Why I Can No Longer Recommend Bluehost Web Hosting (I Owe An Explanation)
I’ve long recommended Bluehost as my first-level recommendation for web hosting. However, I can no longer do so. Here’s why.
You’ve probably noticed that a lot of bloggers out there recommend Bluehost. Why is that?
Well, they’re popular. They’re affordable. And they pay a respectable commission.
That last part really is the key, I believe. There are a lot of bloggers out there who will recommend Bluehost simply because of the commission. And typically, web hosting companies pay pretty good commissions.
Being in the position I am in here, I always need to have a “go to” recommendation for web hosting. But, it has been a little bit of an odd thing for me.
My first rule of any product recommendation has always been: I don’t recommend anything I haven’t used myself.
The web hosting that I am currently using for this website is WPEngine. If I had my way, I’d have all of my new blog owners sign up for hosting at WPEngine. I think they’re a great company, has support among the best I’ve ever worked with in my 17 years in the business, and their Wordpress-specific features (like one-click staging site) is just freakin’ awesome.
So, if you want to go for what I think is your best bet, you’d use WPEngine. (although, wait get to the end of this post as it could change your mind)
That said, I realize that many in my audience will find WPEngine too expensive. With plans starting at $29/month, it can be a bit of a buzz kill for a blogger who is bootstrapping. The ol’ motto of “you get what you pay for” remains true, but it doesn’t sting any less.
So, for quite some time, my “go to” recommendation has been Bluehost. It falls within the budget of a bootstrapping new blogger and that’s important.
It also happens to satisfy the rule I have. I do currently still have something hosted with Bluehost.
Plus, Bluehost is affordable. They can adapt to you as you grow. They fit the bill very well for many new and upcoming blog owners getting established with their business. And to be clear, I will continue to hold Bluehost as a viable option.
That said, I’ve cooled off on it. And I think I need to explain why.
It Started “Over There”, Then It Happened To Me…
For the last year or so (give or take), I was hearing rumblings of issues over at Bluehost. I’d see conversations about sites getting hacked over and over again, people getting fed up and moving elsewhere.
I also have people I know who don’t like Bluehost. One friend of mine who does custom sites for clients and he tells me to stay far away from Bluehost, based on his experience.
The story is that Bluehost is part of a larger conglomerate that also includes Hostgator and many other companies. That parent company is Endurance International Group, or EIG. They own a number of subsidiary brands, including Bluehost, Hostgator, Constant Contact, Domain.com, Dotster, iPage, JustHost and many others. When EIG took over Bluehost, the rumors are that the quality of service dropped.
For me, those rumors were always “over there”. I heard some of these rumors through the grapevine but I hadn’t experienced any of it myself.
But, then I did.
I woke up one morning to find that the site that I have hosted with Bluehost had been hacked.
The hackers clearly didn’t have any bad intentions toward me. This was just to show they could. They littered my account with a bunch of oddball files and they dropped a text file into every directory to claim the credit and name their group. I actually think they look at it as a public service to show security vulnerabilities by hacking. My site was up and running fine – they didn’t damage anything. They simply littered up the file system with bogus files.
So, first issue is that they were able to do that quite easily. I highly doubt they singled me out. This site isn’t even a public site that I host over there. It is an internal system. So, this was clearly a broad mass hack taking advantage of an insecure hosting environment on shared hosting.
The second issue, however, is how Bluehost handled it.
I wish I had the emails to show, but I don’t. Essentially, I contacted Bluehost support to tell them my account had been hacked. I pointed out that they had injected the file system with a bunch of files, and I pointed out one of the files as an example.
The response from Bluehost was essentially to delete that ONE file (leaving all the rest)… then told me it was handled. There was literally ZERO comment about how they were able to get into the server to begin with. When I emailed back to tell them this, the response was just to tell me to update my software.
What struck me about all this was:
- The support person was clearly not experienced, and the job was simply to close the support ticket.
- It was as if there was zero concern at all that their system just got hacked.
- The support person didn’t actually read my email. I’m a pretty techie person, so I was pretty specific in what I saw had happened. So, for the response to be to delete one file and call it a day, I was surprised at the lack of attention.
