Skip to content
A Brand New Company

Shared cPanel clients: the four kinds and what they need

A friend forwards you a hosting renewal invoice from 2014. The site still loads. The team still emails attachments to it. Nobody has the FTP password.

Jacob Molkenboer
Jacob Molkenboer
Founder · A Brand New Company
Published
27 May 2026
Reading time
6 min read
Category
Legacy sites
Leather logbook half-open on ivory desk, brass key on cream card, folded invoice, green ribbon, red wax fragment.

A Tuesday morning email lands in our inbox. Someone forwards a hosting renewal invoice from a company they have not thought about since 2018. The site still loads. The contact form still emails the owner. Nobody knows the FTP password. They want to know whether to renew, migrate, or quietly let the domain expire.

That email arrives almost every week. The site is always on shared cPanel. And the right answer is never the same, because the client behind the cPanel is never the same. After more than a decade of cleaning these up, we see four versions of the same person.

The "it just works" lifer

Five-page brochure site. WordPress 4.something, or more often, hand-built HTML by someone's nephew in 2012. PHP 7.2, because the host stopped sending upgrade nags after the third one bounced. Eighty visits a day, mostly people who already know the brand. Two leads a week, all by phone. Annual hosting bill: roughly €120.

This client does not need a redesign. They do not need a CMS. They certainly do not need a "growth audit". What they need is for the site to keep doing what it does for the next ten years without sitting on PHP 7.2.

The migration is boring and quick. Pull the static files, freeze the PHP version locally if there is any dynamic code, drop it behind Cloudflare, and put the backups on a schedule. PHP itself only supports the last three minor releases for security fixes, so the only real risk on shared hosting is the silent moment where the host upgrades PHP under them and a contact form stops sending. That risk is solved with a flat HTML deploy and a synthetic check that runs against the form once a day.

The accidental WooCommerce

Started as a blog in 2015. Somebody installed WooCommerce in 2018 to sell one product. Now there are 240 SKUs, thirty orders a day, and a checkout that takes nine seconds because the shared box has one shared CPU and the cache plugin and the security plugin are fighting each other.

This client thinks they need a faster host. They almost always say "we just need to move to a VPS". A VPS will buy them six months, then they will be in exactly the same place, paying €40 a month instead of €8.

What they actually need is a stack change. Either the catalogue is small enough that Shopify swallows it whole and the blog moves to a static generator, or the catalogue is too custom for Shopify and the answer is a thin storefront on Next.js with the product data in Postgres and the checkout on Stripe. The blog content survives. The Woo database does not. Nobody misses it.

Warning

Do not let a "we just need a faster host" client buy a VPS without first measuring where the nine seconds go. Nine times out of ten the bottleneck is not the host. It is forty plugins fighting for the same render pass.

The orphan

Built in 2016 by a Rotterdam agency that does not exist anymore. WordPress 5.2. Twelve plugins. Three of those have not had a release in four years. One of them, if you check the CVE record, has an unpatched authenticated RCE.

Nobody at the client has the FTP password. The agency's old project manager is now in HR at a bank. The cPanel login is in a 1Password vault belonging to someone who left two jobs ago. Half the time the original developer's email is still the technical contact on the domain registrar, which means renewal notices go to a dead mailbox.

You cannot migrate this client until you do the boring archaeology first. Recover cPanel access through the registrar (sometimes via a notarised letter, sometimes via a phone call to the host's billing department), pull a full database dump and a tarball of public_html, then run the site locally with the network unplugged so the abandoned plugins cannot phone home. From there, the rebuild is a question of how much of the existing content is worth keeping. Usually: the writing yes, the structure no.

The compliance-anxious

Law firm, accountant, or small medical clinic. The site is fine, in the sense that it works. They got an email from their cyber insurer or their largest client's procurement team asking for TLS 1.3, an SBOM, quarterly vulnerability scans, two-person change control, and a 90-day log retention policy.

Shared cPanel can technically serve TLS 1.3. It cannot show an auditor that the production binary which served a page on April 12th has not been tampered with since. The host has root. The host's contractors have root. Nobody can prove who did what.

