Hosting your website on a safe and trustworthy hosting company is essential.
You need a hosting provider that offers excellent reliability, security and support.
But who can you trust with your self-hosted WordPress blog?
There's been a lot of discussion regarding recent hacker attacks and hosting providers. And many people ask me what I look for in a hosting company, so I thought I would share a few tips with you.
When searching for a safe web host, the first 10 things I look for are:
- 24/7 Technical Telephone Support – In a crisis I don't want to wait for a response from an email or wait until they're open tomorrow to call. And I want them to be friendly and helpful; don't give me the ol' “We don't provide that type of support here” or “You need to go search our help section” for simple questions.
- Daily (or weekly) Backups – If my database or website gets corrupted I need a reliable backup if mine fails.
- Website Restoration – God forbid my website gets hacked, I want to know that my hosting company has my back and will restore my site.
- 24/7 Security Monitoring – Someone better be monitoring my site's server for any attacks or issues.
- Updated Applications – I want all the latest secure versions of Apache, PHP, MySQL, etc. on the server. And I want them to provide proof. Show me!
- Timely Security Updates – My host needs to keep up with application/software security updates. So I ask how often they update. Just like it's my job to keep my WordPress site updated and my computer safe with Windows updates, virus scans, firewalls, etc.
- SFTP (SSH File Transfer Protocol) and SSH (Secure Shell) – I will not use a host that does not allow me to encrypt my file uploads.
- SUPHP Installed – If a host says no, I run the other direction. I will NOT set any server permission to CHMOD 0777.
- Positive Customer Reviews – I search the Internet, ask on Twitter and Facebook, and read customer reviews/testimonials.
- No Hidden Files – When I use my file manager in the cPanel or look via SFTP, I want to be able to see all my files, including .htaccess and php.ini.
Oh, and one last tip… Call the technical support line and see how long their “hold time” is. When the auto-attendant says, “You are caller #64 and your hold time is 32 minutes,” run the other direction. (Hmmm, does that mean they estimate 30 seconds to answer everyone's question?)
Another question I get a lot is “Who do you host with?” The answer is: HostGator (my affiliate link). They cover all the tips I mentioned above.
Recommended WordPress Plugin for checking server vulnerabilities:
ServerBuddy tests the server's configuration and checks for some vulnerabilities and compatibility issues with your WordPress, WordPress themes, plugins and more.
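The "no CHMOD 0777" rule from the list above can also be checked by hand over SSH. The following is an added example, not part of the original post or any host's tooling: POSIX shell functions that list world-writable files and directories under a WordPress document root and print, without running, the chmod that would tighten each one. The document root path is a placeholder you supply, and the 755 (directories) and 644 (files) targets are the usual WordPress convention, assumed here.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for world-writable entries (0777, 0666, ...).
# On shared hosting, the "other" write bit lets any account on the server
# modify the path, which is why the list above rejects 0777.

# Paths under $1 with the world-writable bit (0002) set.
# Symlinks are not reported; only regular files and directories.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Number of findings; 0 is the result to aim for.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Dry run: print the chmod that would tighten each finding, change nothing.
# 755 for directories, 644 for files (assumed convention, adjust as needed).
suggest_fixes() {
    list_world_writable "$1" | while IFS= read -r p; do
        if [ -d "$p" ]; then
            echo "chmod 755 '$p'"
        else
            echo "chmod 644 '$p'"
        fi
    done
}

# Returns 0 when the tree is clean, 1 when findings exist (usable from cron).
audit_docroot() {
    n=$(count_world_writable "$1")
    if [ "$n" -eq 0 ]; then
        echo "OK: nothing under $1 is world-writable"
        return 0
    fi
    echo "FOUND: $n world-writable path(s) under $1"
    suggest_fixes "$1"
    return 1
}

# Stand-alone use: sh audit.sh /path/to/your/public_html  (path is a placeholder)
if [ -n "${1:-}" ]; then audit_docroot "$1"; fi
```

If a theme or plugin stops working after the permissions are tightened, that is the symptom described in the comments below for hosts without suPHP.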
We'd love your feedback
Who do you trust with your website content? What do you look for in a host provider? Share your tips, hosting company reviews and ideas by leaving a comment below.
Securely yours,
Regina Smola
WordPress Security Specialist
John Hoff says
Hi Regina. Quick question.
How is using SUPHP with WordPress in regards to upgrades, plugin upgrades, installing new plugins, etc.?
Seems like that would take quite a bit of effort managing. Or is there an easy way to rename files that you’re using?
Thanks
Also, it would be nice if I could subscribe to the comments of this post. The “Subscribe to Comments” plugin works really well.
Regina Smola says
Hi John,
Thanks for your question.
Regarding SUPHP, I happened upon it while moving a client’s website to a host that did not have it installed. Right away, I noticed his theme and plugins were not loading properly. I contacted the host and they stated they do not have SUPHP installed and all directories needed to be set to 777. Their server did not allow scripts to be executed with the permission of the site owner. And suPHP allows PHP processes to run under the file owner.
There was no need to manage anything extra or rename files. We just ran the other direction and moved him elsewhere.
For shared hosting, I recommend that NO directory or file be set to 777. With dedicated hosting, I’ve heard that 777 is okay since you’re the only one using it. But I wouldn’t recommend CHMOD 777 for any hosting.
Here’s some others that have had problems with shared hosting with no suPHP installed – http://wordpress.org/tags/suphp.
P.S. I looked into the “Subscribe to Comments” plugin. It hasn’t been updated since 12/14/2007. Makes me leery. What do you think about the http://wordpress.org/extend/plugins/subscribe-to-double-opt-in-comments/?
Carmelo Santana says
For dedicated hosts I would NOT recommend 777 unless you have to run 777. There may be no way around it for upload folders, but for the most part you should be ok with 755.
Regina Smola says
Carmelo,
I agree! I don’t use 777 for any type of hosting, shared or dedicated. If 777 is my only option, I would switch hosts immediately.
John Hoff says
I haven’t heard of any issues with that plugin. I’ve been using it since 2007 as well as many other bloggers I know. I know what you’re saying though, it’s not too comforting seeing that, is it?
Thanks for the links…
Vonalda says
Hi Regina,
I’m dumbfounded why anyone would ever host with GoDaddy?? Way before all their hacking problems, I was strongly advised never to host with them. Wouldn’t everyone get a clue after the last horrific security breach they had? And now another one. Or is this the third one in a year? I can’t keep track. Get out, get out, get out!
Chandan Dutta says
Great tips. I am also one customer of Hostgator and happy with them. Their technical support team is really great. Well, I need to check ServerBuddy plugin once. Thank you for sharing these tips. Looking forward to more tips.
Doug Smith says
Great topic Regina. My thoughts. Some the same as yours.
1. I HATE IT when the Tech Support line is picked up in India or some other country. Enough with the global economy stuff. When India answers the telephone I know I will not be helped until regular business hours. 24×7 support does NOT mean someone answers the phone so the company can call me tomorrow! It also does not mean that I have to wait over the weekend for help.
2. When I ever move from my current provider I want to move to a host that is WordPress savvy. It is hard to believe, but some of the BIG hosts are clueless about the various blogging and BBS platforms. A company had better have some product specific gurus.
3. When I report a WordPress issue I know is a host issue I do not want to take hours of my time convincing people that should know better.
4. I reported an issue to a host and apparently the problem is so ethereal fixing it may take days, weeks, or months because the host either can’t or won’t get to it. They acknowledge the issue but won’t set my expectations and insist I use a time-consuming workaround. The happy factor is just not there when the host essentially gives up. They are loaded with excuses, none of which mean much. Just FIX it. If the host cannot fix a problem in a timely fashion, leave the host.
I agree with your other points.
Kayla Fay says
My blog was hosted elsewhere and was hacked. I moved it to Hostgator, and they helped me clean it up – above and beyond the call of duty, I think.
This has nothing to do with blog security, but another great thing about HostGator is that their support team doesn’t leave you feeling like an idiot.
(And neither do you, Regina! Still grateful for your help, too!)
Carmelo Santana says
1) Niche hosting providers can’t offer 24/7 support, simple as that. A niche host will be much smaller in size, and offer a very specialized service.
3) I believe web hosts should step it up when it comes to “rolling back” web sites, but it’s also the web site owner’s responsibility to perform necessary backups. If their site is compromised due to a weak password, that is the site owner’s responsibility.
4) I’m sure no one is monitoring servers 24/7. It is an automated task performed by software. When the software finds an issue – it’ll alert someone.
10) Viewing hidden files is sometimes an option or filter found in most FTP clients.
If website owners don’t feel comfortable with securing their WP properly, performing their own necessary backups, or willing to accept ANY responsibility, maybe they should look into some sort of managed hosting solution. Obviously self hosting will not work.
Web hosting is slowly changing; with the advancements in cloud computing, niche web hosts are beginning to spawn up. The cloud will allow smaller companies to provide smaller services tailored for their specific clientèle.
This was a good read for the average web user. However, you’re passing on what should be the site owner’s responsibilities in some cases to the web host.
Michael Schultz says
I second that, I once used a host that was almost completely unreliable. Anyone who is very careful about keeping their information backed up and safe will at least make daily backups of their own and not rely on the host to have a “just in case” backup. This also applies to many other aspects of website management.
It is your responsibility as a site owner to know what you need to backup, configure, and take notes of. If a site owner can’t handle that, they should definitely outsource that job to people who specialize in that area.
Sallie says
I have been a fan of hostgator for a long time. Their service and support has been nothing short of excellent. And I agree with the person who said hostgator’s support team doesn’t make you feel like an idiot — even when you’ve done something idiotic they are helpful and respectful. And yes, it’s true as Santana writes that we have to be responsible for our sites as well and not just dump it all on the hosting company.
Michael Schultz says
I LOVE HostGator. Kudos to them for sure – I’m very happy to see other people who know a good hosting company when they see it! 🙂
John says
Don’t get much love from hostgator here, all of my 50+ wp sites are hacked by some kiddie gaza hacker team and I’m waiting for hours now for a reply from the security team from hostgator ..fff yeah great service huh
Jessie says
I am using godaddy, but now I am thinking of changing to hostgator if there are security issues with godaddy
Robert says
Hi Regina… I agree with your experience in hosting , but may I know… which is better hostgator or inmotionhosting sir?
Angie Newton says
We would recommend inmotion over Host Gator but highly recommend Liquid Web https://wpsecuritylock.com/liquidweb you should check them out.