How to find a good website hosting provider: The Q&A edition
Does the new host offer free migrations?
While migrating a site becomes simpler if you are using a CMS or framework that supports the ability to import and export, not all hosts are created equal. Technologies used and versions of software that are in place may not be optimal or compatible with your current site. Alternatively, your site may not be updated enough to take advantage of some of the newest features and configurations provided which may cause errors on your site after the migration, some which may not be directly visible by viewing the site. When moving away from an existing web hosting company, you should look for a website provider that offers a free migration service. This will help you save money and provide peace of mind that your site will be transferred successfully and with minimum downtime. For an overview on the website migration process, take a look at our Website Migrations article.
Does the new host offer free SSL certificates?
Free SSL certificates are generally issued by non-profit certificate authorities. Let’s Encrypt, one of the leading non-profit Certificate Authorities, provides SSL/TLS certificates for free to anyone who wants one for their site. The purpose is to encrypt the entire web to the extent that SSL encrypted websites become the norm. Almost all browsers will attempt SSL protocol before falling back to unencrypted communications. Hosting companies have also jumped onboard with this option and are offering free basic SSL certificates with all of their hosting plans. One major advantage of this is that the SSL certificate itself is maintained by the hosting provider, including the initial generation and the renewals. While the certificates created from these free services are usually only valid for 90 days, the host will automatically update them as the end of the window gets closer.
The reason that hosting providers and Certificate Authorities can supply these free SSL certificates is because they are the simplest possible verification type. To help clarify, there are three main types of certificate validation levels: domain validated (DV), organization validated (OV), and extended validation (EV). Validation level refers to how the Certificate Authority confirms the identity of the company and person(s) who are applying to obtain the certificate. Free SSL certificates are domain validated certificates, and thus the lowest requirement for validation. This is why your hosting provider can request them on your behalf, as they control your website or DNS. Domain validated SSL certificates show that a domain is registered and you are the owner of that domain and website, or at least have access to the site to make changes via DNS or by adding files.
If you want to ensure a higher level of security for you and your customers, you can increase the validation level of the certificate. A side effect of this is the cost of the certificate increases as the Certificate Authority must take additional steps, some which cannot be automated. Most websites are find with a standard Domain Validation certificate, but if you are running an eCommerce website or handling sensitive customer information, you may consider upgrading the certificate to provide additional validation that your customers are able to identify your site.
The next level of validation for SSL certificates is the the organization validated SSL certificate. The organization validated SSL certificate shows that you own a domain while also verifying that you own an organization in a particular country, state, and city. The process for obtaining one of these certificates is exactly like getting a domain validated certificate, but you have to take some extra steps to verify your company’s identity after validating the domain information.
Lastly, the third tier of certificate validation is the extended validation SSL certificate. The extended validation SSL certificate requires businesses to provide even more records to prove their ownership of a company. This certificate gives you the same kind of validation as both domain and organization validated certificates, but it also proves that you have legally registered the company as a business. In addition to this it also shows that a company is aware of the request for an SSL certificate and has approved it. The certificate authorities only grant these kinds of certificates after they have received documents that prove the operational existence, physical location and registration, and the consistency between those records.
Does the new host offer a backup solution and what are the policies or restrictions?
There are a number of different scenarios where you might find yourself needing a backup of your website. It may be because of a software-related issue during upgrades, host failures, or a simple case of human error. Whatever the case may be, when your site crashes, you need to restore a backed up version of it quickly. For this reason, it’s important that the backup solution provider you rely on is reputable, fast, and helps you restore your site from a backup. This may not be the case with all web hosting providers. Some of the more common areas of interest around backups are automation, coverage, frequency, retention, and security.
Most web hosting companies offer free, automatic backups with their hosting plans. Depending on the provider, they may only backup your site automatically if it’s within their website size limit, or only a portion of your website. This still fulfills their ability to say they offer free website backups while allowing them to keep the storage costs from getting too large. Backups cost space and if a customer creates too many backups, or has an extensively large site or other data, it may cost the hosting provider more than they are making from the monthly payment.
Websites are generally files and other data. However, newer sites that use CMS or frameworks consist of databases as well. If you are also using your hosting provider as the DNS name servers, they should also be backing up your DNS zone files. It’s important to know exactly what your web hosting provider is backing up and whether or how you can access to it for review. Familiarizing yourself with the backup solutions that are provided, what they back up, and the process for restoring them is paramount for any website owner. If you can’t find the information about the backup system readily on the hosting providers website, check their knowledge base, or contact them directly to request additional information. Additionally, the location of the stored backups is important. If they are stored with your website they may not be viable in the event of file corruption or malware within your website. A great backup plan includes both local and remote backups to ensure that any possible event is covered.
Another item to consider for backups is how often your provider is taking backups. Some websites don’t change day to day, but some do. If your website is changing daily and a backup is required, how far back do you need to go to get it back up and running? Days, weeks, months? If your website provider is not taking backups at an interval that is useful to your site, then the entire backup is most likely not useful to you as a customer.
