Where You Should Keep Your Addon Domains

When you set up a web hosting account using cPanel, one domain must be the primary domain. Your primary domain will always go in a directory labeled public_html. If you host other sites on the same cPanel account, then they are addon domains. cPanel used to require that these addon domains go inside public_html. Now, you can have your addons anywhere in your user directory. This tutorial will show you how to place your addon domains in the best location.

In this article:

Knowing What to Look For

When you create an addon domain in cPanel, the files for it go inside their own directory. In the most recent versions of cPanel, that new directory is inside the user directory. It will look something like this:


On old accounts or accounts migrated from other hosts, this may not be the case. Your addon domains may still be inside of public_html. The old configuration looks like this:


What’s the Problem?

Keeping your addon domains inside of public_html causes unnecessary risks. In the worst-case scenario, this can turn a small problem into a big problem.

When a website is hacked, the hackers involved will often use the site to send out spam emails. Often, the site itself will be altered. The altered site can redirect visitors or attempt to spread malicious code. When our security systems detect this, the site is immediately quarantined. Think about this in the context of keeping your addon domains in public_html. If your primary domain is ever hacked, all your sites would be quarantined. You’ve just turned a problem with one website into a problem with all your websites.

What’s worse is that, by keeping your sites in public_html, you also put them at risk of the hack. Server security usually prevents malicious scripts from ‘jumping’ up a level. That is because running code in the user directory would require certain permissions. Site files in public directories like public_html, though, are fully accessible. With a properly arranged file structure, malicious scripts can only harm one site. If all sites are in the same folder, though, that protection is missing. Self-replicating code could harm every site in the directory!

Configuration Trouble

Keeping multiple sites inside of public_html needlessly complicates your site configurations. This is especially true of WordPress sites. Certain configurations will cause .htaccess and php.ini settings from one site to affect other sites stored in the same directory. If you keep your addon domains inside public_html, they are affected by the primary domain configuration files. Moving the addon domain outside of public_html lets you isolate that domain.

Should You Move?

Website security is a bit like the regulations for new buildings. Architects must design a building that is safe and will not put someone at risk in a disaster. No one wants their house to catch fire, so we build safe, flame resistant houses. If you want a safe, secure website, you must build a safe file structure.

Moving your addons to their own directory is simple. First, move or copy the site files to their own directory in your user folder. Then, use the cPanel addon domain tool to change the directory your domain ‘points’ to. You may need to adjust your php.ini or .htaccess after the move. Remember, always make backups before making a large change like this! If a website happens to respond unusually to the move, you want to be able to restore it as quickly and easily.

Once the move is complete, though, you will be safer. If something does go wrong, you will only need to solve one problem- not several!

When you’re ready to upgrade, take a look at the various VPS Hosting plans available!

InMotion Hosting Contributor
InMotion Hosting Contributor Content Writer

InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online goals!

More Articles by InMotion Hosting

One thought on “Where You Should Keep Your Addon Domains

  1. Very informative!! Thank you! Now I know why my friend’s sites are all being shut down when one of them gets hacked. She always thought it was a DDOS attack, but it probably is not. I will be sure to pass this along and recommend Inmotion for her hosting!

Was this article helpful? Join the conversation!

Leap into Savings
Leap Ahead with Limited Time Deals