X
Tech
Why you can trust ZDNET : ZDNET independently tests and researches products to bring you our best recommendations and advice. When you buy through our links, we may earn a commission. Our process

'ZDNET Recommends': What exactly does it mean?

ZDNET's recommendations are based on many hours of testing, research, and comparison shopping. We gather data from the best available sources, including vendor and retailer listings as well as other relevant and independent reviews sites. And we pore over customer reviews to find out what matters to real people who already own and use the products and services we’re assessing.

When you click through from our site to a retailer and buy a product or service, we may earn affiliate commissions. This helps support our work, but does not affect what we cover or how, and it does not affect the price you pay. Neither ZDNET nor the author are compensated for these independent reviews. Indeed, we follow strict guidelines that ensure our editorial content is never influenced by advertisers.

ZDNET's editorial team writes on behalf of you, our reader. Our goal is to deliver the most accurate information and the most knowledgeable advice possible in order to help you make smarter buying decisions on tech gear and a wide array of products and services. Our editors thoroughly review and fact-check every article to ensure that our content meets the highest standards. If we have made an error or published misleading information, we will correct or clarify the article. If you see inaccuracies in our content, please report the mistake via this form.

Close

HostGator review: Good performance, bad security web hosting

If you want to set up a simple website as an online brochure, HostGator should be fine. But if you want users to login or pay for something through your site, do not use this hosting provider's base plan.
Written by David Gewirtz, Senior Contributing Editor

If you're looking for a web hosting provider, you have a tremendous number of choices. In my Best web hosting providers for 2021, I looked at 15 providers who offer a wide range of plans.

To get a better feel for each individual provider, I set up the most basic account possible and performed a series of tests. In this article, we're going to dive into HostGator's offerings. Stay tuned for in-depth looks at other providers in future articles.


HostGator at a glance


HostGator was founded in 2002 by a student at Florida Atlantic University (hence the "gator" in HostGator). Today, HostGator is one of nearly 100 web hosting brands owned by Endurance International Group (EIG).

EIG was in the news in 2018, when the Times of India reported that its former CEO and CFO were charged by the US Securities and Exchange Commission for "overstating the company's subscriber base." The company agreed to pay an $8 million penalty without admitting fault.

UPDATE: HostGator reached out to us requesting changes to the Quick Security Checks section of this article. Their comments and our responses are included inline in that section.

Because there's such variability among plans and offerings among hosting providers, it's hard to get a good comparison. I've found that one of the best ways to see how a provider performs is to look at the least expensive plan they offer. You can expect the least quality, the least attention to detail, and the least performance from such a plan.

If the vendor provides good service for the bottom-shelf plans, you can generally assume the better plans will also benefit from similar quality. In the case of HostGator, there were some bright spots, some annoyances, and some serious security concerns.

For the series of hosting reviews I'm doing now, I'm testing the most basic, most entry-level plan a vendor is offering. In the case of HostGator, that's what they call their Hatchling plan. To get pricing, I simply went to the company's main site at HostGator.com. If you want to save some money, though, read to the end of this section.

Like nearly every hosting provider in the business, their offering is somewhat misleading. There is no option to just get billed $2.75 per month. Notice the all-powerful asterisk next to the price.

While it looks like you can get the Hatchling plan for $2.75 per month, that's only if you prepay for three full years, which means you're actually paying $105.35. If you want only one year, you're charging $76.11 to your card (which is $5.95 per month). If you want to buy the service on a month-by-month basis, you're paying $10.95 per month.

When you hit the Buy Now button, the company pre-populates a one year subscription with optional add-ons for site monitoring and backup, adding $43.94 to the bill (but you can uncheck these options).

There's a painful gotcha to these "starting at" prices. When you renew, you're going to pay more. This, too, is not uncommon for hosting plans and is a practice I strongly wish the hosting industry would stop. Instead of paying $105.35 for three years, upon renewal you'll be paying a whopping $250.20 on a single credit card charge, a price increase that's more than double the original price.

What the base plan includes

As with most hosting vendors these days, HostGator claims unlimited disk space, unlimited bandwidth, and unlimited email. In practice, these unlimited values are limited in the terms of service. You can't use your unlimited storage as a giant backup tank where you dump gigabytes of video, for example. They also state, "HostGator expressly reserves the right to review every shared account for excessive usage of CPU, disk space and other resources that may be caused by a violation of this Agreement or the Acceptable Use Policy."

