HostGator review: Good performance, bad security web hosting

If you are in search of a web hosting supplier, you’ve an incredible variety of decisions. In my Best web hosting suppliers for 2021, I checked out 15 suppliers who provide a variety of plans.

To get a greater really feel for every particular person supplier, I arrange essentially the most fundamental account attainable and carried out a collection of assessments. In this text, we’ll dive into HostGator’s choices. Stay tuned for in-depth seems to be at different suppliers in future articles.

HostGator at a look

HostGator was based in 2002 by a scholar at Florida Atlantic University (therefore the “gator” in HostGator). Today, HostGator is one in every of almost 100 web hosting manufacturers owned by Endurance International Group (EIG).

EIG was within the information in 2018, when the Times of India reported that its former CEO and CFO have been charged by the US Securities and Exchange Commission for “overstating the corporate’s subscriber base.” The firm agreed to pay an $8 million penalty with out admitting fault.

UPDATE: HostGator reached out to us requesting modifications to the Quick Security Checks part of this text. Their feedback and our responses are included inline in that part.


Because there’s such variability amongst plans and choices amongst hosting suppliers, it is laborious to get an excellent comparability. I’ve discovered that top-of-the-line methods to see how a supplier performs is to have a look at the least costly plan they provide. You can count on the least high quality, the least consideration to element, and the least efficiency from such a plan.

If the seller gives good service for the bottom-shelf plans, you’ll be able to usually assume the higher plans will even profit from related high quality. In the case of HostGator, there have been some brilliant spots, some annoyances, and a few severe security considerations.

For the collection of hosting critiques I’m doing now, I’m testing essentially the most fundamental, most entry-level plan a vendor is providing. In the case of HostGator, that is what they name their Hatchling plan. To get pricing, I merely went to the corporate’s predominant website at If you need to avoid wasting cash, although, learn to the top of this part.

Like almost each hosting supplier within the enterprise, their providing is considerably deceptive. There isn’t any choice to simply get billed $2.75 monthly. Notice the omnipotent asterisk subsequent to the value.

While it seems to be like you may get the Hatchling plan for $2.75 monthly, that is provided that you prepay for 3 full years, which suggests you are truly paying $105.35. If you need just one 12 months, you are charging $76.11 to your card (which is $5.95 monthly). If you need to purchase the service on a month-by-month foundation, you are paying $10.95 monthly.

When you hit the Buy Now button, the corporate pre-populates a one 12 months subscription with non-obligatory add-ons for website monitoring and backup, including $43.94 to the invoice (however you’ll be able to uncheck these choices).

There’s a painful gotcha to those “beginning at” costs. When you renew, you are going to pay extra. This, too, just isn’t unusual for hosting plans and is a follow I strongly want the hosting business would cease. Instead of paying $105.35 for 3 years, upon renewal you will be paying a whopping $250.20 on a single bank card cost, a value improve that is greater than double the unique value.

What the bottom plan consists of

As with most hosting distributors as of late, HostGator claims limitless disk area, limitless bandwidth, and limitless electronic mail. In follow, these limitless values are restricted within the phrases of service. You cannot use your limitless storage as an enormous backup tank the place you dump gigabytes of video, for instance. They additionally state, “HostGator expressly reserves the fitting to evaluate each shared account for extreme utilization of CPU, disk area and different assets which may be attributable to a violation of this Agreement or the Acceptable Use Policy.”

In different phrases, do not abuse the assets you are shopping for, and purchase the extent of plan fairly commensurate along with your anticipated utilization. If you are about to run an enormous, nationwide promotion the place you count on numerous site visitors, you won’t need to use the Hatchling plan. If you get an excessive amount of site visitors, HostGator would possibly shut you down or invoice you much more.

Their terms of service proceed, “HostGator might, in our sole discretion, terminate entry to the Services, apply further charges, or take away or delete User Content for these accounts which can be discovered to be in violation of HostGator’s phrases and circumstances.”

The base-level plan has some compelling options. First, and that is necessary as we transfer ahead in a quest for a safer web, is the supply of free SSL to your website. This provides that little lock icon to your browser’s deal with bar and makes positive site visitors between your website and your guests is encrypted.

The firm additionally gives 24/7/365 assist which not solely consists of ticket and chat however cellphone assist as nicely. While you are solely ready to make use of one area, you need to use as many subdomains as you want. The firm additionally gives a coupon for $100 in Google adverts and one other $100 in Bing adverts. While you in all probability will not get sufficient advert hits to cowl your value of hosting, it can make it easier to get your ft moist on the planet of Google and Bing promoting.

