Topics Map > WordPress

Web Hosting - Wordpress Usage Guide

DoIT Shared Hosting offers support for Wordpress on the Linux/Apache (LAMP) platform starting at the Nickel Hosting level. Anyone interested can apply for a Shared Hosting account.

Your responsibility with WordPress on DoIT Web Hosting

If you are creating a new web site for a department or revamping an existing one, we recommend to you try Wiscweb.

Wiscweb takes care of all WordPress updates, security, etc. and customers can focus solely on their content.  It’s subsidized by campus (free) and hosting thousands of UW-Madison branded web sites.

WordPress is a PHP application with a MySQL database and not static files. We do not restrict your ability to choose plugins & themes, but we suggest plugins that are well established with high reviews and are in active support.

It is the customer's responsibility to manage content and updates to WordPress. Failure to update WordPress and its components, could result in a vulnerable site that may be suspended or may be categorized as inappropriate use by our service's Web Hosting - Terms of Use policy.

For more information see our Web Hosting - Guide for Using Open Source Packages.

If you have never maintained a WordPress site before, we highly recommend the free central campus service called WiscWeb where all WordPress updates are handled for you and you just need to focus on creating and managing your content. 

Web Hosting - Beginners Guide

Plesk WordPress Toolkit

Management:

The Web Hosting service uses Plesk web hosting automation software with tools to help you manage WordPress with a build in Toolkit. You have the freedom to use this toolkit or manage WordPress more traditionally from the WordPress admin dashboard. The WP Toolkit provides a high level view of your WordPress site and with additonal features not included in the WordPress dashboard.

Plesk offers a built-in WordPress Toolkit, which can be optionally used by customers to manage, secure and migrate WordPress content for their sites.

Plesk's WP Toolkit Documentation

WP Toolkit also provides options for Copying Data or Cloning:

Web Hosting - Clone/Copy of WordPress sites

Regarding the "Security" and "Security Measures" section:

  • While this section of the WP Toolkit is intended to make your website more secure, in practice you need to assess each one of the suggested configurations individually. We have had many websites break as a direct result of applying all of them.
  • There are little circled (i) information bubbles which further explain the idea behind each suggestion, and you need to cross-reference what they are trying to do with the suggestions in the official Wordpress Hardening Guide
  • Example: Changing the location and file permissions on wp-config.php may seem like an obvious idea, but if you depend on a plugin that updates wp-config.php directly, it will break that functionality. Keep in mind that we provide an environment where each website is configured to be isolated from other customers.
  • Always test these changes on your test site before applying to your production site. You have options in the WP Toolkit to not only apply the configuration changes, but also to revert them, and please remember to take backups before changing anything.
  • Lastly, please keep in mind that the WP Toolkit is provided as a convenience to you as a way to assist in your responsibilities as outlined in the Division of Responsibilities section of our Terms of Use and echoed in our Wordpress Usage Guide

Backups (Clone and Copy)

DoIT Web Hosting utilizes DoIT's Bucky Backup service to archive web site files nightly. We also capture a MySQL dump of every database nightly to protect data and recover it as needed.  Web Hosting - Web Site Backup and Recovery

It is highly recommended to take backups of your WordPress sites when updating the site and plugins, themes etc.

||  Manually Export/Import  ||  Use a WordPress Plugin  ||  WordPress Toolkit  ||

NOTE: 

  • Many entities on campus have been unable to consistently, perfectly copy a site from one environment to another regardless of which tools were used--your mileage can vary.
  • If you have assets (.css, .js, etc) that are built by your theme or by a plugin, the site clone feature will not edit file paths that exist in the contents of files. For example, all your fonts are defined in styles.css that include the full site domain (example.wisc.edu). Upon clone these assets would still use the example.wisc.edu domain.
  • Need guidance with WordPress? Web Hosting - Wordpress Usage Guide

Option 1: Copy the File-systems, databases and update the base URL in WordPress:

Option 2: Use a WordPress Plugin:

Option 3: Using the built-in Plesk WordPress Toolkit for Copying Data or Cloning:

  • Plesk offers a built-in WordPress Toolkit, which can be used (or not used) by customers to move WP content and databases.
  • The Toolkit doesn’t create test, dev, qa, staging, etc. sites in Plesk.  This would be configured for the account by our team (setup in plesk, SSL, DNS, documentation, etc.) and then you can use the toolkit to migrate content around those environments.  Here you can request to add domains/environments to your account.

IMPORTANT:  We recommend cloning your sites first and then using the "Copy Data", which by default will move your files and databases from one site to another.  Clone first because it creates a new database in your other environment.  Then you'll primarily want to use Copy Data going forward.

Copy Data:

When Cloning your sites:

  • The default will be to place it in a sub-folder and use the existing domain.  It's recommended to use your dev, test, stage, etc. domains and only use sub-folders if you have WP installs in them.
  • The default will be to create a new MySQL every time unless you specify your existing MySQL database name.
  • This can create Back Ups and Restore Points, so you'll want to remove used resources. 
  • Vendor (Plesk) documentation cloning data

Any questions?  Please contact webhosting@doit.wisc.edu

Securing WordPress

It is recommended that WordPress sites turn on automatic updates for core, themes, and plugins, this can be accomplished in the WordPress admin or via the Plesk WP Toolkit. This will greatly reduce the risk of your site becoming vulnerable to web based attacks.

Security Plugins (WordFence):

We also recommend some form of security plugin to help filter out bad traffic to the site. The WordFence security plugin is used by many of our customers and is one we recommend.