In other words, don't abuse the resources you're buying, and buy the level of plan reasonably commensurate with your expected usage. If you're about to run a big, national promotion where you expect lots of traffic, you might not want to use the Hatchling plan. If you get too much traffic, HostGator might shut you down or bill you a lot more.

Their terms of service continue, "HostGator may, in our sole discretion, terminate access to the Services, apply additional fees, or remove or delete User Content for those accounts that are found to be in violation of HostGator's terms and conditions."

The base-level plan has some compelling features. First, and this is important as we move forward in a quest for a more secure web, is the availability of free SSL for your site. This adds that little lock icon to your browser's address bar and makes sure traffic between your site and your visitors is encrypted.

The company also offers 24/7/365 support which not only includes ticket and chat but phone support as well. While you're only able to use one domain, you can use as many subdomains as you wish. The company also provides a coupon for $100 in Google ads and another $100 in Bing ads. While you probably won't get enough ad hits to cover your cost of hosting, it will help you get your feet wet in the world of Google and Bing advertising.

Dashboard access

The first thing I like to do when looking at a new hosting provider is explore their dashboard. Is it an old friend, like cPanel? Is it some sort of cobbled-together home-grown mess? Or is it a carefully crafted custom dashboard? These are often the ones that worry me the most because they almost always hide restrictions that I'm going to have to work around somehow.

When you first log into HostGator's dashboard, you're greeted with their customer portal. Here you can manage your credit card information, get support, and -- most important, apparently -- buy the upsell options they offer.

image1.png

This is not the only dashboard you'll be using. The main dashboard is cPanel, which is common to many, many sites across the Web. While cPanel can be frustrating at times, it's a very capable interface that lets you manage all aspects of your site.

It took a surprisingly long time for cPanel to launch, almost a full minute. What's a little more bothersome, though, is the range of additional upsells in the middle of cPanel. cPanel is usually pretty predictable and seeing almost as many ads and upsells as management options were tedious.

image3.png

Installing WordPress

There are certainly other content management and blogging applications you can use besides WordPress. That said, since 32 percent of the entire Web uses WordPress, it's a good place to start. WordPress sites can be moved from hosting provider to hosting provider, so there's no lock-in. And by testing a site built with WordPress, we can get some consistency in our testing between hosting providers.

I went ahead and clicked the Build a New WordPress Site button on the main cPanel page… and got hit with another page of upsell promotions:

image11.png

At $399, prices were really starting to climb from that tasty little $2.75 offer the company promoted. The promos on this setup page didn't say what theme they'd be installing. WordPress does come with a nice set of free themes, and most themes are relatively inexpensive. I tried to figure out what the $399 program was for, but as far as I can tell, it's simply setting up WordPress, which is usually about a five-minute process.

The difference between the $199 and $399 program was the addition of SEO and WordPress site security. To be fair, most WordPress security plugins and add-ons cost about a hundred bucks a year, and there are premium SEO plugins that can cost a similar amount. But without going all the way through the checkout, it wasn't clear what tools HostGator was providing in return for its almost $400 of upsell.

My advice is to skip these upsells. Simply install WordPress, get to know your site, and then start with a tool like Wordfence or Sucuri to keep your site protected.

Once I entered my user name and domain, I was… wait for it… presented with another upsell:

image8.png

I went ahead and hit the login button, and… it failed:

image5.png

I took a quick look at the File Manager and determined that the WordPress install appeared to be in place. So, instead of using HostGator's login button, I just used the standard WordPress admin URL, which is domain.com/wp-admin. This worked.

I was, however, no longer surprised to find more upsells. In this case, the entire main dashboard page -- going well below the scroll of the page -- had upsells.

image2.png

There seems to be a big push for using a number of plugins that are either freemium or affiliate-based. Jetpack is produced by Automattic, the company behind WordPress. It also has an affiliate program.

My guess is that HostGator is pre-installing plugins where they get some affiliate revenue. There's nothing particularly wrong with that, but plastering these upsells in the middle of configuration screens is getting old.

HostGator also dropped in a plugin for something called Mojo Marketplace. This, too, had pages and pages of upsells, this time for themes.

image9.png

With all the added plugins, junk, and upsell, it's no wonder that the site initially failed when I hit the site login button from the HostGator dashboard.