Dashboard entry

The very first thing I love to do when a brand new hosting supplier is discover their dashboard. Is it an previous good friend, like cPanel? Is it some form of cobbled-together home-grown mess? Or is it a rigorously crafted customized dashboard? These are sometimes those that fear me essentially the most as a result of they virtually at all times conceal restrictions that I’m going to should work round one way or the other.

When you first log into HostGator’s dashboard, you are greeted with their buyer portal. Here you’ll be able to handle your bank card data, get assist, and — most necessary, apparently — purchase the upsell choices they provide.


This just isn’t the one dashboard you will be utilizing. The predominant dashboard is cPanel, which is widespread to many, many websites throughout the Web. While cPanel could be irritating at instances, it is a very succesful interface that permits you to handle all points of your website.

It took a surprisingly very long time for cPanel to launch, virtually a full minute. What’s slightly extra bothersome, although, is the vary of further upsells in the course of cPanel. cPanel is normally fairly predictable and seeing virtually as many adverts and upsells as administration choices have been tedious.


Installing WordPress

There are definitely different content material administration and running a blog purposes you need to use in addition to WordPress. That stated, since 32 percent of the entire Web uses WordPress, it is a good place to begin. WordPress websites could be moved from hosting supplier to hosting supplier, so there is no lock-in. And by testing a website constructed with WordPress, we are able to get some consistency in our testing between hosting suppliers.

I went forward and clicked the Build a New WordPress Site button on the primary cPanel web page… and acquired hit with one other web page of upsell promotions:


At $399, costs have been actually beginning to climb from that tasty little $2.75 provide the corporate promoted. The promos on this setup web page did not say what theme they’d be putting in. WordPress does include a pleasant set of free themes, and most themes are comparatively cheap. I attempted to determine what the $399 program was for, however so far as I can inform, it is merely establishing WordPress, which is normally a couple of five-minute course of.

The distinction between the $199 and $399 program was the addition of search engine optimisation and WordPress website security. To be truthful, most WordPress security plugins and add-ons value a couple of hundred bucks a 12 months, and there are premium search engine optimisation plugins that may value the same quantity. But with out going all over the checkout, it wasn’t clear what instruments HostGator was offering in return for its virtually $400 of upsell.

My recommendation is to skip these upsells. Simply set up WordPress, get to know your website, after which begin with a device like Wordfence or Sucuri to maintain your website protected.

Once I entered my consumer identify and area, I used to be… await it… offered with one other upsell:


I went forward and hit the login button, and… it failed:


I took a fast take a look at the File Manager and decided that the WordPress set up gave the impression to be in place. So, as a substitute of utilizing HostGator’s login button, I simply used the usual WordPress admin URL, which is This labored.

I used to be, nonetheless, not stunned to seek out extra upsells. In this case, the complete predominant dashboard web page — going nicely beneath the scroll of the web page — had upsells.


There appears to be an enormous push for utilizing numerous plugins which can be both freemium or affiliate-based. Jetpack is produced by Automattic, the corporate behind WordPress. It additionally has an associates program.

My guess is that HostGator is pre-installing plugins the place they get some affiliate income. There’s nothing significantly mistaken with that, however plastering these upsells in the course of configuration screens is getting previous.

HostGator additionally dropped in a plugin for one thing known as Mojo Marketplace. This, too, had pages and pages of upsells, this time for themes.


With all of the added plugins, junk, and upsell, it is no surprise that the positioning initially failed once I hit the positioning login button from the HostGator dashboard.

Let me be clear. There is nothing mistaken with utilizing numerous plugins on a WordPress website. That’s one in every of WordPress’s largest strengths. But filling a website with crapware earlier than it is even dwell is nothing however a distraction, can add a substantial quantity of confusion to new customers, and should trigger potential issues by way of performance. Plus, it is simply impolite.

Quick security checks

Security is without doubt one of the largest points in the case of working a web site. You need to be sure that your website is protected from hackers, would not flag Google, and may join securely to fee engines for those who’re operating an e-commerce website of any type. You additionally do not need to distribute malware to your guests. That’s bad.

While the scope of this text would not enable for exhaustive security testing, there are a number of fast checks that may assist point out whether or not HostGator’s most cheap platform is beginning with a safe basis. Here’s the tl;dr: it isn’t. This factor is dangerously insecure.

