Cheap Hosting vs. WordPress Care Plans

We compare cheap website hosting providers vs. a professional WordPress Care Plan. Everything you need to know, and why you need to take action!

Sean Golding

Published: May 3, 2024


It’s no secret that in business, we all want to minimise expenses as much as possible. But there are so many options out there. Why should you pay what might seem like a lot of money to keep your website online, when you could do it for just a few dollars? In this article, we’ll dig through some of the ins and outs of picking a web host, the pros and cons, and reveal a few carefully hidden truths.

Selecting your web host

Choosing the right website hosting provider can be daunting. With thousands of options, how do you decide? Is it price, features, or something else that should guide your choice? It’s crucial to know exactly what you’re buying.

Unlike standalone web hosting, a WordPress Care Plan involves professional management and hosting of your website. You don’t need to worry about sorting through various hosting providers or matching your site with the appropriate resources. A professional ensures your website has everything it needs to maintain reliable uptime and deliver a seamless experience to your visitors.

Cheap Hosting File Structure

Many budget web hosting services offer appealing features like email hosting and the capability to host multiple or even unlimited websites. However, there’s a significant risk involved: often, these emails and websites share the same file system without any form of isolation. This means if one website is compromised by malicious code, the infection can quickly spread across the entire file system. As a result, every website—and possibly every email account—on the same plan is at risk of being taken down by the contagion.

Now, not every website host does this, but you can certainly expect it from many of the budget web hosts. Isolating websites from one another is super important, and so is isolating email. Imagine putting 20 children in a room and one catches a cold. They all get sick!

Ideally, a developer offering WordPress Care Plans should ensure your website is properly isolated. However, it’s crucial to confirm this—ask directly about their isolation practices. Beware of inexperienced or unscrupulous freelancers who may place your website on a low-cost, unlimited hosting plan to increase their own profits. Such arrangements can jeopardize your site’s security. If your website becomes compromised, these suppliers might also pass the repair costs onto you, a scenario we’ve seen far too often. A true professional will use advanced techniques like Docker to fully containerise your application, ensuring robust isolation and enhanced security.
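One way to check the isolation question above on a host you control, as an added example that is not part of the original article: the script lists site directories that share one owning account (code running as that account can write to all of them) and paths writable by any local user. The one-directory-per-site layout and the `.example` site names are constructed assumptions.

```python
import os
import stat
import tempfile
from collections import defaultdict

def audit_isolation(base):
    """Audit the site directories found directly under `base`."""
    owners = defaultdict(list)   # owning uid -> site names
    exposed = []                 # paths any local user can write to
    for site in sorted(os.listdir(base)):
        root = os.path.join(base, site)
        if not os.path.isdir(root) or os.path.islink(root):
            continue
        owners[os.stat(root).st_uid].append(site)
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                    exposed.append(os.path.relpath(path, base))
    shared = {uid: sites for uid, sites in owners.items() if len(sites) > 1}
    return {"shared_owner": shared, "world_writable": sorted(exposed)}

def build_sample(base):
    """Constructed layout: two sites created by the same account."""
    old = os.umask(0o022)        # predictable permissions for the demo
    for site in ("shop.example", "blog.example"):
        os.makedirs(os.path.join(base, site, "wp-content", "uploads"))
        with open(os.path.join(base, site, "wp-config.php"), "w") as fh:
            fh.write("<?php // constructed sample\n")
    os.umask(old)
    # A permission often set by hand to "fix" upload errors.
    os.chmod(os.path.join(base, "blog.example", "wp-content", "uploads"), 0o777)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_isolation(build_sample(tmp))
        for uid, sites in report["shared_owner"].items():
            print(f"uid {uid} owns {len(sites)} sites: {', '.join(sites)}")
        for path in report["world_writable"]:
            print("world-writable:", path)
```

An empty `shared_owner` result and an empty `world_writable` list are what a properly isolated setup should produce.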

Power and Resources

Cheap hosting often means your website shares server space with thousands of others. Each site receives only a minimal allocation of server resources, which can quickly become overwhelmed. Especially during peak traffic periods, this limited capacity can cause noticeable slowdowns in your website’s loading times, or it can fail to load entirely.

However, the limitations of cheap hosting don’t stop there. Essential services such as website backups, malware scans, and image optimization are resource-intensive. As your website expands, the likelihood of these services failing increases. Furthermore, to manage CPU load, some budget hosts may restrict or even prohibit these critical operations, affecting the overall functionality and security of your website.

As I write this, I am working on migrating a website for a new client to our servers (yes, multitasking is fun). The website is huge and hasn’t had a successful backup in over a year due to a lack of resources on Bluehost hosting. Scary right?!

When you are on a managed WordPress Care Plan, your developer should be utilising an environment powerful enough to cope with the demands of your website, its functionality, and its traffic.

Website Hosting & Security

Most internet users have seen or heard of websites that have been hacked. As a business owner, you’d probably be thinking, “Why would a hacker target me?” That’s a fair thought, but the truth is hackers target everyone! Most vulnerability exploits are now automated by billions of bots that are constantly crawling the internet and scraping your website. These may or may not precede a human attack.

But what are hackers looking for? Often, they target your website’s resources. They can exploit your site for various malicious activities, including crypto mining and launching bots for Distributed Denial of Service (DDoS) attacks. These activities can lead to significant overage charges if your hosting plan includes bandwidth limits. Additionally, your website may become severely unresponsive, compromising user experience and functionality.

Other cases could be more complex. Hackers can break your site, hold you at ransom, redirect it to other malicious sites, and in serious cases, they can leak sensitive information or tamper with payment systems and API keys. Check out this article where a small business owner lost over $70k because an attacker managed to penetrate her website and extract her Stripe account API keys. If you haven’t heard of cyber liability insurance, it may be worth looking into to cover your ass in the event of a serious breach.

So, what’s this got to do with cheap web hosting vs a WordPress Care Plan?

Cheap website hosts are very good at utilising deceptive marketing tactics to make you feel safe. Most people see the word “security” and then feel like they are immune. The truth is, WordPress security is extremely complicated and expensive!

Budget web hosts like to throw around some buzzwords such as malware scanners and firewalls, but these don’t do anything against zero-day exploits and also have a very low detection rate.

A while back, we were looking at various providers and made some enquiries as to their security features. An Australian supplier, one of the biggest in the country, boasted a comprehensive security offering, throwing around the above-mentioned buzzwords. Fortunately, they didn’t try to BS us and were totally upfront when questioned. Here is what they had to say:

“Thanks for getting in touch today.

So cPanel servers utilise ConfigServer Firewall (CSF) as a software firewall, and we also use Fortinets as hardware firewalls to protect our network.

We also utilise ConfigServer Exploit Scanner (CXS) which is a commercial malware scanner that searches for server exploits and not website exploits. This will scan for anything that will harm the server, however if your clients have vulnerable websites/plugins that allow for them to be compromised this scanner will not detect that.

Files that are detected are moved into a quarantined folder on the service.”

What this means is that their firewall and malware scanner are designed to protect their servers, but websites are left out in the open. Yet their marketing gives the impression that your website is 100% safe.

I decided to continue the conversation with them out of curiosity and received a further, disturbing response:

When it comes to how you configure your customers’ websites (WordPress, Joomla, something custom completely) we have no recommendations as we’re not developers.

So, do you want to trust a team of non-developers to host your website?!

You can never be totally immune from an attack, even on a WordPress Care Plan. There are services available, such as Patchstack or Wordfence, which are market leaders at blocking the latest threats, but what if your site is compromised another way? Maybe it’s brute-forced. Maybe a hacker steals a session cookie from a compromised network or computer. Malware can even get past application-level security and whitelist itself to avoid being picked up in scans. There are plenty of ways in.

WordPress security should be handled at server-level and CDN level where possible, which you just don’t get with budget website hosting. If you are having your website handled by a professional, you can expect that they will be monitoring for malware, hardening your website, managing access, checking log files and false positives, monitoring cyber communities for the latest threats, and have a solid disaster recovery plan in place.

Backups, backups, backups!

Sometimes, the unavoidable happens, and sh** can hit the fan. When it does, do you have a disaster recovery plan? You might think, well yes! My website has a backup plugin installed, I am fine. But are you really?

We’ve seen many, many websites on cheap hosting and from questionable developers (and even large agencies – not naming any). Many of them rely on backup “plugins” such as UpdraftPlus. Now, I’m not putting down UpdraftPlus; it’s been around for many years and certainly has its uses. But, as a primary backup?

Let me paint you a picture. A hacker gets into your website and does some damage, but not to worry, you have a backup, right? Not if the hacker deletes it. With almost all of these plugins, an attacker who reaches the WordPress dashboard can delete every backup, whether stored locally or remotely, directly from there.

Remember earlier in this article how we talked about power and resources, and some hosts blocking these tasks? This is a disaster for backup plugins, as the backups will often fail, leaving you with a false sense of security. But what about cPanel backups? The cheap hosting offers built-in backups, so surely that will solve it? Again, wrong. Remember how we talked about the shared file structure? These backups will share the same file structure as your website, meaning the backups are also susceptible to infection, and in most cases, the hacker can also access them. Plus, kind of useless if the server goes down.

The answer is to have a multi-layered backup schedule performed at server level. On a WordPress Care Plan, we take daily backups from outside of the application, and store these on a remote server. There is no way they can be accessed or tampered with from within the website. In the unforeseen event that the server goes down, we can easily reinstate the backup to another server, from any provider, globally.
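Because backup jobs on under-resourced hosts can fail without anyone noticing, the remote copy should also be checked from outside the website. The following added example (not from the original article, and not No Bull Websites’ tooling) verifies that the newest archive is fresh, plausibly sized, fully readable and actually contains the site files and a database dump. The `*.tar.gz` naming, the 26-hour window, the size floor and the required entries are assumptions.

```python
import gzip
import io
import os
import tarfile
import tempfile
import time
import zlib

REQUIRED = ("wp-config.php", ".sql")  # assumption: site files plus a DB dump
SAMPLE = {"wp-config.php": b"<?php // constructed", "db.sql": b"-- constructed"}

def check_latest_backup(backup_dir, max_age_hours=26, min_bytes=1_000_000):
    """Return (ok, reason) for the newest *.tar.gz in backup_dir."""
    archives = [os.path.join(backup_dir, n) for n in os.listdir(backup_dir)
                if n.endswith(".tar.gz")]
    if not archives:
        return False, "no backup found"
    latest = max(archives, key=os.path.getmtime)
    age_h = (time.time() - os.path.getmtime(latest)) / 3600
    if age_h > max_age_hours:
        return False, f"stale: newest backup is {age_h:.0f}h old"
    if os.path.getsize(latest) < min_bytes:
        return False, "too small: backup job probably died early"
    try:
        with gzip.open(latest, "rb") as gz:
            while gz.read(1 << 20):   # full read checks the gzip CRC and length
                pass
        with tarfile.open(latest, "r:gz") as tar:
            names = tar.getnames()
    except (OSError, EOFError, zlib.error, tarfile.TarError) as exc:
        return False, f"unreadable: {type(exc).__name__}"
    missing = [r for r in REQUIRED if not any(n.endswith(r) for n in names)]
    if missing:
        return False, "incomplete: no " + ", ".join(missing)
    return True, f"ok: {os.path.basename(latest)}, {len(names)} entries"

def write_sample(path, files, age_hours=0):  # constructed demo data only
    with tarfile.open(path, "w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    os.utime(path, (time.time() - age_hours * 3600,) * 2)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        write_sample(os.path.join(d, "site.tar.gz"), SAMPLE)
        print(check_latest_backup(d, min_bytes=32))  # tiny floor for the demo
```

Run it on the backup server rather than on the web host, so a compromised site cannot alter the result.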

We recommend you speak with your developer…

Have you ever been on cheap hosting and had a problem with your website? Maybe you updated a plugin and the website broke. Maybe it’s gone offline, or worse. Ever raised a ticket with cheap web hosting support? You’ll probably find the same answers again and again. Website management and fixes aren’t within their service level agreement.

I’d expect the conversation to start with “Let us check with our concerned team” (with a Filipino or Indian accent). Next, you might get a response like, “We can see there is a problem with the website, we recommend you speak with your developer”.

Quite simply, if your website breaks, it’s on you! It is not within the scope of service for a budget web host to provide support or advice in any further capacity other than keeping the server online.

WordPress Management

I’ll be brief on this one, as management isn’t offered with cheap hosting. Some premium hosts will offer automatic updates, and even visual regression testing. But we’d recommend that updates are performed manually.

Plugin updates can break a site due to incompatibilities. On occasion, CSS files need to be regenerated afterwards, and caches need to be cleared. This is just not possible to automate reliably at the moment. If something goes wrong during updates and you are on a WordPress Care Plan, your developer will revert to the last backup to quickly undo the damage. For major updates, they may also put your website into a staging environment and test it before pushing the website live.

Summary

If you’re still reading, thank you! I thought I would have lost you by now. Hopefully, this article has demonstrated why the cost of a WordPress Care Plan is well justified to protect your website investment. If you care about your website and your business’s reputation, get on to a care plan!

At No Bull Websites, we offer WordPress Care Plans for websites of all sizes. Our monitors will alert us within 5 minutes of a website going offline so that we can promptly respond (not that this happens). We have comprehensive systems in place to cover all angles and not allow a single point of failure. Other benefits also include website speed, email deliverability (no more form submissions going to spam), and even premium plugin licences.

If you would like us to take care of your website while you focus on running your business, please feel free to contact us for a quote.