Let me be clear. There is nothing wrong with using lots of plugins on a WordPress site. That's one of WordPress's biggest strengths. But filling a site with crapware before it's even live is nothing but a distraction, can add a considerable amount of confusion to new users, and may cause potential problems in terms of functionality. Plus, it's just rude.

Quick security checks

Security is one of the biggest issues when it comes to operating a website. You want to make sure your site is safe from hackers, doesn't flag Google, and can connect securely to payment engines if you're running an e-commerce site of any kind. You also don't want to distribute malware to your visitors. That's bad.

While the scope of this article doesn't allow for exhaustive security testing, there are a few quick checks that can help indicate whether HostGator's most inexpensive platform is starting with a secure foundation. Here's the tl;dr: it's not. This thing is dangerously insecure.

The first of these quick checks is multifactor authentication. It's way too easy for hackers to just bang away at a website's login screen and brute-force a password. One of my sites has been pounded on for weeks by some hacker or another, but because I have some relatively strong protections in place, the bad actor hasn't been able to get in.

Unfortunately, I have to ding HostGator for what I consider a pretty serious security flaw. When you log into their customer portal, all you need to provide is a username and password. However, if you want to ask support questions and get answers, you do need to set up a support PIN. This is a partial step forward. The problem is that if you're able to log into the main management account, you can change the email address associated with it, and then have a new support PIN sent out. The bottom line is without a second factor for login authentication, the PIN is essentially worthless.

Secondly, according to the support person I reached out to on chat, HostGator's cPanel implementation also does not support multi-factor authentication, at least in the lower-end accounts.

image4.png

Multi-factor authentication should never be an upsell option or provided only for premium accounts. It takes very little effort for a hosting provider to enable it. Not only does it protect the individual customers using the feature, but it also protects all the customers of the hosting provider. That's because most shared hosting servers share IP addresses. If a spammer or scammer hijacks a shared hosting account and that account is blocked, it's entirely possible that all the accounts sharing that IP or that IP's larger block of numbers will be blocked as well.

I strongly recommend that HostGator implement MFA for all accounts immediately, for their benefit as well as that of their customers.

I mentioned earlier that HostGator provides a free SSL certificate. They're using Let's Encrypt, a program that provides free, automated SSL certificates. Let's Encrypt is enabled by default, so once you set up a website, all you need to do is use your https:// in your URL to provide encrypted URLs for your visitors.

As my last quick security check, I like to look at the versions of some of the main system components that run web applications. To make things easy, I chose four components necessary to safe WordPress operation. While other apps may use other components, I've found that if components are up-to-date for one set of needs, they're usually up to date across the board.

Here are my findings derived from the HostGator versions page and a pleasant tech support conversation, as of the day I tested [in July 2019], for HostGator's Hatchling plan:

Component

Version Provided

Current Version

How Old

PHP

7.4

7.4.14 (8.0 is still a bit new)

reasonably current 

MySQL

5.6.x

8.0.23

8 years / 2904 days (end of support is Feb 21)

cURL

7.19.7

7.75

11.3 years / 4124 days

OpenSSL

 1.0.1e-fips 11

1.0.2t (and 1.1.1)

7.1 years / 2592 days

The cURL library, which is meant for data transfer, particularly of secure information, is vastly and woefully out of date. A quick look at the cURL release table shows there have been thousands of bugs fixed and hundreds of vulnerabilities resolved since the version of cURL being provided by HostGator was released back in 2009. That's more than a decade old. That would be like walking around today with an iPhone 3GS and running Windows Vista on your PC!

UPDATE: HostGator told us, "cURL does list an older raw version, but RedHat/CentOS backport security patches and we update all servers at least daily. This is standard for RedHat/CentOS and expected behavior." This is actually a very interesting process. Red Hat does go back to older versions of standard Linux software and port security fixes, as HostGator stated. However, even with security fixes applied, offering a nearly 10-year-old version of cURL will provide website owners with ongoing compatibility challenges, particularly with payment gateways.

The company supports OpenSSL 1.0.1e-fips 11, where the absolutely most current version is 1.1.1. The gotcha is that when OpenSSL went to 1.1, it broke a lot of code. As a result, the OpenSSL project is updating both the 1.0.2 branch and the 1.1 branch. I know, it's enough to give you a headache. Here, despite all the version number confusion, there's one fact you need to know: the version of OpenSSL HostGator is supplying is also vastly out of date.

