A long, long time ago, I used to run a webhosting company as part of an online business I was helping to get started. It crumbled. But, I learned a lot of valuable lessons in the process, most notably, the lesson that it doesn’t take much to take on webhosting clients. All it takes is a $24.95 a month reseller plan and then you can start charging customers for your service. When we set up shop, we used a template from template monster and just filled in the details to make us sound like a reputable, long standing company complete with all those fancy badges to show we were legitimate. We had no idea what we were doing, only that we wanted to set things up and charge customers for hosting. On the side, we offered Ventrillo and Teamspeak server hosting which was much simpler than webhosting. The point I’m making here is that the barrier to entry is so low that the webhosting market is saturated with fly by night companies. Some are trying to make a go at being big while others are just summertime jobs for people. The last thing you want to do is transfer your established site to one of those ‘here today, gone tomorrow‘ resellers. The following guide is aimed at helping you pick not only a good webhost, but one that has security in mind. This year, we’ve seen a number of large, established webhosting companies fall victim to attacks mostly due to incompetence by the webhosting company. Here are some things to keep in mind before plunking down $100.00 on a webhosting plan.
Keep in mind that this guide is entirely focused on Shared Webhosting where one server hosts many websites.
Google Research – Always type into Google “Name Of Webhosting Company Sucks” to get a grasp on the issues that have been reported with that particular webhost. When webhosting companies screw up, people are very vocal about it and will stop at nothing to complain to all who will listen. Unfortunately, the side effect to this research is that you’ll find out every webhosting company in existence, sucks.
Human Recommendation – If you start a forum thread on the WPTavern Forum asking for advice on which webhosting company to go with, chances are you’ll get 3-5 different company names as recommendations. If one of these companies interest you, be sure to ask around to get personal experiences from folks, especially as they relate to customer service and uptime. However, similar to the Google Research conundrum, it could turn out that all of your friends have had success with a particular company and you turn out to be the bad apple with a bad experience.
BBB – A tried and true source of information regarding specific companies is the Better Business Bureau. According to the BBB, HostGator which is who I currently host WPTavern with has an A+ rating which is pretty darn good. Take a look at the complaints record as well as this will give you an indication on whether the company resolves or ignores complaints filed against them. This could be used as a measure of customer service.
Support – Probably one of the most important aspects of choosing a webhost is their support system. Look for companies that offer a variety of support solutions such as forums, ticket system, email, and a phone number. I’d choose a webhost that has 24/7 support versus week days only. Extra points to those webhosting companies that don’t outsource their support to countries/companies that don’t speak English very well.
Redundancy – If the companies website and services go down, do they have a fail-over system in place? Is your data mirrored to that fail-over system? Does it have the same security precautions as their first system.?
Communication – This is one area in which I see webhosting companies screwing up the most. You’d figure that by now, they would understand that communication with their customers is paramount but most of them still don’t get it. Ask the webhost you’re interested in whether or not you’ll be contacted if maintenance is required on the box your site resides on. Also ask where all such service interruptions and other announcements will be published. Nothing like publishing a post in WordPress only to hit the button and see a site not found error. When you run to support screaming WTF in a support ticket, they tell you it’s regularly scheduled maintenance leaving you sitting in your chair thinking O’ RLY?
Payment Options – Make sure you understand any money back guarantee that is offered. I recommend staying away from purchasing webhosting for more than one year at a time unless the money back guarantee specifically states that refunds can be pro-rated. Preferably at 1, 3, or 6 month periods at the most. This way, you’re not locked into a specific host. You’ll regret it when you’re halfway through your contract and the webhost experiences severe technical difficulties that last a week or more but you can’t move to a new webhost because you’ll lose money from not fulfilling the other half of the contract. It may seem like you’ll save tons of money by purchasing 3-5 years worth of hosting, but realize this is a very high risk you’d be taking.
Security On The Brain:
Up To Date Technologies – Ask the webhost you’re interested in whether their servers are running the latest versions of software such as PHP, MySql, phpMyAdmin, etc. Any one of these pieces of software on the server that are old and outdated with a known security flaw can seriously damage not only your website, but others hosted on the same box, depending on the security flaw.
Internal Firewalls – What does the hosting company use to keep naughty people out? Also inquire about what circumstances would need to be met for your own IP address to trigger the firewall thus locking you out of your site.
DDoS Prevention/Resolution – This one strikes close to home. It’s important to figure out what the policy is regarding denial of service attacks. Since we’re talking about a shared hosting environment, a DDoS attack on one site can end up taking down a large number of sites. In most cases, the webhost will suspend the targeted site until the attack subsides but in my case, the attack subsided and then happened again. My previous webhost then told me that if it happened again, my website would be suspended indefinitely. At this point, I really wanted to flick them off considering I was a loyal customer for 2 years with them but I ended up switching companies. So make sure you know what the webhost has in place to protect against DDoS and if it occurs, their policy for dealing with it.
Backups – Does the webhost you’re interested in backup websites automatically? If so, how often and how long are those backups stored? While you should always backup your sites manually, it would be reassuring to know that the webhost is also creating backups just as another fail safe.
SSH And SFTP – SSH stands for Secure Shell. It’s a Unix-based command interface and protocol for securely getting access to a remote computer. It is widely used by network administrators to control Web and other kinds of servers remotely. SSH is actually a suite of three utilities – slogin, ssh, and scp – that are secure versions of the earlier UNIX utilities, rlogin, rsh, and rcp. SSH commands are encrypted and secure in several ways. Both ends of the client/server connection are authenticated using a digital certificate, and passwords are protected by being encrypted.
SFTP on the other hand is the secure version of the FTP protocol. SFTP, or secure FTP, is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. It is functionally similar to FTP, but because it uses a different protocol, you can’t use a standard FTP client to talk to an SFTP server, nor can you connect to an FTP server with a client that supports only SFTP.
Physical Security – I’m not sure how in-depth companies will be in giving you this information but it’s worth knowing what procedures are in place for physical security of your data. Almost all of the security precautions in the world won’t matter if Joe Public can walk into the server room and download your data onto a thumbdrive.
Sandboxing – Ask how they secure/sandbox the user account space, whether your account space can be browsed by other users. By default *nix systems don’t protect user home directories. Also, how do they secure/sandbox the php processes. By default, php has to run with apache privileges and any code that runs on the server, regardless of user, runs in the same security context. Sandboxing the PHP code to a specific user account is important on a shared host so that user1 can’t write some code that hijacks user2’s site.
While this isn’t the all encompassing guide to choosing a great webhost to put your WordPress powered website on, it does provide food for thought. This is just a short list of things to consider but in reality, having a great experience with a webhosting company is almost like winning the lottery because it’s so rare. In my experience with WPTavern.com, I experienced 2 great years with my previous host and then it turned into a nightmare in just a matter of two weeks forcing me to move. In fact, I moved twice in one week due to the problems I was having with migrating my site. Ultimately, it comes down to gathering as much information as possible in order to make an informed decision as to whether a particular webhost is right for you. Price should not be the only determining factor for hosting your site, especially if you plan on taking things seriously.
Thanks to those who contributed to the following forum thread which is ongoing in case you have any more things people should look out for when choosing a webhost, especially as it relates to security.