NGINX + WordPress: block debug.log and other sensitive files

If your WordPress site is being served by an NGINX web-server there are a couple of configuration directives you will want to add to your server configuration. If you are uncertain about how to do this, consult with your hosting provider and they can help you.

WordPress Core: debug.log

WordPress has a debug feature that logs PHP errors to ‘/wp-content/debug.log’. You don’t want anyone unauthorized to see this file, as it could give them information they can use to attack your website. To prevent access to it, add the following location directive to your NGINX configuration:

location ~ /wp-content/debug\.log { deny all; }

WordFence Security Plugin: .user.ini

Wordfence uses a configuration file called .user.ini which is placed in the root folder of your website. This file contains the full path of your website’s files which is semi-sensitive information. To block access to this file, add the following location directive in your NGINX configuration:

location = /.user.ini { deny all; }
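As an added check (not from the post), here is a small POSIX shell script that confirms from the outside that the deny rules took effect. It assumes curl is installed and, beyond the two paths above, also probes wp-config.php, which a broken PHP handler can serve as plain text.

```shell
#!/bin/sh
# Post-deployment check for the NGINX deny rules (added example, not the
# post's own tooling). Assumes curl and a reachable BASE_URL.

# Paths from the post (debug.log, .user.ini) plus wp-config.php.
SENSITIVE_PATHS="/wp-content/debug.log /.user.ini /wp-config.php"

# fetch_status URL -> prints "<http_code> <bytes_downloaded>"
fetch_status() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code} %{size_download}' "$1"
}

# verdict CODE SIZE -> blocked | exposed | empty | unknown
#   403/404  : "deny all" answers 403; 404 means the file is simply absent
#   2xx+body : content was served, which is exactly what the rules must stop
#   2xx, 0 b : normal for wp-config.php, which PHP executes and prints nothing
#   other    : redirects, 5xx or a curl failure (000) need a manual look
verdict() {
    code=$1
    size=${2:-0}
    case "$code" in
        403|404) echo blocked ;;
        2??)     if [ "$size" -gt 0 ]; then echo exposed; else echo empty; fi ;;
        *)       echo unknown ;;
    esac
}

# check_site BASE_URL [FETCHER]
# Prints "<verdict> <code> <url>" per path; exit status 1 if anything is exposed.
# FETCHER defaults to fetch_status and can be swapped for an offline stub.
check_site() {
    base=${1%/}
    fetcher=${2:-fetch_status}
    rc=0
    for p in $SENSITIVE_PATHS; do
        url="$base$p"
        result=$("$fetcher" "$url")
        code=${result%% *}
        size=${result#* }
        v=$(verdict "$code" "$size")
        printf '%s %s %s\n' "$v" "$code" "$url"
        if [ "$v" = exposed ]; then rc=1; fi
    done
    return $rc
}
```

Run it as `check_site https://your-site.example` after reloading NGINX; a non-zero exit means at least one of the files is still being served.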

Securing Your Site with WP-Bruiser

What is WP-Bruiser?

WP-Bruiser, formerly known as “Goodbye Captcha”, is a free plugin for WordPress which blocks bot spam in your comment forms. It also has some non-free extensions which integrate with various popular contact forms and other addons to block bot spam in those as well. It does this using a clever token system which bots cannot defeat. This eliminates the need to annoy your users with a “Captcha” and presents a more professional web experience to your visitors. WP-Bruiser also includes some security features, which is what we are going to focus on today.

Installing WP-Bruiser

From your WordPress dashboard go to Plugins -> Add New and search for WP-Bruiser. You’ll find it in the standard WordPress plugin repository, where you can install and activate it. The WP-Bruiser settings page has several tabs at the top of the screen. The first tab, labeled simply “Settings”, is not strictly security related.

Security Tab

This tab offers a number of useful security features. At the top you can see the Brute Force settings. For maximum security you should enable all of these. If you want your website to be accessible from anonymous TOR nodes then leave the Anonymous Proxy IPs option unchecked, but be warned that a lot of attacks come through the TOR network.

Next you’ll see ‘White Listed IPs’, where you can provide some IP addresses which should never be blocked from the website. This section helpfully tells you your own IP in case you want to add it, but be aware that your IP might change and if it does you’ll want to update this section.

Following that is ‘Black Listed IPs’ which is where you can manually enter IP addresses you would like to ‘ban’ from accessing your site.

WordPress Tab

I recommend enabling all of the options in the WordPress Standard Forms Settings box, the first one you see. This will extend WP-Bruiser to prevent bots from registering accounts, as well as preventing certain kinds of scripted bot behaviors. Chances are you don’t want bots doing anything on your website.

The next section is ‘Tweaking WordPress’. You should enable Hide WordPress Version. Nobody needs to know what version of WordPress you’re using, and hackers will use that information to find vulnerabilities in your site. Next you should enable Remove RSD Header and Remove WLW Header if you don’t explicitly require them. If you aren’t making use of XML-RPC, and most people aren’t, then you should enable both of those options as well.

The next few tabs are specific to various extensions and outside the scope of this tutorial. If you are using any of those plugins I recommend paying for the license to integrate WP-Bruiser’s features with them. I personally use the Contact Form 7 extension on many websites and it has completely eliminated contact form spam.

Notifications Tab

This is a very handy feature. You should configure your E-mail address in the field provided and enable both checkboxes. This will notify you any time an administrator logs into your website, which can inform you if someone has compromised your website. If you operate a site with many people, have everyone use ‘Editor’ level accounts or lower for day to day tasks.

That’s it! WP-Bruiser is a very lightweight plugin and still provides a lot of additional security to a WordPress site, as well as eliminating 100% of bot submissions in your comment and contact forms.

Vendor Recommendations

We know it can be difficult for many people to navigate the technology marketplace, especially if technology is not your expertise. So we have compiled a list of vendors that we can personally vouch for. Some of these links will be “Affiliate” links which means we’ll get a little credit if you sign up using our link. Those links will be marked for the purpose of full disclosure.

You can rest assured that we would never recommend a service which we would be unwilling to use ourselves.

Domain Registration

For domain names we recommend Namesilo.com, they offer very low prices, free WHOIS privacy (you have to opt in during checkout, but it is free), and a pretty feature-packed and easy to use account control panel.

Computer Hardware

We recommend Newegg.com for purchasing computers and computer parts. We have been using them for more than 10 years and they often have the best prices, their shipping and checkout process is consistent and high quality, and their customer reviews and “Editor’s Choice” programs are excellent guides to making the best choices.

Unmanaged Hosting

For managed hosting, nobody offers better service or value than Pride Tech Design, but if you prefer to handle your own system administration you can save some money by choosing Unmanaged Hosting. The best choice for Unmanaged Hosting is Digital Ocean. They offer low prices, high quality service and expertly maintained infrastructure. Just be warned, they do not offer any OS level support at all, so if you are not experienced in Linux System Administration you should use our Managed Hosting instead.

Search Engine Optimization (SEO)

Your Austin SEO Company understands that when your business phone rings more, your business will make more money. That’s what they do. Their campaigns create increased visibility for your business through Google Maps rankings throughout your city and they convert that visibility into phone calls and leads through a well-honed review management and reputation marketing system. Call them today if you want to be the go-to for what you do: (512) 853-9484, and tell them that Pride Tech Design sent you.

Curious about a vendor?

If you’re considering hiring a vendor and you are uncertain if you can trust them, send us an E-mail at info@pridetechdesign.com. One of our expert staff will be happy to perform a brief investigation of that provider and let you know if they should be avoided. We’ll perform this service free of charge.

Securing WordPress

Preface

WordPress is the most popular and possibly best software for operating a modern website. The built in tools that it provides for free are extremely valuable for any web project. WordPress is built on top of PHP which is a “Server Side” programming language. That means when WordPress performs computational tasks it is performing them on the server, rather than in the visitor’s browser. This presents significant security risks, because hackers can exploit vulnerabilities in WordPress to take over the server, which they can then add to their botnets to perform DDoS for Hire attacks, or to act as Crypto-Miners, or to grow their BotNet by infecting the machines of your visitors.

Many people have the mistaken belief that if they are a small organization such as a new business or a non-profit, that they don’t have to worry about hackers. In fact, most hackers don’t care who you are. Every website is a target, and every website connected to the internet is being scanned and attacked on a daily basis by dozens of hackers. Hacking computers has become a global organized crime racket, and your website is a target.

Essentials

Backups

The most important part of this process, while not necessarily directly related to security, is backups. Backups will not protect your website from attacks, and if your backup system is insecure they may actually increase your risk of compromise. What backups will do is significantly reduce your cost of recovery from an attack. Even the strongest and most comprehensive security policies sometimes fail to prevent attacks, and so backups are the most important piece of the puzzle.

Updates

The second most critical aspect of improving WordPress security is to keep your core WordPress software and all of your plugins updated every day. This might seem like a hassle, but malware programmers move quickly when they learn of new exploits. In very rare cases you might have issues due to upgrading your plugins but that is easy to recover from because you have backups, right?

We published a short guide on Updates and Backups that you can refer to for more detailed instructions. Click Here to Read More.

Responsible Plugin Management

Because the majority of attacks happen through vulnerable plugins you need to ensure that you are only using plugins which are being actively developed. They should be listed as compatible with the most recent version of WordPress, and if they require a license to keep them updated then you should have an active license. Deactivate or delete old plugins that you aren’t using anymore, or that you can’t update anymore.

Strong Passwords

Odds are your passwords are not good enough. In my 20 year career I’ve worked with a lot of people and most of you have weak passwords. For your WordPress administrator account your password should be a minimum of 64 random characters. Some mathematicians will tell you that is overkill, and they would be right, but in a few years it won’t be, so unless you want to frequently change your password as computers get more powerful, start at overkill.

Your Password needs to be completely unique. You should not re-use the same password anywhere.

In this day and age a password manager is an essential tool for managing passwords. You should be using a password manager; we recommend KeePass or one of its cross-platform variations. We discourage the use of “Online” password managers because they are honey pots for hackers and there have been a quarter dozen compromises in recent years alone. I published a comprehensive guide on strong password habits which you can read at https://strongpass.us.

Custom Administrator Username

As long as you are using only very strong passwords, this tip is a minor one. In order to reduce the success chance of brute force attacks, your administrator accounts should never be named “Administrator” or “Webmaster” or “Admin” or anything similarly obvious. We want to emphasize that Strong passwords are more important than custom usernames, and must come first.

Filesystem Security

This subject is a bit advanced for most users but it remains an essential piece of a comprehensive security plan. You have to ensure your website files have the appropriate security settings. Your wp-config.php file should not be readable by anyone except your web server. It only needs to be accessed by the web server process, and that is the only ‘user’ who should have access to it. If you create backups of this file, ensure that they are equally secure.

An especially strong permission guideline for other files in your website directory tree is to set ‘660’ for files and ‘770’ for directories. This allows the owner and group-members to access them, but nobody else. You may need to add your user account to the group to access files with these permissions. If setting file permissions is too advanced for you, please E-mail us at support@pridetechdesign.com and we would love to help you.
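The guideline above as an added POSIX shell script (not the author’s tooling): it applies 770 to directories and 660 to files under a document root, tightens wp-config.php to 640, and audits the result. It assumes the web server process runs as the group that owns the files, so “group” below means “the web server”.

```shell
#!/bin/sh
# Added example: apply the post's 660/770 guideline to a WordPress tree and
# verify it. Assumption: files are owned by the site user and the web server
# runs as the owning group, so group access is web server access.

# harden_wp_perms DOCROOT
#   directories 770, regular files 660, wp-config.php 640 (owner may edit,
#   the web server group may only read, everyone else gets nothing)
harden_wp_perms() {
    root=$1
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    find "$root" -type d -exec chmod 770 {} +
    find "$root" -type f -exec chmod 660 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
    return 0
}

# audit_wp_perms DOCROOT
#   Lists every path that deviates from the policy; exit status 1 if any.
#   Useful as a cron job, since uploads and plugin updates create new files.
audit_wp_perms() {
    root=$1
    bad=$( {
        find "$root" -type d ! -perm 770
        find "$root" -type f ! -name wp-config.php ! -perm 660
        find "$root" -maxdepth 1 -name wp-config.php ! -perm 640
    } )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}
```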

Optional Advanced Techniques

These techniques are more advanced but they will help you to keep your website secure. If you would like help to implement these techniques please E-mail us at support@pridetechdesign.com.

Password Hashing

Passwords stored in the WordPress database are hashed so even if someone gains access to your database, they will have a difficult time cracking the passwords stored within. There is a free plugin available which can significantly increase the strength of the hashing technique. You can download the bCrypt Hashing plugin at This Github Page.

WP-Fail2Ban

Fail2Ban is a popular security program which runs on your server and monitors server logs for suspicious activity. When it sees evidence of hackers, it automatically bans their IP address. There is a free plugin that allows Fail2Ban to monitor WordPress activity. You can find the plugin By Clicking Here. This method requires that your server have Fail2Ban installed, and if you’re using a low-quality host they might not offer Fail2Ban support. If that’s the case you should consider switching hosting providers. Pride Tech Design offers high quality hosting with an emphasis on security, including Fail2Ban support.

WP-Bruiser

This free plugin WP-Bruiser offers a number of ways to improve the security of your WordPress website. Its primary task is to block bots from submitting account registrations, logins, and comments. It does this without using any “Captchas”, which improves the user experience for your real visitors. WP-Bruiser has a 100% success rate blocking bots, so it’s actually more reliable than any existing Captcha system. When you are configuring the plugin you’ll notice it includes a number of basic security features as well, making it a great lightweight choice to improve the security of your website.

Directory Indexing

Directory Indexing is what allows a visitor to see a list of files contained in a directory when there is no index.html or index.php file in that directory. Generally this is considered a security risk as you do not want to allow random visitors to browse the file structure of your website.

This is an item that only affects misconfigured Apache based servers. Unfortunately many low quality hosting providers, some of whom are often listed as “Top 10” brand names, operate misconfigured Apache servers with Directory Indexing enabled by default. In these situations you can use .htaccess files to disable indexing.

Security Suites

There are a number of well-known security plugins for WordPress. They include a ton of features; however, we consider them the least important method of improving your security. Many of these plugins only support Apache based websites, and their firewall features simply won’t work on Nginx based websites. That will hopefully change in time, but for now it’s an important fact. Many of their features are extreme and won’t really improve your website security, such as changing the login URL, and they can sometimes break your website. If you want to use one of these plugins, you should consult with a professional to configure them for your specific needs. You can E-mail us at support@pridetechdesign.com to help you with configuring a security suite on your website.

Conclusion

You can see there are a lot of steps you can take to improve the security of your website. A well-secured WordPress site is extremely difficult to break into and can reliably serve as the main customer portal for your business, non-profit organization, or global enterprise. If you need any further guidance on this subject, please E-mail me at support@pridetechdesign.com and I will be happy to provide you with personal support for your business. You may also want to sign up for one of my WordPress Maintenance Plans.

Updating and Backing Up WordPress

Creating Backups

The most important maintenance task for any website is keeping regular backups. You should be backing up your website at least every week. That might seem like a lot if your content remains static, but a well-maintained website is also going to be receiving regular updates to the WordPress core software as well as plugins, and if something breaks you will be thankful that your backup strategy was thorough.

BackWPUp

The easiest way to create backups of your WordPress website is using plugins. There are a lot of plugins to choose from, but the one that we recommend here at Pride Tech Design is called BackWPUp. This plugin is free, it creates backups of both your website files and your database, it allows you to schedule your backups so you can set it and forget it, and it allows you to save your backups to various cloud storage platforms, which you want to do.

Configuration

BackWPUp has a lot of configuration options, many of which you can safely ignore. If you’re really uncertain of how to configure your backups, you should consult with a professional, but we will show you a standard configuration that works for most websites.

Add New Job

The first step is to give your new backup job a name. Something like “Weekly Backup” is adequate. Beneath the name field you’ll see “Job Tasks”. You can safely check all of these items; however, the essential ones you want are Database Backup and File Backup. You may also want to enable the Installed Plugin List.

Add New Job: Backup File Creation

In the next section you’ll see “Archive Name”, which allows you to configure the filename of your backups, using a number of variables which you’ll see on the screen. Unless you know what you’re doing here you should probably leave the default in place. After the Archive Name you will see “Archive Format”. If you work primarily in Windows, choose .Zip if it is available. .zip, .tar.gzip, and .tar.bzip2 are all fine, but you should not use .Tar because it does not compress the data, which results in a lot of wasted storage space.

Add New Job: Destination

This section allows you to choose one or more destinations for your backup file. These are mostly self-explanatory and the most important thing to consider is the security of the location. You need to be certain that wherever your backups are stored, only authorized users will have access to them. Your database backup will contain full details of your website’s administrator accounts so this is important.

The remaining options on this page can be left as default. You may want to configure an E-mail address for error reports. The next step is to switch to the “Schedule” tab at the top of the screen.

Schedule Job

Now that you’ve created your backup job, we need to schedule it. By default it will only run when manually activated. You should select “WordPress Cron”, which will display a new section of options below, where you can schedule the time the job will run. This is the easiest method to schedule your backups.

Destination Options

Depending on what destinations you chose when creating the job, you will see additional tabs at the top. There are too many options to cover all of them in this article, but one important option is Number of Files to Keep. The best number for you is going to vary depending on the frequency of your backups. You should keep your backups for at least 90 days, so if you’re making weekly backups then you should keep at least ~15. If you’re taking daily backups then you would want ~90.

Updating WordPress

Once you have a good backup system in place, the next thing to cover is updating your website. By default your WordPress software should update itself automatically when new minor versions are released. Major versions are not updated automatically and this is for the best, so when a new major version is released you should log in to update it manually.

What are Major and Minor versions?

WordPress uses a versioning scheme like #.#.#, where the first digit is the “Major” version, the second and third digits are “Minor” updates. Major updates, that is, the first digit, will include significant changes to the software’s code, and the introduction of new features. Minor updates are usually bug fixes, or security patches. Some minor updates will include new features which were not ready in time for the Major update.

Plugin Updates, Automatic vs Manual

Updating the core WordPress software is important, but equally important is updating your plugins. By default, WordPress plugins do not automatically update at all. There are a couple of ways that you can change this, the easiest being a free plugin, Automatic Plugin Updates. It is important that you have a backup system in place before setting up automatic updates, so if you haven’t done that yet please scroll up and do that first.

If you prefer to update your plugins manually that is fine, but you need to ensure that you are doing it at least every week. New vulnerabilities are found in plugins every day, and hackers use these vulnerabilities to attack sites like yours, without concern for the content of your site or your global visibility. You can deploy manual plugin updates from the Plugins screen of your WordPress dashboard, or from the Updates screen.

Let Pride Tech Design help you

We understand some people do not have the time or confidence to perform these tasks. Your website is important and you need to have the peace of mind that it is being protected. We offer very low cost maintenance plans which will provide you with daily backups and updates of your WordPress website and plugins, with free restorations in case of problems. You can read more about these programs and sign up at our Maintenance Page.

Reasons to Choose WordPress

So Many Choices


In the early days of the web there were not many considerations when planning a new site. You would simply write your content in HTML, style your site in CSS, and publish. These days we want more from a website: complex capabilities such as secure logins, rotating graphics, shopping carts and database handling. To handle all of these requirements, we’ve created a new class of software called “Content Management Systems”, or CMS for short. When you’re planning a new website there are many different CMS available and it can be challenging to know which one you should use for your project. Developer opinions on this subject vary, however I am going to tell you that for most web projects, especially hobby blogs, business and non-profit websites, WordPress is the best choice. Here are the top 5 reasons.

User Friendly

Compared to other popular and free Content Management Systems available, WordPress is by far the simplest to use. The dashboard is uncluttered and smartly organized. Content is divided into Pages and Posts, which is simple to understand. Changing your theme is extremely simple. Installing, removing, or updating plugins is just a few clicks. It’s so easy that even people with zero experience operating a website can grasp the essential controls within a few hours of practice and tutorials.

Don’t Repeat Yourself


A key rule of programming is known as ‘DRY’ or “Don’t Repeat Yourself”. Another way to say that is Don’t Reinvent the Wheel. WordPress has been in development for several years and includes many common features that you want in a modern website, such as login capability, user role control, many built in PHP functions to handle database interaction and other important capabilities, and plugin support which brings us to the next item on the list:

Extensibility

Possibly the most powerful feature of WordPress is the ability to expand its capabilities through the use of plugins. There are plugins to do every popular thing you might want to do with a website, and even many of the odds and ends you may imagine. Best of all, many of those plugins are completely free. Through the use of plugins you can build a WordPress site for practically any purpose.

Mature Security

An important consideration of any PHP based website is security. WordPress receives security updates swiftly when new vulnerabilities are discovered, and updates for the core software are deployed automatically by default. There are built in PHP functions to handle things like database interaction which have already been written in a secure manner, making it easier for new developers to Do It Right.

A Large Community


Because WordPress is the most popular software for powering modern websites, it has an extremely large community of supportive developers and users. Many of the questions you might have are answered already and solutions can be found with a simple web search. Developers can be found very affordably to fix just about any problem you might experience on your website, and hiring a developer to build a simple website can be done for hundreds of dollars. Compare that to 10 years ago when you would have to pay thousands of dollars to have the same level of capabilities.

Conclusion

When you’re planning your next web project, whether it’s a development for a customer, a website for your business or non-profit organization, or just a personal blog, use WordPress. In the long run you will save money, effort and frustration.

If you would like help with website hosting or maintenance, we can help you. We offer the best managed VPS hosting service in the world, with more built in features, the best support and quality of service, and the lowest prices. Visit our hosting page to read more and sign up. For website maintenance we offer several packages to keep your website updated and backed up, with prices to fit any budget. Visit our maintenance page to see what options are available. We will craft affordable solutions for any person or organization. If you have questions we haven’t already answered, simply E-mail us at info@pridetechdesign.com.

Redirect all HTTP traffic to HTTPS

There are lots of “plugins” and “applications” being sold to people these days which perform this step but they are not necessary. All you need is a small configuration edit. This works for both Apache and Nginx.

Apache

Place this inside your virtual-host configuration (mod_rewrite must be enabled):

# Match plain-HTTP requests (port 80) and send a permanent (301) redirect.
# ^/?(.*)$ strips the leading slash, which is present in virtual-host
# context, so $1 is not prefixed with a second "/".
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^/?(.*)$ https://www.example.com/$1 [R=301,L]

Nginx

Here is a block of code that goes into your per-server configuration for Nginx:

server {
        listen 80;
        server_name example.com;
        # Permanent (301) redirect to the same host and path over HTTPS;
        # $request_uri already carries the query string.
        return 301 https://$server_name$request_uri;
}

That’s it! If you have any questions please send us an E-mail and we’ll be happy to help you!

Preventing WordPress Setup Attacks

What is a WordPress Setup Attack?

Screenshot of the WordPress install screen
A WordPress setup attack is when a hacker locates a WordPress site that has not yet been configured, and quickly takes it over using a remote database and his own credentials. Then the hacker can inject any hostile code that he chooses, followed by returning the website to its “setup” configuration so that the user is none the wiser.

Hackers can find fresh WordPress installs within 30 minutes

At a recent security conference, a presentation was made demonstrating how a hacker can use publicly available information regarding the issuance of SSL certificates to locate new hosting services. A majority of those services include WordPress websites, and in many cases the hosting provider is leaving the doors wide open for hackers to attack their customer websites. Hackers can locate these fresh installs of WordPress within 30 minutes and compromise them extremely quickly.

Hosting Providers need to protect against this attack

If a customer signs up for a “Managed WordPress” service they are expecting that everything will be taken care of for them. They aren’t being told that if they don’t set up their website immediately it could be compromised by hackers. Furthermore many of these hosting providers charge a hefty fee to restore websites after they have been compromised. Because of these things, it is the responsibility of a hosting provider to ensure that this hack is prevented.

Using WP-CLI to prevent WordPress Setup Attacks

There is a very convenient and easy to use tool to prevent this kind of situation, called WP-CLI. It is a command line tool to perform certain actions on WordPress installations. Using WP-CLI, a hosting provider can add a small script to their 1-Click Installs which provisions the WordPress site to use the appropriate database, sets up the administrator account using a strong password and username, and configures the domain name on the installation. If this is performed as part of the installation procedure it will secure the site from Setup Attacks too quickly for hackers to take advantage of. The settings can later be changed by the user in a variety of ways using back-end controls. Pride Tech Design has been using this method for several months to secure our customer websites against this vulnerability.
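An added example, not Pride Tech Design’s own script, of the provisioning step described above done with WP-CLI so the site is never left sitting on the install screen. It assumes WP-CLI is installed as `wp`, that the database and its user already exist, and that the script runs as the site’s unix user; every hostname and credential shown is a placeholder.

```shell
#!/bin/sh
# Added example: close the "setup attack" window at install time with WP-CLI.
# Assumptions: wp-cli is on PATH as "wp", the MySQL database and user exist,
# and this runs as the site's own unix user. All values are placeholders.

WP=${WP:-wp}   # set WP=echo to dry-run and just see the commands

# random_password [LEN] -> LEN alphanumeric characters from /dev/urandom
random_password() {
    len=${1:-48}
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
}

# provision_site DOCROOT URL DBNAME DBUSER DBPASS ADMIN_EMAIL
#   Downloads core, writes wp-config.php and runs the installer in one go.
#   Prints the generated admin username and password once, on stdout, so
#   the 1-click installer can hand them to the customer; nothing else.
provision_site() {
    docroot=$1 url=$2 dbname=$3 dbuser=$4 dbpass=$5 email=$6
    # Not "admin": a random suffix follows the post's custom-username advice.
    admin_user="admin_$(random_password 8)"
    # 64 characters, the post's minimum for an administrator password.
    admin_pass=$(random_password 64)

    "$WP" core download --path="$docroot"
    # Note: --dbpass on the command line is visible in "ps" for a moment;
    # on shared machines prefer wp-cli's --prompt=dbpass instead.
    "$WP" config create --path="$docroot" \
        --dbname="$dbname" --dbuser="$dbuser" --dbpass="$dbpass" \
        --dbhost=localhost
    # core install is the step that ends the attack window: afterwards
    # /wp-admin/install.php reports the site as already installed.
    "$WP" core install --path="$docroot" --url="$url" --title="$url" \
        --admin_user="$admin_user" --admin_password="$admin_pass" \
        --admin_email="$email" --skip-email
    printf 'admin_user=%s\nadmin_password=%s\n' "$admin_user" "$admin_pass"
}
```

Example call: `provision_site /var/www/example.test https://example.test wp_example wp_user 'db-password' owner@example.test`.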

How to choose a web host

I think it would be best to begin this article with a “buyer beware” section. I am going to describe the various dishonest and unscrupulous business practices which are all too common among website hosting providers. Afterward, I will try to summarize a few positive things to look for in a good hosting provider.

Unlimited Resources

This is the latest popular fraud perpetrated by the hosting marketplace. There is no such thing as “unlimited”. Hosting services are in business to make money, so their profit has to outpace their overhead costs. All hosting incurs overhead costs. The two key factors in determining cost are hardware resources and internet connectivity.

Hardware Resources

Webhosts are computers, just like your personal computer. They have 1 or more CPUs (Central Processing Unit), they have some amount of volatile memory, also known as RAM, usually several gigabytes worth. They have some amount of non-volatile storage, either a Hard Disk Drive or a Solid State Drive. All of these things are limited. Computer motherboards have a maximum number of CPUs, a maximum memory capacity, and any particular server can only handle a certain number of disk drives, each of which has a maximum capacity. There is no such thing as unlimited.

Internet Connectivity

High capacity business internet connections are different from your residential internet connection. They are either billed on the bandwidth they use, or they have a quota that they are given with their monthly payments. This means that they are calculating their bandwidth costs into the prices and their service. They do not ever offer unlimited service. You’ve probably seen some cellular operators have data usage quotas, this is very similar. Unless their service states otherwise, your data bandwidth is tracked. If your website uses more bandwidth than the quota for your hosting plan, they will shut you down or they will bill you extra. Some providers do offer “unmetered” internet service, but you will pay extra for that. You will not get unmetered service on a shared hosting plan, but they might lie to you and say otherwise.

Review: The Unlimited Lie

We’ve learned that a number of factors in server operation include overhead costs and inescapable limitations. Let’s review the resources which can never truly be unlimited. Any time you rent a hosting package, the provider should be willing to clearly define your quotas for these resources. If the provider is unwilling to clearly define your quotas you should rent from a different provider:

  • CPUs (Central Processing Unit)
  • Memory (RAM)
  • Storage (HDD or SSD)
  • Bandwidth or Transfer

Arbitrary Restrictions

The second most popular dishonest behavior of webhosting companies is to limit things that should be unlimited. While the physical limitations of a server are real, there are certain software features which do not incur any overhead costs, and should not be limited by the hosting provider. For example, the number of E-mail accounts. There is no overhead difference between 1 E-mail account and 1,000 E-mail accounts. Many hosting companies introduce arbitrary limitations on these and other features so they can get you in the door with “cheap” plans and then sell you on upgrades later on. There are a lot of free software packages available to server operators which are easily installed via automatic scripts, and so they should be offered as standard features with the service. Anti-Virus is one example.

What features should be unrestricted?

I will list for you the features which do not incur any overhead costs, and should be included as standard features with every hosting package. Keep in mind, there are still physical hardware limitations such as maximum storage capacity, but those limitations should be the only limits placed on these features. If a hosting provider you’re considering wants to charge extra for any of these features you should steer clear.

  • E-Mail. It should be unlimited and free.
  • Anti-Virus & Spam Filtering should be free.
  • Root access should be free and available on all hosting plans except shared hosting.
  • “Domain Validated” SSL Encryption certificates should be free.
  • Monitoring. If the provider has the infrastructure to offer it, it should be free.
  • Database service should be free. On private servers, it should be private and free.
  • Domain names. Adding additional domains to a host does not incur any overhead costs.

Confusing Websites

Show me the money! Why do some hosting providers have 20-page websites with most of the pages not listed on their main menu? They are hiding the details of their service so you’ll make an impulse purchase. I’ve looked at a lot of hosting websites and I’ve seen many great examples of good web design which clearly defines all the quotas and features of each package on a single page, so there’s no legitimate reason why they can’t all do that. They know that’s the information you want. They have obfuscated the information on their websites intentionally, because they know if you could easily compare their service with their competitors, you would choose the competition.

Honest Practices

The hosting marketplace is very ugly, but it’s not hopeless. There are practices you can look for which are evidence of an honest provider. For example, your hosting provider should clearly define for you any quotas on server resources. If they claim that your memory, storage, or CPU usage are unlimited, then they are lying to you. Every large host that offers those things has been caught lying, when they shut down their customers’ websites for using too much of their “unlimited” service.

Your hosting provider should provide a Service Level Agreement, or SLA. One of the key parts of any legitimate SLA is the guaranteed uptime. This is usually defined like “99.9%” or “99.99%”. What this means is, if you have a 99.99% SLA your provider guarantees that your server will be operational for 99.99% of the time. That means you will experience no more than about 8.6 seconds of downtime per day, or 4 minutes and 23 seconds per month, and so on. A 99.9% SLA allows ten times as much: roughly 86 seconds per day, or about 44 minutes per month. These are industry standard terms, and every legitimate provider will offer you an SLA, usually with some sort of compensation for downtime which exceeds the SLA. Compensation may take the form of service credits, discounts, or refunds.

Review: What to look for

It’s time to put what we’ve learned to practical use and select a hosting provider. Here is a list of things to look for in a hosting provider:

  • No reliance on impossible promises of “unlimited” resources.
  • Clear definition of your quotas for CPU, Memory, Storage, and Bandwidth.
  • No restrictions on “Root” access to private servers.
  • Free and unrestricted E-Mail, limited only by your storage quota.
  • Free Anti-Virus & Spam filtering for E-Mail.
  • Free “Domain Validated” SSL Encryption from Let’s Encrypt.
  • Free access to a SQL database, usually MySQL, MariaDB, or Postgres.
  • Unlimited domains. This should be free.
  • Permission to use DNS and Domains provided by other companies.
  • Free monitoring, if monitoring is available at all.

Want to save some time?

There are thousands of web hosting companies. It is a very competitive marketplace, and a disturbing number of those companies will resort to any unscrupulous methods to make more money. If you don’t have the time to navigate websites for dozens of companies to compare their services, have a look at my service. I am in this business to provide an honest product at an affordable price. I regularly perform my own market research to ensure my product is equivalent or superior to my competitors, both in features and price. I only offer the highest quality servers, which is important for the needs of a small or medium business. I am not interested in making money by ripping off those ignorant of technology’s finer nuances. You can read more about my services at https://pridetechdesign.com/hosting.

Especially Bad Providers To Avoid

I know some of you are overwhelmed by this process and you’d really like some tips on who the worst providers are so you can avoid them. I’ve compiled a list which should help you. All of these providers have many thousands or millions of customers, so you will hear people say they had positive experiences, but do not be swayed by anecdotal evidence. These providers all have far more negative customer reports than any others in the industry, or they are in some other way very unsuitable choices.

  • Endurance International Group: The worst. Includes BlueHost, HostGator, and many others (see the Wikipedia article on Endurance International Group for a complete list).
  • GoDaddy: Also one of the worst. Their website is a mess of upsells which must be navigated to reach the checkout, this is to confuse people into spending more than they should. Their service quality is at the bottom of the marketplace, and their support is incompetent. On many occasions, they’ve deleted customers’ entire websites, to which they respond “Oh well”.
  • DreamHost: They practice Bait-And-Switch with their VPS product. They suffer massive outages every week. During these outages, they encourage their customers to pay extra for “premium” support, which doesn’t improve their recovery time. They perform disruptive planned system maintenance during business hours, taking customer sites offline for the entire business day for upgrades that could have been performed overnight.
  • 1and1 Hosting (Sometimes displayed as 1&1 Hosting): Many disgruntled customer reports. Plagued by typical shared hosting problems.
  • InMotion Hosting: Many disgruntled customer reports. Plagued by typical shared hosting problems.
  • ServerPilot.io & RunCloud.io: Presently these providers only support Ubuntu. They do not support Debian, RedHat, CentOS or any other distribution, so you are locked into a single operating system of their choosing, which calls the flexibility of their offering into question. ServerPilot and RunCloud are supposedly different companies, but their offerings are identical.
  • Cloudways: They are similar to ServerPilot, but with a lot of negative customer reviews.
  • SiteGround: These guys are constantly bragging about high customer satisfaction but they only look at percentages and they disregard many thousands of unsatisfied customers. Most of their positive word-of-mouth reviews are spam generated by their website rather than genuine user reports.

Shared Hosting is Bad for Business

Pride Tech Design does not offer shared hosting. We serve primarily business customers, and for any business it is important that your website is accessible 24 hours a day. It should load fast and it should load every time. I’ve written this guide to help you understand why shared hosting is a bad idea for business.

Why does shared hosting exist?

In the 1990s, websites were built using static HTML files. Eventually this model was upgraded to include Cascading Style Sheets (CSS). All rendering and processing was done on the client side, in the visitor’s web browser; the server only had to send files. What this means is you could serve many dozens of websites from a single low-powered server without any issues. This was the birth of the shared hosting service model.

Why shared hosting doesn’t work anymore

Memory and CPU

The vast majority of websites are no longer static HTML. Most of them are running WordPress, which is built using PHP, a server-side programming language designed for the web. What that means is every time you load a page on a modern website, the server does a lot of work in the background, and every request being processed at the same moment occupies its own PHP worker process. A single page load on WordPress will require around 5 MB to 15 MB of RAM. So 100 simultaneous requests to the server are going to require an average of 1 GB of RAM, and 1,000 simultaneous requests would require 10 GB of RAM. With dozens of customers on a single machine, system RAM and CPU become exhausted quite regularly.
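The capacity arithmetic above is the same calculation an operator runs when sizing a PHP-FPM pool: measure what each worker actually uses, divide the memory you can spare by that figure, and compare the result with the number of workers the pool is allowed to start. The script below is an added example, not code from the original article; it parses a constructed sample of `ps -eo rss=,comm=,args=` output (the pool name `www`, the worker sizes, the 256 MB reserve for the OS, web server and database, and the server RAM figures are all assumptions made for the illustration). Note that RSS counts shared library pages once per process, so the estimate is conservative.

```python
"""PHP-FPM worker sizing check (added example; not from the original article).

Given the resident memory of the running php-fpm workers, compute how many
workers fit in the memory budget and flag a pool whose configured
pm.max_children would oversubscribe RAM, which is the failure mode the
article describes for overloaded shared servers.
"""

import re

# Constructed sample of `ps -eo rss=,comm=,args=` output: RSS in kB, the
# command name, then the full argument string. Embedded so the example runs
# offline; a real check would capture this from subprocess.run(["ps", ...]).
SAMPLE_PS = """\
 38112 php-fpm8.2      php-fpm: pool www
 41520 php-fpm8.2      php-fpm: pool www
 36980 php-fpm8.2      php-fpm: pool www
 52304 php-fpm8.2      php-fpm: pool www
 12280 php-fpm8.2      php-fpm: master process (/etc/php/8.2/fpm/php-fpm.conf)
  9816 nginx           nginx: worker process
 19444 mariadbd        /usr/sbin/mariadbd
"""

# One ps line: leading RSS figure, a command name, then "php-fpm: pool <name>".
# The master process and unrelated services deliberately do not match.
_WORKER_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+php-fpm: pool (\S+)\s*$")


def worker_rss_kb(ps_output, pool="www"):
    """Return the RSS (kB) of every php-fpm child serving the named pool."""
    sizes = []
    for line in ps_output.splitlines():
        m = _WORKER_LINE.match(line)
        if m and m.group(2) == pool:
            sizes.append(int(m.group(1)))
    return sizes


def max_children(total_ram_mb, reserve_mb, per_worker_kb):
    """Workers that fit once `reserve_mb` is set aside for everything else."""
    budget_kb = (total_ram_mb - reserve_mb) * 1024
    if budget_kb <= 0 or per_worker_kb <= 0:
        return 0
    return int(budget_kb // per_worker_kb)


def size_pool(ps_output, total_ram_mb, reserve_mb=256,
              configured_max_children=None, pool="www"):
    """Summarise worker memory and whether the pool is oversubscribed.

    `configured_max_children` is the pm.max_children value currently in the
    pool config; pass None if you only want the sizing figures.
    """
    sizes = worker_rss_kb(ps_output, pool)
    if not sizes:
        raise ValueError("no php-fpm workers found for pool %r" % pool)
    avg_kb = sum(sizes) / len(sizes)
    peak_kb = max(sizes)
    report = {
        "workers_seen": len(sizes),
        "avg_worker_mb": round(avg_kb / 1024, 1),
        "peak_worker_mb": round(peak_kb / 1024, 1),
        # Sizing by the average is the usual rule of thumb; sizing by the
        # largest worker seen is the safe figure if traffic is bursty.
        "max_children_by_avg": max_children(total_ram_mb, reserve_mb, avg_kb),
        "max_children_by_peak": max_children(total_ram_mb, reserve_mb, peak_kb),
    }
    if configured_max_children is not None:
        report["configured"] = configured_max_children
        # If every allowed worker were busy at average size, would RAM run out?
        report["oversubscribed"] = (
            configured_max_children > report["max_children_by_avg"]
        )
    return report


if __name__ == "__main__":
    # Hypothetical 2 GB server whose pool config allows 80 workers.
    for key, value in size_pool(SAMPLE_PS, 2048, configured_max_children=80).items():
        print("%-22s %s" % (key, value))
```

Run it against real `ps` output on your own server and put the `max_children_by_avg` figure (or the peak figure, if traffic arrives in bursts) into `pm.max_children` for the pool; a pool allowed to start more workers than fit in RAM is exactly the situation in which the kernel starts killing processes or the box swaps itself to a standstill.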

SQL Database Queries

The other piece of the WordPress equation is the database. Modern websites store their content within a relational database such as MySQL or MariaDB. Unless your server is specially configured to use a RAM disk, the database lives on HDD or SSD storage. In a properly configured server SQL queries are fast. But in most shared hosting environments, the database cannot handle the load placed upon it. This is a common issue with all of the major hosting providers. A slow SQL query can easily add whole seconds to every page load; 10 second lag times are common. And sometimes the database crashes because it is being overloaded, and when that happens every website on that server goes offline until the database is restored.

Shared hosting is dishonest

Because of the physical resource bottlenecks I’ve described above, the shared hosting model is only functional when the majority of customers renting have extremely low-traffic websites. Low traffic on a business website is often synonymous with low performance, which means these hosting providers are banking on the failure of their customers’ businesses. For many business owners, that alone is enough reason to avoid shared hosting.

Do It Yourself, advertised as managed service

The majority of shared hosting services advertise their product as “managed hosting”, but it is not managed. You are given a Do It Yourself tool called cPanel and some instruction pages. Real managed service does not require the customer to do anything at all. A real managed hosting provider will install your website, configure your server, monitor for problems and ensure system updates are deployed and the server is kept safe from hackers. None of the major shared hosting providers offer real managed hosting.

Quality of support channels

Long delays and low quality

Web servers and websites are complicated systems of technologies working together. Sometimes things break, and when that happens you need fast, expert support so that your business is not harmed by the outage. Companies that sell their hosting for $10/mo and have millions of customers cannot afford to hire real experts to answer support calls and E-mails, so they farm that labor out to third world countries. This means you can’t ever get real answers for tough questions when you contact support. The best you can hope for is to have a ticket submitted, and then you wait hours or days for a real expert to address your concern. If you are using your website for business, that is wholly inadequate.

Support channels which are time-wasting and difficult to use

All of the major shared hosting providers will make you sit on the phone for hours just to talk to someone who is only going to create a ticket based on your description. Many of these providers refuse to offer a simple E-mail contact for creating tickets, which would significantly reduce your headaches. They want their labor-farm call centers to act as a filter, preventing the creation of tickets for “simple” issues. That is not the kind of tech support you want for your business website. A real business-class provider will offer you a direct phone number with zero wait times, and a simple E-mail address you can send support requests to.

Shared hosting costs more than a managed VPS

High quality fully managed VPS hosting can be had for as low as $7/mo. A comparable package on most shared hosting services will cost more than $10/mo, so you see there is no real cost savings to shared hosting. Furthermore, the long-term costs of shared hosting are potentially much higher, when you consider the wasted time on support calls and frequent service outages.

Conclusion: Shared Hosting is Bad for Business.

The majority of slow websites can see dramatic improvements simply by switching to a better hosting provider. Shared hosts will tell you to use CDNs and caching to compensate for their terrible service quality, but if you were to utilize those same techniques on a high quality managed VPS you would see even further improvements. Shared hosting is unreliable and a waste of your money. Your business website needs to be operational 24/7. It needs to load fast and consistently, no matter how much traffic it’s receiving.

Where to find Business Class hosting?

Pride Tech Design offers the highest quality of business class hosting in the world. Our hosting plans are packed with more features than anyone else. Our technical support model is personal and caring, which is to say we are interested in seeing our customers succeed. We’re not the only business class provider, but our closest competitor charges more than twice our rates. I invite you to E-mail us at info@pridetechdesign.com for a free consultation on the most appropriate hosting service for your needs.