You really can get good web site hosting.
Good prices, good technical support, good site speed, excellent security against hackers and malware, clear instructions for doing the necessary configuration and administrative tasks.
If you just want My Recommendations for Hosting Providers skip ahead, and knowing what you’re getting is important.
Bad web site hosting companies provide:
- Terrible technical support, especially where they try to answer every question with the most obvious simplistic response instead of actually looking at what you say isn’t working;
- Poor protection against hackers and malware;
- Unclear or outdated instructions for doing basic tasks (e.g. set up email accounts, transfer files);
- Say they provide “unlimited disk space and bandwidth” and then gripe if you store a backup of your large site;
- Offer low prices, not telling you how many ways they are scrimping (they count on novices not knowing the difference);
- Have great marketing but overloaded servers, so a bad customer would affect your site’s performance;
- Have bad customers that could affect your site — hosting companies with poor protection from hackers, don’t know how to block other accounts from changing your files (and bad customers do go for cheap hosting, since they are less likely to be carefully monitored).
Some hosting companies have excellent hardware, but nobody but a hardware geek could understand what they offer and if it’s important for their needs, and they charge you a fortune for more than you need; I would rate this better than less expensive but inadequate. At least since they are charging you so much, you really can demand technical support make things work.
Some WordPress hosting resellers simply think “it’s not safe to host anywhere”. Well, I don’t think it’s that bad, though I do understand how they might feel that.
No matter how many horror stories you’ve heard, or how many monsters you’ve met out there, I am telling you there Are hosting companies that have good technical support, high security, good hardware, and good prices. (Your social networks are a good source for finding them.)
I’m going to give some criteria for selecting a hosting provider, and then let you know my recommended companies. (If you really want just my recommended companies, scroll down.)
What Almost All Web Hosting Companies Provide
If a host doesn’t provide any of these, find another host. (The best companies won’t mention these as “reasons to host with us”, since they offer many good things beyond these basics; these will be in the full list of features.)
“Unlimited” for bandwidth or disk space, means they aren’t monitoring or restricting, for personal or small business sites. They know what personal or small-business sites use, and provide far more than those needs. You won’t have restrictions or extra charges, unless your account starts using very high server resources. (“Unlimited” does not mean you can host email services for thousands of people, nor host thousands of videos as a video sharing service, nor resell web hosting to hundreds of high-use sites that should each be on a single account.) If you need more than that, simply ask your host what they charge for what you need. See my post on unlimited accounts.
What “unlimited” really means for email or FTP accounts or subdomains, is there is a simple way for you to create and manage those yourself, instead of making a technical support request to create one. It’s easy, as long as you have access to a good tool for it.
|Apache Server. There are only two types of web servers that are at all widely used, Apache (on Linux operating systems) or IIS (on Microsoft Windows Server operating systems). IIS is much harder, for anyone not having the training and tools. And IIS accounts cost more. See the “What to Avoid” section below.||Yes|
|Email Accounts (no reason for a web hosting company to limit these to under 100, except to charge you more money).||No Limit|
|Web Based Email Access, and both POP and IMAP email — this is how you check your email from any device with Internet access. You have to be able to check your mail when you aren’t at your main computer. POP email transfers the email from the server to your computer, so emails are only available on that computer. You will probably prefer to use IMAP instead, so emails are stored on the hosting server, you access the emails from as many devices as you want; then web-based email is only for when you are at someone else’s computer. With IMAP you don’t have to worry about synchronization problems (delete an email on one place, have the deletion still show on other places; reply to an email and not have the response you wrote available in other places). Every hosting provider should have multiple web email programs (so you pick the user interface you prefer), and both POP and IMAP emails.||Yes|
|Catch-All Email. Spammers try guessing email addresses. This says what to do with email sent to non-existent email accounts. If you use this, you’ll need someone to clean out the spam for the few actual emails. I just let it gather on the server and once a year delete thousands of emails at once. You could specify to immediately trash all email sent to any of your domain names for non-existent email addresses.||Yes|
|Email Forwarding. You’ll use this, for example, for forwarding firstname.lastname@example.org to the actual person answering support questions, and then when that person moves on you simply change the forwarding. Another use is to create a specific email address, that forwards to your main email, for signing up on some site you don’t really trust; if they spam you, just delete their email forwarding (and then the catch-all email will deal with it).||No Limit|