The first of those fast checks is multifactor authentication. It’s manner too simple for hackers to simply bang away at a web site’s login display screen and brute-force a password. One of my websites has been pounded on for weeks by some hacker or one other, however as a result of I’ve some comparatively sturdy protections in place, the bad actor hasn’t been in a position to get in.

Unfortunately, I’ve to ding HostGator for what I think about a reasonably severe security flaw. When you log into their buyer portal, all it is advisable to present is a username and password. However, if you wish to ask assist questions and get solutions, you do must arrange a assist PIN. This is a partial step ahead. The downside is that for those who’re in a position to log into the primary administration account, you’ll be able to change the e-mail deal with related to it, after which have a brand new assist PIN despatched out. The backside line is with out a second issue for login authentication, the PIN is actually nugatory.

Secondly, in accordance with the assist particular person I reached out to on chat, HostGator’s cPanel implementation additionally doesn’t assist multi-factor authentication, at the least within the lower-end accounts.


Multi-factor authentication ought to by no means be an upsell choice or offered just for premium accounts. It takes little or no effort for a hosting supplier to allow it. Not solely does it defend the person clients utilizing the function, however it additionally protects all the purchasers of the hosting supplier. That’s as a result of most shared hosting servers share IP addresses. If a spammer or scammer hijacks a shared hosting account and that account is blocked, it is totally attainable that every one the accounts sharing that IP or that IP’s bigger block of numbers will likely be blocked as nicely.

I strongly suggest that HostGator implement MFA for all accounts instantly, for his or her profit in addition to that of their clients.

I discussed earlier that HostGator gives a free SSL certificates. They’re utilizing Let’s Encrypt, a program that gives free, automated SSL certificates. Let’s Encrypt is enabled by default, so when you arrange a web site, all it is advisable to do is use your https:// in your URL to supply encrypted URLs to your guests.

As my final fast security examine, I like to have a look at the variations of a number of the predominant system parts that run web purposes. To make issues simple, I selected 4 parts essential to protected WordPress operation. While different apps might use different parts, I’ve discovered that if parts are up-to-date for one set of wants, they’re normally updated throughout the board.

Here are my findings derived from the HostGator versions page and a nice tech assist dialog, as of the day I examined [in July 2019], for HostGator’s Hatchling plan:


Version Provided

Current Version

How Old



7.4.14 (8.0 continues to be a bit new)

fairly present 




8 years / 2904 days (finish of assist is Feb 21)




11.3 years / 4124 days


 1.0.1e-fips 11

1.0.2t (and 1.1.1)

7.1 years / 2592 days

The cURL library, which is supposed for knowledge switch, significantly of safe data, is vastly and woefully old-fashioned. A fast take a look at the cURL release table exhibits there have been 1000’s of bugs mounted and lots of of vulnerabilities resolved for the reason that model of cURL being offered by HostGator was launched again in 2009. That’s greater than a decade previous. That could be like strolling round at this time with an iPhone 3GS and operating Windows Vista in your PC!

UPDATE: HostGator advised us, “cURL does record an older uncooked model, however RedHat/CentOS backport security patches and we replace all servers at the least each day. This is normal for RedHat/CentOS and anticipated conduct.” This is definitely a really fascinating course of. Red Hat does go back to older versions of standard Linux software and port security fixes, as HostGator said. However, even with security fixes utilized, providing an almost 10-year-old model of cURL will present web site house owners with ongoing compatibility challenges, significantly with fee gateways.

The firm helps OpenSSL 1.0.1e-fips 11, the place the completely most present model is 1.1.1. The gotcha is that when OpenSSL went to 1.1, it broke lots of code. As a end result, the OpenSSL challenge is updating each the 1.0.2 department and the 1.1 department. I do know, it is sufficient to provide you a headache. Here, regardless of all of the model quantity confusion, there’s one reality it is advisable to know: the model of OpenSSL HostGator is supplying can be vastly old-fashioned.

UPDATE: HostGator advised us, “OpenSSL additionally lists an older uncooked model, however once more RedHat backports security patches and we guarantee each day updates.” This is identical backporting course of Red Hat makes use of for cURL. It signifies that whereas security flaws have been up to date, the model and its compatibility continues to be almost a decade previous.

HostGator is utilizing model 5.6 of MySQL. While MySQL helps many variations, the newest is 8.0. HostGator’s MySQL implementation is eight years previous.