Even if your prospective provider takes backups of any size, within your desired interval, and has a simple way to restore it, they may not store multiple versions of the backups. Again, storage costs the hosting provider money and they aim to limit what they have to spend in most cases. If you find out you have a breach on your site after a month, will the backups cover you that far back, or will you have to deal with the issue without backups.
Lastly, the security of your backups is also a great question to be informed about. Providers generally don’t store backups as encrypted files due to the overhead and ease of access and may transfer them to remote third party storage with or without your knowledge. This means that the backups could be tampered with if there is a breach of security for either the hosting provider or their remote backup system.
Does the new host support realtime malware and virus scanning?
Unfortunately, several hosting providers, even some high-end ones, do not offer free scanning and detection of malware and viruses for the websites they host. In most cases a single compromised user, even on a shared hosting platform, cannot effect the other users on the platform. However, it may drag down the reputation of that hosting provider (or at least the shared server IP) by becoming listed as a security risk on various anti-malware and safe browsing lists. Due to the resources required to support scanning and detection of malicious files, most providers offer this as an add on package or at least an upgrade to a higher level hosting package. It’s highly beneficial to have this feature as it can prevent your website from scamming others or at a minimum to help you know that the site has been compromised as soon as possible. In additional to file scanning, try to find a hosting provider that supports realtime attack and DDoS protection via a Web Application Firewall. This will assist in deterring some online attacks against your website even before it gets to it. This can assist in keeping your website safe by detecting and stopping many forms of cross website scripting, bad user agents, SQL injection attacks, session hijacking, or other exploits.
Does the new host ensure that protocols are patched and up to date?
Second to ensuring that the website is secure is to ensure that the hosting provider itself is secure and takes proper precautions against potential exploit. This can be a highly complex and controversial topic, so we’ll stick to the basics. As times goes on, website applications and codebases change, usually for the better. Security patches, updated features, and bug-fixes are common on most platforms and its the responsibility of the web hosting provider to ensure that these changes are implemented to protect themselves as well as their customers.
As an example, at the end of 2019, the support for PHP 7.1 ended, thus removing any additional fixes to be added to the codebase. PHP’s website details that users of this release should upgrade as soon as possible, as they may be exposed to unpatched security vulnerabilities. Because of this, many website providers removed support for PHP 7.1 within their hosting systems, to ensure that their customers and their own systems would be protected from any new exploits or vulnerabilities that were discovered in the legacy codebase. However, some providers are still allowing customers to use this version, with some even allowing highly deprecated versions going back to PHP 5. Older versions of PHP may be required for your site, but they impose a very real security risk to you and your hosting provider. Please ensure that the new provider you are moving to supports the version of your codebase that is used in your website, or ensure you have a plan, or the budget to upgrade the site during the migration.
Does the new host support ‘unlimited’ storage or bandwidth?
This can be a red flag for most customers as nothing is truly unlimited. Bandwidth translates to the amount of traffic and number of page views your website can handle every single month. Fortunately, it’s becoming common practice to offer unlimited bandwidth by most providers. Just be aware that with any host, unlimited or otherwise, there’s a chance your site could be throttled down, or your site could go offline if you’re experiencing a massive traffic surge — such as during a holiday sale or if one of your blog posts just went viral. This usually has to do with rapid scalability within a hosting infrastructure more than bandwidth, however, if you are aware of an increased traffic requirement, please notify your hosting provider sooner rather than later to ensure your site stays online. Now for the rant about ‘unlimited’ storage. There is no such thing. Period. They all come with an asterisk, a caveat, or a context. Some providers limit on number of files or inodes, some limit on size of contiguous file, others still limit on file type, and the most devious detail ‘at our discretion’. Most providers will fully detail what they allow and do not allow, along with the limitations of the ‘unlimited’ storage. For most websites, this is not an issue, but it’s never a good thing to wake up to your website being offline because you uploaded a recent zip file for a colleague and they found it to be out of compliance with their terms. Find a hosting provider that details exactly how much space you get and that you can use it for whatever you want – within applicable laws and statues of course. The limits for storage vary widely across hosting companies and platforms. However, unless you’re storing videos, collecting and storing user data, or a ton of media content, you can probably get away with using minimum levels of storage.
Does the new host have a support channel and it is responsive?
Customer support is something some people don’t think about until it’s too late. For some reason, your website is offline and no matter what you do you can’t it back online. You’ve tried contacting your hosting company’s support team and they’re non-responsive. Plus, you’ve got a big launch the next day. That scenario doesn’t sound fun for anyone. For this reason, you’ll want to test support yourself before selecting your hosting provider. Submit a question or two and ensure their methods of support work for you. For example, some companies only offer email support with a ticketing system, while others include live chat and phone support. Lastly, a solid host should have an educational blog, along with a resource library or knowledge base, that should be able to help you work through any issues you may be experiencing.
Does the new host provide clear pricing?
Hosting price increases are pretty common practice—unless you end up purchasing hosting for multiple years at a time. Price variances will happen, but they shouldn’t come as a shock. Make sure you select a hosting company that has clear pricing terms, so you know if and when a price increase is going to happen. Additionally, don’t fall for the marked down $2.99/month for a $11/month price. There are so many websites that use this marketing tactic to get customers signed up, only to not have them realize it only applies to a portion of their term.