It’s not you Bluehost, it is me. I’ve grown a lot since this relationship began and I have to go out there and see the world again. We can still be friends though, right? Maybe you can host some of my non-critical and test sites…
I’ve alluded to this in the post, Security is Serious Business, and a little further in the Bluehost vs Linode speed comparison. But I think I can go into a little more detail about this now that all of the files and domain records have transferred & settled down.
Speed and Throttling
One nice thing about Bluehost, is that any shared account can handle crazy bursts of traffic. Sort of.
Instead of banning overactive sites like most shared web hosts would do, Bluehost has implemented a throttling system that simply delays requests to the most demanding domains. While this is a lot better than the blue screen of suspension death, it still means slow page loads during the peak half of the day. Yeah, not just an hour or two, but from noon to midnight.
In all, it averaged that pages from this blog served on Bluehost were taking 3.7 seconds to load. Once moving to Linode, the same page went up in 2.2. Pretty damn significant. On that point alone, it was probably worth paying the extra $12 a month for the VPS account at Linode.
Security, security, security
My original security strategy amounted to this: Never collect and store sensitive information about the users. I’m not selling anything directly or ever handling credit card numbers, so I figured there would be nothing on my site worth hacking.
Boy, I was wrong.
The first problem happened last July while I was in Ireland and visiting with my girlfriend’s family. Just as I was gone for two weeks, someone managed to slip in through a Joomla exploit in my politics blog, and gain access to the hosting account’s email servers. A few hours later, my domain was a spam mill and I was offline for at least a week. Even when I completely deleted the offending site and secured what I knew how to secure, Bluehost let me know that I was going to be offline for good if I got reported for something similar a second time. Combined with the fact that they couldn’t provide many details or assistance in the recovery, I decided to just leave the email servers off for the sake of safety & simplicity.
The second attack was even worse, and it also happened while I was out of town.
When I got back from a more recent trip, I had a warning in my Gmail account that my websites were suspected of distributing malware. I was floored: how could this happen?
Apparently, someone had gained access to all the files and included some Base64 decoded instructions in the .php that would call up a JavaScript exploit. This particular attack seemed aimed at Mac computers, so anyone on an unsecured Apple might have got in trouble if they visited my College blog that weekend.
Thankfully, Google keeps good records when they accuse your site of distributing malware. I was able to find the source and methods of the attack, and create a clean recovery of the sites.
It was what I learned about the access point that shocked me.
According to Google, about half of the domains on my Bluehost server were somehow compromised and spreading infection. This was way too much to be coincidence, and it didn’t fully stop until I changed all of my FTP account passwords. Someone must have got their hands on a nice account list, because I can’t imagine how else every domain on a machine would get hacked simultaneously. I just feel bad for the people who didn’t catch it and clean it so quickly…
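The injection described above (an `eval(base64_decode("..."))` line dropped into existing .php files so that every page serves a hidden script tag) is one of the most common shared-hosting infections, and it is worth being able to find it across every domain on an account before Google does. The scanner below is an added example written for this page; it is not the author's code, and the PHP samples, the decoded payload and the `example.invalid` host in them are constructed for the demonstration. It finds the literal `eval(...)` wrapper chain, decodes it the way PHP would, and flags payloads that contain script or iframe tags.

```python
"""Find eval(base64_decode(...)) style injections in PHP sources.

Added illustration, not the blog author's code. Sample file contents
and the payload below are constructed; no real site is referenced.
"""
import base64
import re
import zlib
from pathlib import Path

# The literal injection form: eval( wrapper( wrapper( "blob" ) ) ).
# Group 1 = wrapper chain, group 2 = quote character, group 3 = blob.
_EVAL_RE = re.compile(
    r"eval\s*\("
    r"((?:(?:base64_decode|gzinflate|gzuncompress)\s*\(\s*)+)"
    r"(['\"])([A-Za-z0-9+/=\s]+)\2"
    r"\s*\)+",
    re.IGNORECASE,
)
_WRAPPER_RE = re.compile(r"(base64_decode|gzinflate|gzuncompress)", re.IGNORECASE)
# What a decoded payload looks like when it is serving browser-side malware.
_SUSPICIOUS = re.compile(r"<script|<iframe|document\.write|unescape\(", re.IGNORECASE)


def decode_chain(wrappers, blob):
    """Apply the wrappers innermost-first, as PHP would; None if any step fails."""
    names = [w.lower() for w in _WRAPPER_RE.findall(wrappers)]
    data = re.sub(r"\s+", "", blob).encode()
    for name in reversed(names):
        try:
            if name == "base64_decode":
                data = base64.b64decode(data, validate=True)
            elif name == "gzinflate":  # PHP gzinflate = raw deflate, no zlib header
                data = zlib.decompress(data, -zlib.MAX_WBITS)
            elif name == "gzuncompress":  # PHP gzuncompress = zlib-wrapped deflate
                data = zlib.decompress(data)
        except (ValueError, zlib.error):
            return None
    return data


def scan_source(label, source):
    """Return one finding per eval(...) wrapper chain in a PHP source string."""
    findings = []
    for m in _EVAL_RE.finditer(source):
        decoded = decode_chain(m.group(1), m.group(3))
        text = decoded.decode("utf-8", "replace") if decoded is not None else None
        findings.append({
            "file": label,
            "offset": m.start(),
            "chain": [w.lower() for w in _WRAPPER_RE.findall(m.group(1))],
            "decoded": text,  # None means obfuscated eval that did not decode: still report it
            "suspicious": bool(text and _SUSPICIOUS.search(text)),
        })
    return findings


def scan_tree(root):
    """Scan every *.php file under root (e.g. a public_html export) and collect findings."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        try:
            source = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        findings.extend(scan_source(str(path), source))
    return findings


# Constructed samples: a clean file, a single base64 wrapper, and a
# gzinflate(base64_decode()) double wrapper. The host name is hypothetical.
PAYLOAD = b'<script src="http://example.invalid/x.js"></script>'
_deflater = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
_RAW_DEFLATE = _deflater.compress(PAYLOAD) + _deflater.flush()
SAMPLES = {
    "index.php": "<?php\nrequire 'config.php';\necho 'hello';\n",
    "footer.php": ("<?php echo 'site footer'; eval(base64_decode(\""
                   + base64.b64encode(PAYLOAD).decode() + "\")); ?>"),
    "theme.php": ("<?php eval(gzinflate(base64_decode('"
                  + base64.b64encode(_RAW_DEFLATE).decode() + "'))); ?>"),
}


def scan_samples():
    """Run the scanner over the constructed samples; returns {name: findings}."""
    return {name: scan_source(name, src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        for hit in hits:
            flag = "MALWARE" if hit["suspicious"] else "obfuscated eval"
            print(f"{hit['file']}@{hit['offset']}: {flag} via {'>'.join(hit['chain'])}")
            print(f"    {hit['decoded']!r}")
```

Point `scan_tree()` at a copy of the account's web root and treat any hit as an infection, whether or not the payload decodes: legitimate themes and plugins have no business evaluating obfuscated strings. This catches only the literal form; string-splitting, variable function names and other obfuscation evade a regex, so the reliable recovery is still what the author did, comparing against known-good copies of every file and rotating every FTP and control-panel credential once, across all domains, before putting the clean copies back.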
Time to go
So between the speed and the multiple security vulnerabilities, I just couldn’t trust my most valuable websites to Bluehost any more. When my sites were small experiments, Bluehost was a perfect choice – now that there is like two thousand a month on the line, I just can’t afford to cut corners and take the easy way.
Now, I’ll need to update my Bluehost review with a link to this one, but I’m still very happy with how Bluehost helped me go from complete newb to fairly successful webmaster in just a few short years. I didn’t know the first thing about web development back then, and if it weren’t for the automated installs I might have never got started on the content writing & promotion that really makes me money. After that three years of messing with the tech side as necessary, I could then easily set up a LAMP server from scratch on the Linode VPS. I never would have learned the necessary skills if it weren’t for that introductory step of Bluehost, so I really can’t say that I feel let down in any way.