Choosing WordPress hosting is one of the most important decisions you will make when you create a new WordPress website. There are a wide array of WordPress hosting options to choose from. From bargain shared WordPress hosting options that cost just a few dollars per month to more costly dedicated WordPress hosting, to self hosting your WordPress site.
The features, practices and capacity limits offered with each WordPress hosting option have a direct bearing on the performance, availability and security of your WordPress website. Most WordPress hosting providers offer fully hosted environments, which is the focus of this article.
The first thing to look for in a WordPress hosting plan is what kind of CPU limitations are included. In a shared hosting environment you are buying a fraction of the computing power of the web server after all, so it is important to understand how much of it you are allowed to use. Shared WordPress hosting plans will often give you the maximum amount of CPU that you are allowed to use, along with how many seconds you are allowed to remain at that level. In general, the higher each of these numbers are the better. And obviously the more traffic your website receives, the more this will matter to you.
In order to manage your WordPress site you are going to need the ability to upload and change files on your WordPress hosting account or web server. It is very important that you use a secure connection, which you can accomplish by using either SSH or sFTP whenever you connect. Ensure that your WordPress hosting provider supports the secure access that you need. Connecting to your server over plain old FTP opens you up to significant security risks because this information is sent over the internet in plain text, where as SSH or sFTP will use encryption.
TLS (and its predecessor SSL) is the encryption technology that is used to provide encrypted communication between your website visitors’ browser and your WordPress web server. You can spot a web page that leverages TLS because it will always begin with https instead of http. We recommend that you run an https-only website. At a minimum, you should ensure that your WordPress login page (usually something like https://example.com/wp-login.php) and any pages that accept sensitive information from your users or present it back to them are https pages. Most hosting plans will charge extra for this capability or you may have to purchase your own certificate, so make sure that you understand how much it will cost you.
Most websites on shared WordPress hosting plans share an IP address with their neighbors. For the most part there is no problem with this. In general it should not slow down your website or impact your SEO rankings. There is always a chance that if one of your IP address neighbors engages in malicious or spammy behavior, that may impact you by getting your IP address blacklisted by an organization like Spamhaus. In addition, there are a number of things that are easier if you have a dedicated IP address. We suggest that you make sure that you know whether dedicated IP addresses are available and that you understand the cost before you commit to a WordPress hosting plan.
In order to keep their costs low, shared WordPress hosting plans place a large number of sites on the same server. This is a great option for many WordPress websites, as the hosting company generally passes those savings on to you in the form of very low hosting prices. As long as they can provide you with the capacity and availability that you need to keep your website visitors happy and the functionality that you need to properly secure your website you should be just fine with one of these plans. One of the most important things for you to confirm is that your website is properly isolated (or “jailed”) from the other websites you are sharing a server with. If your website isn’t properly isolated from the other websites hosted on your server, you run the risk of being hacked by a hacker who has first gained access to one of your “server mates”.
During our research for this article and companion list, we found that almost all hosting companies claim to provide some level of account isolation. However, a number of them refused to provide any details about how they achieve it, citing confidentiality or intellectual property concerns. While they may be telling the truth, this is an incredibly important detail that we absolutely need to get right. We recommend that you avoid any hosting provider who cannot or will not share how they have implemented account isolation on their shared web servers.
ModSecurity is an open source web application firewall that can generally be configured to augment what a recommended WordPress security plugin like Wordfence does in a compatible way. Most WordPress hosting providers offer it in some form. We recommend that you choose a host that offers it, and ideally gives you the ability to customize how it is configured.
Many WordPress hosts will offer additional security software options. They may also restrict which security software you are allowed to run. We recommend that you verify that you are allowed to install and run the Wordfence security plugin.
In the event that your site is hacked, it is incredibly important that you are able to react quickly. Generally, the faster you recover from the hack, the smaller the impact to you and your users. In many cases you will need your WordPress host to help with your recovery efforts. Because of this it is very important that you understand how quickly your hosts’ support team responds, how you are allowed to contact them and how competent their support resources are. We recommend that you choose a host that provides immediate phone support when needed on a 24/7 basis and that they are competent.
In the case of a hack, backups are one of your most important tools. Having the ability to restore your website to a “pre hack” state can make it very easy to eliminate malicious code from your site and get your website back up quickly. We recommend selecting a host that automatically backs up your site daily and retains backups for at least 30 days. This is important because sometimes your site has been hacked for days without you noticing, so if you have older backups it can be very beneficial.
Server log files are a rich source of information when you are trying to identify the vulnerability that led to a website hack and the total impact it had on your website. At a minimum we recommend a WordPress hosting plan that gives you immediate access to log files going back at least 24 hours. Ideally you should also have the ability to archive log files older than 24 hours old for 30 days.
We hope that this article has given you a solid understanding of the specific features you should be looking for in a WordPress hosting plan and why.