In the last decade as a web professional, I’ve seen a lot of scary things:
- websites whose code bases were so insecure, a high school computer science class would give you all the skills you needed to hack in;
- website owners who ignored relevant privacy and security laws, putting themselves and their customers at risk through negligence;
- the time I had to defend a website meant for student artists from ISIS hackers. Yes, ISIS has whole terrorist cells whose job it is to cause cyber-terror! In this case, they were attempting to spatter the site with graphic images of beheadings. I battled them for hours, and later had to turn over server logs of the incident to the FBI. True story!
But the horror story I’ve decided to talk about this October is something much more insidious, much more common, something there’s a very good chance is lurking around your own business: cheap website hosting.
I’ve written at length about how the “race to the bottom” in web host pricing can negatively impact businesses and cost them hundreds or thousands in lost sales (even if they DON’T result in the business’ site getting hacked, which they often do), all for an average savings of $10 to $20 a month.
But those articles are all about broad concepts; this one is about the blood and guts of what cheap hosting really looks like up close.
I get a lot of calls from new clients who need help recovering from a hack, and the vast majority of them were on Bluehost when that hack happened. It’s a prime example of rock-bottom pricing for bottom of the barrel service. I have so many horror stories about Bluehost that it was hard to choose only a few to share. Here’s one special gem I posted to my Facebook in disbelief right after it happened in February 2016:
Hours wasted on the phone with Bluehost support today… Their customer service has gone way downhill.
“Hi, I need to request a restore from backup so that I can –”
“That NEVER works.”
“What doesn’t? Restoring from backup?… Isn’t backup a service this client is paying you monthly to handle?”
“Yeah, but it’s useless. Don’t bother.”
“Okay, but I need you to restore from backup so I can–”
“I’m just looking out for YOU, I don’t want you to look bad, because you can’t fix a hacked site.”
I’ve fixed probably hundreds of hacked sites at this point, so I suspect this woman has absolutely no clue how hacking works. She confirms this a few minutes later by asking me where a bunch of keys are on her keyboard, because she can’t figure out how to type in the information I’m giving her.
If you don’t know how your keyboard works, you definitely don’t know how hacking works.
2016 too long ago for you? Maybe you’re thinking they’ve improved since then? Here’s another, from just this week:
A client asked me to set up a blank WordPress blog for them on their new Bluehost hosting. The type of thing that takes five minutes. Easiest job in the world, right?
Wrong. Their control panel is so broken right now that it can’t create DNS zone files – these are essentially a special kind of text file that lets other computers find your website when they type in your domain name.
Let me repeat that: It can’t even create what amounts to a text file. One that is required to have a working website of any description. Literally every website you’ve ever visited in your life time has one of these.
Bluehost’s job is to host websites and point domain names at those hosted sites. I called customer support twice yesterday to ask them to fix this issue. Each time, I was told that the problem had been resolved and I should try accessing the site again in 30 minutes, tops.
By the time I woke up the following day, the problem had not resolved, so I called support again. The first person I reached asked me to confirm my password to verify the account, and told me the password was wrong even though I was logging in and out with it successfully while on the phone with her. She asked me to generate a support token instead, then hung up on me midway through my reading it out. I know she hung up on me rather than the call dropping, because I was still on the line and it dumped me into the post-call customer survey.
Called back AGAIN, second guy accepted the last 4 of the password as valid immediately, and explained that they only have real technicians employed during the day so my ticket from last night had not even been looked at yet despite the claims of a 30 minute wait — the real tech support staff was just coming in for the morning. Said to try again in the evening after the techs had had a chance to work their way up to our ticket.
The timing on this story is so on the nose that I’m afraid it will read as made up, but I’ve got news articles to back me up. Almost as soon as the calendar turned over from September to October, our clients using this host started to experience intermittent issues receiving their email. A few days later, their websites slowed to a crawl, email ceased entirely, and the entire SpiritOne company website vanished off the internet. Calling their customer support line yielded a canned message stating that the company was experiencing a “global outage,” but after nearly four days of no service, SpiritOne’s CEO made a statement to the news:
“The company’s up and running,” he said. He said the voice message describing the outage is “out of order.”
Any issues, Ogden said, are caused by Spirit One’s migration to new servers. But he said its website is accessible from some locations and clients’ emails are being preserved for later delivery.
And that was it. Beyond an off-site monitoring page reporting that SpiritOne was experiencing “some” disruptions, there was no other communication or contact from the company. If the CEO’s statement is true, that the outages were caused by a migration to news servers, that on its own is a major problem – it would mean there was some HUGE technical screw up. Maybe a couple of hours of downtime would be acceptable in that scenario, but transitions like the one being claimed typically come with MONTHS of warning so that customers can plan around them. Having no warning, a conflicting story, and no estimate for when things will come back up? This is a real horror story.
Our clients who used their hosting and email services were forced to abandon ship; but worst hit of all were those who also had their domains registered through SpiritOne. Because SpiritOne’s control panel had gone offline with the rest of the company, there was no way to point their email addresses or domains at new hosts, and they were trapped on the apparently sinking ship.
This was a long story, but I’ll try to put it in a nutshell: After HostPond was acquired by CanvasHost, all of Hostpond’s old customers were migrated to new servers owned by CanvasHost. With no notice whatsoever, all of those customers suddenly found themselves on less powerful servers with lower memory allowances, different versions of PHP and other core services than they had been running on before, and in the case of my client caught up in this transition, massive quantities of data were lost in the transition.
More than a grand was spent on debugging, reprogramming, and attempting to get software that had been working fine for years to run on the newly downgraded hardware – for which they were being charged the same price as before. Customer service was dismissive and cavalier throughout the experience. In the end, the only recourse was to move to a vastly better host.
And many others
GoDaddy, Dreamhost, HostMonster and many others… I’ve got spine-tingling stories about dozens of cheap hosts. Your company website should not have to live in a haunted house. Please, save yourself before it’s too late!