  1.  First starting on your test site, Download Wordfence plugin, should be the "Wordfence Security – Firewall, Malware Scan, and Login Security" that has millions of installs
  2.  There will be a new Wordfence Link in the dashboard for Administrators (For multi-site, it's only in the Network Admin dashboard) - click it
  3.   Under Firewall, click the "Manage Firewall" button
  4.   The firewall starts in Learning mode that will try to identify things you'll need to exclude. Mostly, this learning mode just surprises people when it switches to fully enabled after 1 week, so we're going to turn it on right now
  5.   Change Firewall Status to "Enabled and Protecting"
  6.   Scroll down to "Allowlisted URLs" - we're going to add exceptions that enable the UW-Theme to work, as well as a few other plugins
  7.   We're looking for these 3 things as the end state:
  •   /wp-admin/admin-ajax.php request.body[table]
  •   /wp-admin/admin-ajax.php request.body[acf]
  •   /wp-admin/admin-ajax.php request.body[messagebody]
  •   Adding Allowlisted URL/Param:
    •  Enter URL: /wp-admin/admin-ajax.php
    •   Keep: "Param Type: POST Body"
    •   Enter Param Name: acf
    •   Add the other 2 (table, messagebody) as specified above
  •   Finally, click on "Save Changes" in the upper right, so the changes are saved
  •   Congrats! You are now protected by one of the best wordpress firewalls. There are a ton of options you can explore on your own for rate limiting and how quickly to block bruteforce attacks. Remember to test first, and take your time applying these rules, Wordfence works really well out of the box.

    • Mod Security

    DoIT's Web Hosting service platforms employ web application firewalls (ModSecurity) to keep pace with the ever-increasing variety of attacks against open source and custom web applications.  In some cases, Mod Security may interfere with legitimate requests and require an exemption. 

    Web Hosting - Web Application Firewall (ModSecurity Protections)

    Enhance performance w/ Content Delivery Network:

    It allows for the caching of static content and assets, which are served globally on AWS and close to the user.   This helps improve SEO (search engine optimization), reduced load times and optimization of your website's overall user experience.

    DoIT Web Hosting will provide account contacts the CDN information, and instructions for its configuration within the W3 Total Cache (W3TC) plugin.

    Please contact us at: webhosting@doit.wisc.edu if you have a publicly accessible WordPress site and would like to proceed with a CDN and W3 Total cache.

     

    Using WordPress with NetID (Shibboleth)

    All web hosting sites are generally NetID enabled by default. You have the option of securing the entire site or specific areas such as the WordPress Dashboard (admin). If securing the entire site, you can request this setup when requesting an account or email Web Hosting Support

    By default, DoIT Web Hosting provides NetID login integration services and your site should already be NetID Login capable. Web Hosting - Using NetID or Wisconsin Federated login
     
    1. Starting on your equivalent Test environment Web Hosting - Test Site Utilization  
     
    -- Install a trusted SAML/Shibboleth Single Sign plugin via https://wordpress.org/plugins/ or another trusted source.
    -- Do not use the defunct UW Communications plugin.  It is not compatible with modern versions of PHP and has other issues.
     
    2.  Follow the instructions on the install of the plugin. 
     
    NOTE: Many plugins will attempt to set the appropriate directives in WordPress’s .htaccess file automatically.  If not, you will need to manually add the entry for Shibboleth and exemption from the default rewrite rules, which can interfere with Shibboleth if not in place.
     
    At the beginning of the .htaccess file:

    # Shibboleth quick-exit from rewrite rules
     RewriteEngine on
     RewriteCond %{REQUEST_URI} ^/Shibboleth.sso($|/)
     RewriteRule . - [L]
     
     
    # Require Lazy Session
    AuthType shibboleth
    ShibDisable Off
    ShibRequestSetting applicationId yourdomain.wisc.edu
    ShibRequestSetting requireSession 0

     
    3.  Some of the common settings the plugins will require:
     
    General:
     
    Login URL: https://yourdomain.wisc.edu/Shibboleth.sso/Login
     
    Logout URL: https://yourdomain.wisc.edu/Shibboleth.sso/Logout
     
    Users:
     
    Username: uid
    Nickname: uid
    Displayname: uid
    Email: eppn
     
    NOTES:
    • uid and eppn are Shibboleth attributes that are delivered by default.  If you require custom attributes like email, firstname, lastname, etc. you will need to submit an Identity data integration request
    • If you select the managed option, you cannot manually change them.  An example of when you may not want a field managed is an email address.  eppn is an email address in the form of netid@wisc.edu but is not necessarily the preferred email address of the user.
    You will also want to uncheck "Update User Roles" if your site is protected at the root and add Require valid-user:


    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
    ShibUseHeaders On
     
     
     

    WordPress Development / Support

    The Web Hosting staff does not design, develop, or troubleshoot our customer's sites. For assistance with content management and development of custom WordPress sites there are several options: 

    1. Join the Wordpress collaboration groups on campus
    2. DoIT Academic Technology provides Wordpress development for academic departments on campus. They are available for consultations.
    3. Web Development Services

    Keywords:
    web site blog hosting shared wordpress drupal open source linux apache mysql php lamp word press wordpress 
    Doc ID:
    33416
    Owned by:
    Jake S. in DoIT Web Hosting
    Created:
    2013-09-17
    Updated:
    2025-03-26
    Sites:
    DoIT Web Hosting