After all that, I got a survey for me to rate my satisfaction with their support. Found that funny, really, seeing as they had closed my ticket and the situation was not resolved.
So, this experience definitely had me questioning Bluehost.
How can I, in good conscience, continue to recommend Bluehost as my first-level hosting recommendation to new people when they clearly have an insecure hosting environment (at least on their cheaper shared plans) and don’t even care that that’s the case?
So, Does Bluehost Suck Now?
Well, not sure I’d go that far. Certainly, there are still many people using Bluehost who are satisfied.
You get a lot for your money with Bluehost. It has been mostly just fine for what I’m using it for. I paid Bluehost about $142 for 3 years of hosting, which works out to $3.95/month. I mean, it is cheaper than dirt so it is what it is.
However, Bluehost is a company which makes money in volume. I think their support people may very well be overseas and I don’t think they’re super-experienced. Bluehost is just fine as long as things keep working. And I’m sure there are stories out there of good support from Bluehost. I never really had a problem with them until this hacking incident. To be clear, though, I never contacted Bluehost support until this incident, so from my perspective, this is a 1-to-1 ratio of incompetence.
Some other bloggers may continue to recommend Bluehost and ignore this issue because, well, the affiliate commissions are good. And there are a fair amount of bloggers who make good money pimping Bluehost – some more than others.
But, I can’t continue to recommend as my first recommendation a company which personally disappointed me.
My New First-Level Recommendation: SiteGround
I have been aware of SiteGround for quite some time, but it was just one of the many hosts in the mix. Didn’t pay it any attention.
But, it began to spring up in conversations more often. I’d see social media threads of people complaining about Bluehost and said they’ve had good luck moving to Siteground.
Then, it began to happen inside the Blog Monetization Lab itself. Several of my Lab members moved to SiteGround (before I ever recommended it) and were very happy with it.
Then, one day I got approached by the affiliate manager for SiteGround. No surprise there, as affiliate marketing is a huge way hosts promote themselves. I had a conversation with him (over email) about why SiteGround is better than Bluehost. He even explained to me why he thinks SiteGround is a better solution that WPEngine, which he knew I liked.
The bullet points were this:
- He believes WPEngine charges a premium for a level of service which doesn’t justify the cost. SiteGround offers similar managed Wordpress hosting for less.
- They run an effecient operation, with a very heavily systematized business. This allows them to keep costs down for higher levels of service.
- The platform they used to manage their systems is tried and true and the development costs for it are in the past, which means they don’t have to pass the cost onto customers.
- He believes that WPEngine’s pricing is more about going after that perception of “high end hosting”, but in reality the hosting isn’t much different than the managed WP hosting of its competitors
- They have aggressive hiring and training practices for their support staff.
- They provide free website transfers from other hosts.
- Free domains for LIFE.
- Their managed hosting for Wordpress doesn’t limit you to Wordpress, which means you can run other software, too. That’s an advantage.
So, I was impressed. I know he was selling his company (that’s his job), but he was making good points.
But, to back all this up, I was seeing great reviews and experiences from Siteground customers – even from inside my own Lab community. That says alot.
My ONLY problem here was my own personal rule about not recommending something I haven’t personally used. And, as of this time, I do not currently have a SiteGround account.
I will be fixing that issue in due time. 🙂 My Bluehost account is pre-paid for a bit and I have had other priorities than moving what’s over there, but I will very likely be moving off Bluehost and switching it to SiteGround.
I also have a little side blog I just started (more on that later, perhaps). It is currently with WPEngine, however I’m going to move it to Siteground as my test of their managed WP hosting.
I do, of course, now have an affiliate relationship with SiteGround. I’m a businessman, so that’s obvious. 🙂 But, I hope I’ve made clear here that I take my product recommendations seriously around here. I don’t promote anything just for a commission. I do it based on what I think is truly their best option for where they’re at.
In fact, I’m taking a commission hit by switching my primary recommendation. I don’t currently make as much per signup as a Siteground affiliate as I do with Bluehost. However, there’s a matter of consistency and, well… karma.
