Sr. Front-end Developer, 15+ Years of Web Development on HubSpot and Various CMSs
July 2nd, 2020
Owning and operating a website has intrinsic risks associated that no one can shirk. Probably the most notable is the risk of being hacked.
It’s an unfortunate fact of life just like owning a home has associated risks — fire, theft, water damage, sinkhole... you get the idea — it’s the same with owning a website.
With this in mind, one thing many businesses overlook when shopping for a web host is evaluating the type of support you can get when your website gets hacked, but it might save the day when you least expect it.
Many platforms and hosting companies claim to be more secure than their competitors, but anything connected to the internet is vulnerable.
Choosing the right partner that will protect your site and your customers as much as possible, then quickly move to help get you back up and running is really the best you can do.
I’ve personally dealt with quite a few web hosts over the years, but no two more than GoDaddy and WP Engine. These two, for many reasons, are my go-to web hosts, depending on the client, their hosting needs, and budget.
Let’s see how they stack up when looking at their support in getting a hacked site back online.
What should you look for from support if you’re hacked?
Picture this: you wake up and there are 35 text messages and 13 missed phone calls waiting for you. You nervously call into work. Your site has been hacked.
It started out subtle at first, some weird links started showing up on pages here and there, then customers started calling to say that they submitted a form on your site and were redirected to an online casino. Now none of your site administrators can access the site.
Oh yeah, it’s hacked.
This nightmare scenario happens from time to time, and it’s in choosing the right hosting partner that the anxiety associated with the subject can be eased.
When you've been hacked, at first you might not know where to turn or exactly what you need to do first.
Well, I’m here to tell you that all you really need is someone that will make it easy to reach out for their help, will respond quickly, assume some responsibility, and help get you back up and running. That’s it.
These simple assurances help me sleep better at night — especially as our WordPress client base grows here at IMPACT — so let’s compare the two platforms based on these criteria.
Contacting support via chat
Chat is my preferred method of communication with support. It saves me time and allows me to work while they work in the background to solve the problem.
Both chat support experiences are commensurate and both do provide some immediate information.
GoDaddy’s chat starts off as just a bot; an automated response software which feels geared towards providing a way for customers to self-diagnose and self-support without immediate access to a human being.
Once you’ve self-categorized and gotten past all the prompts seemingly designed to make you go away, you do eventually end up chatting with a human being, but the communication feels disjointed at best — and downright frustrating at worst.
In some cases you’ll get canned responses, which are definitely polite but not especially helpful. In other cases, you’ll wait a long time, sometimes as much as 5-7 minutes for a response (which feel like an eternity) only to realize they’ve completely misunderstood your question.
I’ve had a few cases where I know they’ve suggested I do something that would have zero bearing on the issue I’ve described.
WP Engine, however, actually had another person in the chat that was able to intelligently respond with pertinent questions and information that helped get me back online quickly and efficiently with virtually zero hold time. It was an actual personalized conversation.
In the aftermath of a hacking, human connection and efficiency win the day.
Winner: WP Engine
Contacting support by phone
While GoDaddy’s call-in experience is a bit more fun, with some casual and humorous language designed to keep me entertained as I navigate through their phone prompts, I found that both providers had very knowledgeable support staff that were able to quickly provide next steps I should follow.
At GoDaddy, my personal experience with requesting support has mostly been limited to shared hosting, so I can’t compare apples to apples, but their support staff have always been able to diagnose the issue, disable infected files, and recover them where possible to get the site back online.
I’ve had to call GoDaddy more often since their chat option almost always leads to frustration for me. For this reason I do have quite a bit more experience with them on the phone.
WP Engine’s support staff, however, will usually recommend a restoration from the “last good backup” — typically recommending you use the backup generated at least one day before. This is to ensure that you don’t inadvertently restore a backup that still contains the hacked code.
I agree with this being the best approach. Then, once the site is restored, they’ll typically recommend you go through and update everything to the latest available version — in other words, the site’s core WordPress installation and all pending plugin updates.
All that said, both hosting providers have friendly and experienced staff and I honestly can’t complain with any of my experiences at either one, but I’d say GoDaddy has the upper edge here. Their hold times have been shorter, in my experience, and their phone support just feels more robust overall.
How quickly can we get back online?
I’ve asked this question many times over the years and the answer is always the same: “Don’t worry, we’re working fast to get you back up and running as quickly as possible.”
The thing is, that usually means back up and running in the current, potentially still-hacked state.
If the website's hacker has used self-propagating code, it’s very difficult to eradicate. Removing one file can sometimes trigger ten new files to be created.
The best way to ensure you get back to a clean version of your site is by using a backup you know, to the best of your knowledge, is clean.
WP Engine has one-click backup restore, which I’ve used quite a few times and works very well.
The process is painless and is a game changer when it comes to sleeping well at night. Having that backup service run every day is a security blanket you don’t know you need until you need it.
GoDaddy offers backup services included in their Managed WordPress hosting plan or for an additional fee on their shared hosting plans.
Using it is also one-click, and I’ve never had any issues with it.
This round is a tie, folks.
So, which do I recommend?
If you run a WordPress website and you have a little bit extra every month in your budget (I’m talking about $10 more), then I’d recommend going with WP Engine.
The services they offer and the way they’ve executed them, in my opinion, are superior when it comes to security and continuity. Overall they’re a better value.
For only $20 per month you get, essentially, the same services as WP Engine (Managed WordPress Hosting, backup, SSL, CDN, etc.) but to me it’s a bit harder to engage with GoDaddy if you ever need support.
If you don’t run a WordPress Website, then GoDaddy is your only option here. Any one of their plans can be augmented with a backup service for your peace of mind.
But the real trick is avoiding hacking altogether
Hopefully, you’ll never have to deal with any of this. Here are steps you can take right now to minimize the risk of being hacked.
We’ve covered some ways to secure your website before, and it’s always important to follow the usual best practices — like enforcing the use of strong passwords, keeping your software up-to-date, and generally being smart about your overall security practices — but here are some other ways you can minimize your risk.
If I could suggest just two steps that you could take right now that would accomplish 80% of the risk mitigation, it’d be the following:
1. For WordPress’ stand-alone content management system: Use a Managed WordPress hosting plan.
Oh and by the way, you don’t need to worry about this at all if you’re using a SaaS hosting provider.
When you rent your home, all the risks that come with it are assumed by the landlord and you pay a monthly fee (i.e. rent) that includes enough monetary value to assume all the associated risks and maintenance.
Typically, the parts of these softwares that power the overall browsing experience is shared among all their clients. This ensures the utmost attention and prevention possible since one breach would affect so many customers.
A hacking scenario is exceedingly rare because there are people working behind the scenes at all times to avoid it completely.
Usually a SaaS hosting company like HubSpot, for example, will cost a little more money, but that fee includes the assumption of responsibility that your site will always be working smoothly so you can focus on what you do best — delighting your customers.
Depending on your budget and software needs, this might be an alternative and attractive option.
Here Are Some Related Articles You May Find Interesting