Web Hosts: WordPress is here to stay. Adapt!

WordPress is the number one user-installed web app, and its growth is showing no signs of slowing. If you are a web host, and you don’t have a specific strategy for WordPress, you’re likely operating your service inefficiently, and may be opening yourself up to security issues. This is the year to adapt, or be left behind by nimbler upstarts.

Performance

WordPress does not currently ship with any output caching. First, because most blogs never get enough traffic to need it, so it’s not worth the added complexity and configuration that it would add to our relatively nimble core. But also because every environment is different, and what works on one web host may actually degrade performance on another. So we leave it up to the WordPress user to choose whether they need a caching plugin, and which one to run.

As a web host, you know what caching strategies will work best with your server architecture. You have the ability to roll out things like Memcached or APC. You can route image requests to a lightweight web server or a CDN. These changes will result in a better user experience, and they’ll save you money.

Security

All code has bugs. WordPress has had its share of security issues through the years. As a web host, you can help keep your users out in front of security issues instead of just being reactive when someone gets hacked. First, by encouraging, or even demanding, that users upgrade their sites to the newest available version of WordPress. In practice, there aren’t any widespread attacks against the current version of WordPress. The large-scale attacks you see from time to time are against old versions of the software whose users haven’t updated in a while. It is in a web host’s interest to encourage upgrades and reduce the incidence of exploitation.

Because WordPress is so widespread, it also is often the victim of attacks that originated against other software or server misconfiguration. So a bad guy gets in using something else, and then once in, they look for WordPress installs to exploit. You can help users recover from these attacks by aggressively backing up their data and by looking for suspicious files or suspicious code that could indicate that a bad actor is exploiting their WordPress install.
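
The following added example (not part of the original post) shows one way a host could automate both checks described above: it walks a hosting root, reads each install's `wp-includes/version.php` to flag old versions, and lists script files under `wp-content/uploads`. The directory layout, the minimum version `2.9.2`, the function names and the uploads heuristic are assumptions chosen for illustration.

```python
"""Host-side audit: find WordPress installs, flag old versions and PHP in uploads."""
import os
import re
import tempfile

# wp-includes/version.php holds a line such as:  $wp_version = '2.9.2';
WP_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")
SCRIPT_EXTENSIONS = (".php", ".phtml", ".php5")


def parse_version(text):
    """'2.9.2' -> (2, 9, 2); '3.0-beta1' -> (3, 0, 0). Suffixes are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def read_wp_version(install_dir):
    """Return the version string from version.php, or None if unreadable."""
    path = os.path.join(install_dir, "wp-includes", "version.php")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            match = WP_VERSION_RE.search(fh.read())
    except OSError:
        return None
    return match.group(1) if match else None


def find_installs(root):
    """Yield every directory under root that contains wp-includes/version.php."""
    for dirpath, _dirs, _files in os.walk(root):
        if os.path.isfile(os.path.join(dirpath, "wp-includes", "version.php")):
            yield dirpath


def scripts_in_uploads(install_dir):
    """List script files under wp-content/uploads, which should hold only media."""
    uploads = os.path.join(install_dir, "wp-content", "uploads")
    hits = []
    for dirpath, _dirs, filenames in os.walk(uploads):  # yields nothing if absent
        for name in filenames:
            if name.lower().endswith(SCRIPT_EXTENSIONS):
                hits.append(os.path.relpath(os.path.join(dirpath, name), install_dir))
    return sorted(hits)


def audit(root, minimum_version):
    """Return one finding per install: version, outdated flag, odd upload files."""
    floor = parse_version(minimum_version)
    findings = []
    for install in sorted(find_installs(root)):
        version = read_wp_version(install)
        findings.append({
            "path": os.path.relpath(install, root),
            "version": version,
            # An unreadable version file is treated as outdated so it gets reviewed.
            "outdated": version is None or parse_version(version) < floor,
            "scripts_in_uploads": scripts_in_uploads(install),
        })
    return findings


def build_sample_tree(root):
    """Constructed sample data: two customer accounts, one current, one stale."""
    samples = {
        "alice/public_html": ("2.9.2", []),
        "bob/public_html/blog": ("2.8.4", ["2010/05/photo.jpg", "2010/05/thumb.php"]),
    }
    for rel, (version, uploads) in samples.items():
        base = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.join(base, "wp-includes"))
        with open(os.path.join(base, "wp-includes", "version.php"), "w") as fh:
            fh.write("<?php\n$wp_version = '%s';\n" % version)
        for upload in uploads:
            target = os.path.join(base, "wp-content", "uploads", *upload.split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "w") as fh:
                fh.write("constructed sample file\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as hosting_root:
        build_sample_tree(hosting_root)
        # "2.9.2" is an assumed minimum; a host would set the current release.
        for finding in audit(hosting_root, "2.9.2"):
            print(finding)
```

A script file in the uploads directory is a lead to review, not proof of compromise, since some plugins write PHP there.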

What you can do

  • Get your company to abandon the mindset that you’re just a dumb host who doesn’t care what software your users are running. Users want and are willing to pay for a more specialized experience. If you tell them that it’s not your problem, they’re going to go find a service that will support their web hosting needs.
  • Offer WordPress-specific hosting. Specially optimized, prodigiously backed up, with a more locked-down environment. And because it is a specialty service, you can charge more than you do for your regular hosting products!
  • Build an internal WordPress Response Team that has in-depth training to help diagnose and fix WordPress bug, security and scaling issues. And in the meantime, hire a WordPress consultant like me or one of these fine consultancies to get your WordPress strategy rolling.

People ask me for hosting recommendations all the time. I have a few decent hosts that I’ll recommend, but I don’t have any hosts about which I can say “use them, because they know how to host WordPress, and they’ll support you.” I’d like nothing better than to have a dozen such hosts to recommend by this time next year. WordPress is here to stay, and it’s time for web hosts to adapt!

108 thoughts on “Web Hosts: WordPress is here to stay. Adapt!”

  1. Random Passerby says:

    Why does this all seem so Jobs-like?

    WordPress is good, no doubt. But outright cockiness about your product isn’t going to help making hosts improve on their security.

    • Mark – your message is clear and 100% helpful. I regularly deal with WordPress sites that have been hacked and it’s always because users and host companies don’t take all security measures to enhance the security of the site. We cannot talk about this enough. I manage blogs on GoDaddy, BlueHost, WebsiteHost, iWeb, 1and1, Nost, etc, and I would not host my blog on some of these (I will not name any as some of my clients are on these hosting plans that I did not choose for them).

  2. When talking about caching you say “First, because most blogs never get enough traffic to need it”.

    You think websites with low traffic don’t need to be fast? Speed is good for users and for search engines. Google uses speed in its algorithm nowadays.

    Speed for WordPress will be even more important in the future I think.

    • It’s not that they don’t need to be fast, it’s that they don’t need it to not be slow (or available at all). I agree that speed is good, but Google’s speed algorithms don’t come into play until the extremes.

      With a caching layer, you give up some of your “dynamicness,” so for the vast majority of people who never get enough traffic to make their site slow, choosing to be dynamic all the time may be the better choice.

      I’ve given a lot of thought to how a caching layer would have to work to be built in to WordPress core. It would have to be much simpler than the ones available now, and perhaps even be traffic-sensing.

  3. I recommend WP host BlogOnCloud9 (http://www.blogoncloud9.com/).

    They do all the things mentioned above, and host your files using Rackspace. They also place a high emphasis on security.

    They’re currently hosting 3 of my sites, one of which is a pretty complex set up with WordPress integrated with bbPress, PHP List, Media Wiki, Mint, and OpenSSL.

  4. This is definitely not a JOb you have to remember, that you can outsource most of your daily tasks actually everything. This is the new way of earning living in my opinion and nothing compared to an average 9-5 JOb

  5. Mark, this is an excellent call to action to the hosting services! A follow up from the user side would be good; challenging users to meet their own responsibilities to update code, set strong passwords and strengthen security. The complete community needs to work together on securing our sites. WordPress is indeed here to stay and is experiencing what Microsoft has fought for years – attacks from the bad hackers. Wake up everyone and take serious action for site security!

  6. Yeah, you would think hosts would adapt but no…. they still try to blame one application for their own failures. In my personal experience WordPress is as secure as the user who installed and supports it and the host it’s running on. Granted there are a few enhancements I think are long overdue for the main code related to security and I just published a blog post about it – but those could be also overcome…

  7. Great post, Mark!

    As a webmaster myself, I take my website security very seriously for both myself and my visitors. I take the time to do research on which WP plugins to use and my hosting company. Since I do security monitoring of my website, anytime I find that my hosting company has outdated applications, I inform them immediately. Sometimes they comply and sometimes they don’t. It’s my job to decide to stay with them or move somewhere else.

    I also keep up with my WP updates, make backups of my backups and add any security elements that I have control of, as an end user.

  8. Mark …

    The points you raise are exactly why we launched BlogOnCloud9 (thanks, Ron!).

    After struggling with under-performing, indifferent hosts for our WordPress blogging clients, the ContentRobot team decided to take matters into our own hands.

    Here’s our story: http://www.blogoncloud9.com/our-story/

    We take upgrades, backups, security, and WordPress support very seriously. We’ll work hard to earn your recommendation as a reputable WP host.

    Thanks, Karen & Dana

    • Jason, We will support the multi-user functionality in 3.0 when it is released but have not made a final decision on how it will fit into our hosting packages – it most likely will be a new package.

    • @BlogOnCloud9:

      Not a good start:

      This website is temporarily unavailable. Please check back later.

      Unfortunately there were no suitable nodes available to serve this request.

  9. Insightful, Mark. Thanks for the post. This is undoubtedly why many of us have rolled our own VPS to have more control over the environment. Some hosts are better than others at support (hat tip to Midphase) but none of them are, as you suggest, truly WordPress friendly.

  10. You are right. I have experience with a web host that got their server attacked and blamed WordPress for that. I don’t need to say what web host.

    I hope all web hosts offering WordPress read it and take your advice. Thank you!

  11. Mark,

    Excellent post. These points are also why we offer our enhanced WordPress hosting (along with our WordPress-specific CDN)…and why we’ll soon add more WordPress-specific options.

    We probably should enhance our product descriptions to describe our focus on security. We run as tight a ship as we think we can while preserving functionality.

    I also think it would be a good idea for hosts (us included) to add tutorials on securing a WordPress installation. Even if we have various global security methods in place, if a user installs WordPress without tightening down certain things (for example, keeping the default “admin” username), our methods lose a lot of effectiveness.

    Great article.

    Mark

  12. You Adapt says:

    WordPress is popular because it is the best blogging software currently in existence. However, that doesn’t mean it is well-written software or even well-designed software. After having written a number of plugins for it and used it on a fairly large site, I can tell you that it is neither. And several groups I participate in and all my web developer friends say the exact same thing about WordPress – “currently the best blogging platform but it sucks.” I hear it over and over again practically every day.

    Basically, all it would take to eliminate the almighty WordPress is a single developer who actually knows how to write software. The behind-the-scenes code of WordPress is a huge disaster – a mish-mash of poorly written code that somehow miraculously functions – either Jesus or duct tape is holding this software together. WordPress’ past security vulnerabilities are the result of poor backend design strategies. If you worked for me, I would fire you for writing such lousy, unreadable code.

    On top of that, there are several views of the lead WordPress developers that REALLY annoy me:

    The first view is that WordPress should NOT have a caching system out-of-the-box. That’s just stupid. However, this is the exact sort of mindset that the developers of WordPress have. I typically find this mindset among developers who settle for less and refuse to listen to professional developers many years their senior.

    Second, WordPress is painfully slow without local caching. The main browser-based editor is a 1MB download according to Firebug. Of what? After a couple years of using WPMU, I still have yet to figure that one out. The developer’s mindset here is to throw Google Gears at it as a solution. This is called a hack, NOT a solution. The solution is to fix the product so you don’t need hacks.

    Third, WordPress is impossible to move between websites too. This is the direct result of not thinking far enough ahead when designing the original product. WordPress was originally a college student’s toy project never meant to go beyond that point. In other words, the blogging world runs on a little toy project and NOT a professionally designed piece of software. Supposedly it has been rewritten a few times but it still has that college project gone awry feel to it.

    And last, but hardly the least, the documentation is about the crappiest documentation I’ve ever seen. WordPress attempts to present itself as a professional product yet the documentation is horrible. Having no documentation would be roughly the same experience as the current so-called documentation. That’s how bad WP’s documentation is. And WPMU’s documentation is a lot worse.

    I know exactly what you will say to this as a WP developer: “Well, why don’t you help improve these areas…it is open source after all!” Put simply, I’d have to make my own blogging platform from scratch to even begin to fix the problems and I don’t like the GPL – too restrictive. I don’t have time for that. It is your product anyway. You fix it.

    I use WordPress MU and supposedly WP 3.0, the next version of WP, is WPMU. WPMU is a hacked up version of WP to allow multiple blogs on a single platform. It may power wordpress.com. However, it also barely functions for our professional needs and required weeks of effort just to get a rudimentary site built. WPMU merely perpetuates the bad coding and design that WP reeks of.

    WordPress may represent the best blogging platform in existence BUT it leaves a LOT to be desired. I’m not alone in this view. Everyone around me thinks the same. But there are no alternatives.

    I’m not a web hosting provider, but if I were, this would be my view of your product. I’m not surprised at how web hosts treat your product. It isn’t web host-friendly, so they shouldn’t care. Your recommendation to create a special environment just for your super special product immediately throws up red flags that the product might not be well-written (and after using it extensively, I’ve discovered that it isn’t). A web host should not have to provide support nor a special environment for YOUR software. If you want it to be everywhere, then YOUR software should play nice in any environment. From personal experience as a heavy WPMU user, it clearly doesn’t.

    In summary: If anyone needs to adapt, it is YOU.

    (This comment will probably get deleted. I just had to say my piece though. But don’t say I didn’t warn you when someone finally comes out with a better product and you suddenly have everyone leaving in droves. WordPress really isn’t as good as you think it is.)

    • Are you trolling, or something?

      “Third, WordPress is impossible to move between websites too. This is the direct result of not thinking far enough ahead when designing the original product.”

      What are you talking about? I move whole WordPress installations around to different servers like every day.

      Also, the market is *saturated* with other blog software, some of which is positioned specifically as faster, more secure alternatives to WordPress. And yet, WordPress maintains its popularity. I wonder why that is…

    • “Basically, all it would take to eliminate the almighty WordPress is a single developer who actually knows how to write software. The behind-the-scenes code of WordPress is a huge disaster – a mish-mash of poorly written code that somehow miraculously functions [...]”

      You’re not our audience. I agree — WordPress is a hodgepodge of spaghetti code. It doesn’t matter. It does what people want. It is near-infinitely extendible. It runs on almost every hosting environment out there. And it has a large and diverse community behind it.

      “I’m not surprised at how web hosts treat your product. It isn’t web host-friendly, so they shouldn’t care. Your recommendation to create a special environment just for your super special product immediately throws up red flags that the product might not be well-written (and after using it extensively, I’ve discovered that it isn’t). A web host should not have to provide support nor a special environment for YOUR software. If you want it to be everywhere, then YOUR software should play nice in any environment.”

      WordPress “plays nice” in a bunch of environments. For all intents and purposes, it does run everywhere. But if web hosts want to run it most efficiently, not in a lowest-common-denominator mode, they’ll need to provide a better environment. The same is true of any popular web app. The more popular an app is, the more benefit will come from tweaking your environment to be optimized for that app.

    • This is a pretty good rant overall, and I don’t think you’re trolling either. Just screeching frustration.

      Couple of things:
      1. You’re right about the code… in my view it’s even worse, it’s PHP! But…
      2. What you complain about isn’t much different than any other widespread software. Seriously, you know this is true.

      As for documentation, find your little corner and make it your mission. For example, I wrote some canonical documentation for register_activation_hook. Jeff Sayre wrote it for do_action. Pick something and contribute.

      It’s not a perfect world. But it doesn’t have to be.

    • lol…

      “Basically, all it would take to eliminate the almighty WordPress is a single developer who actually knows how to write software”

      I think you need to put your money where your mouth is. Quit complaining and develop. If it is any good we will use it.

      However, you will have an uphill battle. WordPress has a massive following and no matter how obscure client requests are you can guarantee that there is ‘a plugin for that’. As for documentation.. I could not agree with your assertion that it is poor. There are a million blogs talking about blogs and I don’t think I have ever had to go off the 1st set of Google results to find the answer to any question.

      Oh and it takes seconds to move a site between hosts.. what do you mean by your comment?

      As a small but specialised hosting company I agree with the original post. Look for hosts who deal specifically with the product you want to use. There is no point spending £3 a month on 1and1 hosting and expecting them to give you any support. A small but dedicated host will charge you little extra but they will hold your hand all the way.

      We chose to work with WordPress and Magento.. I can tell you which is the easiest.. and it’s not Magento.

    • Cheers. I found this page trying to find what exactly the deal with WordPress is and why everyone is freaking out about it. You and I are most likely not the target audience of WordPress, as I generally just write code from scratch and my primary income is from construction services – meaning, I’m not some skilled coder. I went to school for Economics. I’m just a good direction-follower and the speed at which I could write a plugin for my own business’ site is probably faster than figuring out what this whole WordPress system is about.

      I again want to reiterate that I don’t think I’m some coding genius, but just a product of the information age that is increasingly making us all more self-sufficient. I’ve been recently toying with the idea of writing for myself a CMS where all page elements are clickable (in Edit mode, for instance) such that I go to my site and change anything at will, WYSIWYG style. It’d probably take a bit of time to figure out – but then again, I don’t really understand the value of WordPress having not needed to investigate it. I wrote a user commenting system that can be plugged into any page on my site, and wrote it in 4 hours….still lots of tweaks I could make, but heck, this is just a hobby and I’m too poor to hire someone else :)

      So my point is – I’m just some normal, motivated guy and I think(HOPE) more and more people will have faith in themselves to write stuff from scratch and build and share plugins that are independent of some larger platform. The wealth of knowledge at your fingertips by just typing things like “secure login script” or “javascript setting cookies” etc. turns out countless forums where a motivated person can quickly learn whatever they can imagine to ask.

      Shortly before finding this page, I saw a site where a guy was selling for $4 a script/plugin for logging into one’s site via Facebook, Twitter, etc. authentication….and to my amusement, someone commented “Make a WordPress plugin and I’ll buy it – when will that be?” The developer answered: 10-15 days. Dumbness on both their accounts.

      There have been times when I have looked for work in the web development section of craigslist and was discouraged to so often see “Seeking WordPress genius” and what am I going to say – “Hi, I don’t know what WordPress is, but tell me what your website needs and I’ll make it happen.” A lot of people would just think I lack skill. Ironic.

      BEGIN: Rant against use of word “Trolling”

      I’ve recently come to realize trolling is almost in all instances used to denigrate someone who is denigrating a page they do not agree with, and a fan of the viewpoint being knocked responds “Go away troll,” in lieu of “Oh, maybe you have a point, we appreciate your criticism.”

      Many people find pages they disagree with because they are trying to learn about something they do not understand, find a page that promotes an idea that conflicts with theirs, and proceed to comment. This is a beautiful thing that brings us closer to common wisdom.

      A world without what insecure people call “trolling” would be where any page where an opinion is purported has nothing but comments that congratulate or reinforce the views of the author. I hardly see the value in this, as comments can serve a great purpose of informing new visitors other ways of looking at the concept besides the way the author intended.

  13. Pingback: WP TurnKey
  14. Rich says:

    @You Adapt – no question WP isn’t optimally written, but do you have a suggestion for a better blog CMS?

  15. Excellent post Mark. There have been a lot of talking during the last month, about the many WordPress blogs that were hacked. But as we know, in all those cases it was either a problem of security configuration in the SERVER or weak passwords. And thus, it has nothing to do with WordPress core or coding.

    WordPress is one of the most secure CMS platforms out there. But you also need a properly configured Hosting Account, Server, VPS, etc.

    Greetings,
    Alex.

  16. Great post Mark. You hit most of the points that I have been thinking about writing, especially since all these moronic hosts are blaming WordPress at first until they realize it was their file permission settings.

  17. Excellent post, which points out (again, but differently) the lack of professionalism coming from web hosters.

    “Listen to your customers” should be their first worry!

  18. I have felt like this for a long time and have not been able to recommend a good host that cares enough about WordPress to understand and build systems for it. The loss of data on major websites isn’t even enough to provoke awareness. Thank you for writing up this post.

    My company hosts WordPress-based corporate sites and designs almost exclusively with WordPress, so I agree that it takes a special environment to properly take care of your client’s best interests.

  19. Sustainable Websites is a small web hosting company with a lot of knowledge about wordpress. We do help our customers with wordpress specific issues, and also help them understand security issues and backups.

    Regardless, WordPress represents the vast majority of sites that get hacked and costs us a lot of time and money.

    Even completely up-to-date sites, with the right file permissions, strong passwords, and with many security plugins and tweaks get hacked. How can you expect normal part time web masters, small biz owners, and bloggers, to keep up if experienced wordpress developers still are getting hacked?

    We are going to recommend alternatives to people now unless WordPress 3 turns out to be much better security wise.

    I think it’s time for the Ruby on Rails, CakePHP, or other modern framework communities to step up and offer a better alternative to WordPress, and I am supporting efforts that do that.

    • It is highly unlikely that up-to-date WordPress sites with strong passwords are getting compromised due to WordPress security flaws. More likely causes:

      - A plugin or a theme vulnerability
      - Passwords aren’t as strong as you think
      - Passwords compromised elsewhere, or phished
      - Another web app is compromised, and used to find WordPress installs to exploit

      If you have specific information about up-to-date WordPress installs being hacked due to flaws in WordPress itself, send the information to security at wordpress dot org.

  20. Hi Mark.

    You make some very good points here.

    I believe there’s a real need for more wordpress specific hosting and, as you say, for hosts to realise that wordpress is a far bigger deal than many seem to think.

    Thanks for getting the conversation moving on this, Mark.

  21. I recently tried to encourage my host to develop material on WordPress security (to no avail) so I agree with your post, however it’s a pity this post didn’t come from an independent party, after all WordPress could do more to educate also.

    It is not clear what the ‘correct’ folder permissions should be for a functioning and secure WordPress install.

    ‘insecure plugins’ is a phrase bandied about a lot in the blame game, but what is WordPress doing to identify these rogue plugins? Is a list being compiled? Are these damaging plugins available via wordpress.org/extend? I’m not clear, without coding experience, how one can limit the security risks from plugins despite all these warnings.

    You can’t on one hand extol the virtues of extendability through plugins and on the other hand explain that’s where a large portion of security risks lie – particularly when the official WordPress site, and app, pushes said plugins with no security rating.

    On the issue of speed, it may indeed only come into play with Google ‘at the extremes’ but you can be sure your bounce rate will come into play long before that.

    So, yes, hosts should probably recognise WordPress’s popularity, and adapt to customer needs – but WordPress too needs to show willing and address some of the issues to afford hosts and users alike more confidence in the product.

    Finally, did I mention I <3 WordPress? :)

  22. As a Managed Service Provider I think it is fair to say that there is plenty of blame to be placed on all parties. Users, developers and web hosts.

    Users have largely been assisted by budget hosting providers who have provided easy to install (and forget) applications such as WordPress — fantastico being a prime example.

    Developers both inside and outside of the wordpress community do not have a fantastic track record on issues of security. A majority of the wordpress related security issues we have seen stem from third party modules. Instances of core exploitation have generally been a result of outdated installations of wordpress.

    Web Hosts charging $5-10/Month for hosting cannot realistically capitalize on talented and competent system engineering teams with security backgrounds, third party security appliances for content inspection and filtering, and web application firewalls.

    I would not expect budget hosting providers to meet the level of standards you are prescribing in this message. The education should be towards the users in knowing that a more robust and secure environment is going to cost a bit more than typical shared hosting.

    Lastly, some fundamental shifts in security from the developer perspective can begin immediately. Start with forcing https authentication for administrators from the get go. There’s absolutely no reason anyone should ever be passing user credentials via plain-text, and the WordPress developers can enforce this secure mentality by building it out of the box.

  23. I’d like you to look into how Dreamhost handles this for its customers.

    I don’t work for them, but I have been a customer for 12 years (since July 1998).

    Their support of WP is truly above and beyond.
    1. Automated upgrades of all your WP installations with one click or fully on auto-pilot. I just upgraded 20 instances and got confirmations. This is a recently added feature.
    2. One-click installation. New installs are either in “Easy” mode or “Advanced” mode.
    3. A nice selection of pre-selected themes
    4. Cache enabled out of the box
    5. Secure passwords are generated for users and they don’t have to think about database configuration because that’s handled automatically.

    As an advanced user, I can do whatever I want after I get my base install done with a click.

    I can also tell a clueless user to simply let them manage it.

    In my book, that makes them committed to WordPress and they understand how it operates well.

    Back in the dark ages of late 90s, I chose this company because they had ssh accounts and my perl scripts ran without having to be hacked up to death.

  24. @ Mark Bailey ^^ 14 May – the default admin username cannot be removed from WPMU – this is what I have been told by Donncha and Andrea_r in the WPMU forums (several times).

    On a WP 2.9.2 (and lower) single user WP install, the default admin user can be removed after creating a new admin user with a different name, but how many people know to do it?

    What WP should be doing is allowing the installing user to create a first-admin username during the install. They should also have a mechanism (a-la-osCommerce) where the three key folders (wp-admin, wp-content, and wp-includes) can be renamed during install – i.e. the entire script addresses them using variables, not fixed names.

    Then there’s the age-old hack inject route related to any WP install that does not have a /wp-content/1/ folder – create one and make it non-read/write/execute to all but the install owner, and read-only to them. Why is this folder not part of the default install package? It’s just an empty folder with permissions set after all.

    WPMU advises on the second install page screen to delete the install file … unfortunately, this advice is two screen heights below the username and password with the “LOGIN NOW” caption – so how many users never scroll all the way down there before logging in, and thus leave the install file in situ?

    It’s the little things like this (and the list of over 100 other things on my checklist for each install) that WordPress and the WP Devs have known about for years in some cases, that need addressed before hosts would take Mark’s post seriously.

    Don’t get me wrong – I love WP and WPMU and right now I’m building sites side by side for myself and clients on a daily basis, but I do wish they’d sometimes slow down on the new features and release number updates to just clear the backlog of niggling little security issues that would be so much better addressed from point of installation or upgrade.

  25. @GazOut, those are very valid points that make this entire scenario challenging for hosting providers like us. We try to educate our users on things like the default admin issue and other security points. But, as you’ve pointed out, there are many potential breach points.

    I think this also amplifies the difference between WordPress-specific hosts and general hosts. Of course, WP-centric hosts are always monitoring these kinds of issues and trying to inform clients. Other hosts won’t have this kind of attention to detail or won’t be willing to invest so much time if they’re also trying to present themselves as the ideal host for Joomla!, Drupal, and a lot of other architectures.

    The points you’ve brought up are excellent (especially the idea of renaming the folders during installation). With the upsurge of attacks on WP and web hosts in general, I hope that WordPress will make it a priority to implement as many of these measures as possible. I agree that a default installation has too many holes.

  26. “Offer WordPress-specific hosting… …you can charge more than you do for your regular hosting products!”

    I don’t agree with encouraging a web host to charge more for WordPress specific hosting. It enforces a mindset that WordPress is more difficult to host and somehow requires a special environment. This seems at odds with “WordPress is what you use when you want to work with your blogging software, not fight it”

    If WordPress is so ubiquitous, the end users shouldn’t have to pay extra to get a web hosting environment that is complementary to using it.

    That being said, I have found on the couple of different hosting companies that I’ve used it on, there might be an official “No extra WordPress specific tech support” policy, but most of the tech support people have been willing to poke around a little to make it work.

  27. So it isn’t in my head when I have difficulty installing WP on a ‘standard apache setup’ server? The techies found this for the config file to make WP work:

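    // Force WordPress to write files directly instead of via FTP/SSH.
    add_filter('filesystem_method', create_function('$a', 'return "direct";' ));
    // Permissions WordPress applies to directories it creates.
    define( 'FS_CHMOD_DIR', 0751 );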

    This is a case of a server not being very WP-friendly, isn’t it? And for future reference, what type of ‘file system’ does WP use?

    Thanks for this article!
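
Added example, not part of the comment above and not WordPress code: the snippet in comment 27 forces the `direct` filesystem method, which WordPress otherwise picks on its own only when a test file it writes ends up owned by the same user as its own script files. The Python sketch below applies that ownership comparison from the host side and lists group- or world-writable paths; the function names, the `php_uid` parameter and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

FS_CHMOD_DIR = 0o751  # the directory mode from the comment's define()


def auto_direct(wp_root, php_uid):
    """True when files PHP creates would have the same owner as WordPress's
    own scripts, the case in which WordPress picks 'direct' unforced."""
    core_file = os.path.join(wp_root, "wp-admin", "includes", "file.php")
    return os.stat(core_file).st_uid == php_uid


def loose_paths(wp_root):
    """Return sorted (relative path, octal mode) pairs for every entry that
    is writable by group or others; symlinks are skipped."""
    found = []
    for dirpath, dirnames, filenames in os.walk(wp_root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                found.append((os.path.relpath(full, wp_root), oct(mode)))
    return sorted(found)


def audit(wp_root, php_uid):
    """Summarise one install for a host-side review."""
    return {"auto_direct": auto_direct(wp_root, php_uid),
            "loose": loose_paths(wp_root)}


def build_sample_tree():
    """Constructed sample install: directories at 0751, files at 0644,
    and an uploads directory left at 0777."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, "wp-admin", "includes"))
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, "wp-admin", "includes", "file.php"), "w") as fh:
        fh.write("<?php // placeholder for the constructed sample\n")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            os.chmod(os.path.join(dirpath, name), FS_CHMOD_DIR)
        for name in filenames:
            os.chmod(os.path.join(dirpath, name), 0o644)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    # 0751 on a directory: owner rwx, group r-x, others --x (traverse only)
    print(stat.filemode(stat.S_IFDIR | FS_CHMOD_DIR))
    # php_uid is an assumption: here, the user running this script
    print(audit(sample, os.geteuid()))
```

When `auto_direct` is false for the real PHP user, forcing `direct` only works if the web server user can write to the tree, so the `loose` list is the part of the report to review first.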

  29. I started using WordPress two months ago for my blog and it has been a blast. The enormous flexibility through themes and plug-ins has made my jaw drop from time to time. Especially because I have experienced the trouble you can get into when using another platform.

    Therefore I can only agree with your blog post that WordPress is here to stay!

  30. “I don’t agree with encouraging a web host to charge more for WordPress specific hosting.”

    I think it’s acceptable if hosting providers are truly offering a value-added service. For example, we have to invest time in researching and implementing optimal security processes. We feel that WordPress performs much better with LiteSpeed than Apache, so we pay to license LiteSpeed. We’ve also put time into fine-tuning our servers with APC and other performance enhancements, and tweaking those to work optimally with W3 Total Cache. (Thanks to the plugin’s author, Frederick Townes, for assistance.)

    So, in our case, we offer high-performance, WordPress-tweaked web hosting that costs us more to offer. We don’t explicitly charge more for WordPress hosting (as our hosting is ideal for any app), but in general we do charge more than the mass-market hosts because we don’t overcrowd our servers.

    However, I think it would be fair for hosts to charge more for WP if they truly are spending additional resources to support WP optimally. Customers can always choose lower-priced hosts with various feature sets. So, the question is whether the value adds are worth the extra price to the user.

    Mark

  31. As a web hosting provider, I see a huge opportunity in bringing up a custom hosting environment sliced for wordpress alone.

    Biggest strength with wordpress is the community. We the community should work towards making better webhosts.
    A test account from hosting providers to wordpress group is a best idea. Expert can suggest what is right and what is wrong. We have adopted a team to support only blogging community.
    kudos to wordpress

  32. The only downside is that while the vulnerability of comment spam. And so indispensable for WordPress blogs and websites that already talk about his functional …
    Sincerely, Denis Polishchuk

  33. I love WordPress, I use it for many of my own sites as well as sites for clients but I think this post comes off as a bit arrogant. I realize where you are coming from and that your message was likely not intended to come across that way.

    What people need to understand is that it’s not a perfect world and therefore nothing is perfect; that said, the WordPress team needs to keep in mind that you build a platform that people use, they host your platform on various hosting environments and it is your responsibility to adapt, not the hosts.

    I agree that a policy of best practices should be in place by all hosts but they should not have to do anything specifically or solely for WordPress in my opinion. If they have a fast secure server it should perform equally well no matter what scripts are run on it and that is the typical environment that WordPress should be built to operate correctly and securely on.

  34. Great karma for trying, this is sound advice. Honestly It would be more fun to start our own hosting… I’m thinking about that myself, the problem is investors.

    WordPress trunk is really starting to push the limits of awesome, keep up the great work

  35. It’s been awhile since I’ve seen such engaging commentators, fun blog!

    As the author of one of the popular WP security plugins and as a hacker myself I lol at all the security blame of late. Because it’s ridiculous. WP may not be the most proper code, but php isn’t suited for it. PHP is all WP really needs, it’s incredibly compatible and robust in that regard, even works on php 4!

    I’ve also written a caching plugin, with its own socket class, and know the code of the top 5 cache plugins practically by heart. I’ve thought about it a lot and WP is doing the smart thing by waiting for quality caching code. Since I became a developer I’ve seen a number of baby steps in the right direction, but obviously it is a weakness. Combining scripts-great. But the URI?v3.1 used by WP is a dead giveaway for a

  36. Malte says:

    WordPress is freaking great! I love it and it’s cool that you take care to really blame the hosters here.

    There are so many bad hosters out there and they really have performance issues. And I won’t think that any hoster who is doing it right will be upset by that bias in your message.

    These bad hosters can really make one angry!

    And WP is not nothing, I mean it’s really a great application. So those hosts just have to deal with the shortcomings in performance and stability that *might* be there. As you said, it’s not a WordPress fault that on some configurations there are issues.

    In the end it is just a pile of PHP scripts connected to MySQL and that is what a hoster should take care of! Give us the speed and performance we deserve! This should be kick-ass instead of slow-mo.

    The message you put out is very important because that will allow developers to concentrate better on new features and plugins instead of taking care about some hosting issues on certain servers.

    In fact there is no need to deal with some minor issues in WP when you can far better deal with them on the hosters side. In fact, it’s even not possible in WordPress code, because every hoster is different. Some still offer PHP 4 for your WordPress (*shrug*), some offer outdated MySQL some not. Or the Webserver Version. So this should be nothing WP cares about, it’s the Hosters Business.

    To the User what the Users deserve: New Features in WordPress and better Hosting everywhere!

    Maybe Ryan can consider the following points to this years Hosters Wishlist:

    - Proxy Access to the WordPress Upload Directory for high speed access or easy CDN integration

    - Latest stable PHP version incl. the modules needed for WP

    - Latest stable MySQL with enough POWER. DB Access is to be optimized on the DB-Server side, not on the WP side.

    - The Environment we deserve: APC, Memcached, Fast-CGI or SAPI, X-Sendfile, Suhosin Support and all the like.

    Finally: I hate it, when I find a plugin, give it a run and then it’s broken. And plugin support tells me as so often: This is a limitation of your Server and Configuration.

    I hate that these hosters can’t properly take care of such a simple thing like installing WordPress!

  37. Malte says:

    I must admit that I sometimes get into rage when it comes to that hosting topic and WP. Sorry for that, I hope you can understand that for us users this isn’t really simple situation.

  40. Malte says:

    Some little addition, this is how the de facto best WordPress hoster on the planet is doing it (wp.com):

    First Hit:

    generated in 11.309 seconds
    87400 bytes batcached for 300 seconds

    Next Hit:

    generated 99 seconds ago
    generated in 11.309 seconds
    served from batcache in 0.003 seconds
    expires in 201 seconds

    Just a real live example. The Plugin is batcache by Andy Skelton.

    I recommend wordpress.com for worry free wordpress hosting. And you support the project in the end when you buy something there. So a win win for us all.

    (please delete the previous comment)

  41. We host our WP on Media Temple Grid (with a stepped up DB, the stock is too slow) and Rack Space Cloud Sites.

    Our Rack Space cloud site account handles almost 6M page views per month with very little caching. We use a CDN (maxCDN) to lower the cost of bandwidth (currently 1-2TB per month in images and JS)

    Rack Space Cloud Sites backs up automatically, and we Rsync off each night for Media Temple.

    Your mileage will vary.

    You can host WP very well on these systems, just not for $4 per month.

  42. With WordPress being able to upgrade itself very easily now (and its plugins), I don’t think it’s too big a deal for web hosts anymore.

  43. Hey Mark, great post. I’ve been amazed for a long time how few web hosts have been willing to specialize in apps. Seems the obvious thing to do…

    Question about WP core: If a webhost offered Memcached by default is there a way that core can take advantage of it, or would core have to be hacked? I’ve never used Memcached (because I don’t set up my own servers) so I’m not really sure how to best leverage it.

  44. I agree.

    In the past when I was noob I’ve had problems with WP, and my host helped me solve them.

    I’d say that the time of static html documents (aka Geocities :D ) has gone, and now all web presence is done with some kind of dynamic generated pages, much probably a CMS.

    There are many free web presence services out there, like yorkut and fotolog. When somebody is willing to pay for a host, he wants something custom, 99% of the time it’s a CMS or forum.

    So, provide simple webhost and leave your customers to deal with web apps isn’t wise, many of them are not webapp envy and is just willing to pay to get it done, and just manage the software.

    Some of them like me start as a total noob and learn to become a plugin dev, but most of them just want it simple. And WordPress is the easiest software available, so it’s the first choice for a website CMS. Since most WP users are willing simple solutions, webhosts that provide specialized support will get those guys :D

    And yes, hire us to develop custom code :P

  45. Malte says:

    To all you hosting and support folks (yes mark, you included), how can a plugin / config just deal with a simple:

    408 Request Time-out

    So you scaled all to the max. Now what? Please let me know, only non-ranting answers please. I want to see serious responses here.

  46. malte,

    I’m not sure I understand the question.

    A 408 error can be caused by numerous things at either end of the connection.

    Where did you receive a 408 error message?

    Mark

    • Malte says:

      Backend. Symptom in general is: How do you deal with the situation, when the blog user’s content is throwing WP into nirvana. That’s something you can’t blame the hoster for then (well actually you can).

      So normally in those situation we deal with it that way to blame the customer, especially when he blames us for that.

      To Summarize:

      1.) Always blame the hoster. He could have always done better. More Hardware, better Configuration all the stuff.

      2.) If there are issues, the hoster is already blamed but he does not move, go on straight to the customer blame. I mean he is not responsibly using the software, right? (hint).

      With this two-step check-list in mind, you can pretty much handle any of your customers’ WordPress support tasks with ease.

      You can solve 100% of all WordPress related problems with that scheme. The good thing is, plugin developers and core coders can concentrate on new features and do not need to take care about mysterious issues that really can cost a lot of time.

  47. Yes i agree, wordpress very easy to use, but there problem eat some high process, we cant blame user or hosting provider, but we can reduce the load process with small modification on it.

  48. One of the reasons that http://www.imSMB.com was started was to make the user experience of “hosting” or really just getting a web presence a super simple and easily manageable experience. So SMB’s can focus on what they do well and we take the tech out of the technology.

    Our consultants all recommend using WordPress, more than that we will recommend and install the proper plugins ( like w3cache ) for sites that need it.

    In addition, if we get an alert that a customer is using too many server resources, instead of just shutting them down (like almost every host does) the first thing we look for is if caching is enabled or not.

    As the WordPress community; I would pose a question.

    What plugins do you feel should be included (and configured) out of the box for a small business?

  49. Interesting post, considering one of your comments elsewhere:

    “I’m with you, Ryan. PHP4 has no death in sight. Without an EOL announcement, and as long as PHP5 (and its development) continues as an adolescent teenager (complete with “this is who I am, deal with it” rants), PHP4 will live on.”

    I think that some of the above commenters are absolutely right — regardless of whether wordpress “does what people want” — performance DOES matter. As you said, rather than screaming “this is who I am, deal with it”, the WordPress team should work to improve their code so that it doesn’t cause major issues for web hosts, not expect everyone else to bend to meet the needs of WordPress.

  50. you would think hosts would adapt but no…. they still try to blame one application for their own failures. In my personal experience WordPress is as secure as user who installed and supports it and host its running on. Granted there are a few enhancements I think are long overdue for the main code related to security

  51. Great Post.

    Being new to web ownership I must admit the ease of use of WordPress compared to HTML is amazing.

    I also agree with you that it would be nice if hosts put more effort into helping new owners with WordPress.

    Especially memory size allocation.

  52. pagelywp says:

    Hey Mark,
    Sitting here at WordCamp Boulder and someone mentioned this post to me. We at page.ly are focused exclusively on WP hosting. Would love to get a chance to bend your ear a bit and talk.

    @strebel < twitter

  53. I ran into the cache problem a month ago when my blog exploded. The server was crashing every 4 hours. The hosting company gave me 4 different cache scripts to try, all garbage. I use total cache now.

  54. Absolutely, positively, mark my words – You will be left behind if you do not adapt. It is not a matter of if you will be left behind, it is just matter of when.

    Mark, you put it perfectly just with one word. ADAPT!

    People can choose to sit and gripe about “how things used to be when I was into web design, or marketing, or whatever” Or- they can choose to adapt. And get on the stinkin’ train.

    Like I said, it’s a choice. But you are making the wrong one by not going with WordPress. Anyone in any kind of actual marketing and SEO knowledge knows this fact.

    The ones who keep griping about it, I will see you in 5 years when WordPress is the only way and you are scrambling to catch up.
    :)

    Go Mark!!

  55. This is definitely not a job. You have to remember that you can outsource most of your daily tasks, actually everything. This is the new way of earning a living in my opinion and nothing compared to an average 9-5 job.

  56. Great blog Mark – I just found it. You provide some great useful information. I’m definitely subscribing!

    I have been teaching my readers at nichewebsitestrategy dot com to actually delete the install.php file after successfully installing WordPress.

    Do you agree this creates a good stumbling block for hackers that are trying to compromise your WordPress installation?

  57. I always advise people to go with WordPress for their site platform. But then people hear the word blog and they don’t understand how versatile a WordPress “blog” can be.

    With the hundreds of amazing plugins and obvious SEO advantage it’s a no-brainer for many businesses to go with a WordPress backend. Without even mentioning the user friendly interface for making changes and updates.

    This post may be a little dated, but people still need to adapt!

  59. We’ve all heard the phrase “content is King” well in this case WP is king! Every internet professional knows and understands the ease and value of word press in the eyes, well spiders, of search engines. Reading some of the comments above… if there is cocky, well… it is well deserved. Word Press kicks a$$!

  60. Finding a web hosting service should not be that difficult. There is a company that has made web hosting easy. says:

    There are several web hosting companies out there on the market. However, very few come with all the bells and whistles. Normally speaking when you sign up for a web hosting account you will have to purchase additional services that are needed to run your internet business. A couple of services you will most likely need to run your online business are an opt-in system, an autoresponder, video creation and hosting (Video marketing is huge online.), and a webinar system (To conduct online presentations to your customers.). There is a web hosting service that offers all of this including unlimited domain hosting all at one low price.

Comments are closed.