I cannot, in good conscience, continue to recommend to all my readers to get a Bluehost account. If I personally got hacked, was disappointed in how they handled it, and am thinking of leaving, then how can I recommend it to others?
I think SiteGround is just a better option.
And while I still like WPEngine, I’d be a fool not to admit that SiteGround can provide what looks to be the same level of service for much less than WPEngine. I haven’t tested it yet, but I will be and I will update you on my findings.
So, here’s the deal…
Sign Up For SiteGround Via This Link and…
- Get treated well. 🙂
- Get WPEngine-style hosting for much less monthly
- They’ll move your site from your current host for free
- You’ll get a free domain – FOR LIFE.
SiteGround will now be listed as my main hosting recommendation on my Resources page. And now, you know why. 🙂
Word of warning. SiteGround customer reviews have been getting more negative in 2020.
Do not buy multi-year hosting packages from a hosting service that does not offer anytime, pro-rated refunds.
SiteGround does not offer pro-rated, anytime refunds. If you pay for 3 years and don’t cancel within 30 days of starting, they will keep the other 2 years and 11 months of payment. You are stuck with them. Their service can deteriorate, but you can’t get your money back. Got Ya! Keep your subscription time short in case they crash or sell out to EIG, whatever.
A2 offers anytime pro-rated refunds to the month. Isn’t that better when you pay in advance?
Shoot I just noticed siteground is on the hackers’ target list! Well the search will have to continue…
I wouldn’t worry about it. No company is completely immune, but Siteground is better than the EIG companies.
I’ve been with bluehost since 2006. The trouble started in 2015 when I discovered hackers using my email server for phishing. Around that same time they wrecked my website so I just erased everything in public_html as my life’s work had changed and I no longer needed a site, just a mail server. Next thing I’m discovering email accounts that I did not create. Then a few times the hackers put stuff in my public_html that was generating spam or lord knows what. It took 5 minutes this time just to delete the thousands of files.
The important thing I want to share with you is this list of hosts I found in a readme.txt in an assets folder. I have a feeling these are good hosts to avoid. The readme starts with
“This kit requires php7.1 or later and ioncube extension installed as mentioned in the store page.
So if you want to get a host check if it supports ioncube first.”
and then later gives this list:
2. cPanel Hosting
http://www.tmdhosting.com
http://www.siteground.com
http://www.digitalocean.com
http://www.ionos.com
http://www.hostgator.com
http://www.bluehost.com
http://www.liquidweb.com
http://www.dreamhost.com
http://www.cloudways.com
http://www.uk2.net
pacifichost.com
awardspace.com
http://www.bigrock.com
I’m done with bluehost now and will investigate siteground.
What I hate about your blog is that there are no dates on the comments. I have no idea if this post is a total waste of time or what. Why do you turn the dates off?
Dates are off mainly because dates aren’t very relevant to the material on this site, for the most part.
I’m about to start a blog…and sign up for your academy 🙂 Am looking at hosting. Do you have any thoughts on A2 hosting? There seems to be a lot of buzz going around about it. I’ve used Siteground in the past and they were ok.
Hey David!
The link at the end of this post for your resource page isn’t working.
Thanks for this information. I literally just left an online chat with bluehost support because I was indeed getting NO support! So frustrating. As a relatively new blogger, I must be conscientious about where I invest. WPEngine isn’t even an option and bluehost makes life hard when you are a tech newbie trying to figure things out and build a reputable site! I look forward to hearing about your experience with SiteGround. I definitely want you to kick the tires around for me before I would consider switching… 🙂
Thanks, Shelley! Got it fixed now. 😉
Shelly, I’ve had a Siteground account now for several months. BMA isn’t hosted there, but I have some smaller stuff there. It is indeed a solid service and I think you’ll be a-OK switching to them.
As always, thanks for your straight forward, balanced and honest review. I have Bluehost and experienced many of the challenges being discussed and I am now taking advantage of the affiliate link you provided to Siteground. Did my own research and fingers crossed, there is actually a company with a desire to provide customer service to the customer and the shareholders eventually benefit vs squeeze the customer and employees and shareholders make a buck…..
