Launching your Website with Pantheon.

Now that you’ve decided to host with Pantheon, the first step is to create an account. Please watch the video below which will walk you through signing up with Pantheon. If you’ve already been using Pantheon to build your website then you should already have an account and staging site setup properly and can skip to the “Creating Test and Live Environment” section.

Part of this video mentions specific actions to take if you’re viewing tutorials via the LattePress App – you can ignore this bit as it doesn’t apply to you.

• Click the button below to open the Pantheon for Agencies page.
• Fill out the form for a free agency account.
• Login to your Pantheon Dashboard.

Don’t worry about setting up a site within Pantheon, we’ll do that next.

Creating a Staging site with Pantheon

Now that your account has been created, we want to setup our initital staging site we’ll use to build our site. Watch the video below to review creating a staging site with Pantheon.

• Login to your Pantheon Dashboard
• Click on the “Create New Site” button.
• Enter in a site for your site. This is for internal reference within Pantheon, and also dictates your staging URL. Once entered, click continue.
• Click “Deploy” next to the WordPress option on the “Choose your CMS” page.
• Wait for Pantheon to finish creating your site then click on “Visit your Pantheon Site Dashboard.
• Click “Visit Development Site”.
• On the new tab, you should see the WordPress installer. First, select your site language and click continue.
• Enter in a site title, this is the title of your website. Keep in mind you can change this later.
• Enter in your preferred admin username and password. This should be complex and unique to this specific site. Consider using Lastpass or another password storage system to keep track of your usernames and passwords.
• Enter in your e-mail address.
• Check the box to “Discourage Search Engines from Indexing this site”.
• Click “Install WordPress”.
• Click the “Log In” button and login with the username and password you just created.

If you need help generating and keeping track of usernames and passwords for your websites, consider using a password management tool. We recommend LastPass as a great way to store, generate and track usernames and passwords for every site you use online.

Migrating Your Site and Data

For migrating data from your staging environment to your host we recommend the all-in-one migration plugin. This is a free plugin which makes it very easy to migrate a complete site from one WordPress install to another.

This works when moving our site to our live host – it also works for moving from one host to another if you decide to change your host later.

In the section above we setup a fresh WordPress install on Pantheon. Simply install the all-in-one migration plugin on the staging site you’ve been working on as well as the fresh install on the new location.

Next, using all-in-one, run an export on the site you want to take the data from, then run the import on the fresh installation.

Once the import is complete, follow the instructions, making sure after you log back in (when the import is complete you’ll be logged out, log back in with the admin credentials from the site you migrated from, as the default username/password you used when creating your default WP install will be overwritten), finally save your permalinks twice. The video below will show you how easy it is.

Creating Test and Live Environment

Add Primary Domain to Pantheon

Integrating our Domain with Cloudflare

Our next step is to integrate our domain with Cloudflare. Cloudflare is an amazing tool which can be utilized for free (although they do have premium plans, your average user will not have need of anything other than the free service). It is used for quick DNS changes and management, increases performance for our site, increases security and reduces the amount of bandwidth used by our site’s traffic to reduce costs. This step can take up to 24 hours to complete, which is another handy thing about Cloudflare, once we’ve integrated our DNS management with Cloudflare, changes to our DNS will happen almost instantly.

Use the guide below to integrate your domain purchased from Gandi (or another domain registrar) with Cloudflare. This guide is from Flywheel but the process is the same for Pantheon. When you add your domain it should automatically pick up the DNS settings pointing to your Pantheon hosting.

Add an SSL certificate to your site.

Once this has been completed, and your SSL certificate is working on your live site, you may or may not have the green padlock and may get an SSL warning. This is because some content/elements/media may be loaded through http:// instead of https:// – so we’ll want to set our site to force all content from our site via https. We’ll do this using a plugin called SSL Insecure Content Fixer, which can be found a the link below. This is a free plugin which can be downloaded or installed through the content repository.

