How to Self-Host a CMS
Self-hosting is the right choice when you need full control over your infrastructure, want to avoid recurring platform fees, have specific compliance requirements for data residency, or simply prefer to own every layer of your technology stack. The trade-off is that you take on the operational responsibility that managed hosting providers normally handle.
Step 1: Choose Your CMS and Hosting Provider
Before provisioning a server, decide which CMS you will run and what infrastructure it requires. PHP-based CMS platforms like WordPress, Drupal, and Joomla need a web server (Apache or Nginx), PHP, and a database (MySQL, MariaDB, or PostgreSQL). Node.js-based platforms like Strapi, Payload CMS, and Ghost need Node.js, a process manager like PM2, and a database.
For hosting, choose a VPS (Virtual Private Server) provider that offers reliable uptime, good network performance, and data center locations close to your audience. Popular options include DigitalOcean, Linode (Akamai), Vultr, Hetzner, and AWS Lightsail. A basic VPS with 1-2 GB of RAM, 1-2 CPU cores, and 25-50 GB of SSD storage is sufficient for most single-site CMS installations.
If you expect higher traffic or run a resource-intensive CMS like Drupal with many modules, start with 4 GB of RAM and scale up as needed. Most VPS providers let you resize instances without data loss.
Step 2: Set Up Your Server Environment
Start with a fresh installation of Ubuntu LTS or Debian, which are the most commonly supported Linux distributions for CMS hosting. Connect to your server via SSH and update the system packages before installing anything else.
For PHP-based CMS platforms, install Nginx or Apache as the web server, PHP with the extensions your CMS requires (typically php-mysql, php-xml, php-mbstring, php-curl, php-gd, and php-zip), and MySQL or MariaDB as the database server. For Node.js platforms, install Node.js through the official NodeSource repository or using nvm, then install the database your CMS requires.
Configure the web server with a virtual host (Nginx) or virtual host file (Apache) that points to the directory where your CMS files will live. Set the document root, configure PHP processing, and enable gzip compression for better performance.
Step 3: Configure DNS and Domain
Log into your domain registrar's control panel and create an A record pointing your domain (e.g., example.com) to your server's public IP address. If you want the www subdomain to work as well, create a second A record for www.example.com or a CNAME record pointing www to the root domain.
DNS changes can take up to 48 hours to propagate globally, though most updates take effect within minutes to a few hours. You can verify propagation using online DNS lookup tools or by running dig or nslookup commands from your local machine.
Step 4: Install and Configure the CMS
Create a database and database user for the CMS. Use a strong, random password for the database user and restrict its permissions to only the database it needs. Do not use the root database account for CMS connections.
Download the CMS files from the official source. For WordPress, use the wp-cli tool or download the archive from wordpress.org. For Drupal, use Composer. For Strapi, use npx create-strapi-app or npm. For Ghost, use the official Ghost CLI tool. Extract or generate the files into your web server's document root directory.
Run the CMS installation process, which typically involves visiting your domain in a browser and completing a setup wizard. Provide the database connection details, create an administrator account with a strong password, and configure the basic site settings like site title and timezone.
After installation, configure the CMS for production use. This includes setting correct file permissions (the web server user should own the files), disabling debugging output, enabling caching, and configuring any mail sending settings for password resets and notifications.
Step 5: Secure Your Installation
Install a free SSL certificate from Let's Encrypt using Certbot. Certbot can automatically configure Nginx or Apache to serve your site over HTTPS and set up automatic certificate renewal. After installing the certificate, verify that HTTP requests redirect to HTTPS and that the certificate is valid.
Configure the server firewall to allow only the ports your services need: SSH (port 22), HTTP (port 80), and HTTPS (port 443). Block all other incoming traffic. On Ubuntu, use ufw (Uncomplicated Firewall) to manage these rules.
Harden SSH access by disabling password authentication (use SSH keys instead), changing the default SSH port if desired, and disabling root login over SSH. Install fail2ban to automatically block IP addresses that make repeated failed login attempts.
On the CMS level, remove the default admin username if possible, install security plugins or modules recommended for your CMS (like Wordfence for WordPress or the Security Kit module for Drupal), and disable any features or endpoints you do not use, such as XML-RPC on WordPress.
Step 6: Set Up Backups and Monitoring
Automated backups are essential for any self-hosted CMS. A complete backup includes both the CMS files (themes, plugins, uploads, configuration) and the database. Use a backup tool like restic, borgbackup, or a CMS-specific plugin to create compressed, encrypted backups on a schedule.
Store backups in a location separate from your server. Object storage services like AWS S3, Backblaze B2, or Wasabi provide inexpensive, durable storage for backup files. Keep at least 7 daily backups and 4 weekly backups, and test your restoration process periodically to verify that backups are actually usable.
Set up uptime monitoring using a service like Uptime Robot, Better Stack, or Hetrix Tools. These services check your website at regular intervals and send alerts via email, SMS, or Slack when your site goes down. Also monitor server resources (CPU, RAM, disk usage) to catch capacity issues before they cause outages.
Step 7: Establish a Maintenance Routine
Self-hosted CMS installations require regular maintenance to remain secure and performant. Create a weekly schedule that includes checking for and applying CMS core updates, updating plugins, modules, and themes, reviewing server security logs for suspicious activity, and verifying that backups completed successfully.
Subscribe to the security mailing list or advisory feed for your CMS so you are notified immediately when critical vulnerabilities are disclosed. Apply security patches as soon as they are released, not on your regular weekly schedule.
Monitor your server's disk usage, as CMS installations can accumulate database bloat, log files, and cached data over time. Set up log rotation for web server and application logs, and periodically clean up old revisions, spam comments, and unused media files in the CMS.
Self-Hosting with Docker
Docker containers provide a standardized way to package and deploy CMS applications with all their dependencies. Most popular CMS platforms publish official Docker images that include the application pre-configured with the correct runtime environment. Docker Compose files can define the complete stack, including the web server, application, database, and reverse proxy, in a single configuration file.
The advantage of Docker-based deployment is reproducibility. You can run the exact same environment locally for development and on the server for production. Upgrades become simpler because you update the image version rather than managing packages on the host system. The trade-off is additional complexity in managing Docker volumes for persistent data, networking between containers, and monitoring containerized services.
When Managed Hosting Makes More Sense
Self-hosting is not the right choice for every project. If your team lacks system administration experience, if the project does not justify the operational overhead, or if you need guaranteed uptime SLAs with vendor support, managed hosting providers like Kinsta (WordPress), Platform.sh (Drupal), Strapi Cloud, or Ghost(Pro) handle the infrastructure so you can focus on content and development. The extra monthly cost often pays for itself in reduced operational burden and faster issue resolution.
Self-hosting a CMS gives you complete control over your data and infrastructure, but requires ongoing commitment to security updates, backups, and server maintenance. Start with a reliable VPS provider, automate everything you can, and establish a regular maintenance routine from day one.