UPDATE: HostGator advised us, “All HG containers have MySQL 5.6 or increased. The article experiences 5.5, which hasn’t been in place for a very long time.” While this was the model proven on HostGator’s personal variations web page when the article was written, we’re glad to see MySQL has been up to date.

What’s worse, every of the variations of those packages are beneath WordPress’s minimum requirements

Because MFA just isn’t obtainable and since many of those variations (even with backported security updates) will trigger trendy software program to fail, we think about HostGator a lower than optimum alternative for e-commerce or any security-related website.

Performance testing

Next, I wished to see how the positioning carried out utilizing some on-line efficiency testing instruments. It’s necessary to not take these assessments too significantly. We’re purposely wanting on the most low-end choices of hosting distributors, so the websites they produce are anticipated to be comparatively sluggish.

That stated, it is good to have an concept of what to anticipate, and that is what we’re doing right here. The manner I take a look at is to make use of the contemporary set up of WordPress after which take a look at the “Hello, world” web page, which is generally textual content, with simply a picture header. That manner, we’re in a position to deal with the responsiveness of a fundamental web page with out being too involved about media overhead.

One notice: usually I would not take a look at a website with all of the crapware plugins put in. But since most customers who purchase these plans in all probability will not know learn how to take away the plugins or which plugins are protected to take away, I examined efficiency with these plugins put in. I absolutely anticipated efficiency numbers to take successful from all that added cruft, however I used to be mistaken. The efficiency wasn’t bad in any respect.

First, I ran two Pingdom Tools assessments, one hitting the positioning from San Francisco and the second from Germany. Here’s the San Francisco take a look at score:


And here is the identical website from Germany:


Next, I ran the same take a look at utilizing the Bitchatcha service:


Finally, I hit the positioning with Load Impact, which sends 25 digital customers over the course of three minutes to the positioning after which measures the responsiveness.


The Load Impact take a look at was additionally considerably sudden. At the start of the take a look at, some web page load instances took longer than they need to. But because the variety of digital customers climbed, responsiveness settled into a pleasant rhythm.

While lower-end hosting plans typically have spotty efficiency, this was an excellent displaying. Most lower-end plans, together with the one we’re testing, share server assets with different clients. So, at instances of heavy exercise, if one website is seeing heavy utilization, the opposite websites might undergo. I’m testing this website on a Sunday afternoon, which is a comparatively sluggish interval in web hosting phrases, besides, the efficiency for this bottom-end website was unexpectedly cheap.

Support responsiveness

I solely wanted to contact assist as soon as, by way of the chat interface. I used to be related to somebody inside about 5 minutes. It took a number of extra minutes to determine a assist PIN, however then I acquired my reply rapidly.

For a Sunday afternoon, it was a whole, fairly educated reply. I’ve definitely skilled far worse assist.

Overall conclusion

You by no means need to get your expectations too excessive for a bottom-end plan. The economics of operating such a super-cheap providing is that the supplier has to make it up on quantity. Professional and enterprise hosting plans with numerous site visitors and efficiency should, out of necessity, value extra.

The solely method to actually know what it is like to make use of a service is to run a dwell web site on it for a number of years. That stated, I used to be each happy and upset with HostGator’s displaying.

I discovered my interactions with HostGator’s buyer portal and cPanel to be sluggish. It typically took 30 seconds to a minute for a click on to course of by way of to a end result.

On the opposite hand, the efficiency of the positioning being hosted by HostGator, the positioning you are paying for and need to be extremely performant, was fairly good.

HostGator’s comparatively fixed upsell, particularly inside the configuration and operational points of the management panel proved intrusive. The firm put in manner too many plugins within the default WordPress set up, which not solely precipitated the preliminary login to fail, however would possibly make it way more complicated for brand new customers.

Finally, the corporate’s lack of assist for contemporary security protocols and login security is deeply disturbing. They’re letting lots of of 1000’s of consumers launch web sites with woefully out-of-date security software program. Given that the security libraries are free and open supply, there’s simply no supportable cause for HostGator to be lax on this most necessary side of Web security.

The firm gives a 45-day money-back assure, which is affordable.

The backside line is that this: if you wish to arrange a easy web site as a web based brochure, HostGator must be high-quality. But if you need customers to log in to or pay for one thing by way of your website, do not use this plan.

You can comply with my day-to-day challenge updates on social media. Be positive to comply with me on Twitter at @DavidGewirtz, on Facebook at, on Instagram at, and on YouTube at

Related Articles

Leave a Reply

Back to top button