If you're looking for a web hosting provider, you have a tremendous number of choices. In my Best web hosting providers for 2019, I looked at 15 providers who offer a wide range of plans.
To get a better feel for each individual provider, I set up the most basic account possible and performed a series of tests. In this article, we're going to dive into HostGator's offerings. Stay tuned for in-depth looks at other providers in future articles.
HostGator at a glance
- Shared hosting starting at $2.75 /mo.
- Cloud hosting starting at $4.95 /mo.
- WordPress hosting starting at $5.95 /mo.
- Reseller hosting starting at $19.95 /mo.
- VPS hosting starting at $29.95 /mo.
- Dedicated servers starting at $119 /mo.
HostGator was founded in 2002 by a student at Florida Atlantic University (hence the "gator" in HostGator). Today, HostGator is one of nearly 100 web hosting brands owned by Endurance International Group (EIG).
EIG was in the news in 2018, when the Times of India reported that its former CEO and CFO were charged by the US Securities and Exchange Commission for "overstating the company's subscriber base." The company agreed to pay an $8 million penalty without admitting fault.
UPDATE: HostGator reached out to us requesting changes to the Quick Security Checks section of this article. Their comments and our responses are included inline in that section.
How pricing really works
Because there's such variability among plans and offerings among hosting providers, it's hard to get a good comparison. I've found that one of the best ways to see how a provider performs is to look at the least expensive plan they offer. You can expect the least quality, the least attention to detail, and the least performance from such a plan.
If the vendor provides good service for the bottom-shelf plans, you can generally assume the better plans will also benefit from similar quality. In the case of HostGator, there were some bright spots, some annoyances, and some serious security concerns.
For the series of hosting reviews I'm doing now, I'm testing the most basic, most entry-level plan a vendor is offering. In the case of HostGator, that's what they call their Hatchling plan. To get pricing, I simply went to the company's main site at HostGator.com. If you want to save some money, though, read to the end of this section.
Like nearly every hosting provider in the business, their offering is somewhat misleading. There is no option to just get billed $2.75 per month. Notice the all-powerful asterisk next to the price.
While it looks like you can get the Hatchling plan for $2.75 per month, that's only if you prepay for three full years, which means you're actually paying $105.35. If you want only one year, you're charging $76.11 to your card (which is $5.95 per month). If you want to buy the service on a month-by-month basis, you're paying $10.95 per month.
When you hit the Buy Now button, the company pre-populates a one year subscription with optional add-ons for site monitoring and backup, adding $43.94 to the bill (but you can uncheck these options).
There's a painful gotcha to these "starting at" prices. When you renew, you're going to pay more. This, too, is not uncommon for hosting plans and is a practice I strongly wish the hosting industry would stop. Instead of paying $105.35 for three years, upon renewal you'll be paying a whopping $250.20 on a single credit card charge, a price increase that's more than double the original price.
Here's another way to save money. If you come in through the affiliate link in CNET's hosting providers directory, you get access to slightly lower prices on a per-month basis.
Even though you can get a deal through that affiliate link, when your initial period ends, you'll still be expected to pay the full renewal price for another three full years.
I harp on high renewal fees in my coverage of hosting vendors for two key reasons. First, it's a really nasty feeling suddenly getting a bill that's hundreds or even thousands of dollars (depending on the plan) more than you expect. Second, switching from one hosting provider to another hosting provider can be a very time-consuming and possibly expensive job, fraught with hassles and potential points of failure.
Unfortunately, while not a universal practice, at least half of the hosting vendors I've looked at over the years do these promo deals, with big jumps in renewal fees once they have you locked in.
What the base plan includes
As with most hosting vendors these days, HostGator claims unlimited disk space, unlimited bandwidth, and unlimited email. In practice, these unlimited values are limited in the terms of service. You can't use your unlimited storage as a giant backup tank where you dump gigabytes of video, for example. They also state, "HostGator expressly reserves the right to review every shared account for excessive usage of CPU, disk space and other resources that may be caused by a violation of this Agreement or the Acceptable Use Policy."
In other words, don't abuse the resources you're buying, and buy the level of plan reasonably commensurate with your expected usage. If you're about to run a big, national promotion where you expect lots of traffic, you might not want to use the Hatchling plan. If you get too much traffic, HostGator might shut you down or bill you a lot more.
