Bluehost gives every shared and managed WordPress account the same configuration toolkit: a cPanel-style file and email manager, a free SSL certificate, multiple PHP versions, and a 30-day refund window. The choices you make in that first session decide how much time you spend in support tickets later. This hub covers the configuration tasks new Bluehost owners actually run into (email, SSL, cPanel access, PHP, compatibility, cancellation) and links to step-by-step guides for each one.
What This Guide Covers
This is the configuration and features hub for Bluehost on Hoos Hosting. It explains how to access cPanel under both the new BlueRock dashboard and the legacy layout, how to set up free webmail or paid email hosting, how the free SSL works and when to upgrade, what PHP version to run, and how the cancellation and refund process really plays out. For the host overview (plans, pricing, WordPress.org recommendation), start with the parent Bluehost hosting guide. If you have not signed up yet, the Bluehost setup guide walks the checkout flow first. For DNS, nameservers, and domain transfers, the Bluehost Domain & DNS guide is the right starting point.
cPanel and BlueRock: The Two Bluehost Dashboards
Bluehost runs two control panels in parallel. New accounts land in BlueRock, the in-house dashboard that wraps email, domains, billing, and WordPress tools behind a single sidebar. A shrinking minority of older accounts still use Legacy cPanel, the classic blue-grid layout that has powered shared hosting for two decades. Both layouts expose the same underlying cPanel functions; the click paths differ.
- BlueRock hides cPanel inside the Hosting tab. Open the Bluehost portal, click Hosting in the left rail, then click the cPanel button on the right. Email accounts, file manager, MySQL, and PHP versions all open from there.
- Legacy cPanel shows the icon grid directly after login. Email accounts and file manager are under their named sections; there is no extra Hosting tab.
- Switching layouts is not user-controlled. Bluehost migrates accounts in batches, usually during plan renewals. If you need a feature your layout does not surface, contact support.
The most common cPanel task new owners run into is a password reset. The dashboard password and the cPanel password are separate by default, and the cPanel one is what your email client uses. The full reset walkthrough lives in how to change your Bluehost cPanel password.
Setting Up Email on Bluehost
Bluehost includes free webmail with every shared plan, but free webmail is a different product from professional email hosting. Mixing them up is the source of most "does Bluehost offer free email" support tickets. The short answer is yes for basic mailboxes attached to your hosted domain, and no if you want Google Workspace style mail with Drive, Calendar, and full mobile sync. The longer answer with deliverability and storage limits is in does Bluehost offer free email.
Creating a Free Mailbox
Open cPanel, find the Email Accounts section, and click Create. Pick the domain you own, choose a mailbox name (sales, hello, your-first-name), and set a strong password. The mailbox is live within a minute. You can read it inside Roundcube webmail at yourdomain.com/webmail, or connect it to Gmail, Outlook, or Apple Mail using POP or IMAP.
POP vs IMAP and the Right Server Settings
Bluehost supports both POP3 and IMAP, but IMAP is the right choice for anyone who reads mail on more than one device (laptop and phone, for example). IMAP keeps the mailbox in sync; POP downloads mail and deletes it from the server unless you change defaults. The standard settings work for both:
- Incoming mail server (IMAP):
mail.yourdomain.com, port 993, SSL/TLS. - Incoming mail server (POP3):
mail.yourdomain.com, port 995, SSL/TLS. - Outgoing mail server (SMTP):
mail.yourdomain.com, port 465 (SSL) or 587 (STARTTLS). - Username: your full email address, not just the prefix.
- Password: the mailbox password from cPanel, not your hosting account password.
Some clients reject the self-issued certificate Bluehost serves on mail.yourdomain.com. Swap the server hostname for the Bluehost shared hostname (the value in cPanel under Email Configuration, usually boxNNNN.bluehost.com) and the certificate validates cleanly. Gmail is the most common client for forwarded Bluehost mail; the full step-by-step is in how to add Bluehost email to Gmail.
When to Upgrade to Paid Email Hosting
Free Bluehost webmail tops out at five gigabytes per mailbox on most shared plans, and the deliverability is shared with thousands of other Bluehost domains, which is a problem if any of them get spam-reported. Move to paid email when you need any of the following: more than five gigabytes per inbox, a stable sender reputation for outbound marketing, Google Drive and Calendar integration, or compliance-grade retention. Bluehost resells Google Workspace and Microsoft 365 directly inside the dashboard at standard list prices, so the upgrade is one click and one bill.
SSL Certificates: Free vs Paid
Every Bluehost plan ships with a free SSL certificate from Let's Encrypt, auto-renewed every 90 days. It is the same certificate authority Cloudflare, WordPress.com, and most modern hosts use, and for a brochure site, a blog, or a small WooCommerce store it is sufficient. The free certificate provisions automatically when you point a domain at Bluehost and WordPress is installed; you should not have to touch it. If the padlock is missing after 24 hours, the SSL toggle in cPanel may have failed to flip; the fix is documented in how to setup SSL on Bluehost.
