in

Bluehost review: Good performance, well-designed UX, up-to-date security

It seems like there is an almost unlimited number of hosting providers who will serve your website for a monthly fee. In the best web hosting providers for 2021, I spotlighted 15 providers that offer a wide range of plans. When doing a full review of a single hosting provider, I set up the most basic account possible and run the service through a barrage of tests. In this article, I’ll dive into Bluehost’s offerings.

  • Shared hosting starting a $2.95 per month
  • Online store hosting starting at $12.95 per month
  • Managed WordPress hosting starting at $9.95 per month
  • Virtual private server (VPS) hosting starting at $18.99 per month
  • Dedicated server hosting starting at $79.99 per month
  • Price bump after end of period: Yes

View Now at Bluehost


Because there are so many variables among plans and offerings, not only among hosting providers, but within the plans offered by any one provider, it can be difficult to get a good comparison. I’ve found that one of the best ways to see how a provider performs is to look at the least expensive plan they offer. You can expect the least quality, the least attention to detail, and the least performance from such a plan.

How hosting provider pricing really works

For this series of hosting reviews, I’m testing the most basic, most entry-level plan a vendor is offering. In the case of Bluehost, it’s their appropriately named Basic plan. To get pricing, I went to the company’s main site at Bluehost.com.

As with most every hosting provider, Bluehost’s published pricing is somewhat misleading. There is no option to get billed only $2.95 per month.

While it looks like you can get the Single Shared Hosting plan for $2.95 per month, that’s only if you prepay for three full years, which means you’re actually paying $106.20. A hundred bucks or so for three years of hosting isn’t a bad deal, but can be confusing. If you want only one year, you’re charging $59.40 to your card (which is $4.95 per month). It’s more expensive, but not terrible.

There’s a gotcha though. When you renew, you’re going to pay more. A lot more. Three times more. This, too, is not uncommon for hosting plans and is a practice I strongly wish the hosting industry would stop. When you renew your $2.95 three year plan, you’re going to jump to $8.99/month or $107.88/year. Of course, we have no idea what the pricing will be in three years, but you get the idea.

While $2.95 or even $4.95/mo isn’t a bad price for basic hosting, the fact is, your price will jump by more than triple what you paid when you signed up. I talked a lot about lock-in and switching costs in my How to create a website: The 2021 step-by-step guide overview. Read it, because Bluehost (and many other hosting providers) have business models that count on the switching costs being so painful that you’ll suck up a huge upcharge simply to avoid moving your site.

I focus on these pricing gimmicks in my reviews because it can be really unpleasant to suddenly get a bill that’s hundreds or even thousands of dollars (depending on the plan) more than you expected. Second, switching from one hosting provider to another hosting provider can be a very time-consuming and possibly expensive job, fraught with hassles and potential points of failure.

At least half of the hosting vendors I’ve looked at over the years do these promo deals, with big jumps in renewal fees, so Bluehost isn’t alone in this somewhat predatory practice.

What the Basic plan includes

Most bottom-end plans are for one website, and Bluehost is no different.

Before we move into the details, let’s spend a moment talking about what a base plan really is. All websites are not created equal. While you might be able to pay under three bucks a month to run your website, I pay about a hundred bucks each month to run my small fleet of sites.

A base site is designed for a business or individual who wants a basic online presence. That’s a bunch of pages, some product or service images, and a lot of text. If you want to run complex web applications, or you expect a lot of traffic, a basic site is not for you.

If you’re just trying to get started with an online presence, starting simply is a good way to go. In this series, we’re reviewing the least expensive program each hosting provider offers. That’s going to be what the majority of buyers will want, and it will give us a good insight into the company.

Bluehost offers a number of pretty solid features in their Basic plan. The base plan includes 50GB website space (maxing out at a whopping 200,000 files), five email accounts, 100MB of email storage (which is pretty low if you’re active), up to 500 emails sent per hour, one free domain registration (for a year), 25 subdomains, a basic SSL certificate, and what they describe as unmetered bandwidth.

Be careful, though. In practice, if you push your account near the limits, or use an excessive amount of bandwidth, it’s likely that the service will throttle you back. Bluehost was one of the earliest providers to institute server throttling when “unlimited” resource usage got to be too much.

There are some wins, most notably that even the basic plan is hosted on SSDs. Even if a site is using caching (which reduces the load on a server), having fast drives is always a plus.

The company does have 24/7 chat and phone support, and Bluehost offers a 30-day money-back guarantee. It’s not as long as some of the company’s competitors, but it is a fair amount of time for you to get a simple site up and running and see how things work.

Getting started

Once your account is created and you log in, you’re presented with this screen:

I like this. While I always like to go it on my own, I’ve gotten panicked calls from too many friends who log into their hosting providers for the first time and have no idea what to do. I was a little surprise to find that even though I hit “No help needed,” I was presented with a choice:

Again, though, I can’t really complain about guidance. After all, I didn’t hit “Skip this step” on the first screen. I did now. I’m still in a wizard, even though I did select “Skip this step.”