Their terms of service continue, "HostGator may, in our sole discretion, terminate access to the Services, apply additional fees, or remove or delete User Content for those accounts that are found to be in violation of HostGator's terms and conditions."
The base level plan has some compelling features. First, and this is important as we move forward in a quest for a more secure web, is the availability of free SSL for your site. This adds that little lock icon to your browser's address bar and makes sure traffic between your site and your visitors is encrypted.
The company also offers 24/7/365 support which not only includes ticket and chat, but phone support as well. While you're only able to use one domain, you can use as many subdomains as you wish. The company also provides a coupon for $100 in Google ads and another $100 in Bing ads. While you probably won't get enough ad hits to cover your cost of hosting, it will help you get your feet wet in the world of Google and Bing advertising.
The first thing I like to do when looking at a new hosting provider is explore their dashboard. Is it an old friend, like cPanel? Is it some sort of cobbled-together home-grown mess? Or is it a carefully crafted custom dashboard? These are often the ones that worry me the most, because they almost always hide restrictions that I'm going to have to work around somehow.
When you first log into HostGator's dashboard, you're greeted with their customer portal. Here you can manage your credit card information, get support, and -- most important, apparently -- buy the upsell options they offer.
This is not the only dashboard you'll be using. The main dashboard is cPanel, which is common to many, many sites across the Web. While cPanel can be frustrating at times, it's a very capable interface that lets you manage all aspects of your site.
It took a surprisingly long time for cPanel to launch, almost a full minute. What's a little more bothersome, though, is the range of additional upsells in the middle of cPanel. cPanel is usually pretty predictable and seeing almost as many ads and upsells as management options was tedious.
There are certainly other content management and blogging applications you can use besides WordPress. That said, since 32 percent of the entire Web uses WordPress, it's a good place to start. WordPress sites can be moved from hosting provider to hosting provider, so there's no lock-in. And by testing a site built with WordPress, we can get some consistency in our testing between hosting providers.
I went ahead and clicked the Build a New WordPress Site button on the main cPanel page… and got hit with another page of upsell promotions:
At $399, prices were really starting to climb from that tasty little $2.75 offer the company promoted. The promos on this setup page didn't say what theme they'd be installing. WordPress does come with a nice set of free themes, and most themes are relatively inexpensive. I tried to figure out what the $399 program was for, but as far as I can tell, it's simply setting up WordPress, which is usually about a five minute process.
The difference between the $199 and $399 program was the addition of SEO and WordPress site security. To be fair, most WordPress security plugins and add-ons cost about a hundred bucks a year, and there are premium SEO plugins that can cost a similar amount. But without going all the way through the checkout, it wasn't clear what tools HostGator was providing in return for its almost $400 of upsell.
Once I entered my user name and domain, I was… wait for it… presented with another upsell:
I went ahead and hit the login button, and… it failed:
I took a quick look at the File Manager and determined that the WordPress install appeared to be in place. So, instead of using HostGator's login button, I just used the standard WordPress admin URL, which is domain.com/wp-admin. This worked.
I was, however, no longer surprised to find more upsells. In this case, the entire main dashboard page -- going well below the scroll of the page -- had upsells.
There seems to be a big push for using a number of plugins that are either freemium or affiliate-based. Jetpack is produced by Automattic, the company behind WordPress. It also has an affiliate program.
My guess is that HostGator is pre-installing plugins where they get some affiliate revenue. There's nothing particularly wrong with that, but plastering these upsells in the middle of configuration screens is getting old.
HostGator also dropped in a plugin for something called Mojo Marketplace. This, too, had pages and pages of upsells, this time for themes.
With all the added plugins, junk, and upsell, it's no wonder that the site initially failed when I hit the site login button from the HostGator dashboard.
Let me be clear. There is nothing wrong with using lots of plugins on a WordPress site. That's one of WordPress's biggest strengths. But filling a site with crapware before it's even live is nothing but a distraction, can add a considerable amount of confusion to new users, and may cause potential problems in terms of functionality. Plus, it's just rude.
Quick security checks
Security is one of the biggest issues when it comes to operating a website. You want to make sure your site is safe from hackers, doesn't flag Google, and can connect securely to payment engines if you're running an ecommerce site of any kind. You also don't want to distribute malware to your visitors. That's bad.