Yeah, I stopped recommending and referring clients to Bluehost a while back. The additional amount they pay in commissions is definitely not worth the hit to my reputation. Glad to see others like you doing the ethical thing.
I was with Bluehost for many years. Didn’t have many issues. However they talked me into “upgrading” at a very significant cost, for 3 years in advance. They put me on a server they later admitted had a serious bug that resulted in hundreds of false cron job errors hitting my mail box every day.
They refused to change me to another server, and I had six months of hell while they failed to fix the problem.
In the end I took all my sites to a local host in Australia, and got a refund for the unused portion of the hosting.
I couldn’t possibly recommend Bluehost. Well, maybe to my worst enemy 🙂
I pay $14/mo with Bluehost for hosting, and I’m due for renewal in a few days. I’ve asked them previously why I’m paying so much and they said the 3.95 deal is for newcomers, which I think is crap. If I’m not happy with what they offer me, I’m walkin’!
You’re not stuck there. 🙂
I use Siteground, Dreamhost, and Lumarpages.
The last will be phased out due to security errors like you described. Hours of lost productivity due to Lunarpages and their tech support took 72+ hours between replies to make progress.
I like both Sitegound and Dreamhost for my needs. Customers service response times are impressive, and solutions have worked.
I had an old Optimize press that got hacked and infected all my domains a few years ago, and both dreamhost and Siteground were great at guiding me to a fix after updating.
I am recommending to my group to leave lunarpages and decide between siteground and dreamhost.
So. I have to chime in here as this stuff has always been “my bag”
I currently use WPengine for my main site. I have just taken a look at SiteGround and the offer seemed attractive, not least because it allows unlimited sites. So I asked a presales guy the question of can I increase disk space when/if I run out and the answer is NO.
You may wonder why I think this is fundamentally a big issue….the fact you can run unlimited sites is no longer true. You can run unlimited sites UP to the disk space you have. So on a geek plan 30GB.
The geek plan currently at £20 a month would then need to be upgraded to a cloud plan. The entry level is double that £40+ and you get LESS space, 10GB less in fact. However Siteground pointed out I can upgrade the disk space on cloud plans. So now we are looking at £50+ per month JUST to get the extra space.
The sales/support guy was nice and friendly but it took a while for him to see and accept my points above. They really need to fix this I think. Im still on the fence.
Interesting. My only point, really, is that 30GB is a lot of space. If all you have is the database, the core files, and some images, then it’d take a LOONNNG time to fill up 30GB. As for videos, you really shouldn’t be hosting them there anyway.
I’ve used HostGator for years and I can say the service has indeed decreased in everything but I still use them to teach how to use cPanel and I only host things that aren’t that important.
I’m currently evaluating a few different hosting companies including SiteGround and DreamHost and I’ve had fantastic results with them and both options are really affordable.
I just cancelled an account I was using for a membership site at MediaTemple and I don’t recommend them. At some point, my site got infected with malware (an OP site that was completely healthy when I moved it over) and they neglected to move a finger if I didn’t pay for the clean out service (when even HostGator removes this kind of stuff for you for free, given that it only happens to you once or so).
I have never used WPEngine before but I know from several other marketers that if you can pay for it, it’s an absolute must have but at the same time, I have heard the same exact thing from LiquidWeb as well but I still haven’t used them either.
As far as I have tested both SiteGround and DreamHost, you can’t go wrong with either one of those, hope that helps a bit.
I used to use JustHost web hosting. I moved to it from fasthosts.co.uk (Avoid at all costs.) in November 2010. In 2010/11 JustHost were great; they were quick, competent, responsive…
By 2014 the service was suffering, and I was hacked in July of that year. I put things right, and at the same time I notified JustHost that I’d been hacked. Their response was to attempt to sell me security software at an inflated price. I declined, and installed Stop Spammers Plugin and WordFence – free.