This client does not need a faster site or a prettier one. They need a stack where every change goes through a pull request, every deploy leaves a signed artifact, and the logs go to a place the developer cannot rewrite. A managed Vercel or Cloudflare Pages deploy from a private git repo, an off-host database with point-in-time recovery, and structured logs to a separate provider gets them most of the way. The hard part is not the technology. It is convincing them that this is cheaper than the cPanel renewal once the insurance discount kicks in.

What the four have in common

None of these clients are technically wrong about their current setup. cPanel is not a moral failing. For the lifer it is actually right-sized. The problem is that all four arrive at our inbox with the same question ("should I migrate?") and the same default assumption ("probably to another shared host, just newer"). The answer is the same in form and different in substance every time: figure out which of the four you are, and the migration writes itself.

The temptation, especially for an agency on the receiving end of that email, is to upsell. Don't. The lifer gets a flat HTML deploy and a yearly check-in. The Woo client gets a stack change and an honest conversation about whether their margins survive a real platform. The orphan gets a clean rebuild on writing they already own. The compliance client gets an auditable pipeline.

When we migrated a Rotterdam logistics broker off a 2014 cPanel install last spring, the thing we ran into was the orphan problem stacked with the compliance one: no FTP credentials, and an insurer demanding 90-day log retention by the end of Q3. We solved it by reconstructing the site from the live HTML, pushing the rebuild through a git pipeline, and routing the access logs to a third-party sink the host could not touch. Most legacy site rescues end up looking like one of these four shapes. The work is the same. The story you tell the client is what changes.

If you only have five minutes today, open the hosting account, find the PHP version, and check it against the PHP support matrix. If it is older than the current stable minus two, you are already on borrowed time. That one number tells you which of the four conversations you are about to have.

Frequently asked

How do I figure out which of the four kinds I am?+
Open the hosting panel, check the PHP version, count the active plugins, and ask whether anyone still has FTP access. Five minutes of digging tells you which conversation you are about to have.
Is shared cPanel itself the problem?+
No. cPanel is a tool. For a five-page brochure site it is fine. The problem starts when the site outgrows the assumptions cPanel was built around: low traffic, low complexity, single tenant.
Will moving from shared hosting to a VPS fix a slow WooCommerce store?+
Usually not. A VPS buys you about six months. The bottleneck is almost always plugin sprawl and a missing edge cache, not raw CPU. Measure where the seconds go before you spend.
What do compliance auditors want that shared hosting cannot give them?+
Proof. A signed deploy artifact, immutable access logs, and a change history they can trace to a named person. Shared hosting cannot produce any of those, no matter how new the TLS version is.

Keep reading

Share:XLinkedInEmail
Iron padlock clasped shut over a closed leather logbook on ivory paper, a thin green ribbon and cracked red wax seal beside it
Security
18 May 2026·7 min read

Legacy WordPress reinfection: the .htaccess wall that stops it

A client called on Friday: the site we cleaned on Tuesday was serving pharma spam again. Three days, same infection. Here is why that loop runs until you wall off the writable directories.

wordpresssecurityphp
Read
Leather logbook with brass clasp, brass key on index card, rubber stamp, ink pad, green ribbon, red wax seal on ivory desk.
Migration
15 May 2026·9 min read

Drupal 7 to Next.js: a 9-day migration, SEO intact

The site was on Drupal 7 with three years past official EOL, 1,200 pages, and the marketing lead's board review nine working days out. We migrated to Next.js without losing rankings.

drupalmigrationseo
Read
Brass bell, linen-tied parcel with green wax seal, brass shipping tag, red stamp on forest linen runner.
E-commerce
25 May 2026·8 min read

Magento 1 to Shopify: a weekend port without losing SEO

A 14-year-old Magento 1 shop, two days, three people, one rule: no URL changes. Here is the actual migration plan we ran, plus the part that nearly broke us.

magentoe-commercemigration
Read

Want to build something similar?

Send us one paragraph about the process that eats the most of your week. We'll reply with an honest plan — within 4h on weekdays.

Book a 20-min scoping callSee our work