|Mailing Lists. Use AWeber instead). If you want your newsletter delivered and received, using a dedicated newsletter company gives much better results, and it will look better, and you’ll have a lot less administrative work, and possibly less legal hassle. So this is a worthless feature of your hosting account.||No Limit|
|Email Auto responders (again, you’ll probably use AWeber instead). This is only good for messages like “Out of Office Until Tuesday”.||Yes|
|SMTP and SendMail Support. SMTP is normal way to send messages from your email client through your hosting. SendMail is having a program (such as WordPress) send emails (for example, about site problems, or about people creating an account or other administrative notices). (For newsletters, use a dedicated newsletter service like AWeber, much less work and better delivery — if you are using shared hosting, and a spammer on the same server (same IP address) gets banned, your newsletter won’t be delivered.)||Yes|
|Spam Blocking. While no spam blocker is perfect, every web hosting account should have this.||Yes|
|24/7 Support Ticket System. Every hosting company should have this, it’s been standard for maybe 10 years. You should be able to email support questions, or enter questions into their online ticketing system. You also should have telephone support for emergencies, though you often have to pay extra for phone support. (Many hosts have a single-click installation for you to host your own customer support system.)||Yes|
|Online (or Live) Chat Support. Many hosting providers have an online chat system, make sure it’s secure (https://) since you’re likely to give technical details that hackers could use. I think these chat systems are easier than holding a phone to my ear for an hour, and it is much easier to accurately convey info by typing than by talking. If they mention AIM/ICQ/MSN/Y! they’re saying they will do technical support via these outdated chat programs; other than Yahoo Messenger, those are pretty much gone. What about Google Hangouts and Skype, which allow you to show them your screen or see theirs? Many companies host their own support chat program, with security built in.||Yes, for support via chat. Slight no for the ancient brands.|
|cPanel Control Panel. cPanel is the most common, or Plesk; maybe a different brand would be okay, but you need a control panel. Otherwise, you’d have to contact technical support for basic things like adding an email address or creating a sub-domain, or checking your site error log, or checking your site statistics. (WHM is also seen often, it’s more for resellers to manage the accounts for clients, and their clients would have cPanel.)||Yes|
|Softaculous. Or another collection of “single click installation” for popular programs, such as WordPress, Joomla, questionnaires, mailing lists, help desk, secure chatting with site users, etc. Saves you having to create a database, install the software, configure the software so it runs.||Yes|
|Customizable Error Pages. You should be able to make error pages that look good, report errors to you so you can fix them, and help build your business (suggest pages to go to, show ads for important products, ask them to sign up for your newsletter). Even your error pages should have your branding on them.||Yes|
|Access to Error Logs. This is essential for you being able to fix problems on your site. Even if you think you are “not technical”, you might see in an instant what to fix, looking at the error logs; or your technical friend might.||Yes|
|(Webalizer, Analog, etc) Statistics. The brand isn’t important (though Webalizer and Analog are popular ones) but you need to see informative statistics about your web site, including which pages are getting the most traffic, and where traffic is coming from, and if there are pages that are being asked for but don’t exist (maybe someone linking to you spelled the page name wrong).||Yes, and also Google Analytics|
|Add-On Domains. The ability to host several completely separate web sites, with different domain names pointing to them, on your single hosting account. You should have a management tool for add-on domains in your cPanel. (Related feature: Parked Domains means the ability to have multiple domain names point to the same location, e.g. yourdomain.com and yourdomain.net.) You should have WordPress in your hosting account root (domain mapping in WordPress Multi-Site requires WordPress is in the root of your account, or the root of an add-on domain), and have all your non-WordPress sites installed as add-on domains. This also keeps all your folder references the same, since all your non-WordPress sites are at the same level, and with symbolic links (I explain these in another post) you can literally share code across your sites (for example your style sheets, error pages, and most likely many other tools).||Yes|
|Cron Job Support. So you can have regularly scheduled actions done behind the scenes, without you needing to remember to start them.||Yes|
|File Manager. You will mostly use SFTP for transferring files, but you must also have this. Also look for a Disk Usage utility, so you can see which folders have huge files.||Yes|
|Password Protected Directories. Essential, and to block you from setting this up, they have to block you access to so many more needed security features. This is done using .htaccess, but the feature provides an easier interface.||No Limit|
|Daily Downloadable Backups. Of course you need this, and need to download the backups to some other place, such as DropBox or Amazon S3 or your computer or DVD. Keep just the most recent backup on your hosting account (most hosting accounts will complain if you have terabytes of backups). Make sure you back up your MySQL databases as well as your files. Figure out how often you need to back up (how much recent work could you lose without being upset?), and backup at least that frequently; but they should allow daily.||Yes|