While the scope of this article doesn't allow for exhaustive security testing, there are a few quick checks that can help indicate whether HostGator's most inexpensive platform is starting with a secure foundation. Here's the tl;dr: it's not. This thing is dangerously insecure.
The first of these quick checks is multifactor authentication. It's way too easy for hackers to just bang away at a website's login screen and bruteforce a password. One of my sites has been pounded on for weeks by some hacker or another, but because I have some relatively strong protections in place, the bad actor hasn't been able to get in.
Unfortunately, I have to ding HostGator for what I consider a pretty serious security flaw. When you log into their customer portal, all you need to provide is a username and password. However, if you want to ask support questions and get answers, you do need to set up a support PIN. This is a partial step forward. The problem is that if you're able to log into the main management account, you can change the email address associated with it, and then have a new support PIN sent out. The bottom line is without a second factor for login authentication, the PIN is essentially worthless.
Secondly, according to the support person I reached out to on chat, HostGator's cPanel implementation also does not support multi-factor authentication, at least in the lower-end accounts.
Multi-factor authentication should never be an upsell option, or provided only for premium accounts. It takes very little effort for a hosting provider to enable it. Not only does it protect the individual customers using the feature, it also protects all the customers of the hosting provider. That's because most shared hosting servers share IP addresses. If a spammer or scammer hijacks a shared hosting account and that account is blocked, it's entirely possible that all the accounts sharing that IP or that IP's larger block of numbers will be blocked as well.
I strongly recommend that HostGator implement MFA for all accounts immediately, for their benefit as well as that of their customers.
I mentioned earlier that HostGator provides a free SSL certificate. They're using Let's Encrypt, a program that provides free, automated SSL certificates. Let's Encrypt is enabled by default, so once you set up a website, all you need to do is use your https:// in your URL to provide encrypted URLs for your visitors.
As my last quick security check, I like to look at the versions of some of the main system components that run web applications. To make things easy, I chose four components necessary to safe WordPress operation. While other apps may use other components, I've found that if components are up-to-date for one set of needs, they're usually up to date across the board.
Here are my findings derived from the HostGator versions page and a pleasant tech support conversation, as of the day I tested, for HostGator's Hatchling plan:
2.3 years / 840 days
5.6 years / 2067 days
9.7 years / 3557 days
1.0.2s (and 1.1.1)
6.4 years / 2362
The results are worrisome. You need to know the component to know how to read these results. For example, WordPress prefers PHP 7.2. Instead, HostGator defaults to running PHP 5.6.30, a release that's two and a half years old and has been deprecated for the version of WordPress installed by HostGator (5.1.1). It's definitely risky. You can select a different PHP version, up to 7.1, so that's what I listed in the table above. That said, most users won't know to pick a more current version of PHP.
UPDATE: HostGator told us, "All HG boxes (with the exception of OWP) have access to PHP 7.3. All have at least 7.2. As of mid-July, all new customers default to 7.2 or higher."
The cURL library, which is meant for data transfer, particularly of secure information, is vastly and woefully out of date. A quick look at the cURL release table shows there have been thousands of bugs fixed and hundreds of vulnerabilities resolved since the version of cURL being provided by HostGator was released back in 2009. That's a decade old. That would be like walking around today with an iPhone 3GS and running Windows Vista on your PC!
UPDATE: HostGator told us, "cURL does list an older raw version, but RedHat/CentOS backport security patches and we update all servers at least daily. This is standard for RedHat/CentOS and expected behavior." This is actually a very interesting process. Red Hat does go back to older versions of standard Linux software and port security fixes, as HostGator stated. However, even with security fixes applied, offering a nearly 10 year old version of cURL will provide website owners with ongoing compatibility challenges, particularly with payment gateways.
The company supports OpenSSL 1.0.1e-fips 11, where the absolutely most current version is 1.1.1. The gotcha is that when OpenSSL went to 1.1, it broke a lot of code. As a result, the OpenSSL project is updating both the 1.0.2 branch and the 1.1 branch. I know, it's enough to give you a headache. Here, despite all the version number confusion, there's one fact you need to know: the version of OpenSSL HostGator is supplying is also vastly out of date.
UPDATE: HostGator told us, "OpenSSL also lists an older raw version, but again RedHat backports security patches and we ensure daily updates." This is the same backporting process Red Hat uses for cURL. It means that while security flaws have been updated, the version and its compatibility is still nearly a decade old.
