In this article I go over 12 considerations for setting up multiple sites running WordPress, on a single self hosted server. I look at what kinds of hosting options you have and how you can reduce your monthly costs to less than $1 per site. Briefly I cover the architecture needed to support multiple domains, without being nickel-and-dimed to death. Then I look at how to protect yourself against attack, shutdowns by your host and expensive bandwidth costs.
1. Overall System Design for multiple sites.
2. Minimum Hardware Requirements as related to price.
3. What type of Hosting should I use, Shared, Virtual, Dedicated?
4. Which hosting company should I go with...
5. Does server Location matter? Where should I host?
6. What bandwidth requirements do I have, should I worry about overage?
7. What is the best hosting plan when starting out?
8. How can I lower bandwidth bills if I need to?
9. How do I know which hosting service is more powerful?
10. How can I get my Autoresponder Costs down?
11. Do I need a DATA BACK UP PLAN?
12. How do I protect against DDOS Attacks?
1. Overall System Design for multiple self hosted WordPress sites.
When I began my blogging adventure the first problem I wanted to solve was, "How do I spawn lots of different WordPress sites, quickly and easily, without spending a whole lot of money?" And by that I mean, next to nothing but my time and energy. But I also had another Legacy Software problem. I was running 3 servers at the time, and wanted to consolidate, to save money, so I was going to have to support several different versions of PHP and MySQL.
I had a total of 32 sites that needed a home, with many different types of apps and software.
The goal was to be able to spawn as many sites as I could imagine, surely that's a good thing, right?
How much time does it take?
Starting from scratch with a little prior experience and barely a clue about the new tech, it took about 2 weeks at 4 hours per day to get up to speed. So maybe 80-100 hours setup time. You might do it quicker, but I had to set up 32 live sites and make sure their plugins and server features were all working.
So here's how I solved the hosting problem.
The ultimate solution for me was to use Docker with Nginx-Proxy on the front end. With the right container setup you can mimic any environment. But more importantly I could consolidate multiple databases and architectures into a single machine. This allowed 2 versions of PHP and 2 versions of MySQL to co-exist. That allowed older WordPress sites to reside with newer WordPress sites, so I could upgrade them when I had the time to.
So this is a general map of how I handled the problem.
The main server is a collection of docker containers which hold:
- Nginx-proxy
- 2 Flavors of PHP
  - PHP 5.2
  - PHP 7.4
- 3 mysql Databases
  - 1 x mysql5.5
  - 2 x mysql5.7
- 32 domains
  - multiple WordPress sites
  - several legacy PHP sites
  - several other types of apps
On the main host are several utilities for managing:
- SSL renewal automation
- Automated New Site Creation
- Anonymous proxy
- Auto backups
- Firewall
- DDOS and exploit protection
- Updating and maintenance
Advantages of this set up
These tools and scripts give us the ability to spin up new WordPress sites in a matter of seconds, including all the SSL cert setups, and database setup, Apache, Docker and Nginx setups.
Offsite, there are bandwidth reduction strategies like Cloudflare proxying.
We reserve the option to move the databases off server.
I moved the mail server off to another machine. So I'll talk about that elsewhere.
We use a combination of Amazon SES, a private mail server and Google Gmail to reduce auto-responder expenses to about $5 per month + 10c per 1000 emails. Google provides spam filtering, while Amazon provides cost effective bulk mailing to lists.
2. Minimum Hardware Requirements as related to price.
Docker requires at least a 4GB system, and when you're dealing with virtual hosts, the 4GB, 2CPU, 80GB SSD with about 3TB-4TB of bandwidth is a standard for $20 per month.
That's good for up to about 100k visitors per day (3 million per month), PROVIDED you can keep your average page load under 1mb per page. To do that, we can employ the help of FREE Cloudflare proxying, and keep auto streaming videos OFF our landing pages.
The mail server only needed a $5 server with 1GB RAM and 1 vCPU. Just make sure you get your swap file set up, because they're not always present on a virtual host. If you don't have a good swap file setup, you can easily crash when you run out of memory.
3. What type of Self Hosting should I use, Shared, Virtual, Dedicated?
Dedicated Hosting Services
So by Dedicated I mean a physical bare metal server machine sitting in a facility somewhere with disk drives and all your hardware in a box. Then there's virtual, on cloud infrastructure hardware of many flavors. In both cases you can have shared resources or private, dedicated is more commonly private.
Shared Hosting Services
With shared services you're going to have hundreds if not thousands of other people taking up resources on that server with you. It only takes one clueless person and you're all in trouble. You can get by here, but you can very easily be disappointed.
Private Hosting services
Private hosting services are going to give you fewer headaches if you should have any kind of success or if you are developing and experimenting. Shared resources are going to be much cheaper, but if you do anything that resembles the stress of success, you're going to be strangled and squashed and forced to upgrade.
Virtual Hosting Services
Now I chose to start with Virtual hosting, again because I'm just not big enough yet. It gets down to how much traffic you think you'll be throwing at your sites, and that's because of the potential for bandwidth overage to run your bills up. Most virtual hosting services give you a quota, and then charge around 1c per GB on overage. Heads up though with Amazon AWS: they will charge you 9c per GB, so that could get insane. This I found out AFTER I had everything set up on AWS... oh dear :(. So if you are on Amazon, you are going to have to keep your finger on the pulse of that one.
4. Which hosting company should I go with...
So I started out by checking out the big virtual hosts,
DigitalOcean,
Amazon LightSail,
Linode,
Upcloud,
Vultr,
and even ArubaIT, (cheap for EU)
Kamatera, (worth checking out)
Hetzner (check their auction)
and Rackspace (no longer the bargain basement).
I also checked out SSDhosts (Which I hate to mention because they look terribly scammy - seriously avoid that one).
And the last but most impressive place I looked was PhoenixNap,
which, if you're going for dedicated servers and not virtual, looks the best of them all in terms of bandwidth AND memory, AND processing power AND distribution.
At $20 per month, does it even matter which hosting company?
What I concluded after days of research was that if price was the issue, then it didn't really matter who I went with. Even with 32 sites, I just wasn't going to be big enough at first to have to worry about problems of scale. That's because my daily traffic was still under 3000 visitors per day, and the price and performance of 4GB virtual machines are all about the same. That's about $20/month. Any cheaper and there would be business-affecting trade-offs for sure.
So for these reasons I chose to start and stay with Amazon AWS on Lightsail, even though I think all the other virtual hosts are a little more competitive.
5. Does server Location matter? Where should I host?
So you want fast load times and fast responses. An important part of that is the distance your signals travel through the internet to your actual customer. This is usually measured as round-trip ping time, a measure of latency between your server and a client location. From USA to USA this is often under 50ms, but from USA to Australia, Asia or even Europe you can have 250ms round trips or worse. Basically for those who want fast responsive websites, every millisecond counts.
Cloudflare to the rescue again.
Cloudflare is a DNS service, with some extra features, like proxy and cache. This can be great for hiding your IP and lowering your bandwidth. But they can also give you a distributed edge by serving your Euro or Asian content from servers in USA to US residents. This can give you the advantage of low cost offshore hosting, with a US presence. Does it actually work like that? I'm not sure actually, but that's the idea. Best thing is, the price is free and the DNS servers are very fast and easy to deal with.
Cloudflare simplifies SSL certification registration and renewal.
Cloudflare also have some very easy to set up SSL scripts that work with letsencrypt, so you can automate your certificate renewal. I was able to set these up in minutes and create a simple script to place my keys and certs where nginx-proxy can handle them.
My location consideration example...
I wanted to target US markets, so really I want a server in the middle of USA, maybe Dallas, possibly Phoenix, but I don't really want to be stuck in a corner of the country: Miami, LA, NY, Seattle, Chicago. All along the top of USA is very congested, and the corners just have terrible ping times. The big data centers however, they go where the electricity is cheap, like along the Columbia River in Oregon where they have wind and water turbines. But from this location you're kind of far away from EVERYONE. So ping and round trip latency won't be the best. But it's cheap!
Many of those competitive virtual hosts (DigitalOcean, Linode, Vultr) are in places like Singapore. And you think ping time and latency is bad from Oregon? LOL. ArubaIT is in Italy, and SUPER cheap, which is great for hitting Europe, but what about L.A.? Same deal with Hetzner, great for Europe.
6. What bandwidth requirements do I have, should I worry about overage?
Now I started to worry about bandwidth, so I went into my logs and records and found that because I wasn't streaming videos or mpgs or big files, and was just serving images and static pages, plus I cached pages through Cloudflare, I didn't even burn .05TB (terabyte) per month.
If your average page load is about 1mb, you're going to burn 1GB per 1000 visitors and 1TB per million visitors and with the average plans we're going to consider we will have 3TB-4TB up our sleeves.
What does all that mean? Well, if you can keep your average page load under 1mb, then you're good for up to around 100,000 visitors per day. That means without caching or anything you'll come in under 3TB. Now add in a proxy service like Cloudflare and the simplest load balancing techniques (like round robin on your images and videos) and you won't need to worry about keeping out of trouble.
So this is why I say... "If you're starting out, just go virtual, with a plan to switch to dedicated servers when you start hitting say 25,000 - 50,000 unique visitors per day. That'll keep your budget down around $20 per month, until you're ready to crank it up."
7. What is the best WordPress self hosting plan when starting out?
"Short Version: If starting out low volume, just go Virtual then switch to dedicated later."
Well for the money, dedicated are way more powerful than virtual, but they're less flexible and they really have a $100/m minimum entry fee. Virtual give you the ability to expand and contract instantly to meet demands, but that's an expansion strategy you can also keep up your sleeve for later. Like say if you had a big live event and needed to stream, you could spawn virtual machines to handle it but keep your main processing back on your main server.
Phoenix Nap looks the ultimate hosting choice, if you're established.
This is where I found the relatively unheard of, PhoenixNap to be the best, for several reasons.
1. They're super webmaster friendly. Almost unheard of in mainstream, but they're a top 10 player in the mega high traffic realm of the adult entertainment sector, because they're related to CCBill. So they won't go Nazi on you if you actually try to put their systems to work. (Like virtual shared hosts will.)
2. Great prices and deals on dedicated servers.
3. Great 15TB base bandwidth quotas.
4. Only 0.0035c per GB on bandwidth. 1/3rd the cost of the average.
The catch with PhoenixNap, is that while you can get a cheap server around $40, such a machine is no good for our purposes until around $100 per month. Unless you only need the server to host images and don't need CPU.
At that price you start dealing with NVMe drives and compute benchmarks over 12,000 with 6+ core CPUs. That's pretty much 3x-6x the power and bandwidth that you'll get at any of these other hosting companies.
But again, when you're starting out, you don't need all that, so wait until you've hit 25,000 unique visitors per day.
Disclaimer: I'm not associated with PhoenixNap nor do I get anything for referring you. I've just been a long time customer of these guys, for over 10 years, and they're a seriously solid operation.
Here's their link and why PhoenixNap are awesome.
https://admin.phoenixnap.com/wap-pncpadmin-shell/orderForm?bmbPath=/order-management/order-form?currencyCode=usd
Check the current deal on an E-2186G with 32GB ram and a 480GB SSD for $90/month.
https://www.cpubenchmark.net/cpu.php?cpu=Intel+Xeon+E-2186G+%40+3.80GHz&id=3346
That's a 6 core CPU running at 13.5k benchmarks.
This deal also comes with a standard 15TB transfer with 0.0035c overage.
Now compare that to any of the big virtual hosts or Amazon Lightsail. They're not even close.
However, once again, here's the problem... If you're just starting out, there's no way you're going to need to service 300,000 visitors per day. So you just don't need that kind of horsepower.
8. How can I lower bandwidth bills if I need to?
Bandwidth TIP #1: You can cut them down to about 1/3rd of average, just by going with this host...
So 1c per GB is $10 per GB. But here's another reason why PhoenixNap crushes. They only charge .0035c per GB on the overage! OMG! After dealing with AWS, that's awesome. The big adult companies use them to push sites that serve up millions of images and videos per day.
The problem with PhoenixNap Virtual services is that they've just announced (in July 2020) they're getting out of virtual hosting. So you can only use dedicated servers with those guys.
That's not too bad a thing though, you can set a cheap dedicated server up to only serve images, with no PHP or anything, and load balance through them. It's worth exploring if you're getting big enough that bandwidth cost is your problem. You can get a $100/m server with a 15TB allowance and 0.0035c overage per GB. Try doing that at the big 1c/GB virtual hosts like DigitalOcean, LightSail, Linode, Upcloud, Vultr, and even ArubaIT, Kamatera or Hetzner.
"I'll talk about load balancing and proxying to save money on bandwidth in another article, but it's an easy problem to bring bandwidth down, by just putting your images on another server away from your PHP, you can reduce your loads by 80%-90% easily."
Bandwidth Tip #2: Don't host your own videos at first, to keep within a budget.
If you want to add video streaming off your server though, you'll need to pay attention to the average size of file and the length of views. Take those numbers and work out an average load transfer per month; you can quite easily bust your quotas with video. If you're lucky Cloudflare might cache it for you, but I wouldn't count on it. It's more likely they're going to cache HTML and JavaScript like a virtual CDN. I just can't imagine them taking on the load of your videos if you start pushing 25000 visits per day. YouTube will though, so just embed your videos from their servers instead.
9. How do I know which hosting service is more powerful?
Most hosting services seem to like giving you worthless metrics like vCPU cores, Storage and RAM. I like to use benchmarks on the CPUs themselves from Passmark and places like that. Amazon AWS for example uses a 9 core Xeon E5-2666 V3 dual CPU with an impressive 20k - 25k benchmark.
https://www.cpubenchmark.net/cpu.php?cpu=Intel+Xeon+E5-2666+v3+%40+2.90GHz&id=2471&cpuCount=2
Now keep in mind, 1 core is only going to give you a fraction of that, maybe 2000-4000. And that just so happens to be about on par with a little $30 dedicated machine like this one... The 4 Core Intel Xeon X3440 @ 2.53GHz which benchmarks at 2566.
https://www.cpubenchmark.net/cpu.php?cpu=Intel+Xeon+X3440+%40+2.53GHz&id=1288
So this is why CPU and core counts are kind of meaningless without knowing what kind of CPU you're dealing with.
Benchmarks are more meaningful for performance than CPU and RAM.
Consider that a virtual host like Amazon is going to deliver a benchmark capability of 2000 per core. BUT and it's a big but, if you use more than 20% of your capacity they will throttle you off the server. So you might as well be on a 400 benchmark machine. (I think they call that a Commodore 64) This is why Amazon scores poorly on relative benchmark tests with the other hosts. Don't be surprised if any virtual shared hosts do anything similar.
"So on Amazon, you can only burst CPU for a few minutes, but then you die."
On your dedicated machine, you can at least run at 60% for an hour and be fine. Why would you want to do that? Well you might if you're running a heavy update or an image spider or auto thumbnailer. Run those on shared hosting, and you will be in trouble, if not flat out banned and booted. WordPress sites can get pretty hungry for CPU when they're running lots of updates and plugins. You will need CPU and you can't afford to just go dark when resources overload.
10. How can I get my Autoresponder Price down?
It's smart to have some kind of Autoresponder and email capture strategy for all your sites. Now, while you *could* load this all into your main machine as well, you don't really want to do that.
"Mail machines are their own unique beast with all kinds of compliance and security problems. These will differ from a web server, so better to dedicate an IP and server to it. In this way you can have the correct reverse IP lookup for your mail server."
But mail machines also don't need to be insanely powerful. I'll talk about how you can set that up in detail elsewhere, but for now, we solved it with a $5 virtual host at AWS, a subscription to SES, and by handling the mail reading through Gmail. This brings your cost of mailing out down to 10c per 1000 and will force you through the compliance steps needed to inbox effectively. Try doing THAT with Mailchimp or GetResponse.
Which auto-responder plugin for WordPress?
The actual mail software I chose for WordPress is Mailster. I chose this after checking several mail systems, but I liked how this one integrated easily with Amazon, and managed bounce and campaign subscriptions for me.
I will have to make another post to talk about how to setup your WordPress autoresponders through Amazon. It's not a terribly difficult thing to do, and if you're running your own servers, you might as well set up your mail server too.
11. Do I need a DATA BACK UP PLAN?
And the last problem you will not want to skimp on, unless you like to live dangerously, is a data backup plan. On Amazon AWS I use several layers of defense. First I just use weekly snapshots. The snapshots cost $2+$4 for each server so a total of $6 per month, and the storage device costs $1.60 for 16GB.
I don't have a lot of data to deal with right now, so a script to tar up the HTML folders and then a script for the databases packs it all down nicely and stores it on an external device. This storage can then be taken offline, so if some hacker gets into the server, they can't touch the backups at all, even with a rootkit.
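A minimal version of the tar-and-checksum backup described above, as an added example rather than the author's own scripts. The paths, the site name and the container name passed to dump_db are assumptions, and dump_db assumes the MySQL container was started with MYSQL_ROOT_PASSWORD set.

```shell
#!/bin/sh
# Added example: archive a site's HTML folder, record a SHA-256, verify it later.
# Paths, names and the container layout are assumptions, not the author's setup.

# backup_site SRC_DIR DEST_DIR NAME -> prints the archive path on success.
# DEST_DIR is meant to be the mount point of the external (detachable) storage.
backup_site() {
    src=$1 dest=$2 name=$3
    file="$name-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    (
        umask 077                            # archive readable by its owner only
        tar -czf "$dest/$file" -C "$src" . &&
        cd "$dest" &&
        sha256sum "$file" > "$file.sha256"   # checksum stored beside the archive
    ) || return 1
    printf '%s\n' "$dest/$file"
}

# verify_backup ARCHIVE -> exit 0 only if the checksum matches and tar can list it.
verify_backup() {
    ( cd "$(dirname "$1")" &&
      sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 ) &&
    tar -tzf "$1" >/dev/null 2>&1
}

# dump_db CONTAINER DEST_DIR -> dump all databases from a MySQL container.
# The password is expanded inside the container, so it never appears on the host.
dump_db() {
    out="$2/$1-$(date -u +%Y%m%dT%H%M%SZ).sql"
    (
        umask 077                            # dumps contain password hashes
        docker exec "$1" sh -c \
            'exec mysqldump --all-databases --single-transaction -uroot -p"$MYSQL_ROOT_PASSWORD"' \
            > "$out" &&
        gzip "$out"
    )
}

# Demo on constructed content in a temporary directory (no Docker needed).
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/site/html" "$work/external"
    printf '<?php echo "hello"; ?>\n' > "$work/site/html/index.php"
    archive=$(backup_site "$work/site/html" "$work/external" example-site) || return 1
    verify_backup "$archive" && echo "verified: $(basename "$archive")"
    rm -rf "$work"
}
demo
```

Run verify_backup again after re-attaching the storage and before any restore, so a truncated or altered archive is caught before it is trusted.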
12. How do I protect against DDOS Attacks?
You might not know it yet, but you're going to need a defense against DDOS attacks, because eventually you'll upset someone with the capability to launch one on you. And they can be expensive and difficult even for the biggest players in the game, because there are bot networks out there with millions of machines in operation that can be targeted anywhere with malicious intent.
There are several attack vectors, one is just your server, and knowing your IP is the first part of the attack.
So here's how I handled it. Near the top of the map, you can see there's a 4 stage protection plan in place.
1. Cloudflare at the top.
2. Amazon AWS firewalling
3. Fail2ban
4. Firewalld firewall
Cloudflare
At the very top of our system, we have Cloudflare, which can be used to lower bandwidth through proxy and cache. They also have the means to protect against ddos attacks. Of course this requires that you hide all your IP's from the outside world through Cloudflare.
FirewallD
FirewallD is a decent alternative to iptables, and seems to work great. It's simple enough to administer through command line and config files.
Fail2ban
Fail2ban watches the logs for brute force attempts on multiple ports, then automatically adjusts Firewalld to handle it. Fail2ban is our 2nd line of defence within the server.
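What that watch-and-ban loop amounts to for a WordPress login page, as an added example that is not from the original article or from Fail2ban itself: it counts failed wp-login.php POSTs per address in a constructed nginx combined-format log and prints, as a dry run, the temporary firewalld rule for each offender. The threshold, ban time and log format are assumptions.

```shell
#!/bin/sh
# Added example: the detect-then-ban loop that Fail2ban automates, as a dry run.
# Assumes nginx "combined" access logs; a customised log format needs other fields.

THRESHOLD=5        # failed logins before an address is banned (assumed value)
BAN_SECONDS=600    # how long the firewalld rule stays in place (assumed value)

# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [12/Jul/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.24"
203.0.113.7 - - [12/Jul/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.24"
203.0.113.7 - - [12/Jul/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.24"
203.0.113.7 - - [12/Jul/2020:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.24"
203.0.113.7 - - [12/Jul/2020:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.24"
203.0.113.7 - - [12/Jul/2020:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.24"
198.51.100.20 - - [12/Jul/2020:10:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3901 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jul/2020:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jul/2020:10:01:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jul/2020:10:02:00 +0000] "GET /2020/07/hello-world/ HTTP/1.1" 200 18211 "-" "Mozilla/5.0"
EOF
}

# find_offenders N: read a log on stdin, print "address count" for every client
# with at least N failed logins. WordPress answers a failed login with 200 and a
# successful one with a 302 redirect. Only address-shaped values are accepted,
# so nothing else from the log can end up inside a firewall command.
find_offenders() {
    awk -v max="$1" '
        $1 ~ /^[0-9A-Fa-f:.]+$/ && $6 == "\"POST" &&
        $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | sort
}

# ban_commands: turn "address count" lines into temporary firewalld rich rules.
# The commands are printed, not executed.
ban_commands() {
    while read -r ip count; do
        case "$ip" in
            *:*) family=ipv6 ;;
            *)   family=ipv4 ;;
        esac
        printf "firewall-cmd --add-rich-rule='rule family=\"%s\" source address=\"%s\" reject' --timeout=%s\n" \
            "$family" "$ip" "$BAN_SECONDS"
    done
}

sample_log | find_offenders "$THRESHOLD" | ban_commands
```

With Cloudflare proxying in front, the first log field is a Cloudflare address unless nginx restores the visitor address from the CF-Connecting-IP header, so confirm that before banning on it.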
Amazon Lightsail Default Firewall
Amazon have an external free firewall into the building and in front of your machine which is part of all instances. You can use this to IP restrict critical services, without fear of losing access to your machine. This is great for defending against ICMP attacks.
ICMP DDOS ATTACKS
You might want to just block all ICMP access to your server, via the Amazon Lightsail firewall. This is because ICMP attacks are one of the simplest and most common attacks for running your bandwidth bills up and disabling a server. ICMP attackers construct large packets and fire them through ping requests. This ties your server up by having hundreds and thousands of requests flood into your server from multiple locations.
Now many hosting services have protections in place to deal with ICMP on the front lines. But if you're going for a self hosted WordPress setup, ICMP will probably be your problem to deal with now. This is where Fail2ban, FirewallD, Amazon and Cloudflare all work together to protect you.
The greatest challenges
The biggest problems I faced were that standard docker instances just didn't have all the pieces I needed, so I had to modify a lot of configs and fix a lot of compatibility bugs. Also running updates can be processor intensive. This almost caused me to give up on virtual hosting, because Amazon did not like the high CPU loads and kept shutting me down.
Docker is not without its problems. One big issue is that when you run lots of containers you will run into local network resource problems. Be prepared for a lot of Google searches and keep a close eye on your log files.
Conclusion of initial hosting considerations for self hosting a Multi site WordPress Server
This introduction covers 12 of the basic considerations that I went through when setting up my first multi-site WordPress server. I just touch upon the topics, and I feel I will need to expand upon these ideas more in future posts.
All in all, Docker on a cheap $20 4GB virtual host provides for an awesome set up to get you started with the ability to spin up multiple WordPress sites almost instantly. I am super happy with how Docker is working out. Docker is like having a virtual hosting setup, within a virtual hosting setup.
Stay tuned, as I work out how to blog, and share more details on how to manage the challenges of running your own server.