock is installed unless you uncheck this WAF. As it also works as a CDN ( increasing the number of accesses ), it is recommended to use it for a while. When you do not use SiteLock, all your sites are protected by SiteLock Lite. It will send malware alerts to you. The paid version of SiteLock can remove malware automatically.
You can access SiteLock’s dashboard from here.
When you press the button ⓱, the Terms of Services Agreement appears first ( Sorry, I forgot to capture it ). The process is as follows: read the terms ( ⓲ ), check the box ( ⓳ ), then proceed to the dashboard ( ⓴ ).
Go to Notification and enter your email address. Then you can get malware alerts from SiteLock. It is better to use an email address that you can read from your smartphone.
Access Log setting
With Bluehost, you can get the access log from cPanel. It only records accesses to your sites, and it is hard to understand. However, it is useful as evidence.
It is better to configure it.
I don’t recommend checking the button under , which is “Remove the previous month’s archived logs from your home directory at the end of each month”, because hackers would try to gain unauthorized access on the last day of the month ( the unauthorized access against me was done that way ). They take cPanel into consideration.
You should delete these logs manually.
Anyway, you can see these logs from both cPanel and File Manager. Viewing them from File Manager is a bit faster than viewing them from cPanel ( Raw Access ).
To view them, you need an extractor for .gz files ( GZIP format ).
They are quite useful when you have to prove the hacking in court.
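The raw access archives described above can also be read without a separate extractor. The following is an added example, not part of the original post and not Bluehost's or cPanel's own code: it records a SHA-256 fingerprint of the untouched archive for evidence use, then lists clients that repeatedly POST to wp-login.php. It assumes the logs use the Apache combined format; the function names, the threshold and the sample lines are constructed for illustration.

```python
import gzip
import hashlib
import io
import re
from collections import Counter

# Apache "combined" log format; assumed to be what the Raw Access archives contain.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def sha256_hex(raw: bytes) -> str:
    """Fingerprint the untouched archive so a later copy can be shown to match."""
    return hashlib.sha256(raw).hexdigest()

def parse_gz_log(raw: bytes):
    """Yield one dict per parseable line of a gzip-compressed log; skip the rest."""
    with gzip.open(io.BytesIO(raw), "rt", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = LINE_RE.match(line)
            if m:
                yield m.groupdict()

def login_posts_by_ip(entries, threshold=3):
    """Return {ip: count} for clients with at least `threshold` POSTs to wp-login.php."""
    hits = Counter(
        e["ip"] for e in entries
        if e["method"] == "POST"
        and e["path"].split("?")[0].endswith("/wp-login.php")
    )
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample data (documentation IP ranges), compressed in memory to run offline.
_UA = '"-" "Mozilla/5.0"'
SAMPLE_LINES = [
    f'203.0.113.7 - - [30/Apr/2024:23:50:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 {_UA}',
    f'203.0.113.7 - - [30/Apr/2024:23:50:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 {_UA}',
    f'203.0.113.7 - - [30/Apr/2024:23:50:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 {_UA}',
    f'198.51.100.20 - - [30/Apr/2024:23:51:10 +0000] "GET /index.php HTTP/1.1" 200 9120 {_UA}',
    f'198.51.100.20 - - [30/Apr/2024:23:52:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0 {_UA}',
    "truncated line without a request",
]
SAMPLE_GZ = gzip.compress("\n".join(SAMPLE_LINES).encode("utf-8"))

if __name__ == "__main__":
    print("archive sha256:", sha256_hex(SAMPLE_GZ))
    for ip, n in login_posts_by_ip(parse_gz_log(SAMPLE_GZ)).items():
        print(f"{ip}: {n} login POSTs")
```

For a downloaded archive, read the file's bytes in binary mode and pass them to the same functions; keep the original .gz unmodified so the recorded fingerprint still matches.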
FTP setting
FTP means “File Transfer Protocol”, which is needed for old-style homepages ( HTML ). WordPress is written in PHP, so it does not particularly need FTP software. Also, a file manager for WordPress is available separately as a plugin.
But there is a risk that the file manager plugin will not work when the site is broken. Bluehost uses a separate file manager, so you can go back to that file manager and correct the broken files.
This file manager cannot be reached with FTP software, so you can avoid remote tampering with files. If you need to upload a large number of files, you have to configure SSH and use SFTP software. But that is rarely needed.
Email setting
Bluehost’s email is a bit difficult to access. Do it like this.
This is a system email account, so you cannot move the mailbox to other mail software. To receive emails on your mobile, you have to change the setting.
It seems that the forwarder and autoresponder of cPanel’s mailer can only be used between cPanel’s mail accounts. So you cannot export this email in such ways.
First, create a new mail account.
Using this mail account, you can receive mail arrival notifications on your mobile.
Below is the case of using Gmail.
It has succeeded when the emails from cPanel are sent. It seems that the system email cannot be sent elsewhere.
By doing this, you can receive emails on your mobile. Change the email address for SiteLock as shown below (). In this case, “michirojohn@gmail.com” is changed to “niceguy@michirojohn.com”.
Then you can receive the security alerts on your mobile.
By the way, Jetpack sends security alerts to your ID. There is no need to change it.
Backup setting
If you did not buy “CodeGuard Basic” at the contract, your sites have no backup.
That leaves you exposed when something goes wrong on your site.
It is better to buy CodeGuard. It only costs an annual fee and is not expensive. Then you get daily backups, and it is also easy to use.
However, “CodeGuard Basic” can only restore up to 1GB, and my backup at default is 936.88MB. You would have to upgrade the plan soon. “CodeGuard Professional” can restore up to 5GB.
Bluehost also offers a Jetpack plan, but it is costly. It is an option when you have to back up a huge site.
If you want to cut the cost, there is a way (^^;.
To be exact, malware threats rarely occur on WordPress. I have never faced such threats in many years. Most threats are conflicts between plugins or between a plugin and WordPress. At worst, you cannot access your site.
To avoid these conflicts, you should turn off the automatic update of plugins.
It is not troublesome to update manually. You can do it easily from the WordPress site.
Then, update the plugins on a clone site. This is called “staging”.
You can build your site on a clone site. After making a draft there, upload ( deploy ) it to your live site. You can also update plugins there. After confirming that there is no conflict, deploy the change to the live site.
The procedure is as follows.
When you find a conflict, delete the staging site, then create a new staging site, and then investigate the cause of the conflict.
Most updates do not need to be applied immediately, so it is okay to update after confirming that no vulnerability report has come from WordPress.org or SiteLock.
Other settings
a. Limitation of Login attempts
Bluehost limits login attempts by default. The limit is five attempts.
There is no way to change it.
b. Acceleration of site
Bluehost offers Cloudflare as a free CDN, which can accelerate your site.
Looking at the settings, there are cases where Cloudflare is not on, so you have to check it for all your sites. It is very easy to activate Cloudflare: just one press. This is an excellent point of Bluehost. Many hosting services cannot do it like this.
Cloudflare has advantages for acceleration and affiliate. But this is the free version, so you cannot expect higher acceleration. It is only expected to increase the number of accesses as a CDN.
c. Payment
Bluehost can only use PayPal as an online payment service ( as of April 2024 ). In addition, when I pressed the payment button for the upper plan by mistake, the payment went through without a confirmation dialog appearing. I asked Bluehost customer support to cancel it, but they refused to do so. If you are charged because of a wrong click, there is no way out other than terminating your contract.
Be careful when you press the payment button.
And this upgrade is applied only to the site you are currently viewing. It is not applied to other sites. You should be careful about upgrading a plan.
2FA ( Two-step authentication )
When you have finished the contract, you already have 2FA in the form of a simple email code. This verification disappears after the verification has succeeded ( it may take several times ).
But this setting is weak against unauthorized access. Once the above verification has disappeared, your site can be accessed from other PCs or mobiles. Probably for that reason, Bluehost asked me to configure 2FA ( as of April 2024 ). It looks like something tricky (^^;.
If you see this suggestion, configure this 2FA without hesitation.
Even if you refuse it, you can configure this 2FA from “My Profile” later.
Once you configure this 2FA, you have to enter the verification code every time. It might bother you, but it does not matter because there is a way to access your sites directly ( the way is described later ).
So you should raise the security as high as possible.
1. Do not buy SiteLock
2. Buy CodeGuard Professional
3. Stop automatic updates of plugins
4. Import the email account to your mobile
5. Edit your site from a staging site
6. Configure 2FA by email
I think it is better to buy CodeGuard Professional. There is no need to buy SiteLock, because SiteLock Lite is already working and Jetpack has similar functions. If you want to protect your server with higher security, buy SiteLock. But most malware would come from your site’s updates and uploads ( though this rarely occurs ). So, just think about protecting your sites first.
To protect against hacking, 2FA is the most effective.