
How To Install Craft CMS 3


Looking to build a custom site on a flexible, developer-friendly CMS? Craft CMS 3 makes it simple to create premium digital experiences. But before unleashing its powerful features, you need to install and configure Craft properly. This guide covers everything from server requirements to optimizing security to get your Craft 3 site up and running smoothly. Follow these steps to launch a high-performance Craft site tailored to your needs.

Craft CMS 3 runs on PHP 7.0+, MySQL 5.5+ or PostgreSQL 9.2+. Follow 4 key steps: set up hosting, create a database, upload the Craft files, and run the web installer. Allocate 2GB+ RAM and a quad-core CPU. Set file permissions. Secure user accounts and plugins. Optimize with SSL, CSRF protection, and restricted template types.

Craft CMS 3

Overview of Craft CMS 3

What is Craft CMS? Craft CMS is a flexible, user-friendly content management system (CMS) built for developers, content creators, designers and digital marketers. Originally created by Pixel & Tonic in 2010, Craft provides an intuitive interface and robust framework for managing all website content.

As a modern PHP-based CMS, Craft 3 offers native SEO support, customizable content modelling and structures, frontend templating with Twig and integration with popular frameworks like Vue and React. It's fully extensible via plugins and gives developers complete control over the backend codebase.

Some of the standout features of Craft include:

  • Intuitive drag-and-drop interface for non-technical users

  • Flexible content sections and structures

  • Built-in localization and multi-site support

  • SEO-friendly URLs and metadata

  • Custom fields for different content types

  • User permissions and editorial workflow

  • Templating with Twig and integration with JavaScript frameworks

  • Hundreds of plugins to extend functionality

For content teams, Craft provides an easy way to manage everything from blog posts to complex matrices and related entries. The intuitive controls and flexible content modelling enable creators to quickly build robust content structures tailored to the project's needs.

For developers and agencies, Craft gives full control over the codebase and environment for each project. The well-documented PHP codebase, templating with Twig and vast plugin ecosystem allow developers to deliver custom digital experiences efficiently.

Overall, Craft CMS aims to balance user-friendliness for content editors with developer flexibility - making it a great choice for organizations wanting an extensible CMS that also enables editors/marketers to easily manage content.

Main Benefits of Craft CMS

As a modern, flexible and extensible CMS, Craft offers several advantages that make it a popular choice among developers, content creators and digital organizations.

Intuitive interface and editing experience - The drag-and-drop modular interface is designed for usability, enabling content editors and non-technical users to quickly build and manage content without coding skills. The editing experience is streamlined and user-friendly.

Flexible and customizable content modelling - Craft offers a flexible system for modelling content that can be customized for any project needs. Sections, fields, structures and relations between entries can all be tailored as required.

Developer-friendly codebase and extensibility - The well-organized PHP codebase is easy for developers to understand and extend. Craft is also highly extensible via hundreds of plugins and integrations with modern JS frameworks.

Native SEO support - Craft CMS bakes in SEO best practices including custom URLs, metadata fields, sitemaps and social media integration right out of the box. This ensures content is optimized for search from the start.

Multi-site and localization support - Craft provides robust support for managing international multi-site and multi-language content including right-to-left text formatting. Translation workflows are also supported.

Sophisticated editorial workflow - The permissions system enables controlling what content editors have access to. Workflows like draft/pending review status and versioning provide editorial control over publishing.

Frontend templating with Twig - Craft separates content from presentation by using Twig for templating. This provides flexibility for frontend developers to build on any framework.

By balancing ease-of-use for content editors with developer extensibility and customization, Craft CMS is able to support the full content lifecycle - from creation to presentation layer - better than other CMS options.

Installation and Setup Overview

Installing Craft CMS 3 is a straightforward process that involves making sure your server meets the system requirements, creating a database, uploading and configuring Craft's files and folders and setting up user accounts and permissions.

Some key steps when installing Craft include:

  • Ensuring your web server meets Craft's requirements like PHP 7.0+ and MySQL 5.5+

  • Creating a new database and user account for Craft to use

  • Uploading the Craft files to your web server

  • Running through the web-based installation process

  • Configuring settings like your site name, admin account and email settings

  • Setting up user permissions and editorial workflow

  • Creating content structures and sections

  • Building out page templates and theme

The entire process from install to launching a basic Craft site with content structure and templating can be done fairly quickly by an experienced developer. Complex sites with custom fields, relations and sections will take more planning and setup.

The Craft documentation provides very detailed installation steps and videos for various platforms like MAMP, WAMP, cPanel shared hosting and cloud servers like AWS. Their docs cover things like Nginx configuration, Solr search setup, database optimizations and more.

Overall, Craft CMS has done a great job simplifying and guiding users through the entire setup and launch process - making it one of the easiest full-featured CMS options to get running quickly. But it still provides the flexibility and tools for developers to customize Craft for complex projects.

Server Requirements for Craft CMS

Web Server Requirements

Craft CMS 3 can run on either Apache or Nginx web servers. Using the latest stable version of each is recommended for maximum compatibility and performance.

For Apache, Craft supports 2.4+ but ideally Apache 2.4.37 or higher should be used. Apache needs to be configured to allow the use of .htaccess files and mod_rewrite needs to be enabled.

On Nginx, version 1.1.19+ is recommended but using the latest mainline release is optimal. Nginx will need to be configured to support clean URLs and rewriting rules.

In terms of resources, Craft CMS suggests a minimum of 2 GB RAM allocated to the web server but 4-8 GB or more is ideal for good performance. Multi-site installs and complex projects may need even higher RAM allotments.

For CPU, a quad-core or higher modern processor is recommended. Additional CPU cores will help with serving requests faster.

A minimum of 2 GB disk space is suggested for the web root where Craft will reside. More space will be needed for larger sites with extensive media libraries and cached elements.

An optimal LAMP or LEMP stack for Craft CMS would be:

  • Apache 2.4.37+ or Nginx 1.1.19+

  • PHP 7.1+

  • MySQL 5.5+

  • 4-8GB+ RAM

  • Quad-core modern CPU

  • 2GB+ web root disk space

This provides enough resources for solid performance serving multiple requests while providing headroom for growth.

PHP Requirements

Craft CMS 3 requires PHP 7.0.0 or higher to run optimally. Craft should function on any modern PHP version above 7.0 but ideally PHP 7.1 or 7.2 is recommended for best compatibility and performance.

Some required PHP extensions and settings include:

  • PDO PHP extension

  • cURL PHP extension

  • Multibyte String support

  • GD library for image manipulation

  • Minimum of 128MB memory limit (256MB+ recommended)

  • OPcache enabled

Additionally, some specific PHP configuration tuning is advised for optimal Craft performance:

  • Set max_execution_time to 120 or higher

  • Increase upload_max_filesize and post_max_size

  • Set max_input_vars to a high limit

If using MySQL, the PDO MySQL driver is required. The Intl and Mbstring extensions are also recommended for full Unicode support.

In the php.ini configuration file, opcache, apc or xcache should be enabled for maximum PHP caching and performance.

Craft CMS works best with PHP 7.1-7.2+ using typical required extensions like PDO, cURL, GD library, Multibyte String with additional tuning for limits and timeouts. This provides optimal PHP execution for serving Craft CMS requests and traffic.

Database Requirements

For the database, Craft CMS 3 supports both MySQL and PostgreSQL.


Craft requires MySQL 5.5+ or the equivalent MariaDB 10.0+. Using MySQL 5.6+ or MariaDB 10.1+ is recommended.

The MySQL configuration should have the following set:

  • Default character set of utf8mb4

  • Default collation of utf8mb4_general_ci

File per table tablespaces are recommended for InnoDB.

MySQL should also be tuned for maximum performance. Ideal tuning includes:

  • Set innodb_large_prefix option

  • Allocate sufficient RAM to InnoDB buffer pool

  • Adjust innodb_io_capacity setting

Adequate RAM (4-8GB+), fast CPUs, and fast SSD storage will ensure MySQL can handle Craft CMS traffic and requests efficiently.


For PostgreSQL, Craft CMS requires version 9.2+. Using PostgreSQL 9.5+ is recommended for best performance.

PostgreSQL also benefits from proper configuration and resource allocation. Tuning and optimizing PostgreSQL can include:

  • Increasing shared_buffers

  • Tuning work_mem and maintenance_work_mem

  • Adjusting checkpoint_segments

  • Allocating sufficient RAM and fast storage

Craft CMS works well with MySQL 5.6+ or PostgreSQL 9.5+ properly configured and optimized. Resources like RAM, fast storage and CPU cores, together with tuning, provide fast database performance.

Installing Craft CMS 3

Hosting Options and Recommendations

When choosing hosting for Craft CMS, managed VPS (Virtual Private Server), dedicated servers and cloud hosting tend to provide the best performance and compatibility.

Managed VPS

A managed VPS offers guaranteed resources like CPU cores, RAM and storage allocation. This ensures consistently fast performance. Managed VPS plans also provide technical support. Prices start around £20/month.

VPS hosting is great for small to mid-sized Craft sites getting up to 50k visits per month. Look for plans with at least 2 CPU cores, 4GB RAM, 80GB SSD storage.

Dedicated Servers

Dedicated physical servers provide maximum control and resources for larger Craft installs. You have control over the whole server stack. Prices range from £70-£150+ per month.

Dedicated servers are ideal for high-traffic Craft sites getting hundreds of thousands of monthly visits. Aim for 4+ core Xeon CPUs, 16-32GB+ RAM, RAID SSD storage.

Cloud Hosting

With cloud hosting like DigitalOcean, Linode or AWS Lightsail, you can deploy Craft CMS servers on fast scalable infrastructure. Prices start around £5/month for small instances.

Cloud hosting is great for Craft installs that need to scale easily. Look for plans with at least 2 vCPUs, 4GB RAM and 80GB+ SSD disks to start.

For small personal Craft blogs, shared hosting can work but lacks resources for bigger sites. Reseller hosting plans are also not ideal for production Craft installs.

Managed VPS, dedicated servers and cloud hosting tend to provide the best blend of resources, performance and support for running Craft CMS installs in production from small to large scale.

Installation on Shared Hosting

Here are the steps to install Craft CMS 3 on shared cPanel hosting:

  1. Log in to your cPanel account and create a new MySQL database and user account. Set a strong password.

  2. Open the MySQL Database Wizard and create a new database named craftcms for example. Set it to use your new MySQL user account.

  3. Download the latest Craft CMS zip file from https://craftcms.com and unzip it. Upload the craft folder to your hosting account's public web directory via FTP.

  4. Browse to your domain and open the Craft web installer. Complete the installer steps:
    • Set your database credentials

    • Set your desired site name

    • Create your admin account

    • Configure email settings

  5. The installer will build the database tables and connect to Craft. Finish up the installation.

  6. Set proper permissions on the craft/storage and craft/config folders to be writable. You may need to set 755 or 775 permissions depending on the server.

  7. Delete the craft/install folder from your server for security.

  8. Log into your new Craft CMS install and build out your site design and content structure.

That covers the basics of getting Craft CMS installed on a typical cPanel shared hosting account. Always ensure you create a development site first before installing on production.

Installation on VPS and Dedicated Servers

Here are the steps to install Craft CMS on a VPS or dedicated server running Ubuntu, Nginx and MySQL:

  1. Set up a LEMP stack with Nginx, PHP-FPM, MySQL and other required components on your server. Many Craft hosts offer optimized LEMP images.

  2. Create a new MySQL database and user account specifically for Craft. Grant it privileges.

  3. Download and unzip the Craft CMS files on your server under the /var/www/html or /var/www/craft directories for example.

  4. Open the domain in your web browser to launch the installer. Complete the steps:
    • Set database credentials

    • Choose your site name

    • Create admin user account

    • Configure email settings

  5. The installer will populate the database tables and connect Craft to the database.

  6. Set ownership and permissions on storage/ and config/ folders to be writable by the web user.

  7. Delete the install/ folder for security once done.

  8. Configure virtual host in Nginx, point DocumentRoot to Craft folder.

  9. Build out templates, create content sections and entries. Craft is now installed!

For other server environments like Debian, CentOS, cPanel, Plesk or Cloudways the steps are very similar: create the database and user, install the Craft files, run the installer, set permissions, and configure the web server.

Just ensure your server meets Craft's minimum requirements for optimal performance. Test initially on a staging server before moving your Craft site to production.
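One way to verify step 6 after the install, as an added example that is not part of the original guide or of Craft itself: a POSIX shell function that checks storage/ and config/ are owner-writable, optionally owned by the web user, and that nothing under the project root is world-writable. The function name, the finding labels and the /var/www/craft and www-data values in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit a Craft project tree after the permissions step.
# Assumption: ROOT holds the storage/ and config/ folders named in the steps;
# WEB_USER (optional) is the account PHP runs as, e.g. www-data on Ubuntu.
# Usage: audit_craft_perms /var/www/craft www-data

# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_craft_perms() {
    root=$1
    web_user=${2:-}
    status=0

    for dir in storage config; do
        path=$root/$dir
        if [ ! -d "$path" ]; then
            echo "MISSING $dir"
            status=1
            continue
        fi
        # 755 and 775 both keep the owner write bit (0200) set.
        if [ -z "$(find "$path" -prune -perm -0200)" ]; then
            echo "NOT_WRITABLE $dir"
            status=1
        fi
        # Owner-writable only helps if the owner is the web user.
        if [ -n "$web_user" ] && [ -n "$(find "$path" -prune ! -user "$web_user")" ]; then
            echo "WRONG_OWNER $dir"
            status=1
        fi
    done

    # Neither 755 nor 775 sets the world-writable bit (0002), so any file or
    # folder that has it (777, 666, ...) is looser than the steps call for.
    # Symlinks are skipped: their own mode bits are not enforced.
    loose=$(find "$root" ! -type l -perm -0002 | sort)
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose" | sed 's/^/WORLD_WRITABLE /'
        status=1
    fi
    return "$status"
}
```

A non-zero exit status makes the function usable as a gate in a deploy script.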

Securing Craft CMS 3

User Security and Permissions

To lock down user security in Craft CMS, always create custom user groups with granular permissions versus relying on the default Admin and Editor roles.

When it comes to login security, require strong passwords with a minimum length, mixed case, numbers and special characters.

Enable password expiration policies.

Limit control panel access only to IP addresses that need it. Use the Users section to restrict user accounts to only be able to access certain sections, entries, fields, plugins, etc.

Craft's permissions model allows creating highly custom roles like "Blog Editor" with permissions to only edit blog posts and nothing else. Or an "Image Editor" limited to uploading and managing images.

User groups should be organized based on common roles and permissions needed. Avoid having users in multiple groups if possible.

Regularly audit the Users section to deactivate any stale accounts. Limit the number of active admin accounts.

Enable elevated permission restrictions so admins must manually permit destructive actions.

Overall, make use of Craft's robust user permissions system to follow the principle of least privilege. Limit all users and authors to only what they absolutely need access to.

General Security Settings

Some other useful security settings and practices for Craft CMS sites include:

  • Enforce site-wide SSL - Redirect all traffic to HTTPS and enable HSTS for security.

  • Require email verification - This adds an extra layer before new accounts are activated.

  • Enable CSRF protection - Adding CSRF tokens protects against cross-site request forgery.

  • Restrict allowed template file types - Only allow .twig and .html to prevent execution of PHP files.

  • Require Scout for admin changes - Enabling Scout provides an audit trail of all changes.

  • Use security focused headers - Set HTTP headers like X-Frame-Options, X-XSS-Protection, etc.

  • Follow password storage best practices - Use bcrypt with long, unique salts for hashing.

  • Sanitize and validate any frontend form submissions - Prevent XSS attacks from forms.

Taking the time to configure these types of general hardening and security hygiene steps goes a long way in protecting a Craft CMS site from common threats and vulnerabilities.
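The HTTPS redirect, HSTS and header items in the list above can be checked from saved response headers. The following is an added example, not code from the original guide: the function names and finding labels are assumptions, and the two header samples are constructed with example.test as a placeholder host.

```shell
#!/bin/sh
# Added example: check saved response headers (e.g. from `curl -sI`) for the
# settings in the list above. The two samples are constructed, not captured;
# example.test is a placeholder host.
HTTP_SAMPLE='HTTP/1.1 301 Moved Permanently
Location: https://example.test/'
HTTPS_SAMPLE='HTTP/1.1 200 OK
strict-transport-security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8'

# Print the value of header $2 in header block $1 (names are case-insensitive).
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v want="$2" '
        { i = index($0, ":") }
        i && tolower(substr($0, 1, i - 1)) == tolower(want) {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
        }'
}

# Succeeds only if a plain-HTTP response redirects to an https:// URL.
redirects_to_https() {
    code=$(printf '%s\n' "$1" | tr -d '\r' | awk 'NR == 1 { print $2 }')
    case $code in
        301|302|307|308) ;;
        *) return 1 ;;
    esac
    case $(header_value "$1" Location) in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one finding per line for an HTTPS response; prints nothing when clean.
audit_https_headers() {
    for name in Strict-Transport-Security X-Frame-Options X-XSS-Protection; do
        [ -n "$(header_value "$1" "$name")" ] || echo "MISSING $name"
    done
    hsts=$(header_value "$1" Strict-Transport-Security)
    if [ -n "$hsts" ]; then
        # max-age=0 tells the browser to drop the HSTS policy, so treat it as off.
        age=$(printf '%s\n' "$hsts" | sed -n 's/.*[Mm][Aa][Xx]-[Aa][Gg][Ee]=\([0-9][0-9]*\).*/\1/p')
        [ "${age:-0}" -gt 0 ] || echo "HSTS_NOT_ENFORCED"
    fi
    return 0
}
```

Run against `HTTPS_SAMPLE`, `audit_https_headers` reports the one header the constructed response leaves out.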

Plugin and Module Security

Plugins and modules extend Craft's functionality but also introduce potential security risks if not managed properly.

Only install first- or third-party plugins from trusted sources. Thoroughly evaluate each one before adding and activating it on a production site.

Make sure plugins are supported and maintained actively by their developers. Watch for any reported vulnerabilities.

Limit plugins to only what's essential for your site to minimize your attack surface area. Remove any abandoned or unnecessary plugins.

Use Composer to maintain plugins so they can be easily updated to the latest secure versions.

Automate updates.

Review permissions required for each plugin and limit accordingly. Disable as many plugins as possible for non-admin user groups.

For any custom modules, follow coding best practices and perform extensive security testing before deploying to production.

While plugins provide useful features and extensibility to Craft, they can also pose risks much like WordPress plugins. Following security best practices for vetting, limiting, and maintaining plugins is important for any Craft site.

Andy Golpys
- Author

Andy has scaled multiple businesses and is a big believer in Craft CMS as a tool that benefits both Designer, Developer and Client. 