I hit “Skip this step” again, and once again I’m presented with a wizard. However, once again for basic users, I like that there are helper choices and even a solid FAQ for folks not sure what to do next. 

I have to admit that I’m getting a little impatient. I want to see the dashboard so I can see what I can do with this service. That said, I hit the “Limitless customization” option. From this point on, there were more selection options. I just kept hitting “Skip this step.” Finally, I reached a page with some more options. Most important to me, initially, is checking out the Advanced tab.

Yes! We finally have cPanel. I did a little happy dance (in my mind — I don’t actually dance, jump, or run, but I can celebrate running the gauntlet in my head, can’t I?).

Dashboard access

The first thing I like to do when looking at a new hosting provider is exploring their dashboard. Is it an old friend, like cPanel? Is it some sort of janky, barely configured open source or homegrown mess? Or is it a carefully crafted custom dashboard? These are often the ones that worry me the most because they almost always hide restrictions that I’m going to have to work around somehow.

I got rid of the welcome message and started to look around. I like how Bluehost has the normal cPanel interface, but also provides access to Bluehost services on the left. That’s convenient.

Basic WordPress access

I thought about nuking WordPress and installing it myself, but I wanted to see what most users would be presented with when they started the service. So I hit the My Sites button with the WordPress logo icon — and was presented with upsell city:

To be fair, the upsells don’t seem nearly as intrusive as Bluehost’s sister vendor, Hostgator. Once logged in, the WordPress dashboard is filled with a lot of stuff that’s not traditional to the WordPress dashboard, but it seems more helpful than egregious.

Ooh, this is interesting. Bluehost provides a staging site, even in the base plan. They get some big points for that. It’s always nice to having a staging site, and many more expensive plans don’t come with one. Granted, this is a staging site managed inside the main WordPress install (which can be a bit dicey when things go waaaay bad), but it’s still a great feature for a bottom-level plan.

The Plugins dashboard is quite busy, but that’s mostly because Jetpack (a product made by WordPress’s developer Automattic) takes up a lot of space and has a lot of upsell action — I received an email from Jetpack before I even got Bluehost’s login credentials. Fortunately, it was easy to dismiss the banners and get on with work. 

Unfortunately, after I dismissed them, I discovered they came back whenever I returned to the Plugins dashboard. That was annoying. The easy solution was to delete the Jetpack and Creative Mail plugins, which I did.

How to do WordPress upsells

I have to admit, Bluehost did this right. There were the few upsells I pointed out as we moved into the WordPress part of our review, but nothing that made using the service unpleasant. More to the point, Bluehost has its own plugin install and while it does offer upsells, it does so in a surprisingly non-intrusive way.

That first welcome page I showed you back when we first logged into WordPress is part of the Bluehost plugin, but it’s mostly pointers to how to get work done. We already talked about the staging feature, which is also provided by the Bluehost plugin.

A key page provided by the Bluehost plugin is the Settings page. Notice that there is not a single upsell on this mission-critical page.

So where are the upsells? They are conveniently tucked into the Themes, Plugins, and Services tabs of the Bluehost plugin:

I have nothing against upsells. Businesses need to pay expenses and salaries. What I often complain about — and did so vociferously with Hostgator — is when upsells get in the way of using the product already purchased. These Bluehost upsells do not get in the way. The Bluehost plugin is useful enough and non-intrusive enough that I’m not going to uninstall it. That’s a pretty ringing endorsement.

QUICK SECURITY CHECKS

Security is one of the biggest issues when it comes to operating a website. You want to make sure your site is safe from hackers, doesn’t flag Google, and can connect securely to payment engines if you’re running an e-commerce site of any kind.

While the scope of this article doesn’t allow for exhaustive security testing, there are a few quick checks that can help indicate whether Bluehost’s most inexpensive platform is starting with a secure foundation.

The first of these is multifactor authentication (MFA). It’s way too easy for hackers to just bang away at a website’s login screen and brute-force a password. In the past, many of my sites have been pounded on by some hacker or another, but because I have some relatively strong protections in place, the bad actor hasn’t been able to get in.

Bluehost picks up another win with dashboard-level MFA, which supports Google Authenticator and those compatible, like Authy. Bluehost also supports email authentication, but does the right thing by pushing its customers to smartphone Google Auth authentication as a safer choice.

Bluehost includes a free Let’s Encrypt SSL certificate, which is configured and enabled by default. While there are some overhead issues with Let’s Encrypt (the certificate needs to be renewed more often than commercially-sold SSL certificates), Bluehost automates that renewal process, so it’s not something site operators need to configure.

As my last quick security check, I like to look at the versions of some of the main system components that run web applications. To make things easy, I chose four components necessary to safe WordPress operation. While other apps may use other components, I’ve found that if components are up-to-date for one set of needs, they’re usually up to date across the board.