From April 2015 the server started experiencing frequent periods of downtime. I mentioned this to JustHost multiple times. Eventually in June they took the server (Just 118) offline for a few hours and claimed the problem was fixed. – It wasn’t; in fact it was worse, with multiple periods of down time of between 10 minutes and 3 hours daily. I contacted them repeatedly about this again, and eventually thy finally fixed the server… The company then experienced a DDOS attack; which put my site offline for 2 days. Around the same time as I was hacked again in July.
I analysed the hack used, the method of implementation, the server-logs… I realised that to inject the small script which was supposed to redirect my visitors to a malware-infested download, both of my security programs would need to be temporarily disabled for a cross-site scripting attempt to be successful, and therefore I gathered that it had been injected directly on to the server on an insider level but had been deactivated and rendered harmless by a WordFence malware-scan; even though my site was brought down as a result.
Again I contacted JustHost about the hack; this time sure that the hack was implemented at the server itself. JustHost’s response was again to try to sell me overpriced security software. It appeared to me that they may well have deliberately hacked my site in order to get me to purchase their software.
I questioned them, put my suspicions to them – which they didn’t deny exactly; they just stated that they had no idea how my site was hacked; but that it wouldn’t have been hacked if I was using adequate protection. They also assure me that te server was fixed now, and I wouldn’t be experiencing the regular periods of downtime I’d been experiencing.
I left JustHost for SiteGround shortly afterwards. JustHost still host 1 of my inactive domains; that’s all: I moved 3 domains to SiteGround. The first of those they transferred for free, the other 2 I paid a nominal fee to have them transfer hosting.
SiteGround are great. I am one of the people David is talking about when he said in the article above :
“Then, it began to happen inside the Blog Monetization Lab itself. Several of my Lab members moved to SiteGround (before I ever recommended it) and were very happy with it.”
There’s no more to be said really.
I switched to SiteGround a couple of months ago. I like their weekly “clean’ alerts. My site has gone down twice, but both were easy fixes. Their customer service was very helpful and the issues resolved quickly. Oh, and they are patient! They speak in layman’s terms and not “tech speak”. I know social media like the back of my hand, but I am not really tech savvy. I need crystal clear instructions.
David, my experience is very similar to yours. After using Bluehost for several sites for years, and recommending them to others, I started getting frustrated. Downtime was increasing – there was one weekend when my sites were down for nearly 48 hours with no explanation given – and there were other issues.
I contacted support via chat one evening because Google was telling me they couldn’t find my robots.txt file. In the course of the chat, the rep continually typed it as “robot.txt” and indicated that he didn’t have a clue what I was talking about. Finally, he announced there was no “robot.txt” file and hung up on me.
That was it for me. I’ve now moved all my shared hosting to Siteground and have been very happy with them.
Great post David – love that you’re being so transparent about this. I had the same thing happen with Bluehost about 4 years ago and had to stop recommending them too. Hoping more affiliates follow suit as their service has really suffered since EIG took over.
I’m with A2Hosting now but going to take a look SiteGround on your recommendation 🙂
David, to say that “It was as if there was zero concern at all that their system just got hacked” is like saying that you called the dealer that you leased your vehicle from and informed them that someone was breaking into your car right now and you wanted them to do something about it. They would respond, “Uhhh, it’s your car, call the police, it’s your problem not ours.” Your WordPress site is your responsibility, not Blue Host’s. They provide you a platform of server resources to set up a WordPress account and give you the full reins to alter it however you like. If they were responsible for securing every customer’s websites and all the different ways a customer (who has full control of how their WordPress site is customized) can alter a default WordPress site, all the plugins, the custom code, well they would have to charge you for that and they would be running your website, not you. I think your blame on Bluehost is misplaced. Full disclosure: I am a Bluehost customer but I have never received any referral fees.
I understand that. I have been in this business a long time, and I am very familiar with the technical side of web programming, scripting, databases, hosting, and the server environment. So, I know better than most that there is always client responsibility as well.
But, to be clear:
(1) The site that got hacked was not Wordpress. In fact, it isn’t even a public site. It is a private system I use internally in my business that I happen to host there. Nobody would have even known it was there unless they were able to scan the server, at the server level, and find it. That’s an environment issue.
