You really can get good website hosting.
Good prices, good technical support, good site speed, excellent security against hackers and malware. Good hosting companies even have clear instructions for doing the necessary configuration and administrative tasks.
If you just want My Recommendations for Hosting Providers, skip ahead, but knowing what you’re getting is important.
Bad web site hosting companies:
- Provide terrible technical support, especially where they try to answer every question with the most obvious simplistic response instead of actually looking at what you say isn’t working;
- Provide poor protection against hackers and malware;
- Provide unclear or outdated instructions for doing basic tasks (e.g. set up email accounts, transfer files);
- Say they provide “unlimited disk space and bandwidth” and then gripe if you store a backup of your large site;
- Offer low prices, not telling you how many ways they are scrimping (they count on novices not knowing the difference);
- Have great marketing but overloaded servers, so a bad customer would affect your site’s performance;
- Have bad customers that could affect your site: hosting companies with poor protection from hackers don’t know how to block other accounts from changing your files (and bad customers do go for cheap hosting, since they are less likely to be carefully monitored).
Some hosting companies have excellent hardware, but nobody but a hardware geek could understand what they offer and if it’s important for their needs, and they charge you a fortune for more than you need; I would rate this better than less expensive but inadequate. At least since they are charging you so much, you really can demand technical support make things work.
Some WordPress hosting resellers simply think “it’s not our job to make sure your website is safe from hackers” and “we can’t support your WordPress site”.
No matter how many horror stories you’ve heard, or how many monsters you’ve met out there, I am telling you there are hosting companies that have good technical support, high security, good hardware, and good prices.
Your social networks are a good source for finding them, if they include WordPress experts. Look for people in your WordPress community who host websites for clients. They have found companies that are good, including good technical support.
I’m going to give some criteria for selecting a hosting provider, and then let you know my recommended companies. (If you really want just my recommended companies, scroll down.)
What Almost All Web Hosting Companies Provide
If a host doesn’t provide any of these, find another host. (The best companies won’t mention these as “reasons to host with us”, since they offer many good things beyond these basics; these will be in the full list of features.)
“Unlimited” for bandwidth or disk space means they aren’t monitoring or restricting usage for personal or small business sites. They know what personal or small-business sites use, and provide far more than those needs. You won’t have restrictions or extra charges, unless your account starts using very high server resources. (“Unlimited” does not mean you can host email services for thousands of people, nor host thousands of videos as a video sharing service, nor resell web hosting to hundreds of high-use sites that should each be on a single account.) If you need more than that, simply ask your host what they charge for what you need. See my post on unlimited accounts.
What “unlimited” really means for email or FTP accounts or subdomains is that there is a simple way for you to create and manage those yourself, instead of making a technical support request to create one. It’s easy, as long as you have access to a good tool for it.
Use WordPress in Multi-Site mode with Domain Mapping
This mostly requires things that the vast majority of web hosting companies provide: a MySQL database, an Apache server (or the harder-to-use IIS), the ability to edit DNS settings (either yourself or by having technical support do it) for “wildcard DNS”, and the ability to configure PHP to use extra (128MB) memory.
What Better Hosts Provide
Expansion to virtual private servers (VPS), cloud desktops, dedicated servers. This is a good indication they will do things well. Why? Corporate clients, paying more money, with higher requirements, will demand good service. If a company attracts corporate clients, and provides lousy service or lousy performance, they will suffer — and the clients will likely give many bad reviews. Also, these are newer offerings; the old companies that are not upgrading their offerings won’t even mention them. Virtual private servers allow you to dynamically increase server resources, for example if you occasionally have product launches or video training, where you have huge spikes in traffic and bandwidth.
Enhanced Web Security. Look for a host that mentions companies such as Sucuri or CloudFlare (even the free version) for security, mentioning active prevention of malware and hackers. Hosts that recommend these are likely to get customers paying attention to security, and if they aren’t doing their job well, they will have customers with evidence their servers are insecure. Whatever hosting company you use, I recommend you run at least the Sucuri Scan frequently. (CloudFlare might be a cPanel Softaculous option.)
At least FTP over TLS (encrypted); better to also have SFTP (SSH File Transfer Protocol, where even the login process is secure). Hackers literally can read your password (with simple tools) if you log in via plain FTP on an insecure network (such as your local coffee shop or airport). What can someone change on your site if they can log in As You? Dre Armeda, from Sucuri, says emphatically: don’t use plain FTP, use secure FTP.
Technical support that can walk you through backup for WordPress, knows what “wildcard DNS” is, knows how to connect using FileZilla via SSH.
Help section of the web site that gives clear instructions for things like configuring your email program, creating email accounts, adding an add-on domain and pointing a domain name to it, creating a MySQL database, and connecting using FileZilla via SSH.
Staging. The ability to test your site fully, get everything working, in an area the public cannot see; then, when it’s ready, very easily move what works into the public area. (For something like WordPress Multi-Site, that would usually not mean the ability to transfer a single site of the multi-site, but the Entire multi-site installation. Contact me for how to migrate a single site into your WordPress Multi-Site with everything intact.)
Symlinks. This is a technical feature that commonly is only accessible through either a PHP program or the SSH command line. It lets you link a folder, for example to share PHP code you use for multiple sites. I have /public_html/sharefiles linked from each of my non-WordPress sites, so /public_html/domain1/shared/403.php actually uses /public_html/sharefiles/403.php (one copy of my error files used for all my sites). I don’t have to remember to upload changes to any of my shared routines to every site I host, just upload it once.
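The shared-folder layout described above, as an added example typed over SSH (this is not the author's own script). The function names link_shared and inside_account, the site names domain2 and the temporary directory standing in for the account home are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not the author's code). Paths are constructed under a temp
# directory that stands in for the hosting account's home.

# link_shared ACCOUNT_ROOT SITE
# Makes public_html/SITE/shared a symlink to public_html/sharefiles.
link_shared() {
    root=$1 site=$2
    # A site name with a slash or dot-dot could place the link outside public_html.
    case $site in
        ''|*/*|.|..) echo "bad site name: $site" >&2; return 1 ;;
    esac
    target="$root/public_html/sharefiles"
    link="$root/public_html/$site/shared"
    [ -d "$target" ] || { echo "missing $target" >&2; return 1; }
    [ -d "$root/public_html/$site" ] || { echo "missing site $site" >&2; return 1; }
    # Only ever replace an existing symlink, never a real file or folder.
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "$link exists and is not a symlink" >&2; return 1
    fi
    # Relative target: the link keeps working if the account home is moved.
    # -n replaces an existing link instead of creating one inside its target.
    ln -sfn ../sharefiles "$link"
}

# inside_account ROOT DIR: succeeds only if DIR, with symlinks resolved,
# is a directory under ROOT. Use it to audit links found in an account.
inside_account() {
    real_root=$(cd -P "$1" 2>/dev/null && pwd -P) || return 1
    real_dir=$(cd -P "$2" 2>/dev/null && pwd -P) || return 1
    case "$real_dir/" in
        "$real_root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

demo() {
    home=$(mktemp -d) || return 1
    mkdir -p "$home/public_html/sharefiles" \
             "$home/public_html/domain1" "$home/public_html/domain2"
    echo '<?php http_response_code(403); ?>' > "$home/public_html/sharefiles/403.php"
    for s in domain1 domain2; do link_shared "$home" "$s" || return 1; done
    # Each site's shared/403.php is the single copy in sharefiles.
    cmp -s "$home/public_html/domain1/shared/403.php" \
           "$home/public_html/sharefiles/403.php" &&
        inside_account "$home" "$home/public_html/domain2/shared"
    rc=$?
    rm -rf "$home"
    return $rc
}

demo && echo "shared error pages linked for domain1 and domain2"
```

Apache serves files through such a link only when Options FollowSymLinks or SymLinksIfOwnerMatch is in effect for the directory; the latter also requires the link and its target to have the same owner.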
Option for SSH (command line access). They have to have good security installed, so you can access command line programs but not access other customers’ areas or the server features. They have to have technical support able to at least point you to resources on how to use the SSH commands.
Advanced DNS Zone Editor. If cPanel has this, you set up wildcard DNS for WordPress Multi-Site with a few clicks. Even if you never use it, this is an indicator the hosting company is set up for more technical users, who will have higher standards for support and performance.
Affiliate Program. To have an affiliate program, the company has to organize their accounting and marketing systems around it. They have to have satisfied customers, willing to promote the company (of course, they’ll also get some customers only looking for affiliate income). It’s another indicator they are paying attention to what customers need.
What to Avoid
Keep away from all “free” and “cheap” hosting providers.
The only exception to “no free hosting” is wordpress.com, which has the latest version of WordPress, has selected the best WordPress plugins, and has excellent server security. WordPress (or the company, Automattic) makes money hosting other companies’ websites on wordpress.com. Free accounts are truly free; you don’t even need to buy a domain name.
Your site will get malware (meaning you will get notified by a customer or Google that you’re displaying ads for drugs or porn sites, or that your site has scripts running that were installed by Someone Else). Cheap hosts won’t hire staff knowledgeable about security, who add security rules for blocking threats and update all the server software.
The technical support team will be understaffed, poorly trained, hard to reach (or simply unresponsive). Technical support is seen as an expense (in all but the Very Best companies), and the cheap hosts will minimize that expense. One sign that a hosting provider is having financial problems is the technical support team will have higher turnover (they hate working there), or be laid off — if you are unfortunately with a company where technical support gets worse, Move Now before they go out of business.
Avoid Windows or IIS Hosting
Never use a Windows IIS server for WordPress, yuck!
WordPress or probably anything else most personal or small business websites would need can be installed on Microsoft IIS servers. (I’ve set up WordPress Multi-Site with domain mapping on IIS, for example.) It’s just that everything for personal or small-business sites or huge store sites is harder on IIS than on Apache, since IIS is designed for large corporation needs, and Microsoft expects you to have taken the certification programs and know the high-power administration and design tools.
What’s harder on IIS, without those tools? Setup, administration, diagnosing problems, setting up site security, finding answers on the Internet to questions. Things like saying you’ve changed the name of a web page, saying a web page is deleted, adding email accounts, viewing site error logs, are all harder. Everything.
There are questions with hosting on Apache servers where I’ve asked on Google and the first page gave the right answer on all the top 8 sites; for the same question on IIS servers, I had to search for days and piece the answer together — you are expected to have taken expensive courses on how to set up web sites on IIS servers, with tools meant for very large corporate web sites.
Unless you have very strong business reasons to use IIS, such as your business provides Microsoft-language web site tools, keep away.
Oh, and IIS hosting accounts usually cost more, too, compared to Apache hosting accounts from the same hosting provider, since they take more technical support time!
If your business offers your clients custom software written in a Microsoft-only programming language like ASP, and you won’t be weaned off it for a few years, use secure shell transfers of data, in standard formats like JSON, to send it to your website on NGINX or Apache.
Avoid Web Hosting from your Credit Card Point-Of-Sale Provider
The absolute worst hosting provider I’ve ever used was for a client’s pre-WordPress site. They hosted with that company because their store used the company for their credit card terminal (http://cart32.com/pricing/hosted-plans).
I’m guessing the company started with card-swipe terminals, then added accepting credit cards on web sites, then added web site hosting.
They modified the PHP language thinking that they were increasing “security”, making programming a basic site hard, not knowing that the changes they made produced error messages displaying the very information they were claiming they had to keep secure. They said they had to do that to “pass the credit card security requirements”. Idiots!
Of course, they also didn’t know answers to any technical support questions I had — I had to find ways around their problems.
I refused to convert that website into WordPress until they changed hosting companies. There was no chance WordPress would run without errors, and they were certainly incapable of hosting-level security against hackers infecting a WordPress site.
Because they primarily offer their shopping cart software, they charge $50/month, instead of $10-$20/month, and provide inferior hosting.
There are many excellent credit card processing companies that work with you hosting your website anywhere. Get your web site credit card processing with software provided by your bank, or with a major shopping cart software such as Square or PayPal, and host your site with a dedicated WordPress website hosting company.
No WordPress-Specific Security
Watch out if they say security is “underground data center”, “video surveillance” and “24/7 security guard”. Yes, those are important (every host should have these). But if that is what they mention as “security”, they are not mentioning protection against malware or hackers.
Today, every major piece of software is being probed every day. WordPress is no different. While you can protect your website in many ways, at the account level and the WordPress plugin level, only host with a company that is actively protecting their servers, and all their other infrastructure, from hackers.
Avoid Worthless “Features” like FrontPage
MS FrontPage® Extensions. FrontPage was the best website software of 1998, but now is completely useless/obsolete/unavailable. Many hosting companies still mention it. I would not be surprised if it has several well-known security holes, since mainstream support for FrontPage was dropped by Microsoft on 4/14/2009.
If a hosting company thinks this is a “benefit”, that is a huge warning sign they haven’t updated their systems in years, don’t have competent security staff, and are keeping expenses low at your expense.
My Recommendations for Hosting Providers
Free — WordPress.com without any hesitation. They will place an ad on your site, but it is completely free, and you know they have industry-standard site security and of course your WordPress is installed exactly right. Think of what a hosting provider has to cut to give free hosting — technical support, enough servers to give adequate speed for all their accounts, actively blocking new security threats, updating software to latest versions. Some free hosting sites just suddenly disappear, after months of not responding to support requests. WordPress.com is making money from paid hosting accounts, and the quality of their free accounts directly affects their business.
SiteGround. They provide tools that developers need, pre-installed, including SSH and Git (for their high-end accounts they have a graphical Git interface), and staging. They have staff devoting time every week to researching the latest hacker attacks discovered, and installing blocks for them; they fix global WordPress security issues at the server level, before WordPress updates come out. Their technical support can answer questions about WordPress plugin issues, and WordPress command line tools. (I’m urging them to add to their FAQ and Knowledge Base, so what I ask them doesn’t require technical support time.) They have separate servers optimized for MySQL, and optimized caching, so your WordPress site (or any other site that uses MySQL) is fast. Their prices are barely above the “standard hosting” prices, yet they offer a lot more. They offer shared, cloud or dedicated hosting. I found out about them as co-sponsors of WordPress WordCamp trainings.
WPEngine — Managed WordPress Hosting. Optimizes your page load times, reliability and security. Fast, Secure and Scalable. Excellent for people less experienced with WordPress, who want someone to manage the updates and security for them. Strong attention on security, has simple staging, has Git version control for all accounts. They focus on WordPress only. They support WordPress Multi-Site, or multiple WordPress installations, in their Professional plan or higher. Many WordPress developers and consultants host dozens of sites with them — managed hosting saves a lot of time.
LunarPages. I hosted with them for years. The technical support was always responsive, and even though the beginners weren’t able to answer some of my most technical questions, the more experienced ones always could. I never had any malware, even before I started learning about site security (remember, you can block attacks via URLs, and you can install things like WordPress plugins from trusted sources, but the hosting provider has to have security at the server and account level). They offer virtual desktop (for example an iPad or ChromeBook connects to your web hosting and has a full Windows setup including Microsoft Office), as well as virtual servers or dedicated hosting.
BlueHost is another host that looks good, and is a WordCamp co-sponsor so you will have no problems with WordPress.
Flywheel is another managed WordPress hosting company; it looks like it might be good.
Whatever hosting account you use, also get Sucuri to help prevent malware, and to clean it if you get any. They are the top-recommended security company at WordPress meetups and trainings. Sucuri offers a free scan for any site, but if you install their software they can do a Comprehensive Scan of everything on your site, frequently and automatically.