|URL Redirection Capability (might simply be stated as allowing .htaccess changes). You will need to be able to rename a page, or say a page has been deleted. WordPress relies on this for converting a yucky URL like http://computerhelp.glerner.com/?p=66 into http://computerhelp.glerner.com/selecting-a-web-hosting-company/ so if a company blocks this, they are disqualified as your hosting company. (A company mentioning this as a “benefit” is immediately suspected of being stingy.) If you are stuck with a company that doesn’t allow this, contact them twice daily for renaming or deleting junk pages, until they give in.||Yes|
|Search Engine Submissions. Many hosts offers this, it’s nice; and you can do it yourself just as well.||Yes, even if some small amount.|
|PHP 4 With Zend Optimizer. Don’t use old versions of PHP, unless you really need some custom software that won’t run on PHP 5, meaning it hasn’t been upgraded in years and probably has security holes. That’s the only reason to use PHP 4. (Zend Optimizer is good, but also use the latest version.)||No (PHP 5 = Essential)|
|MySQL 4. Great, they’re claiming an ancient version as a benefit… MySQL is essential, and standard, and powerful, and free. My “average” hosting provider in March 2014 has MySQL version 5.5.32, fairly current (the Latest Available is 5.6.16). MySQL 4 is ancient, as far as hackers are concerned.||MySQL 5 = Essential|
|Unlimited databases. This almost always refers to MySQL databases. (WordPress can use any existing database, has a “table prefix” you configure when installing, to make sure WordPress tables don’t trample another program’s tables, if your number of databases is limited.) “Unlimited” here means you create your own databases in a cPanel tool, and they aren’t monitored, unless your disk space usage becomes enormous.||Essential|
|phpMyAdmin. This is the most popular MySQL database administration program, and if you don’t have access to it the host is restricting you getting your site working. (It is free, open source, but if a host doesn’t have it they probably won’t let you install it.) Almost every script out there uses MySQL; if you don’t have phpMyAdmin you’ll have administration problems. March2014 latest version is 4.1.9 (my “average” hosting provider currently has 4.0.5 installed, a single sub-version difference isn’t too bad, 4.0.xx vs 4.1.xx)||Yes|
|Perl 5. I suppose there are good web software programs that are still written in Perl. Every web host provides Perl (Apache or IIS). PHP is newer, easier to program, often better security (there are many Perl programs written by programmers who had no attention on security).||Yes|
|Full Private CGI-Bin Access. That’s for Perl, you should have it but probably won’t use it.||Yes|
|Server Side Includes (SSI). Again, for Perl. (PHP can also include code from other files, just isn’t called SSI.)||Yes|
|Secure Server (SSL). If you are going to do anything with credit card processing (not passing it to PayPal or similar company to handle, but you’re integrating credit card processing onto pages on your site) then you need SSL. If you are displaying any information that is confidential, you need SSL. Pay attention to how much they charge for an “SSL certificate”, and whether they let you install one from some other source.||Yes|
|Knowledge Database/FAQ. Every hosting company should have this, one of the first things companies put onto the Internet was a FAQ. But check it includes things like how to connect via Secure FTP, how to change your password, how to create a MySQL database. If you have SSH with your account, the FAQ should have creating SSH keys and using Filezilla and PuTTY with SSH. The more detailed the instructions are, with screen shots, the better. If you ask technical support something, and you’re fairly sure others would have the same question (really rare if you’re asking something unique), they should be able to answer by giving you the URL of the Knowledge Base page.||Yes — quality indicates technical support quality|
|Community Forums. Every hosting company should have this, it’s been standard for maybe 10 years. Read through theirs, it should have problems, and solutions given clearly and promptly. Should have links to good training resources. Should have employees monitoring it and community members and employees answering questions.||Yes|
|UPS Power Backup. Diesel Generator Backup Power. 24/7 Network Monitoring. Multiple 10 Gigabit Ethernet Connections.||Yes|
|Streaming Video Support. Streaming Audio Support. These a) require “Add Custom MIME Types”, which is done in .htaccess and b) needing adequate storage space and bandwidth. Essential (but most of your videos you’ll host on YouTube, or Amazon S3, so streaming isn’t an issue for you).||Yes|
Use WordPress in Multi-Site mode with Domain Mapping
This requires mostly things that by far most web hosting companies provide: MySQL database, Apache server (or the harder-to-use IIS), ability to edit DNS settings (either yourself or have technical support do it) for “wildcard DNS”, ability to configure PHP to use extra (128MB) memory.
What Better Hosts Provide
Expansion to virtual private servers (VPS), cloud desktops, dedicated servers. This is a good indication they will do things well. Why? Corporate clients, paying more money, with higher requirements, will demand good service. If a company attracts corporate clients, and provide lousy service or lousy performance, they will suffer — and the clients will likely give many bad reviews. Also, these are newer offerings, the old companies that are not upgrading their offerings won’t even mention them. Virtual private servers allow you to dynamically increase server resources, for example if you occasionally have product launches or video training, where you have huge spikes in traffic and bandwidth.