Here are my findings (using the Health Check & Troubleshooting plugin), as of the day I tested, for Bluehost’s Basic plan:

Component

Version Provided

Current Version

How Old

PHP

7.4.16

7.4.16

Current

MySQL

5.7.23

5.7.34

32 months

cURL

7.76.0

7.76.1

Last month

OpenSSL

1.1.1k

1.0.2q (and 1.1.1a)

Last month

In general, these results are quite good — especially considering how out of date some of Bluehost’s competitors have been when I checked their versions. That said, you kind of need to know the component to know how to read these results. For example, a number of these components have multiple development tracks. PHP 8.0.2 is the latest version of PHP, for example. But WordPress lists PHP 7.4 as its base PHP version and the latest version of PHP 7 is 7.4.15, updated just a few weeks ago. 

MySQL can be even more confusing. The current version of MySQL is 8.0.23, but the production MySQL release process jumped from 5.7 to 8.0. While the MySQL 8.x branch is being updated, so is the MySQL 5.7.x branch. In that branch, Bluehost’s MySQL is getting a bit long in the tooth.

I also chatted with a Bluehost support person, who was helpful and nice, but woefully inaccurate. When I asked about PHP version, they told me PHP 7.4. Then I asked whether that was 7.4.0 or a later release and I was inaccurately told 7.4.0 (in fact, Bluehost offers a much more current version). I was told that the cURL version for this plan is 7.29.0 — a 97-month-old version rife with long-fixed bugs. In fact, Bluehost isn’t out of date. Their cURL is basically current. So, twice the tech support rep told me versions that were worse than are actually provided. On the other hand, the support person told me Bluehost provided MySQL 8.0 for the Basic plan, when the algorithmic Health Check reported it’s really 5.7.23. 

Are you confused yet? Let me simplify things. Bluehost is committing no crimes with the component versions it is offering. Most are current, and while the MySQL build is out of date, it’s still a supported build for WordPress. Honestly, I don’t have much to complain about here.

PERFORMANCE TESTING

Next, I wanted to see how the site performed using some online performance testing tools. It’s important not to take these tests too seriously. We’re purposely looking at the most low-end offerings of hosting vendors, so the sites they produce are expected to be relatively slow.

That said, it’s nice to have an idea of what to expect. The way I test is to use the fresh install of WordPress with the standard theme TwentyTwenty. I then performance test the “Hello, world” page, which is mostly text, with just an image header. That way, we’re able to focus on the responsiveness of a basic page without being too concerned about media overhead.

First, I ran two Pingdom Tools tests, one hitting the site from San Francisco and the second from Germany. Here’s the San Francisco test rating:

It’s not stellar, but a good solid B rating is all you can really expect from a bottom-of-the-barrel plan. It’s certainly workable and shouldn’t incur any Google juice SEO penalties. Here’s the same from Germany:

Also, definitely good enough for a small site.

Finally, I hit the site up with LoadStorm, which sends 10 virtual users over the course of 10 minutes to the site, and then measures responsiveness.

This chart is a little difficult to read, so let me first draw your attention to the green and cyan lines. These represent concurrent requests per second and number of users. As you can see, they rise over time. That’s because we want to see how the Bluehost site performs as the load increases. While peak response time bounces all over the map (the blue line), what we really care about is the average response time (the brown line). That seems to indicate that the speed of response actually goes down as load increases. That’s very good. That means that you can reasonably expect that if you get some traffic, your site won’t come screaming to a halt.

Support responsiveness

There’s not much to say here. I had only one interaction, late on a Sunday night. I did get connected with human via chat within about five minutes. The individual was nice and clearly wanted to help. I particularly liked how they let me know that some of the information would take a few minutes to dig up, so I wasn’t left hanging, wondering if they’d gone home for the night.

Unfortunately, as I mentioned above, the accuracy of the answers left a little to be desired. That said, being able to reach a support person who is responsive and who tries to be helpful late on a Sunday night is a good thing.

Overall conclusion

I was very pleasantly surprised. It’s almost impossible to believe that Bluehost and HostGator are part of the same company. HostGator slapped spammy upsells on everything, making the use of their service an annoyance. On top of that, nearly all their key security components were woefully out of date to the tune of 8 years, 7 years, and 11 years.

Bluehost, by comparison, is pretty much up to date. Their portal and even their implementation of upsells in the WordPress dashboard show a great deal of thought and consideration of the overall user experience.

Even though Bluehost is slightly more costly than HostGator ($0.20 per month) in the initial term and considerably more after term renewal ($2.00 more per month), I would definitely recommend Bluehost over HostGator. 

In fact, I’d put Bluehost into the running against the other base level plans I’ve reviewed. It offers a basic staging server mechanism, reasonably fast page loads, current security libraries, multi-factor authentication, and a low-key approach to upsells. It’s not bad at all. Now, maybe they can teach their siblings as HostGator to play nice with others.


You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


Source: Networking - zdnet.com

University of Minnesota security researchers apologize for deliberately buggy Linux patches

The Linux Foundation's demands to the University of Minnesota for its bad Linux patches security project