Installing Drupal 10 with Composer in Your cPanel public_html Folder

You might have heard this advice tossed around: “Just use Composer to install Drupal — it’s easy.”

Then you open cPanel, see the galaxy of icons, peek inside your file manager, and stare at something called public_html while your hosting company warns, “Don’t touch it unless you know what you’re doing.”

Relax. You’re about to not only install Drupal 10 the right way, but also understand why each step matters, so you can avoid common traps, keep your site secure, and never have to call a developer at 2am because the “white screen of death” ate your launch day.

Why You Should Care About Doing This Right

Drupal 10 is incredibly powerful, but installing it incorrectly on shared hosting is like building your shop in a busy mall without a front door — people might see your sign, but no one gets in. Worse, a poor setup can mean:

• Security risks from sensitive files being in public view

• Upgrade headaches that force a costly rebuild later

• Missed deadlines when Composer or PHP versions clash at the wrong time

Done right, you’ll have:

• A clean, upgradeable site

• Vendor files stored safely out of reach of public visitors

• The ability to update in minutes instead of hours

Minimum requirement: PHP 8.1+ for Drupal 10 (CLI and web PHP must both meet this).

Step 0 — Quick Pre-Flight Checklist

Before touching a single command, ask your hosting provider or developer:

1. SSH Access — Can you log into the server terminal?

2. Composer Installed — Is Composer available on the server, or will you build locally?

3. PHP CLI Version — CLI PHP must be 8.1+. (CLI PHP and web PHP can differ — check both.)

4. Composer Memory Limit — Enough memory to handle large package installs?

5. File Permissions — Can you create/modify files in public_html and set ownership after?

6. Root Access in Account — Can you run Composer from the account root, not just inside public_html? (We want vendor/ outside public_html for security.)

If any answer is no, you’ll use the local-build-and-upload method instead.

Step 1 — Understanding public_html

Think of your hosting account as a tall apartment building.

• public_html is the street-level shop window — everything here is visible to anyone who types your domain name.

• Vendor files, configuration data, and private scripts are like the stockroom in the basement — you don’t want customers wandering in there.

Modern Drupal keeps its vendor/ folder one level above the webroot for safety. By default, the recommended Drupal project uses a folder called web/ for the webroot. Since cPanel expects public_html/, we simply tell Composer: “Install Drupal’s web files here instead.”

Step 2 — Meet Composer, Your Code Concierge

Manually downloading Drupal and its dependencies is like stocking your shop by visiting 15 suppliers, each on different days, with different box sizes — messy and error-prone.

Composer is your personal logistics expert:

• Knows the exact compatible versions of Drupal core and contributed modules

• Fetches everything in one go

• Makes future upgrades a simple command instead of a week-long project

Step 3 — The Safe, Recommended Approach

Best for most people: Build locally, then deploy to cPanel

Why? Because Composer isn’t always available on shared hosting, and even when it is, local builds give you more control.

Local Build Steps (Plain English + Commands)

1. Create your Drupal project without installing yet
Open your terminal and run:

composer create-project drupal/recommended-project:^10 my-project

cd my-project

--no-install has been removed from samples in favor of keeping things current; this structure now handles dependencies properly. The ^10 ensures Drupal 10.

2. Create a public_html folder inside your project

mkdir public_html

Your structure now:

my-project/

composer.json

composer.lock

public_html/ <-- Drupal will live here

3. Edit composer.json to set webroot to public_html

In composer.json, change:

• "web/" → "public_html/" in "extra" → "drupal-scaffold" → "locations" → "web-root"

• Replace every web/ prefix in "installer-paths" with public_html/ (about 8–10 lines).

  Miss even one, and you’ll get broken paths or a white screen.

4. Install dependencies locally

composer install

This command now correctly downloads:

• vendor/ at project root (outside public_html)

• Drupal core inside public_html

5. Prepare deployment files
If deploying with Composer on the server, upload only:

• composer.json

• composer.lock

• public_html/ contents (themes, assets)

• sites/ folder (but not vendor/)

If no Composer on server, include vendor/ in the upload.

Step 4 — Deploy to cPanel

Option A — With Composer on the Server (Preferred)

• Upload composer.json and composer.lock to account root (same level as public_html)

• SSH into account root and run: composer install --no-dev

Make sure CLI PHP is 8.1+.

Option B — Without Composer on Server

• Run locally: composer install --no-dev

• Upload entire structure to cPanel, ensuring:

account_root/

vendor/

public_html/

Step 5 — Permissions & PHP Check

• Make public_html/sites/default/files writable:

chmod -R 755 public_html/sites/default/files

• Confirm both CLI PHP and web PHP are 8.1+.

Step 6 — Install Drupal in the Browser

Visit your domain and follow the installer:

• Choose language

• Enter database details (create DB + user in cPanel > MySQL Databases)

• Set site name, email, and admin credentials

If your structure matches local build, Drupal will autoload vendor/ from one directory up.

Step 7 — Optional but Powerful: Install Drush

composer require drush/drush

Run with: vendor/bin/drush

Drush speeds up updates, cache clears, and maintenance tasks.

Common Pitfalls and How to Dodge Them

1. Installing in wrong folder — Always confirm you’re in public_html before Composer commands.

2. PHP version mismatch — CLI PHP 8.1+ required; check php -v in SSH.

3. Wrong composer.json edits — Miss one web/ reference — broken paths.

4. Permissions issues — Sites folder unwritable = install failure.

5. Vendor folder in public_html — Increases attack risk; keep it outside.

Why This Method Wins

• Security — vendor/ stays outside webroot

• Upgradeability — future updates via: composer update

• Performance — leaner installs, fewer leftover files

• Control — consistent setup across local, staging, and production

What to Tell Your Host

“I want Drupal 10 installed so that vendor/ is at the account root and public_html/ is the webroot. Composer install should run from the account root using PHP 8.1 CLI. Can you confirm SSH and Composer are available, and CLI PHP is 8.1+?”

If they hesitate — congratulations, you just asked the right question.

Copy-Paste Command Cheat Sheet

# Local build

composer create-project drupal/recommended-project:^10 my-project

cd my-project

mkdir public_html

# edit composer.json: change web/ → public_html/

composer install

# On server with Composer

composer install --no-dev

Final Word:
Treat public_html as your premium storefront and Composer as your most reliable supplier. Follow these steps, and you’ll have a secure, upgrade-ready Drupal 10 site that’s as easy to maintain as it is to launch.