Enhanced Web Security. Look for a host that mentions companies such as Sucuri or CloudFlare (even the free version) for security, mentioning active prevention of malware and hackers. Hosts that recommend these are likely to get customers paying attention to security, and if they aren’t doing their job well, they will have customers with evidence their servers are insecure. Whatever hosting company you use, I recommend you run at least the Sucuri Scan frequently. (CloudFlare might be a cPanel Softaculous option.)
At least FTP over TLS (encrypted), better to also have SFTP (SSH File Transfer Protocol, even the login process is secure). Hackers literally can read your password (with simple tools) if you log in via plain-FTP on an insecure network (such as your local coffee shop or airport). What can someone change on your site if they can log in As You? Dre Armeda, from Sucuri, says emphatically don’t use plain FTP, use secure FTP.
Technical support that can walk you through backup for WordPress, knows what “wildcard DNS is”, knows how to connect using FileZilla via SSH.
Help section of web site that gives clear instructions how to do things like configure your email program, create email accounts. Add an add-on domain and point a domain name to it. Create a MySQL database. Connect using FileZilla via SSH.
Staging. The ability to test your site fully, get everything working, in an area the public can not see; then, when it’s ready, very easily move what works into the public area. (For something like WordPress Multi-Site, that would usually not mean the ability to transfer a single site of the multi-site, but the Entire multi-site installation. Contact me for how to migrate a single site into your WordPress Multi-Site with everything intact.)
Symlinks. This is a technical feature, that commonly is only accessible through either a PHP program, or SSH command line. It lets you link a folder, for example sharing PHP code you use for multiple sites. I have /public_html/sharefiles linked from each of my non-WordPress sites, so /public_html/domain1/shared/403.php actually uses /public_html/sharefiles/403.php (one copy of my error files used for all my sites). I don’t have to remember to upload changes to any of my shared routines to every site I host, just upload it once.
Option for SSH (command line access). They have to have good security installed, so you can access command line programs but not access other customer’s areas or the server features. They have to have technical support able to at least point you to resources how to use the SSH commands.
Advanced DNS Zone Editor. If cPanel has this, you set up wildcard DNS for WordPress Multi-Site with a few clicks. Even if you never use it, this is an indicator the hosting company is set up for more technical users, who will have higher standards for support and performance.
Affiliate Program. To have an affiliate program, the company has to organize their accounting and marketing systems around it. They have to have satisfied customers, willing to promote the company (of course, they’ll also get some customers only looking for affiliate income). It’s another indicator they are paying attention to what customers need.
What to Avoid
Keep away from all “free” and “cheap” hosting providers.
Your site will get malware (meaning you will get notified by a customer or Google that you’re displaying ads for drugs or porn sites, or that your site has scripts running that were installed by Someone Else). They won’t hire staff knowledgeable about security, adding security rules for blocking threats, updating all the server software.
The technical support team will be understaffed, poorly trained, hard to reach (or simply unresponsive). Technical support is seen as an expense (in all but the Very Best companies), and the cheap hosts will minimize that expense. One sign that a hosting provider is having financial problems is the technical support team will have higher turnover (they hate working there), or be laid off — if you are unfortunately with a company where technical support gets worse Move Now before they go out of business.
Avoid Windows or IIS Hosting
Never use a Windows IIS server, yuck!
WordPress or probably anything else most personal or small business websites would need can be installed on Microsoft IIS servers. (I’ve set up WordPress Multi-Site with domain mapping on IIS, for example.) It’s just everything for personal or small-business sites is harder on IIS than on Apache, since IIS is designed for large business needs, and Microsoft expects you to have taken the certification programs and know the high-power administration and design tools.
What’s harder on IIS, without those tools? Setup, administration, diagnosing problems, setting up site security, finding answers on the Internet to questions. Things like saying you’ve changed the name of a web page, saying a web page is deleted, adding email accounts, viewing site error logs, are all harder. Everything.
There are questions with hosting on Apache servers where I’ve asked on Google and the first page gave the right answer on all the top 8 sites; same question for IIS servers I had to search for days, and piece the answer together — you are expected to have taken expensive courses on how to set up web sites on IIS servers, with tools meant for very large corporate web sites.
Unless you have very strong business reasons to use IIS, such as your business provides Microsoft-language web site tools, keep away.
Oh, and IIS hosting accounts usually cost more, too, compared to Apache hosting accounts from the same hosting provider, since they take more technical support time! (And Apache is Free, but IIS is expensive.)