UPDATE: HostGator told us, "OpenSSL also lists an older raw version, but again RedHat backports security patches and we ensure daily updates." This is the same backporting process Red Hat uses for cURL. It means that while security flaws have been updated, the version and its compatibility is still nearly a decade old.

HostGator is using version 5.6 of MySQL. While MySQL supports many versions, the latest is 8.0. HostGator's MySQL implementation is eight years old.

UPDATE: HostGator told us, "All HG boxes have MySQL 5.6 or higher. The article reports 5.5, which hasn't been in place for a long time." While this was the version shown on HostGator's own versions page when the article was written, we're glad to see MySQL has been updated.

What's worse, each of the versions of these packages are below WordPress's minimum requirements

Because MFA is not available and because many of these versions (even with backported security updates) will cause modern software to fail, we consider HostGator a less than optimal choice for e-commerce or any security-related site.

Performance testing

Next, I wanted to see how the site performed using some online performance testing tools. It's important not to take these tests too seriously. We're purposely looking at the most low-end offerings of hosting vendors, so the sites they produce are expected to be relatively slow.

That said, it's nice to have an idea of what to expect, and that's what we're doing here. The way I test is to use the fresh install of WordPress and then test the "Hello, world" page, which is mostly text, with just an image header. That way, we're able to focus on the responsiveness of a basic page without being too concerned about media overhead.

One note: normally I wouldn't test a site with all the crapware plugins installed. But since most users who buy these plans probably won't know how to remove the plugins or which plugins are safe to remove, I tested performance with those plugins installed. I fully expected performance numbers to take a hit from all that added cruft, but I was wrong. The performance wasn't bad at all.

First, I ran two Pingdom Tools tests, one hitting the site from San Francisco and the second from Germany. Here's the San Francisco test rating:

image13.png

And here's the same site from Germany:

image7.png

Next, I ran a similar test using the Bitchatcha service:

image6.png

Finally, I hit the site with Load Impact, which sends 25 virtual users over the course of three minutes to the site and then measures the responsiveness.

image14.png

The Load Impact test was also somewhat unexpected. At the beginning of the test, some page load times took longer than they should. But as the number of virtual users climbed, responsiveness settled into a nice rhythm.

While lower-end hosting plans often have spotty performance, this was a good showing. Most lower-end plans, including the one we're testing, share server resources with other customers. So, at times of heavy activity, if one site is seeing heavy usage, the other sites may suffer. I'm testing this site on a Sunday afternoon, which is a relatively slow period in web hosting terms, but even so, the performance for this bottom-end site was unexpectedly reasonable.

Support responsiveness

I only needed to contact support once, through the chat interface. I was connected to someone within about five minutes. It took a few more minutes to establish a support PIN, but then I got my answer quickly.

For a Sunday afternoon, it was a complete, reasonably knowledgeable answer. I've certainly experienced far worse support.

Overall conclusion

You never want to get your expectations too high for a bottom-end plan. The economics of running such a super-cheap offering is that the provider has to make it up on volume. Professional and enterprise hosting plans with lots of traffic and performance must, out of necessity, cost more.

The only way to truly know what it's like to use a service is to run a live website on it for a few years. That said, I was both pleased and disappointed with HostGator's showing.

I found my interactions with HostGator's customer portal and cPanel to be sluggish. It often took 30 seconds to a minute for a click to process through to a result.

On the other hand, the performance of the site being hosted by HostGator, the site you're paying for and want to be highly performant, was quite good.

HostGator's relatively constant upsell, especially within the configuration and operational aspects of the control panel proved intrusive. The company installed way too many plugins in the default WordPress install, which not only caused the initial login to fail, but might make it far more confusing for new users.

Finally, the company's lack of support for modern security protocols and login security is deeply disturbing. They're letting hundreds of thousands of customers launch websites with woefully out-of-date security software. Given that the security libraries are free and open source, there's just no supportable reason for HostGator to be lax on this most important aspect of Web security.

The company offers a 45-day money-back guarantee, which is reasonable.

The bottom line is this: if you want to set up a simple website as an online brochure, HostGator should be fine. But if you want users to log in to or pay for something through your site, do not use this plan.


You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

Editorial standards