(2) That says nothing about the way Bluehost handled it, which was at best lackluster. Even IF one could blame my site specifically, I would expect Bluehost to take it more seriously. After all, a software vulnerability that allows access to the file system would put the whole server at risk, not just my little folder on the server.
To fix your analogy, it would be like paying a parking facility to keep your car for you. A parking facility that promises secure, reliable service. Then, your car gets ransacked. You take it up with the parking people and they say to change your locks or something. Its just… irresponsibility.
If Bluehost had taken it seriously, this post wouldn’t be here. But, they didn’t. It was clear that the only priority was to close the ticket as fast as they could.
I see that I made some false presumptions David. Do you know how they got in? If so, how sure are you that that is the way the hackers compromised your account?
The following story of my experience may shed light upon some answers to your questions.
I used to be with JustHost; another EIG-owned company. I joined in 2010, before EIG had anything to do with it. In 2014 – after EIG took over – I was hacked; despite having reliable security software running. I reported that my site was down and was told that I’d been hacked but that my security software was inadequate. – However JustHost had just what I needed: XXX-super-duper-security-software for so many zillion dollars, that I’d never heard of, but that would make my site totally secure… I declined their kind offer.
I toghened up my security in my own way by running more than one piece of security software. The next thing that happened was a DDOS attack which took down the whole ‘Just 118’ server and lasted 3 days. After that there were daily periods of sporadic downtime. Despite complaints, and a claim from JH that they’d fixed the problem, these continued, and every time the Filipino helpdesk staff escalated the issue when I complained, they asked me to jump through hoops to comply with procedures, yet still nothing improved.
I was on the verge of leaving when 6 weeks later I was informed that the ‘Just 118’ server had undergone a major overhaul. Sure enough it was working properly again and with no downtime whatsoever.
Then I was hacked again, and offered overpriced security software again. Over the next 2 weeks I proved to them by a process of deduction and logic that my server had been attacked from inside the facility, the multiple security routines disabled from the server itself, and a script injected.
They couldn’t really deny it – as the logical evidence was staring them in the face – so they tried to change the subject after asking me to prove my claims as a fact so that they could take action on it.I told them that they were a waste of time and that I was leaving, They made various offers of free unheard-of software in an attempt to get me to not leave. I left and joined SiteGround.
Hi, David.
I’m a fan of your website, but there two web services that are really good. i have not heard from you about them.
WordPress Themes From Thrive Theme, They amazing content and page builder much easier than OptimizePress and Lead Pages.
And second: Media Temple Hosting is very good. when it comes to caching the website.
I like Thrive Themes. Never used MediaTemple, but I am aware of them.
I would also stay away from Hostgator. I’ve used them for years with no problems, but in the last year or so, things have gone down hill – they used to respond to support requests within one day. Now you are lucky if you hear anything in three days, and it seems they don’t read your support inquiries. Just five cents while on the topic of changing hosts.
They’re also EIG, so not a lot of difference between them and Bluehost.
I am seeing similar issues with degraded support and SLOW responses on problems. It’s a key lesson for all of us about keeping customer support HIGH and not going after profit at the expense of our brand.
After being with Bluehost for years I made the switch to SiteGround early this year. What attracted me was the proprietary caching system they have built. Pages that used to take 10+ seconds to load with Bluehost only take about 1 second to load with SiteGround. In addition, a couple of support emails I have had to submit have been responded to, and satisfactorily resolved, in about 10 minutes. So far I’m impressed.
Note that they have just pulled back their affiliate program from Commission Junction, now running it directly.
Yeah, that’s great. WPEngine has a caching system like that, too, and it makes a real difference. But, really cool to see that SiteGround has it too and it costs less than WPE.
Hi David,
So true. When you compare Bluehost with WP Engine, it doesn’t come any closer.
What I really like about WP engine is it offers regular backups and gives you free restoration of service just in case if your site gets hacked.
And I also know the fact that, sites hosted on it are rarely get hacked because they use advanced security metrics.