Selecting a Web Hosting Company

You really can get good website hosting.

Good prices, good technical support, good site speed, excellent security against hackers and malware. Good hosting companies even have clear instructions for doing the necessary configuration and administrative tasks.

If you just want my recommendations for hosting providers, skip ahead; but knowing what you’re getting is important.

Bad web site hosting companies provide:

  • Terrible technical support, especially where they try to answer every question with the most obvious simplistic response instead of actually looking at what you say isn’t working;
  • Poor protection against hackers and malware;
  • Unclear or outdated instructions for doing basic tasks (e.g. set up email accounts, transfer files);
  • Claims of “unlimited disk space and bandwidth”, followed by gripes if you store a backup of your large site;
  • Low prices, without telling you how many ways they are scrimping (they count on novices not knowing the difference);
  • Great marketing but overloaded servers, so a bad customer would affect your site’s performance;
  • Bad customers that could affect your site: hosting companies with poor protection from hackers don’t know how to block other accounts from changing your files (and bad customers do go for cheap hosting, since they are less likely to be carefully monitored).

Some hosting companies have excellent hardware, but nobody but a hardware geek could understand what they offer and if it’s important for their needs, and they charge you a fortune for more than you need; I would rate this better than less expensive but inadequate. At least since they are charging you so much, you really can demand technical support make things work.

Some WordPress hosting resellers simply think “it’s not our job to make sure your website is safe from hackers” and “we can’t support your WordPress site”.

No matter how many horror stories you’ve heard, or how many monsters you’ve met out there, I am telling you there are hosting companies that have good technical support, high security, good hardware, and good prices.

Your social networks are a good source for finding them, if they are WordPress experts. Look for people in your WordPress community who host websites for clients. They have found companies that are good, including good technical support.

I’m going to give some criteria for selecting a hosting provider, and then let you know my recommended companies. (If you really want just my recommended companies, scroll down.)

What Almost All Web Hosting Companies Provide

If a host doesn’t provide any of these, find another host. (The best companies won’t mention these as “reasons to host with us”, since they offer many good things beyond these basics; these will be in the full list of features.)

“Unlimited” for bandwidth or disk space, means they aren’t monitoring or restricting, for personal or small business sites. They know what personal or small-business sites use, and provide far more than those needs. You won’t have restrictions or extra charges, unless your account starts using very high server resources. (“Unlimited” does not mean you can host email services for thousands of people, nor host thousands of videos as a video sharing service, nor resell web hosting to hundreds of high-use sites that should each be on a single account.) If you need more than that, simply ask your host what they charge for what you need. See my post on unlimited accounts.

What “unlimited” really means for email or FTP accounts or subdomains, is there is a simple way for you to create and manage those yourself, instead of making a technical support request to create one. It’s easy, as long as you have access to a good tool for it.

Catch-All Email. Spammers try guessing email addresses. This says what to do with email sent to non-existent email accounts. If you use this, you’ll need someone to clean out the spam for the few actual emails. I just let it gather on the server and once a year delete thousands of emails at once. You could specify to immediately trash all email sent to any of your domain names for non-existent email addresses.


Email Forwarding. You’ll use this, for example, for forwarding to the actual person answering support questions, and then when that person moves on you simply change the forwarding. Another use is to create a specific email address, that forwards to your main email, for signing up on some site you don’t really trust; if they spam you, just delete their email forwarding (and then the catch-all email will deal with it).


Mailing Lists. Use Brevo or MailChimp or AWeber instead of a website hosting company. If you want your newsletter delivered and received, using a dedicated newsletter company gives much better results, and it will look better, and you’ll have a lot less administrative work, and possibly less legal hassle. So this is a worthless feature of your hosting account.

No Limit, but don’t use it

Email Auto responders (again, you’ll probably use Brevo instead). This is only good for messages like “Out of Office Until Tuesday”.


SMTP and SendMail Support. SMTP is the normal way to send messages from your email client through your hosting. SendMail lets a program (such as WordPress) send emails (for example, about site problems, or about people creating an account, or other administrative notices).

For newsletters, use a dedicated newsletter service like Brevo or MailChimp or AWeber, since these are much less work for you and better delivery. If you are using shared hosting, then if a spammer on the same server, meaning it has the same IP address, gets banned, your newsletter won’t be delivered.


Spam Blocking. While no spam blocker is perfect, every web hosting account should have this.


24/7 Support Ticket System. Every hosting company should have this, it’s been standard for maybe 500 years. You should be able to email support questions, or enter questions into their online ticketing system. You also should have telephone support for emergencies, though you often have to pay extra for phone support. (Many hosts have a single-click installation for you to host your own customer support system, but it’s better to use a dedicated service.)


Online (or Live) Chat Support. Many hosting providers have an online chat system; make sure it’s secure (https://), since you’re likely to give technical details that hackers could use. I think these chat systems are easier than holding a phone to my ear for an hour, and it is much easier to accurately convey info by typing than by talking. If they mention AIM/ICQ/MSN/Y! they’re saying they will do technical support via these outdated chat programs; those are pretty much gone. What about Zoom and Skype, which allow you to show them your screen or see theirs? Many companies host their own support chat program, with security built in.

Yes, for support via chat. Definite no for ancient brands.

cPanel Control Panel. cPanel is the most common, or Plesk; maybe a different brand would be okay, but you need a control panel. Otherwise, you’d have to contact technical support for basic things like adding an email address or creating a sub-domain, or checking your site error log, or checking your site statistics. (WHM is also seen often, it’s more for resellers to manage the accounts for clients, and their clients would have cPanel.)


Softaculous, or another collection of “single click installation” for popular programs, such as WordPress, Joomla, questionnaires, mailing lists, help desk, secure chatting with site users, etc. Saves you having to create a database, install the software, configure the software so it runs. However, there are free or inexpensive services available to do all those things, so make sure this software is the best option. Don’t clutter up your hosting account with software you don’t need. The only tool from Softaculous I use is the basic WordPress installation.


Customizable Error Pages. You should be able to make error pages that look good, report errors to you so you can fix them, and help build your business (suggest pages to go to, show ads for important products, ask them to sign up for your newsletter). Even your error pages should have your branding on them.


Access to Error Logs. This is essential for you being able to fix problems on your site. Even if you think you are “not technical”, you might see in an instant what to fix, looking at the error logs; or your technical friend might.


(Webalizer, Analog, etc) Statistics. The brand isn’t important (though Webalizer and Analog are popular ones). You need to see informative statistics about your web site, including which pages are getting the most traffic, and where traffic is coming from, and if there are pages that are being asked for but don’t exist (maybe someone linking to you spelled the page name wrong).

Don’t use these, use Google Analytics and Google Search Console instead. Much better data, much better reports, and minimal impact on your hosting server. Just have your WordPress site running the Google Site Kit plugin.

No, use Google

Add-On Domains. The ability to host several completely separate web sites, with different domain names pointing to them, on your single hosting account. You should have a management tool for add-on domains in your cPanel. (Related feature: Parked Domains means the ability to have multiple domain names point to the same location, e.g. and You should have WordPress in your hosting account root (domain mapping in WordPress Multi-Site requires WordPress is in the root of your account, or the root of an add-on domain), and have all your non-WordPress sites installed as add-on domains. This also keeps all your folder references the same, since all your non-WordPress sites are at the same level, and with symbolic links (I explain these in another post) you can literally share code across your sites (for example your style sheets, error pages, and most likely many other tools).


Cron Job Support. So you can have regularly scheduled actions done behind the scenes, without you needing to remember to start them.


File Manager. You will mostly use SFTP for transferring files, but you should also have this.

Also look for a Disk Usage utility, so you can see which folders have huge files. Sometimes a backup plugin or other tool makes unexpected huge files. (Tip: only have one backup tool, since if you have two they might backup each other’s backup files, doubling the size every day or week…)


Password Protected Directories. Essential; for a host to block you from setting this up, they would have to block your access to many other needed security features. This is done using .htaccess, but the feature provides an easier interface.


Daily Downloadable Backups. Of course you need this, and need to schedule downloading the backups to some other place, such as DropBox or Amazon S3 or your computer or DVD. Keep just the most recent backup on your hosting account (most hosting accounts will complain if you have terabytes of backups). Make sure you back up your MySQL databases as well as your files. Figure out how often you need to back up and save the backup (how much recent work could you lose without being upset?), and save the backup at least that frequently; but they should automatically backup your account daily.


URL Redirection Capability (might simply be stated as allowing .htaccess changes). You will need to be able to rename a page, or say a page has been moved or deleted.

But the WordPress Redirection plugin does this for you, so you do not need this from the hosting account.


Search Engine Submissions. Many hosts offer this, and it’s nice; but you can do it yourself better, easily, and free.

“The SEO Framework” plugin, or Yoast plugin, make a site map for you. You specify the location of the site map in your Google Analytics settings.


PHP 4 With Zend Optimizer. Don’t use old versions of PHP, unless you really need some custom software that won’t run on PHP 4 or 5 or 7, meaning it hasn’t been upgraded in years and probably has security holes. (Zend Optimizer is good, but again, use the latest version; and I haven’t heard of Zend Optimizer lately.)

As of November 2023 the earliest version of PHP you should use is version 8.1, which has “Active Support” until 25 Nov 2023 at midnight, but “Security Support” until 25 Nov 2024.

If a hosting company mentions ancient software, it’s a sign they have outdated server software and don’t do software updates reliably. Run away from that hosting company!

If you think you “need” ancient PHP software, at least run it in a separate hosting account, to protect your WordPress site from old PHP programs getting hacked.

Definite No

Currently supported PHP versions only

MySQL 4. Great, they’re claiming an ancient version as a benefit… MySQL is essential, and standard, and powerful, and free. My “average” hosting provider in March 2014 has MySQL version 5.5.32, fairly current (the Latest Available [when I wrote this years ago] is 5.6.16). MySQL 4 is ancient, as far as hackers are concerned.

MySQL 5 = Essential

Unlimited databases. This almost always refers to MySQL databases. (WordPress can use any existing database, has a “table prefix” you configure when installing, to make sure WordPress tables don’t trample another program’s tables, if your number of databases is limited.) “Unlimited” here means you create your own databases in a cPanel tool, and they aren’t monitored, unless your disk space usage becomes enormous.

Essential

phpMyAdmin. This is the most popular MySQL database administration program, and if you don’t have access to it the host is restricting you getting your site working. (It is free, open source, but if a host doesn’t have it they probably won’t let you install it.) Almost every script out there uses MySQL; if you don’t have phpMyAdmin you’ll have administration problems. March 2014 latest version is 4.1.9 (my “average” hosting provider currently has 4.0.5 installed, a single sub-version difference isn’t too bad, 4.0.xx vs 4.1.xx).

Yes

Perl 5. I suppose there are good web software programs that are still written in Perl. Every web host provides Perl (Apache or IIS). PHP is newer, easier to program, often better security (there are many Perl programs written by programmers who had no attention on security).

Yes

Full Private CGI-Bin Access. That’s for Perl, you should have it but probably won’t use it.

Yes

Server Side Includes (SSI). Again, for Perl. (PHP can also include code from other files, just isn’t called SSI.)

Yes

Secure Server (SSL). If you are going to do anything with credit card processing (not passing it to PayPal or similar company to handle, but you’re integrating credit card processing onto pages on your site) then you need SSL. If you are displaying any information that is confidential, you need SSL. Pay attention to how much they charge for an “SSL certificate”, and whether they let you install one from some other source.

Yes

Knowledge Database/FAQ. Every hosting company should have this, one of the first things companies put onto the Internet was a FAQ. But check it includes things like how to connect via Secure FTP, how to change your password, how to create a MySQL database. If you have SSH with your account, the FAQ should have creating SSH keys and using Filezilla and PuTTY with SSH. The more detailed the instructions are, with screen shots, the better. If you ask technical support something, and you’re fairly sure others would have the same question (really rare if you’re asking something unique), they should be able to answer by giving you the URL of the Knowledge Base page.

Yes — quality indicates technical support quality

Community Forums. Every hosting company should have this, it’s been standard for maybe 10 years. Read through theirs, it should have problems, and solutions given clearly and promptly. Should have links to good training resources. Should have employees monitoring it and community members and employees answering questions.

Yes

UPS Power Backup. Diesel Generator Backup Power. 24/7 Network Monitoring. Multiple 10 Gigabit Ethernet Connections.

Yes

Streaming Video Support. Streaming Audio Support. These a) require “Add Custom MIME Types”, which is done in .htaccess, and b) need adequate storage space and bandwidth. Essential (but most of your videos you’ll host on YouTube, or Amazon S3, so streaming isn’t an issue for you).

Yes

Use WordPress in Multi-Site mode with Domain Mapping

This requires mostly things that by far most web hosting companies provide: MySQL database, Apache server (or the harder-to-use IIS), ability to edit DNS settings (either yourself or have technical support do it) for “wildcard DNS”, ability to configure PHP to use extra (128MB) memory.

What Better Hosts Provide

Expansion to virtual private servers (VPS), cloud desktops, dedicated servers. This is a good indication they will do things well. Why? Corporate clients, paying more money, with higher requirements, will demand good service. If a company attracts corporate clients, and provides lousy service or lousy performance, they will suffer — and the clients will likely give many bad reviews. Also, these are newer offerings; the old companies that are not upgrading their offerings won’t even mention them. Virtual private servers allow you to dynamically increase server resources, for example if you occasionally have product launches or video training, where you have huge spikes in traffic and bandwidth.

Sucuri Security
Enhanced Web Security. Look for a host that mentions companies such as Sucuri or CloudFlare (even the free version) for security, mentioning active prevention of malware and hackers. Hosts that recommend these are likely to get customers paying attention to security, and if they aren’t doing their job well, they will have customers with evidence their servers are insecure. Whatever hosting company you use, I recommend you run at least the Sucuri Scan frequently. (CloudFlare might be a cPanel Softaculous option.)

At least FTP over TLS (encrypted), better to also have SFTP (SSH File Transfer Protocol, even the login process is secure). Hackers literally can read your password (with simple tools) if you log in via plain-FTP on an insecure network (such as your local coffee shop or airport). What can someone change on your site if they can log in As You? Dre Armeda, from Sucuri, says emphatically don’t use plain FTP, use secure FTP.

Technical support that can walk you through backup for WordPress, knows what “wildcard DNS” is, knows how to connect using FileZilla via SSH.

Help section of web site that gives clear instructions how to do things like configure your email program, create email accounts. Add an add-on domain and point a domain name to it. Create a MySQL database. Connect using FileZilla via SSH.

Staging. The ability to test your site fully, get everything working, in an area the public can not see; then, when it’s ready, very easily move what works into the public area. (For something like WordPress Multi-Site, that would usually not mean the ability to transfer a single site of the multi-site, but the Entire multi-site installation. Contact me for how to migrate a single site into your WordPress Multi-Site with everything intact.)

Symlinks. This is a technical feature, that commonly is only accessible through either a PHP program, or SSH command line. It lets you link a folder, for example sharing PHP code you use for multiple sites. I have /public_html/sharefiles linked from each of my non-WordPress sites, so /public_html/domain1/shared/403.php actually uses /public_html/sharefiles/403.php (one copy of my error files used for all my sites). I don’t have to remember to upload changes to any of my shared routines to every site I host, just upload it once.
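The shared-folder layout described above, as an added example that is not part of the original post: it creates the `shared` links over SSH and then audits that no symlink under `public_html` resolves outside it. The temporary account root and the site names `domain1`/`domain2` are constructed for the demo, and `readlink -f` is assumed to be available (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example. Paths mirror the article's layout; the account root is a
# temporary directory and the site names are constructed for the demo.

# link_shared ACCOUNT_ROOT SITE...
# Gives each site a "shared" symlink to the single copy in public_html/sharefiles.
link_shared() {
    root=$1; shift
    for site in "$@"; do
        site_dir="$root/public_html/$site"
        [ -d "$site_dir" ] || { echo "missing site dir: $site_dir" >&2; return 1; }
        # Refuse to replace a real directory; only an old symlink may be replaced.
        if [ -e "$site_dir/shared" ] && [ ! -L "$site_dir/shared" ]; then
            echo "not a symlink, left alone: $site_dir/shared" >&2; return 1
        fi
        rm -f "$site_dir/shared"
        # Relative target: still valid if the host moves the account's home path.
        ln -s ../sharefiles "$site_dir/shared" || return 1
    done
}

# audit_links ACCOUNT_ROOT
# Prints every symlink under public_html whose real target is outside
# public_html (or dangling) and returns 1 if any exist. A link that escapes
# the web root can expose files the web server should never serve.
audit_links() {
    webroot=$(cd "$1/public_html" && pwd -P) || return 2
    outside=$(
        # -type l lists symlinks without following them
        find "$webroot" -type l | while IFS= read -r link; do
            target=$(readlink -f "$link") || target=""
            case "$target" in
                "$webroot"/*) ;;   # resolves inside the web root: fine
                *) printf '%s -> %s\n' "$link" "${target:-<dangling>}" ;;
            esac
        done
    )
    [ -z "$outside" ] && return 0
    printf '%s\n' "$outside"
    return 1
}

# make_demo_account: builds the constructed layout and prints its path.
make_demo_account() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/public_html/sharefiles" \
             "$root/public_html/domain1" "$root/public_html/domain2"
    echo '<?php http_response_code(403); echo "Forbidden"; ?>' \
        > "$root/public_html/sharefiles/403.php"
    echo "$root"
}

# Demo run on the constructed layout.
acct=$(make_demo_account)
link_shared "$acct" domain1 domain2
# The per-site path resolves to the one shared copy:
readlink -f "$acct/public_html/domain1/shared/403.php"
audit_links "$acct" && echo "all symlinks stay inside public_html"
rm -rf "$acct"
```

On a real account, pass your home directory as the account root and run `audit_links` after any plugin install or restore.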

Option for SSH (command line access). They have to have good security installed, so you can access command line programs but not access other customers’ areas or the server features. They have to have technical support able to at least point you to resources on how to use the SSH commands.

Advanced DNS Zone Editor. If cPanel has this, you set up wildcard DNS for WordPress Multi-Site with a few clicks. Even if you never use it, this is an indicator the hosting company is set up for more technical users, who will have higher standards for support and performance.

Affiliate Program. To have an affiliate program, the company has to organize their accounting and marketing systems around it. They have to have satisfied customers, willing to promote the company (of course, they’ll also get some customers only looking for affiliate income). It’s another indicator they are paying attention to what customers need.

What to Avoid

Keep away from all “free” and “cheap” hosting providers.

The only exception to “no free hosting” is which has the latest version of WordPress, has selected the best WordPress plugins, has excellent server security. WordPress (or the company, Automattic) makes money hosting other company’s websites on Free accounts are truly free, don’t even need to buy a domain name.

Your site will get malware (meaning you will get notified by a customer or Google that you’re displaying ads for drugs or porn sites, or that your site has scripts running that were installed by Someone Else). They won’t hire staff knowledgeable about security, adding security rules for blocking threats, updating all the server software.

The technical support team will be understaffed, poorly trained, hard to reach (or simply unresponsive). Technical support is seen as an expense (in all but the Very Best companies), and the cheap hosts will minimize that expense. One sign that a hosting provider is having financial problems is the technical support team will have higher turnover (they hate working there), or be laid off — if you are unfortunately with a company where technical support gets worse Move Now before they go out of business.

Avoid Windows or IIS Hosting

Never use a Windows IIS server for WordPress, yuck!

WordPress or probably anything else most personal or small business websites would need can be installed on Microsoft IIS servers. (I’ve set up WordPress Multi-Site with domain mapping on IIS, for example.) It’s just that everything for personal or small-business sites or huge store sites is harder on IIS than on Apache, since IIS is designed for large corporation needs, and Microsoft expects you to have taken the certification programs and know the high-power administration and design tools.

What’s harder on IIS, without those tools? Setup, administration, diagnosing problems, setting up site security, finding answers on the Internet to questions. Things like saying you’ve changed the name of a web page, saying a web page is deleted, adding email accounts, viewing site error logs, are all harder. Everything.

There are questions with hosting on Apache servers where I’ve asked on Google and the first page gave the right answer on all the top 8 sites; same question for IIS servers I had to search for days, and piece the answer together — you are expected to have taken expensive courses on how to set up web sites on IIS servers, with tools meant for very large corporate web sites.

Unless you have very strong business reasons to use IIS, such as your business provides Microsoft-language web site tools, keep away.

Oh, and IIS hosting accounts usually cost more, too, compared to Apache hosting accounts from the same hosting provider, since they take more technical support time!

If your business offers your clients custom software written in a Microsoft-only programming language like ASP, and you won’t be weaned off it for a few years, use secure shell transfers of data, in standard formats like JSON, to send it to your website on NGINX or Apache.

Avoid Web Hosting from your Credit Card Point-Of-Sale Provider

The absolute worst hosting provider I’ve ever used was for a client’s pre-WordPress site. They hosted with that company because their store used the company for their credit card terminal (

I’m guessing the company started with card-swipe terminals, then added accepting credit cards on web sites, then added web site hosting.

They modified the PHP language thinking that they were increasing “security”, making programming a basic site hard, not knowing that the changes they made produced error messages displaying the very information they were claiming they had to keep secure. They said they had to do that to “pass the credit card security requirements”. Idiots!

Of course, they also didn’t know answers to any technical support questions I had — I had to find ways around their problems.

I refused to convert that website into WordPress until they changed hosting companies. There was no chance WordPress would run without errors, and they were certainly incapable of hosting-level security against hackers infecting a WordPress site.

Because they primarily offer their shopping cart software, they charge $50/month, instead of $10-$20/month, and provide inferior hosting.

There are many excellent credit card processing companies, that work with you hosting your website anywhere. Get your web site credit card processing with software provided by your bank, or with a major shopping cart software such as Square or PayPal, and host your site with a dedicated WordPress website hosting company.

No WordPress-Specific Security

Watch out, if they say security is “underground data center”, “video surveillance” and “24/7 security guard”. Yes, those are important (every host should have these). But, if that is what they mention as “security”, they are not mentioning protection against malware or hackers.

Today, every major software is being probed every day. WordPress is no different. While you can protect your website in many ways, at the account level and the WordPress plugin level, only host with a company that is actively protecting their servers, and all their other infrastructure, from hackers.

Avoid Worthless “Features” like FrontPage

MS FrontPage® Extensions. FrontPage was the best website software of 1998, but now is completely useless/obsolete/unavailable. Many hosting companies still mention it. I would not be surprised if it has several well-known security holes, since mainstream support for FrontPage was dropped by Microsoft on 4/14/2009.

If a hosting company thinks this is a “benefit”, that is a huge warning sign they haven’t updated their systems in years, don’t have competent security staff, and are keeping expenses low at your expense.

My Recommendations for Hosting Providers

Free — without any hesitation. They will place an ad on your site, but it is completely free, and you know they have industry-standard site security and of course your WordPress is installed exactly right. Think of what a hosting provider has to cut to give free hosting — technical support, enough servers to give adequate speed for all their accounts, actively blocking new security threats, updating software to latest versions. Some free hosting sites just suddenly disappear, after months of not responding to support requests. is making money from paid hosting accounts, and the quality of their free accounts directly affects their business.

Web Hosting
SiteGround. They provide tools that developers need, pre-installed, including SSH and GIT (for their high-end accounts they have a graphical GIT interface), and staging. They have staff devoting time every week to researching the latest hacker attacks discovered, and installing blocks for them — fix global WordPress security issues on server level, before WordPress updates come out. Their technical support can answer questions about WordPress plugin issues, and WordPress command line tools. (I’m urging them to add to their FAQ and Knowledge Base, so what I ask them doesn’t require technical support time.) They have separate servers optimized for MySQL, and optimized caching, so your WordPress site (or any other site that uses MySQL) is fast. Their prices are barely above the “standard hosting” prices, yet they offer a lot more. They offer shared, cloud or dedicated hosting. I found out about them as co-sponsors of WordPress WordCamp trainings.

WPEngine — Managed WordPress Hosting. Optimizes your page load times, reliability and security. Fast, Secure and Scalable. Excellent for people less experienced with WordPress, who want someone to manage the updates and security for them. Strong attention on security, has simple staging, has GIT version control for all accounts. They focus on WordPress only. They support WordPress Multi-Site, or multiple WordPress installations, in their Professional plan or higher. Many WordPress developers and consultants host dozens of sites with them — managed hosting saves a lot of time.

LunarPages I hosted with them for years. The technical support was always responsive, and even though the beginners weren’t able to answer some of my most technical questions the more experienced ones always could. I never had any malware, even before I started learning about site security (remember, you can block attacks via URLs, and you can install things like WordPress plugins from trusted sources, but the hosting provider has to have security at the server and account level). They offer virtual desktop (for example an iPad or ChromeBook connects to your web hosting and has a full Windows setup including Microsoft Office), as well as virtual servers or dedicated hosting.

BlueHost is another host that looks good, and is a WordCamp co-sponsor so you will have no problems with WordPress.

Flywheel is another managed WordPress hosting company; it looks like it might be good.

Sucuri Security
Whatever hosting account you use, also get Sucuri to help prevent malware, and to clean it if you get any. They are the top-recommended security company at WordPress meetups and trainings. Sucuri offers a free scan for any site, but if you install their software they can do a Comprehensive Scan of everything on your site, frequently and automatically.