Additional Security Steps

Mandatory Security Practices

Always use strong passwords – This seems obvious but it was one of the most widely seen issue when there is a security issue with a site. You can use LastPass or a similar service to help memorize usernames and passwords for your website. If you have multiple admins, also consider installing the Force Strong Passwords Plugin to ensure all of your admins use a strong password. With LastPass, it’s easy to generate strong passwords, you can also look at How to create a strong Password or use a tool like The Strong Password Generator.

Avoid Default Admin Username – If you followed our tutorials when creating your site, you should have picked a complex admin username, something other than the default admin username, “admin”. If this user account exists you should consider creating a new admin account under the users section of your WordPress website, and once created and confirmed that it’s working and you can access your dashboard with your new admin account, delete the user with the username “Admin” and use the new account going forward. This is only if you created your site and made the admin username, “admin”. Additionally, we want to create an editor account separate from our admin account to create content on the front-end, and use our admin account only for back-end administration purposes.

Keep Themes and Plugins updated – We’ve talked about this already quite a bit, and it’s pretty simple to do. Always keep your plugins and themes up to date at all times, as well as WordPress core. Check your site often (every day or two) for available updates and make sure to run this process (first on your staging site to check for issues), then on your live site. Additionally, always uninstall and delete plugins and themes on your site that you’re not using. This is both for performance and security benefits.

Optional but Recommended Security Practices

Form Captchas – If you followed our forms tutorials, you should already be using CAPTCHAs, specifically, ReCaptcha from google, to protect your forms from spammers. This is more annoyance than security issues, but adding Captchas to your forms does slightly increase overall protection.

Lock Down Your WordPress Admin – There are two ways we can protect our WordPress admin. The first, is to hide the URL all together. By default, the WordPress admin login URL is www.domain.com/wp-admin, this makes it easy for scripts and bots to find out admin and attempt to brute for our login screen. You can change the URL of your admin login using the WPS Hide Loginplugin. Once installed, you can change the URL of your admin login under Settings -> General.

Secondly, we can limit login attempts made when people make it to our Login screen by using the Login Lockdown plugin which limits login attempts and will blacklist and ban users who use incorrect information repeatedly. These plugins are also completely compatible with eachother.

Two Factor Authentication –By utilizing two factor authentication, even if someone does get access to your username and password, they still won’t be able to access your website admin without also having access to either your cell phone or your e-mail (depending on which method you use). We recommend you setup two factor authentication on your website which can be done using the Google Authenticator plugin which allows two factor authentication via your e-mail address or a mobile app on your phone, available for android, windows and apple phones.

If you weren’t hosting with Pantheon, there would be several other things we would recommend, however they would be redundant and a waste of time on a Pantheon hosted site, follow the steps above and you’ll be ready to launch knowing your website is safe and secure.

Post Launch Checklist

Now that we’re fully launched, there’s a few steps we want to take before moving forward.

• On our staging site, make sure that under “Settings – > Reading” the option is enabled (checked) to discourage search engines.
• On our live site, make sure that under “Settings -> Reading” the option is disabled (unchecked) to discourage search engines.
• If you’re using WooCommerce, make sure to enable the setting to force SSL – Read more here.
• Enable password on the staging site through Pantheon. Under your “Dev” tab, click the “Public” button and switch this to locked. You can then create a username and password required to view your staging site. This blocks traffic from bots and search engines as well as unexpected guests.

Purpose of the Staging Site

The main purpose of your staging site is to test WordPress, plugin and theme updates on your website for conflicts before updating them on your live site. You can also use your staging site to update content and change settings, and once completed, push them to your live site. Pantheon has a process for this all in place which you can read about here:Pantheon Workflow

The reason behind this is that you may have live data being updated on your live site, but not your staging, and we don’t want to overwrite those database tables. Since we’re not custom developing (custom-coding) changes to our site, we really just need our staging to test new features and test updates. And we suggest doing this, then if all is well, running those updates on our live site instead of pushing from staging to live which can overwrite important information.

You can copy your live to staging before doing tests in order to get the most up to date version, we just don’t recommend pushing from staging to live, and that you use your staging as more of a sandbox to test updates before you run those updates on your live site.