HostGator review: Good performance, bad security web hosting | Website Hosting Plans

If you’re looking for a web hosting provider, you have a tremendous number of choices. In my Best web hosting providers for 2021, I looked at 15 providers who offer a wide range of plans.

To get a better feel for each individual provider, I set up the most basic account possible and performed a series of tests. In this article, we’re going to dive into HostGator’s offerings. Stay tuned for in-depth looks at other providers in future articles.


HostGator at a glance


HostGator was founded in 2002 by a student at Florida Atlantic University (hence the “gator” in HostGator). Today, HostGator is one of nearly 100 web hosting brands owned by Endurance International Group (EIG).

EIG was in the news in 2018, when the Times of India reported that its former CEO and CFO were charged by the US Securities and Exchange Commission for “overstating the company’s subscriber base.” The company agreed to pay an $8 million penalty without admitting fault.

UPDATE: HostGator reached out to us requesting changes to the Quick Security Checks section of this article. Their comments and our responses are included inline in that section.


Because there’s such variability among plans and offerings among hosting providers, it’s hard to get a good comparison. I’ve found that one of the best ways to see how a provider performs is to look at the least expensive plan they offer. You can expect the least quality, the least attention to detail, and the least performance from such a plan.

If the vendor provides good service for the bottom-shelf plans, you can generally assume the better plans will also benefit from similar quality. In the case of HostGator, there were some bright spots, some annoyances, and some serious security concerns.

For the series of hosting reviews I’m doing now, I’m testing the most basic, most entry-level plan a vendor is offering. In the case of HostGator, that’s what they call their Hatchling plan. To get pricing, I simply went to the company’s main site at HostGator.com. If you want to save some money, though, read to the end of this section.

Like nearly every hosting provider in the business, their offering is somewhat misleading. There is no option to just get billed $2.75 per month. Notice the all-powerful asterisk next to the price.

While it looks like you can get the Hatchling plan for $2.75 per month, that’s only if you prepay for three full years, which means you’re actually paying $105.35. If you want only one year, you’re charging $76.11 to your card (which is $5.95 per month). If you want to buy the service on a month-by-month basis, you’re paying $10.95 per month.

When you hit the Buy Now button, the company pre-populates a one year subscription with optional add-ons for site monitoring and backup, adding $43.94 to the bill (but you can uncheck these options).

There’s a painful gotcha to these “starting at” prices. When you renew, you’re going to pay more. This, too, is not uncommon for hosting plans and is a practice I strongly wish the hosting industry would stop. Instead of paying $105.35 for three years, upon renewal you’ll be paying a whopping $250.20 on a single credit card charge, a price increase that’s more than double the original price.

What the base plan includes

As with most hosting vendors these days, HostGator claims unlimited disk space, unlimited bandwidth, and unlimited email. In practice, these unlimited values are limited in the terms of service. You can’t use your unlimited storage as a giant backup tank where you dump gigabytes of video, for example. They also state, “HostGator expressly reserves the right to review every shared account for excessive usage of CPU, disk space and other resources that may be caused by a violation of this Agreement or the Acceptable Use Policy.”

In other words, don’t abuse the resources you’re buying, and buy the level of plan reasonably commensurate with your expected usage. If you’re about to run a big, national promotion where you expect lots of traffic, you might not want to use the Hatchling plan. If you get too much traffic, HostGator might shut you down or bill you a lot more.

Their terms of service continue, “HostGator may, in our sole discretion, terminate access to the Services, apply additional fees, or remove or delete User Content for those accounts that are found to be in violation of HostGator’s terms and conditions.”

The base-level plan has some compelling features. First, and this is important as we move forward in a quest for a more secure web, is the availability of free SSL for your site. This adds that little lock icon to your browser’s address bar and makes sure traffic between your site and your visitors is encrypted.

The company also offers 24/7/365 support which not only includes ticket and chat but phone support as well. While you’re only able to use one domain, you can use as many subdomains as you wish. The company also provides a coupon for $100 in Google ads and another $100 in Bing ads. While you probably won’t get enough ad hits to cover your cost of hosting, it will help you get your feet wet in the world of Google and Bing advertising.

Dashboard access

The first thing I like to do when looking at a new hosting provider is explore their dashboard. Is it an old friend, like cPanel? Is it some sort of cobbled-together home-grown mess? Or is it a carefully crafted custom dashboard? These are often the ones that worry me the most because they almost always hide restrictions that I’m going to have to work around somehow.

When you first log into HostGator’s dashboard, you’re greeted with their customer portal. Here you can manage your credit card information, get support, and — most important, apparently — buy the upsell options they offer.


This is not the only dashboard you’ll be using. The main dashboard is cPanel, which is common to many, many sites across the Web. While cPanel can be frustrating at times, it’s a very capable interface that lets you manage all aspects of your site.

It took a surprisingly long time for cPanel to launch, almost a full minute. What’s a little more bothersome, though, is the range of additional upsells in the middle of cPanel. cPanel is usually pretty predictable, and seeing almost as many ads and upsells as management options was tedious.


Installing WordPress

There are certainly other content management and blogging applications you can use besides WordPress. That said, since 32 percent of the entire Web uses WordPress, it’s a good place to start. WordPress sites can be moved from hosting provider to hosting provider, so there’s no lock-in. And by testing a site built with WordPress, we can get some consistency in our testing between hosting providers.

I went ahead and clicked the Build a New WordPress Site button on the main cPanel page… and got hit with another page of upsell promotions.


At $399, prices were really starting to climb from that tasty little $2.75 offer the company promoted. The promos on this setup page didn’t say what theme they’d be installing. WordPress does come with a nice set of free themes, and most themes are relatively inexpensive. I tried to figure out what the $399 program was for, but as far as I can tell, it’s simply setting up WordPress, which is usually about a five-minute process.

The difference between the $199 and $399 program was the addition of SEO and WordPress site security. To be fair, most WordPress security plugins and add-ons cost about a hundred bucks a year, and there are premium SEO plugins that can cost a similar amount. But without going all the way through the checkout, it wasn’t clear what tools HostGator was providing in return for its almost $400 of upsell.

My advice is to skip these upsells. Simply install WordPress, get to know your site, and then start with a tool like Wordfence or Sucuri to keep your site protected.

Once I entered my user name and domain, I was… wait for it… presented with another upsell.


I went ahead and hit the login button, and… it failed.


I took a quick look at the File Manager and determined that the WordPress install appeared to be in place. So, instead of using HostGator’s login button, I just used the standard WordPress admin URL, which is domain.com/wp-admin. This worked.

I was, however, no longer surprised to find more upsells. In this case, the entire main dashboard page — going well below the scroll of the page — had upsells.


There seems to be a big push for using a number of plugins that are either freemium or affiliate-based. Jetpack is produced by Automattic, the company behind WordPress. It also has an affiliate program.

My guess is that HostGator is pre-installing plugins where they get some affiliate revenue. There’s nothing particularly wrong with that, but plastering these upsells in the middle of configuration screens is getting old.

HostGator also dropped in a plugin for something called Mojo Marketplace. This, too, had pages and pages of upsells, this time for themes.


With all the added plugins, junk, and upsell, it’s no wonder that the site initially failed when I hit the site login button from the HostGator dashboard.

Let me be clear. There is nothing wrong with using lots of plugins on a WordPress site. That’s one of WordPress’s biggest strengths. But filling a site with crapware before it’s even live is nothing but a distraction, can add a considerable amount of confusion to new users, and may cause potential problems in terms of functionality. Plus, it’s just rude.

Quick security checks

Security is one of the biggest issues when it comes to operating a website. You want to make sure your site is safe from hackers, doesn’t flag Google, and can connect securely to payment engines if you’re running an e-commerce site of any kind. You also don’t want to distribute malware to your visitors. That’s bad.

While the scope of this article doesn’t allow for exhaustive security testing, there are a few quick checks that can help indicate whether HostGator’s most inexpensive platform is starting with a secure foundation. Here’s the tl;dr: it’s not. This thing is dangerously insecure.

The first of these quick checks is multifactor authentication. It’s way too easy for hackers to just bang away at a website’s login screen and brute-force a password. One of my sites has been pounded on for weeks by some hacker or another, but because I have some relatively strong protections in place, the bad actor hasn’t been able to get in.

Unfortunately, I have to ding HostGator for what I consider a pretty serious security flaw. When you log into their customer portal, all you need to provide is a username and password. However, if you want to ask support questions and get answers, you do need to set up a support PIN. This is a partial step forward. The problem is that if you’re able to log into the main management account, you can change the email address associated with it, and then have a new support PIN sent out. The bottom line is that, without a second factor for login authentication, the PIN is essentially worthless.

Secondly, according to the support person I reached out to on chat, HostGator’s cPanel implementation also does not support multi-factor authentication, at least in the lower-end accounts.


Multi-factor authentication should never be an upsell option or provided only for premium accounts. It takes very little effort for a hosting provider to enable it. Not only does it protect the individual customers using the feature, but it also protects all the customers of the hosting provider. That’s because most shared hosting servers share IP addresses. If a spammer or scammer hijacks a shared hosting account and that account is blocked, it’s entirely possible that all the accounts sharing that IP or that IP’s larger block of numbers will be blocked as well.

I strongly recommend that HostGator implement MFA for all accounts immediately, for their benefit as well as that of their customers.

I mentioned earlier that HostGator provides a free SSL certificate. They’re using Let’s Encrypt, a program that provides free, automated SSL certificates. Let’s Encrypt is enabled by default, so once you set up a website, all you need to do is use https:// in your URL to provide encrypted URLs for your visitors.

As my last quick security check, I like to look at the versions of some of the main system components that run web applications. To make things easy, I chose four components necessary to safe WordPress operation. While other apps may use other components, I’ve found that if components are up-to-date for one set of needs, they’re usually up to date across the board.

Here are my findings derived from the HostGator versions page and a pleasant tech support conversation, as of the day I tested [in July 2019], for HostGator’s Hatchling plan:

Component | Version Provided | Current Version | How Old
PHP | 7.4 | 7.4.14 (8.0 is still a bit new) | reasonably current
MySQL | 5.6.x | 8.0.23 | 8 years / 2904 days (end of support is Feb 21)
cURL | 7.19.7 | 7.75 | 11.3 years / 4124 days
OpenSSL | 1.0.1e-fips 11 | 1.0.2t (and 1.1.1) | 7.1 years / 2592 days
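
The version check above can be scripted so it is repeatable across hosts. The following is an added example, not part of the original review and not HostGator's tooling: it compares the "Version Provided" column against the first value in the "Current Version" column, including OpenSSL's letter patch levels. The function names and status labels are assumptions made for this illustration, and a version reported only as a branch (such as "7.4" or "5.6.x") is compared at branch precision.

```python
import re

# Values copied from the table above: "Version Provided" (Hatchling plan)
# and the first value listed in each "Current Version" cell.
PROVIDED = {"PHP": "7.4", "MySQL": "5.6.x", "cURL": "7.19.7",
            "OpenSSL": "1.0.1e-fips 11"}
CURRENT = {"PHP": "7.4.14", "MySQL": "8.0.23", "cURL": "7.75",
           "OpenSSL": "1.0.2t"}

_VERSION = re.compile(r"(\d+(?:\.(?:\d+|x))*)([a-z]{0,2})")


def parse_version(text):
    """Return a comparable tuple for the first version number in `text`.

    Accepts bare versions or full banners such as `openssl version` output.
    A ".x" wildcard is dropped, and an OpenSSL 1.0.x letter patch level
    becomes a final number (e -> 5, t -> 20, za -> 27).
    """
    m = _VERSION.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(1).split(".") if p != "x"]
    if m.group(2):
        parts.append(sum(ord(c) - ord("a") + 1 for c in m.group(2)))
    return tuple(parts)


def status(provided, current):
    """Compare at the precision the host actually reported."""
    have, want = parse_version(provided), parse_version(current)
    n = len(have)
    want_n = (want + (0,) * n)[:n]  # pad or truncate the baseline to match
    if have < want_n:
        return "outdated"
    if have == want_n and len(want) > n:
        return "branch current, patch level unknown"
    return "current"


def audit(provided=PROVIDED, current=CURRENT):
    """Map each component name to its status against the baseline."""
    return {name: status(ver, current[name]) for name, ver in provided.items()}


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:8} {PROVIDED[name]:16} -> {result}")
```

A "branch current, patch level unknown" result means the host should be asked for the exact patch release before the component is treated as up to date.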

The cURL library, which is meant for data transfer, particularly of secure information, is…