Bluehost also sells paid SSL upgrades through Comodo, branded as PositiveSSL and PositiveSSL Wildcard. The case for paying is narrow:
- You need a wildcard certificate covering unlimited subdomains under one buy (
*.yourdomain.com). Let's Encrypt offers wildcards too, but Bluehost shared hosting does not expose the API that automates them, so the paid path is simpler. - You want a warranty from the issuer covering data-breach liability up to a stated dollar amount. Free Let's Encrypt comes with no such warranty.
- Enterprise IT mandates a commercial CA for compliance reasons. Some banking and healthcare clients still flag Let's Encrypt as community-issued.
For everyone else, the free certificate is the right call. One caveat: paid SSL upgrades on Bluehost are nonrefundable. They are excluded from the 30-day money-back guarantee, so do not buy one in week one "just to test."
PHP Version, Cron Jobs, and Server Side Tweaks
Bluehost defaults new accounts to a current PHP version (8.x at time of writing), but accounts that have been on the platform for years may still run 7.4 or earlier. WordPress 6.x requires PHP 7.4 minimum and runs noticeably faster on 8.1+; plugins like WooCommerce and Yoast SEO have moved their floor to 7.4 as well. If a plugin update warns about your PHP version, the fix is a one-click change in the MultiPHP Manager. The walkthrough is in how to change PHP version in Bluehost.
Cron jobs (scheduled tasks for backups, cache warming, abandoned-cart emails) live under Advanced > Cron Jobs in cPanel. WordPress runs its own pseudo-cron on every page load by default, which is fine for low-traffic sites but unreliable for scheduled posts and cache flushing on sites with steady traffic. Setting a real cron entry every five minutes and disabling WP_CRON in wp-config.php is the standard fix.
Compatibility: What Runs on Bluehost
Bluehost is a LAMP stack with the standard PHP, MySQL, and Apache setup, which means most WordPress-era software runs without modification. A few specific questions come up often enough to deserve direct answers.
WordPress Multisite
Yes, Bluehost supports WordPress multisite on every shared plan except Basic. You enable it manually by editing wp-config.php and adding the multisite constants; Bluehost does not have a one-click toggle. Subdomain installs work out of the box. Subdirectory installs need .htaccess tweaks. The compatibility breakdown and the plan tier requirements are in does Bluehost support WordPress multisite.
Wix Sites
No, Wix sites do not run on Bluehost in the way most people mean by the question. Wix is a closed hosting platform; you cannot export a Wix site and run it on Bluehost or any other host. You can point a domain registered at Bluehost to a Wix-hosted site (DNS only), but the site itself stays on Wix infrastructure. The full distinction between domain hosting and site hosting is covered in does Wix work with Bluehost.
Migrations From Other Hosts
Bluehost offers one free guided migration per account, handled by their support team rather than a self-serve tool. You submit a ticket, hand over the source-host login, and Bluehost moves the files and database. Turnaround is one to three business days. Self-serve migration plugins (Duplicator, All-in-One WP Migration) also work and are usually faster if you already have backup files. Eligibility and what the free migration covers vs what it excludes are in does Bluehost offer free migration.
Bluehost and WooCommerce
Bluehost is one of WordPress.org's three officially recommended WooCommerce hosts, which means the shared and managed WordPress plans have been tested to run WooCommerce reliably. Basic WooCommerce stores with under 500 products and moderate traffic work fine on shared plans. The friction starts at scale: shared plans cap the number of simultaneous PHP processes, so a flash sale sending 50 checkout requests at once will slow or time out on an entry-level plan. For stores with more than 1,000 products, frequent email campaigns, or a product launch expecting over 1,000 concurrent visitors, Bluehost's cloud plans or a managed host like Kinsta are a better fit.
Two WooCommerce-specific configuration steps are worth doing on day one. First, set PHP to 8.1 or higher in MultiPHP Manager; WooCommerce 8.x runs measurably faster on modern PHP and several extensions now require it. Second, replace WordPress pseudo-cron with a real server cron: in cPanel, create a cron job that runs every five minutes pointing to wp-cron.php, then add define('DISABLE_WP_CRON', true); to wp-config.php. WooCommerce uses scheduled tasks for order processing, abandoned-cart recovery emails, and stock resets; these tasks only fire when a visitor loads a page if you leave pseudo-cron on, which is unreliable at low traffic and fails silently.
Cancelling Bluehost: Policy, Process, and What Comes Out of Your Refund
Bluehost honours a 30-day money-back guarantee on hosting fees, which is one of the most generous in shared hosting. The catches are real and they are where most negative reviews come from. Before you click cancel, read this section.
- 30 days starts from the original signup date, not from the date you decide you want out. Day 31 is full term; no partial refund.
- Free domain is not free if you cancel. Bluehost deducts a $15.99 non-refundable domain fee from your refund to cover the registration they bought on your behalf. You keep the domain and can transfer it to another registrar.
- Add-ons are nonrefundable. SSL upgrades, CodeGuard backups, SiteLock, domain privacy, and Yoast Premium are all excluded. If you tacked any of these on at checkout, that money is gone.