HostGator is using version 5.5 of MySQL. While MySQL supports many versions, the latest is 8.0. HostGator's MySQL implementation is nearly six years old.
UPDATE: HostGator told us, "All HG boxes have MySQL 5.6 or higher. The article reports 5.5, which hasn't been in place for a long time." While this was the version shown on HostGator's own versions page when the article was written, we're glad to see MySQL has been updated.
What's worse, each of the versions of these packages are below WordPress's minimum requirements.
UPDATE: In light of HostGator's use of backported security updates, we're going to walk back the following statement. However, because MFA is not available and because many of these versions (even with backported security updates) will cause modern software to fail, we still consider HostGator a less than optimal choice for e-commerce or any security-related site.
Given the vulnerabilities fixed since these versions were released, I have only one recommendation: Do not use HostGator's Hatchling plan for anything e-commerce or security related. Period. Not only are you likely to run into conflicts with the various payment services who no longer support encryption libraries from the Stone Age, you're opening yourself and your potential customers to a vast array of known hacking vulnerabilities.
Next, I wanted to see how the site performed using some online performance testing tools. It's important not to take these tests too seriously. We're purposely looking at the most low-end offerings of hosting vendors, so the sites they produce are expected to be relatively slow.
That said, it's nice to have an idea what to expect, and that's what we're doing here. The way I test is to use the fresh install of WordPress and then test the "Hello, world" page, which is mostly text, with just an image header. That way, we're able to focus on the responsiveness of a basic page without being too concerned about media overhead.
One note: normally I wouldn't test a site with all the crapware plugins installed. But since most users who buy these plans probably won't know how to remove the plugins or which plugins are safe to remove, I tested performance with those plugins installed. I fully expected performance numbers to take a hit from all that added cruft, but I was wrong. Performance wasn't bad at all.
First, I ran two Pingdom Tools tests, one hitting the site from San Francisco and the second from Germany. Here's the San Francisco test rating:
And here's the same site from Germany:
Next, I ran a similar test using the Bitchatcha service:
Finally, I hit the site with Load Impact, which sends 25 virtual users over the course of three minutes to the site, and then measures the responsiveness.
The Load Impact test was also somewhat unexpected. At the beginning of the test, some page load times took longer than they should. But as the number of virtual users climbed, responsiveness settled into a nice rhythm.
While lower-end hosting plans often have spotty performance, this was a good showing. Most lower-end plans, including the one we're testing, share server resources with other customers. So, at times of heavy activity, if one site is seeing heavy usage, the other sites may suffer. I'm testing this site on a Sunday afternoon, which is a relatively slow period in web hosting terms, but even so, the performance for this bottom-end site was unexpectedly reasonable.
I only needed to contact support once, through the chat interface. I was connected to someone within about five minutes. It took a few more minutes to establish a support PIN, but then I got my answer quickly.
For a Sunday afternoon, it was a complete, reasonably knowledgeable answer. I've certainly experienced far worse support.
You never want to get your expectations too high for a bottom-end plan. The economics of running such a super-cheap offering is that the provider has to make it up on volume. Professional and enterprise hosting plans with lots of traffic and performance must, out of necessity, cost more.
The only way to truly know what it's like to use a service is to run a live website on it for a few years. That said, I was both pleased and disappointed with HostGator's showing.
I found my interactions with HostGator's customer portal and cPanel to be sluggish. It often took 30 seconds to a minute for a click to process through to a result.
On the other hand, performance of the site being hosted by HostGator, the site you're paying for and want to be highly performant, was quite good.
HostGator's relatively constant upsell, especially within the configuration and operational aspects of the control panel, proved intrusive. The company installed way too many plugins in the default WordPress install, which not only caused the initial login to fail, but might make it far more confusing for new users.
Finally, the company's lack of support for modern security protocols and login security is deeply disturbing. They're letting hundreds of thousands of customers launch websites with woefully out-of-date security software. Given that the security libraries are free and open source, there's just no supportable reason for HostGator to be lax on this most important aspect of Web security.
The company offers a 45-day money back guarantee, which is reasonable.
The bottom line is this: if you want to set up a simple website as an online brochure, HostGator should be fine. But if you want users to login to or pay for something through your site, do not use this plan.
You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.