If your business offers your clients custom software written in a Microsoft-only programming language like ASP, and you won’t be weaned off it for a few years, that’s the only legitimate business reason I accept.
If you need to get WordPress Multi-Site working with Domain Mapping on IIS, it can work, I’ve helped a company do it (of course, they had a competent server administrator).
Avoid Web Hosting from your Credit Card Point-Of-Sale Provider
The absolute worst hosting provider I’ve written for was a client’s credit card terminal company (http://cart32.com/pricing/hosted-plans). I’m guessing they started with the card-swipe cash register, then added accepting credit cards on web sites, then added web site hosting. They modified the PHP language thinking that they were increasing “security”, making programming a basic site hard, not knowing the changes they made produced error messages displaying the very information they were wanting to keep secure. Had to do that to “pass the credit card security requirements”. Idiots! Of course, they also didn’t know answers to any technical support questions I had — I had to find ways around their problems.
Because they primarily offer their shopping cart software, they charge $50/month, instead of $10-$20/month.
Their security is “underground data center”, “video surveillance” and “24/7 security guard” (every host should have these). They don’t even mention protection against malware or hackers.
They even offer “Compatible with FrontPage” (software so old Microsoft stopped offering any updates or support for it maybe 10 years ago).
Every credit card processing company, including this one, can take credit card information from your web site hosted Anywhere, or don’t use them. Get your web site credit card processing with software provided by your bank, or with a major shopping cart software such as WooCommerce, and host your site with a dedicated web hosting company.
Avoid Worthless “Features” like FrontPage
MS FrontPage® Extensions. FrontPage was the best software of 1998 for web sites, but now completely useless/obsolete/unavailable. Every hosting company still mentions it. I would not be surprised if it is a well-known security hole, since Microsoft stopped providing updates for it a very long time ago. If they think this is a “big benefit”, that is a huge warning sign they haven’t updated their systems in years, don’t have competent staff, and are keeping expenses low at your expense.
My Recommendations for Hosting Providers
Free — WordPress.com without any hesitation. They will place an ad on your site, but it is completely free, and you know they have industry-standard site security and of course your WordPress is installed exactly right. Think of what a hosting provider has to cut to give free hosting — technical support, enough servers to give adequate speed for all their accounts, actively blocking new security threats, updating software to latest versions. Some free hosting sites just suddenly disappear, after months of not responding to support requests. WordPress.com is making money from paid hosting accounts, and the quality of their free accounts directly affects their business.
SiteGround. They provide tools that developers need, pre-installed, including SSH and GIT (for their high-end accounts they have a graphical GIT interface), and staging. They have staff devoting time every week to researching the latest hacker attacks discovered, and installing blocks for them — fix global WordPress security issues on server level, before WordPress updates come out. Their technical support can answer questions about WordPress plugin issues, and WordPress command line tools. (I’m urging them to add to their FAQ and Knowledge Base, so what I ask them doesn’t require technical support time.) They have separate servers optimized for MySQL, and optimized caching, so your WordPress site (or any other site that uses MySQL) is fast. Their prices are barely above the “standard hosting” prices, yet they offer a lot more. They offer shared, cloud or dedicated hosting. I found out about them as co-sponsors of WordPress WordCamp trainings.
WPEngine — Managed WordPress Hosting. Optimized your page load times, reliability and security. Fast, Secure and Scalable. Excellent for people less experienced with WordPress, who want someone to manage the updates and security for them. Strong attention on security, has simple staging, has GIT version control for all accounts. They focus on WordPress only. They support WordPress Multi-Site, or multiple WordPress installations, in their Professional plan or higher. Many WordPress developers and consultants host dozens of sites with them — managed hosting saves a lot of time.
LunarPages I hosted with them for years. The technical support was always responsive, and even though the beginners weren’t able to answer some of my most technical questions the more experienced ones always could. I never had any malware, even before I started learning about site security (remember, you can block attacks via URLs, and you can install things like WordPress plugins from trusted sources, but the hosting provider has to have security at the server and account level). They offer virtual desktop (for example an iPad or ChromeBook connects to your web hosting and has a full Windows setup including Microsoft Office), as well as virtual servers or dedicated hosting.
BlueHost is another host that looks good, and is a WordCamp co-sponsor so you will have no problems with WordPress.
Flywheel is another managed WordPress hosting company, looks like might be good.
Whatever hosting account you use, also get Sucuri to help prevent malware, and to clean it if you get any. They are the top-recommended security company at WordPress meetups and trainings. Sucuri offers a free scan for any site, but if you install their software they can do a Comprehensive Scan of everything on your site, frequently and automatically.