- Renewals are nonrefundable past 30 days. If your three-year term auto-renewed and you noticed two months later, support will not refund the renewal. Turning off auto-renew before the term ends is the fix; the toggle is in the Renewal Center.
- Refund timing is five to seven business days back to the card. PayPal refunds are usually faster.
The cancel path itself is a chat or phone ticket. There is no self-serve cancel button in BlueRock or Legacy cPanel. The full step-by-step (what to say to the retention team, what to keep for tax records, how to download your site backup first) is in how do I cancel Bluehost.
Bluehost Security Features: What Is Free and What Costs Extra
Bluehost includes several security tools at no extra charge, but the checkout flow aggressively promotes paid add-ons that can be replaced by free alternatives. Understanding the difference saves money and avoids surprises at renewal.
What Bluehost Includes for Free
- SpamAssassin: Server-level email spam filtering enabled per mailbox in cPanel. Catches most spam before it reaches your inbox without any plugin or paid subscription.
- IP address blocking: The cPanel IP Blocker lets you block specific IPs or CIDR ranges from accessing your site. Useful for stopping scrapers, brute-force login attempts, or a specific abusive visitor.
- Password-protected directories: cPanel's Directory Privacy tool lets you require a username and password before any visitor reaches a folder. Handy for protecting a development subdirectory or a staging copy you are not ready to show publicly.
- Hotlink protection: Prevents other sites from embedding your images directly, which would consume your bandwidth without any benefit to you. Enabled in cPanel under Hotlink Protection.
- Free SSL from Let's Encrypt: Covered earlier in this guide. Provides encrypted HTTPS at no extra cost, auto-renewed every 90 days.
What Costs Extra (and Whether It Is Worth It)
- SiteLock Malware Scanner ($2-$10/month): Bluehost sells SiteLock add-ons that scan files for malware daily and can automatically remove detected threats. For WordPress sites, Wordfence (free plugin) provides comparable WordPress-specific scanning and login protection without a monthly fee. SiteLock is more useful for non-WordPress PHP files that Wordfence cannot scan. If your site is WordPress-only, Wordfence covers the important bases at no cost.
- CodeGuard Backups ($3-$4/month): Bluehost's paid backup add-on runs daily automated backups with 30-day history. The free cPanel backup tool (Files > Backups) lets you generate manual backups any time, but it is not automated. UpdraftPlus (free WordPress plugin) automates daily backups to Google Drive, Dropbox, or Amazon S3 without a monthly fee and is the better value for most WordPress sites.
- Domain Privacy ($0.99-$1.99/month): WHOIS records expose your name, address, and email publicly by default. Privacy protection is worth paying for to avoid spam, data broker scraping, and cold sales calls. This is the one paid add-on where the Bluehost price is fair and the alternative (managing WHOIS exposure yourself) is more trouble than it is worth.
Bluehost Resource Limits: Understanding CPU Throttling on Shared Plans
Bluehost shared plans run multiple accounts on the same physical server. To prevent one customer's traffic spike from starving the rest, Bluehost enforces per-account CPU and process limits. These limits are not published as exact numbers, but their effects appear in predictable ways.
- “Resource limit reached” error (503): A Service Unavailable page with this message means your account hit its CPU or concurrent process cap. The limit typically lifts within 30 to 60 seconds as load drops. If it recurs daily or during normal traffic, the shared plan is undersized for your site.
- Slow wp-admin under load: If your front end is served from cache (via WP Super Cache, W3 Total Cache, or LiteSpeed) but the WordPress dashboard feels sluggish during busy periods, you are approaching CPU limits. The dashboard bypasses page cache and generates real PHP and database load on every admin page view.
- Silent cron failures: WordPress scheduled tasks (automated backups, newsletter sends, WooCommerce inventory resets, abandoned-cart emails) share the same CPU budget as front-end traffic. A cron job that runs during a traffic peak may fail silently if it loses the CPU contest. Replacing WordPress pseudo-cron with a real server cron (configured in cPanel under Advanced > Cron Jobs) gives scheduled tasks their own execution slot, partially working around this issue.
The fix for chronic throttling is a plan upgrade. Bluehost's Choice Plus plan allocates a larger shared resource pool than Basic. The step above that is a cloud plan or VPS, which gives you dedicated CPU and RAM not shared with other accounts. If you are hitting CPU limits more than once per week on a WordPress site with working page caching, the shared plan has become a bottleneck and the time cost of managing workarounds outweighs the price difference between plans. For what the upgrade path looks like and when managed hosting becomes the right call, the Bluehost hosting guide covers plan tiers and the alternatives at each traffic stage.
Where to Go Next
If you are still in the configuration phase and have a specific task in mind, jump straight to the relevant how-to: SSL setup, PHP version change, Bluehost email in Gmail, or cPanel password reset. If you have not signed up yet and want to compare Bluehost against managed alternatives before committing, the main Bluehost hosting guide covers plan pricing and the WordPress.org track record. For adding an externally registered domain to Bluehost (including the nameserver update, email safety checks, and what to do if the domain shows the default Bluehost page), see our guide on how to add a domain to Bluehost. Ready to sign up? Get started on Bluehost.
