WordPress-based membership sites have certain requirements, and make use of certain applications, that in my experience make most of the popular hosting providers a poor choice.

While there are plenty of excellent hosting providers out there that would work well for a regular (i.e. non-membership) website, most hosting companies don’t give you a solid foundation for launching and growing a WordPress membership site without running into constant, annoying issues.

Let’s look at some of the reasons for this…

Aggressive caching breaks membership sites

Most web hosting companies that provide WordPress-specific hosting packages promise impressive page load times.

How can they make such a promise across the board despite the significant differences between various websites in terms of resource consumption, file and database sizes, traffic figures, and other factors that influence page load times?

That is, if I have a one-page site with 2 plugins installed and I get 10 unique visitors per day, while you have a massive authority site with hundreds of pages, dozens of plugins, and thousands of visitors per day, is it possible to promise the same site speed improvements?

The answer of course is NO, but you can still achieve a significant improvement on most websites.

This is done primarily by using aggressive caching techniques on the server level.

By “server level” I mean that the caching is activated by your hosting provider for all of your domains, and not by a plugin inside your WordPress dashboard for each individual domain.

The problem with this approach is that caching often “breaks” membership sites.

Specifically, caching on a membership website can result in content access issues, strange billing events, login problems, and other seemingly inexplicable issues, which are of course perfectly explicable.

Furthermore, if you turn your caching OFF (assuming your hosting provider even gives you that option) you will lose the primary benefit that the hosting company promises in the first place (increased site speed)!

In a best case scenario, caching isn’t implemented as one big on/off switch but rather as a series of performance improvement “layers”.

[Image: services inside my CloudWays panel]

This would be a great boon because sometimes only one caching layer causes issues on your website (most typically the Varnish cache).

If you were able to disable just that particular layer, you’d still be able to retain the speed benefits of having the other layers enabled (like say Memcached or Redis).

Unfortunately, none of the managed WordPress hosting companies I’ve worked with allow you to enable and disable individual caching layers.

You can either turn caching ON or OFF.

Not enough caching exclusions

Similarly, sometimes you only need certain posts or pages to be excluded from getting cached.

It makes sense that you’d want your forward-facing pages – such as your sales pages, landing pages, blog, etc. – to receive the speed benefits of caching.

Yet you want to exclude all system pages and member-facing pages (login, logout, my account, my profile, etc.) from being cached, as not doing so often results in weird conflicts.
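To check whether a host's cache is actually honoring those exclusions, you can audit the response headers of member-facing URLs. The following is an added example, not code from this article or any hosting provider: the `/my-account/`, `/my-profile/` and `/logout/` slugs and the sample responses are constructed assumptions, and `X-Cache` is a common but non-standard header that not every host sends.

```python
"""Audit captured response headers for member-facing pages that a
server-level cache served, or is allowed to store and reuse."""
import re

# wp-login.php and /wp-admin/ are WordPress core paths; the other slugs are
# hypothetical stand-ins for a membership plugin's member-facing pages.
MEMBER_PATHS = [
    r"^/wp-login\.php",
    r"^/wp-admin/",
    r"^/my-account(/|$)",
    r"^/my-profile(/|$)",
    r"^/logout(/|$)",
]


def is_member_path(path):
    return any(re.search(p, path) for p in MEMBER_PATHS)


def cache_directives(headers):
    """Parse Cache-Control into a dict of lowercase directive -> value."""
    out = {}
    for part in headers.get("cache-control", "").split(","):
        name, _, value = part.strip().partition("=")
        if name:
            out[name.lower()] = value.strip('"')
    return out


def served_from_cache(headers):
    """True when the (lowercased) headers show a shared cache answered."""
    age = headers.get("age", "").strip()
    if age.isdigit() and int(age) > 0:
        return True
    if "hit" in headers.get("x-cache", "").lower():
        return True
    # Varnish puts two transaction IDs in X-Varnish on a hit, one on a miss.
    return len(headers.get("x-varnish", "").split()) == 2


def audit(path, headers):
    """Return the list of findings for one captured response."""
    headers = {k.lower(): v for k, v in headers.items()}
    if not is_member_path(path):
        return []  # public pages are supposed to be cached
    findings = []
    if served_from_cache(headers):
        findings.append("served-from-cache")
    # Without one of these directives a shared cache may store the page
    # and hand it to the next visitor without asking the origin.
    if not cache_directives(headers).keys() & {"private", "no-store", "no-cache"}:
        findings.append("shared-cache-may-reuse")
    if "set-cookie" in headers and "served-from-cache" in findings:
        findings.append("cached-set-cookie")
    return findings


# Constructed sample responses (path, headers); not captured from a real site.
SAMPLES = [
    ("/blog/launch-post/",
     {"Cache-Control": "public, max-age=600", "Age": "120", "X-Cache": "HIT"}),
    ("/my-account/",
     {"Cache-Control": "max-age=600", "Age": "48", "X-Varnish": "32770 98311",
      "Set-Cookie": "wordpress_logged_in_EXAMPLE=constructed"}),
    ("/wp-login.php",
     {"Cache-Control": "no-cache, must-revalidate, max-age=0, no-store, private",
      "X-Varnish": "65540"}),
    ("/my-profile/",
     {"Cache-Control": "public, s-maxage=300", "X-Cache": "MISS"}),
]


def run_audit(samples):
    return {path: audit(path, headers) for path, headers in samples}


if __name__ == "__main__":
    for path, findings in run_audit(SAMPLES).items():
        print(f"{path:22} {', '.join(findings) or 'ok'}")
```

A `served-from-cache` or `cached-set-cookie` finding on a member page means one visitor can receive a page, or a session cookie, that was generated for another.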

Some hosting companies allow you to request caching exceptions from the support team.

While I don’t know how each individual hosting provider handles this situation, and some may be more generous than others, my experience with WPEngine (who I’m not picking on, but just using as a readily available example) is that they only give you about 10 exceptions.

Too many exceptions negatively impact the performance of the server, which also hosts other customers’ websites in addition to your own (that’s right folks, WPEngine is shared hosting).

How likely is it that your membership site will have only 10 or fewer pages that need to be excluded from the cache?

Pretty darn unlikely.

Which makes WPEngine problematic as a hosting provider for membership websites, as detailed in this case study of Brittany Lynch’s authority membership site.

What you really need is the ability to exclude an unlimited number of pages from getting cached, among other options.

I reiterate that this aggressive server-side caching would be fine if you were running a non-membership site, so long as it didn’t conflict with any of your other applications.

But often the conflict is unresolvable.

This is by the way one of the reasons why it’s always a good idea to keep your “main” site and your membership site on completely separate domains.

Site speed chained to caching

Let’s recap:

One of the chief value propositions of many WordPress-focused hosting companies is faster load times for your websites.

But they achieve this increased speed through aggressive caching.

While that would be fine for a non-membership site, this caching very often causes all sorts of conflicts with the various WordPress membership scripts including MemberMouse, Digital Access Pass (DAP), MemberPress, OptimizeMember, iMember360, and others.

It’s not surprising that heavy caching impacts most of the major membership plugins in strange ways because caching by its very nature conflicts with the way membership plugins function.

If you disable caching – if it’s even an option – you fix the conflict.

However, you wind up losing the speed boost that you signed up for in the first place.

So why would you pay a premium for a hosting platform whose main benefit doesn’t apply to your websites?

Exactly.

Thankfully, caching isn’t the only factor that influences site speed.

There are (at least) three other important factors:

1. Server location

2. Quality and configuration of the server

3. Number of applications and activity on the server

Let’s take a quick look at each of these factors…

The importance of your server location

Most hosting providers don’t give you the ability to deploy your server in the geography of your choice.

That’s unfortunate because the closer your server is to your visitors’ location, the faster your site will load for them.

If, for example, your audience is primarily Australians, having your server located somewhere in the USA would result in really slow page load times because their devices (in Australia) have to connect to a server on the other side of the world (in the US).

Some cloud hosting providers allow you to choose your server location, and I consider it to be a huge (and rather underrated) selling point because it can have such a profound effect on page load times.

Further, if you can’t make full use of caching on a membership site (which you can’t), you want to max out the other speed factors.

And server location is a biggie.

Quality and configuration of your server

Suffice it to say that you want your site hosted on the highest quality servers possible, which are configured as optimally as possible.

These are really two separate issues but I’ve bundled them together because a fastidious configuration on a fundamentally poor quality server will still yield poor results.

You need both.

And of course, every hosting company claims they have “best in class” servers and peppers their sales copy with superlatives.

That may or may not be true of certain providers; it’s impossible to prove one way or another.

My strategy is much simpler.

I use the most trusted cloud hosting providers in the world and let them worry about the hardware.

Hence, most of my personal sites and customers’ sites are hosted with either AWS (Amazon Web Services), Vultr, or Digital Ocean.

These are the best-known providers in the world, who invest millions of dollars into industry-leading infrastructure.

So you may as well partner with them if you can (and you can!)

And in fact, you may be surprised to learn that many of the largest hosting companies in the world piggyback on these very same providers – most typically AWS – for their server needs.

By using one of these cloud hosting providers you have more freedom about where your server is located and how it’s configured.

Thus you can provide the best possible page load times to your visitors without having to rely solely on aggressive caching techniques, which are likely to interfere with the functioning of your membership site in the first place.

Number of websites on your server affects load times

The more applications (websites) you have on your server, the more these sites compete for your finite server resources.

This is the reason that shared hosting is generally slower than dedicated, VPS and cloud hosting.

It’s because the shared server not only hosts all of your domains but also the domains of hundreds, even thousands of other customers.

In this model hosting companies keep tight controls over resource consumption (SiteGround is infamous for being particularly stingy) because if they allow unchecked resource usage their costs per customer would skyrocket, and the performance of the other sites on the server would fall.

If you’re just starting out with your project or are trying to validate if it’s a viable business idea, shared hosting is actually a good deal simply because it’s cheap.

Once you’re getting ready to launch a product to an eager audience, or you’re already making sales of your membership, THEN it’s time to get off shared hosting and outlay for a more professional solution.

Best shared hosting for a membership site

The best shared hosting provider I’ve had the pleasure to work with is MediaTemple, and they’re who I’d recommend if you’re just starting out.

By the way, I get no money for endorsing MediaTemple.

Whereas if I told you that Bluehost is the best I’d get $100 commission straight to my PayPal if you signed up with my referral link (Pat Flynn from SmartPassiveIncome.com earns tens of thousands of dollars per month recommending Bluehost to his audience).

WPEngine pays out over $200 per referral.

And that’s the rub.

If you search around online you’ll find a lot of people who recommend HostGator, Bluehost, GoDaddy, SiteGround and others, and tout them all as “the best”.

But it’s hard to gauge whether these are genuine endorsements based on a lot of positive personal experience with these companies OR biased endorsements because referring a new customer pays incredible commissions.

In far too many cases I suspect it’s the latter.

My experience with HostGator, Bluehost, and GoDaddy has been that they are high-volume providers who don’t give you the best performance, outsource all of their support to India (which would be fine if the support didn’t suck), and try to sell you a bunch of crap you don’t need all the time.

Not to mention, they partner with crooked companies like Sitelock to try and screw honest people who don’t know any better out of their hard-earned cash.

Not my kind of company.

Is SiteGround a good hosting provider for membership sites?

SiteGround is perhaps the most highly recommended hosting company online.

But my experience with them has not been very positive.

There are two areas in particular where SiteGround do a poor job.

First, they start your hosting account out in “resource starvation”.

Let me explain what that means.

One of my customers had built a membership site but only had a small trickle of traffic and members.

I’m talking less than 20 unique visitors per day…

The site itself is standard fare and doesn’t run some insane amount of resource-hungry applications that would bring his server to the brink of burnout.

Yet shortly after completing the site he received a message from SiteGround informing him that he was running out of resources and if he wanted to continue running his site without issues, he’d need to upgrade to a plan that offers additional resources.

This, to me, is some sneaky shit.

In fact, it’s been reported all over the web by other SiteGround customers who quite rightly wondered how their dinky little sites with little to no traffic could possibly consume enough resources to warrant an upgrade.

Answer: it’s because SiteGround’s entry level plan is so fundamentally limited that you will inevitably run into resource consumption issues.

Then when you write in to support to complain you will most certainly get pitched on their next tier of service.

In contrast, on CloudWays you can run a WordPress site that gets 10 THOUSAND unique visitors per month on a pipsqueak 1GB server instance from Digital Ocean for all of $17/month, and you’re unlikely to go into resource starvation.

I feel I can be objective here because SiteGround pays excellent commissions (as do Bluehost, WPEngine, and many others) and CloudWays pays downright awful commissions.

So I don’t stand to make more than a little coffee money by recommending CloudWays.

I recommend them because I use them, they absolutely rock, and I run my entire “hosting with a service” company on their platform, period, end of story.

It’s a case of “follow the money”.

CloudWays has (presumably) narrower margins in their business because they provide a better service.

Bluehost, SiteGround and the other shared hosting companies can afford to pay big ass commissions because they nickel and dime their customers and employ shady tactics to secure additional cash.

The only shared hosting company that I’ve had a consistently positive experience with is MediaTemple, and again, I make no commissions from recommending them.

The folks at this company are consummate professionals.

The product itself is fantastic and the support is great.

My business partner Lesly managed to get the page load times for his unlimited graphic design service, Rapid Bear Design, down to under 2 seconds on Media Temple.

And this is on shared hosting!

The SECOND major problem with SiteGround is that when you submit a support ticket, multiple support agents reply to it.

This often results in your issue being volleyed back and forth between different support reps with nobody taking full ownership of solving your problem.

This increases the time to resolution and pisses off customers who quite naturally feel like support keeps passing the baton instead of running it home.

Their support also has a strange approach of notifying but not rectifying.

In terms of notifying, they do a fantastic job.

“Sir, you have such and such a problem, and here’s why, and here’s what you might do to fix it.”

Whereas with CloudWays my experience has been “Sir, please wait a moment. [5 minutes later] Ok, please check your site now. [Problem fixed]”

Subtle difference that makes all the difference.

My beef with “managed” WordPress hosting

The so-called managed WordPress hosting industry has been exploding over the past few years.

There are countless hosting providers who offer WordPress-specific hosting and market it under the name “managed WordPress hosting”.

Many of them are essentially resellers of Amazon’s cloud hosting platform, or Digital Ocean, or others.

(And there’s nothing wrong with that because my hosting company is essentially a reseller of premium cloud hosting as well, but with a premium service on top.)

Then there are the more well-known web hosts you’ve probably heard of like WPEngine, Pagely, Flywheel, Liquid Web, et al.

But how do these companies define “managed”, anyway?

Do they actually “manage” anything?

From what I can tell, “managed” is a marketing term rather than an apt description of what you get.

It mostly means that they configure your hosting “stack”.

Otherwise you’d have to hire a sys admin to do it for you since it’s pretty technical stuff.

It can also mean that you get automated backups, and other sundry items that, to me, should already be a core part of any hosting offering for non-technical end users (i.e. the great majority of people!)

So in the sense that you don’t have to set up and configure your server settings from scratch, the hosting is indeed “managed”.

But in the sense that a real human being is looking after and taking care of your site proactively as if it were his own, they are most certainly NOT managed.

What we do at SpeedKills.io can accurately be described as managed; what the other guys do might be better described as “configured”.

Bundle up with managed WordPress hosting

Furthermore, managed WordPress hosting packages typically consist of a number of features or products bundled together.

Often when you sign up for a product or service, you only really want one or two high-value features.

But you tend to accept the rest of the bundle because that’s the price of getting those coveted main features.

Or you simply go to another provider.

I learned this lesson when I was collecting customer feedback for my podcast production service, JustRecord.it.

I was offering an all-inclusive, done-for-you service where I would edit your podcast, transcribe it, write a blog post about it, post on social media, write your broadcast email, etc.

But as it turns out, people only really care about editing and (to a lesser degree) transcription.

All of the other services I’d bundled together were pretty much worthless to my prospective customers, and served merely to raise the price and dilute my offer.

That’s why I prefer the CloudWays hosting platform.

It allows you to choose what you need à la carte without forcing you to accept a bunch of low-value services and features that you may not need.

In fact, we run our entire “hosting with a service” company, SpeedKills.io, entirely on the CloudWays platform.

Taking Security Seriously (Without Seriously Taking Advantage)

Security is an often misunderstood subject simply because most people don’t understand it.

(I know, I ought to write zen koans for a living).

This creates a situation where many companies take unfair advantage of people who don’t know any better when it comes to security.

Because the very mention of a hacked site strikes instant fear into the hearts of website owners everywhere, it becomes incredibly easy to sell somebody a service that they don’t actually need.

Bluehost Tries to Screw my Customer, Hilarity Ensues

My experience with Bluehost, for instance, illustrates this point perfectly.

Their malware scanners identified an infected file on one of my customer’s websites and immediately shut down their entire server.

All of my customer’s websites, which collectively generate thousands of dollars in sales per day, had been shut down on the basis of an alleged malware infection.

When I got on the horn with Bluehost support they insisted that we had to pay $250 to clean up the hack.

“What hack?” I asked.

They were strangely reluctant to tell me where the supposedly hacked file was located in my client’s directory structure.

But I managed to get it out of them.

I then asked my malware removal specialist Cristian to investigate the situation.

Lo and behold, he found that the file in question was not in fact malware, but a licensing file with obfuscated code.

I messaged Bluehost support and they reinstated the websites.

But shortly after that we had a repeat of the same exact situation.

You see, most of these larger hosting companies use automated malware scanning scripts which often return false positives.

However, the second time around support refused to tell me all of the allegedly infected files so I wasn’t able to clean it myself, or even determine if any cleaning was needed!

I found this withholding of information to be total bullshit (most likely illegal bullshit, I might add).

Here Bluehost shuts down your site on the basis of an alleged hack, refuses to tell you where the hack is, demands $250 to clean up the problem (even if there isn’t one), and holds your sites (all of them) hostage until you do.

Is that not the definition of extortion?

As infuriating as this is, the reality is that most website owners would probably pay the fee and chalk it up to the cost of doing business online.

In fact, I suspect that many companies generate millions of dollars in ill-gotten revenue by exploiting this combination of fear and ignorance.

Once I explained this situation to my client and told her that I’d be happy to host her site for her, she eagerly agreed.

Bluehost practically pushed her into my arms.

I then requested that Bluehost reinstate the websites temporarily so we could move them but they were uncooperative on this point, too.

So we had to manually migrate all of my customer’s websites to CloudWays, manually clean them and harden them against future attacks.

How many problems have we had since then? ZERO.

That’s not surprising because we take security very seriously.

As soon as we learned about the CloudFlare data leak, for instance, we immediately went through and updated the salts in the wp-config.php file of all our customer websites that are run through CloudFlare (among other security measures).
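One way to carry out that salt rotation, as an added example rather than the author's own tooling: the eight constant names are the standard WordPress keys and salts, while the `wp-config.php` fragment and its values are constructed. Rotating them invalidates every existing login cookie, so all users have to sign in again.

```python
"""Replace the WordPress authentication keys and salts in wp-config.php text."""
import re
import secrets
import string

WP_KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]

# No quotes or backslashes, so a value is safe inside a single-quoted PHP string.
ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"

# Matches one define('NAME', 'value'); line, with either quote style.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\);[ \t]*$""",
    re.MULTILINE)


def current_values(config_text):
    """Return {constant: value} for the keys and salts present in the text."""
    return {m.group("name"): m.group("value")
            for m in DEFINE_RE.finditer(config_text)
            if m.group("name") in WP_KEYS}


def rotate_salts(config_text):
    """Return (new_text, rotated, missing); other define() lines are untouched."""
    rotated = []

    def repl(match):
        name = match.group("name")
        if name not in WP_KEYS:
            return match.group(0)
        rotated.append(name)
        value = "".join(secrets.choice(ALPHABET) for _ in range(64))
        return f"define( '{name}', '{value}' );"

    new_text = DEFINE_RE.sub(repl, config_text)
    missing = [k for k in WP_KEYS if k not in rotated]
    return new_text, rotated, missing


# Constructed wp-config.php fragment; NONCE_SALT is left out on purpose so the
# "missing" report has something to show.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'constructed_db' );
define( 'AUTH_KEY',         'old-constructed-value-1' );
define('SECURE_AUTH_KEY', "old-constructed-value-2");
define( 'LOGGED_IN_KEY',    'old-constructed-value-3' );
define( 'NONCE_KEY',        'old-constructed-value-4' );
define( 'AUTH_SALT',        'old-constructed-value-5' );
define( 'SECURE_AUTH_SALT', 'old-constructed-value-6' );
define( 'LOGGED_IN_SALT',   'old-constructed-value-7' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    text, rotated, missing = rotate_salts(SAMPLE_CONFIG)
    print(text)
    print("rotated:", rotated)
    print("missing:", missing)
```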

Good security is largely a matter of preventative maintenance.

But if your site gets hacked, God forbid, your hosting provider should be all over it and it shouldn’t cost you an arm and a leg.

That’s why we do affordable malware cleanup for sites that aren’t hosted by us and free malware cleanup for our loyal customers.

Sitelock Tries to Scare My Customer Using Bully Tactics, hilarious GIF usage ensues

Sitelock is a malware scanning and removal company that has earned quite the bad reputation [1] [2] [3] from people who know what the hell they’re talking about.

But the lay person who just wants to run their online business without incident remains an easy target for this breed of vultures.

Like Bluehost (who pimp Sitelock to their customers) they feed on a combination of fear and ignorance to secure the sale.

To wit, I recently moved one of my customers over from GoDaddy to my hosting platform.

A few days later she forwarded me a message that she received from SiteLock which she had active on her GoDaddy account.

They alleged that there was malware (so-called “cross-domain scripting”) on her website and that she should pay to clean it up.

The only problem with their claim was that the website files and databases were already on my hosting platform, and the DNS was pointing to us too.

Therefore, if there was any vulnerability, it was a non-issue because all of the sites on that server were no longer hosted with GoDaddy, and we’d already cleaned and hardened the site.

My customer forwarded my reply to Sitelock and they responded saying that we still had some DNS records pointed to GoDaddy and that this still represented a vulnerability.

Again, this is a situation where somebody who doesn’t know about this stuff would probably say “oh ok, well let’s do it then. How much?”

But the only DNS records that matter in this instance are the A Record and the CNAME, which were both pointed to our CloudWays account.

The other DNS records were legacy records that can in no way cause or permit a hack to occur.

Sitelock was straight up lying to my customer to try to sell her their bullcrap service.

She asked to cancel and they demanded a $500 cancellation fee because she’d paid for a year up front.

I had our malware removal specialist Cristian look at the notification from Sitelock and he told me that the cross-scripting “vulnerability” is not even a real vulnerability.

Sure sounds real though, doesn’t it?

Sitelock then graciously suggested that we install their app on MY servers…

I’m grateful to the universe that I happened to have the perfect GIF with which to communicate my reply:

Credit: Jockopodcast.com – my favorite podcast these days.

The truth about WordPress website security

WordPress website security is in fact a rather simple matter (for the end user anyway) that consists of a few fundamental truths:

1. It’s impossible to completely prevent malware / hacks.

2. Make sure to update your plugins and themes and WordPress version regularly (I do this for my SpeedKills.io customers on a weekly basis).

Un-updated apps represent one of the largest security vulnerabilities in WordPress, even if they’re deactivated.

In fact, deactivate and delete all plugins and themes that you aren’t using.

3. Follow WordPress security best practices.

Here are three resources directly from our internal documentation for customer security.

You can copy these directly into your company’s security documentation, or hand it off to a contractor to help you secure and harden your domains.

Best Membership Site Hosting: The Final Verdict

I have 3 recommendations depending on where you’re at…

If you’re just starting out

If you’re just getting started with your membership site, don’t have paying members, or you just don’t know if you have a winning business concept yet, I’d go with MediaTemple.

They have an affordable, high quality product and I’ve had a stellar experience with them across the board.

If you already have a membership site (tech savvy)

If you’re somewhat technically savvy in the area of systems administration, or have a team member to whom you can delegate server issues, I’d go with CloudWays.

They have the best product I’ve seen in this space.

In fact, my entire “hosting with a service” business, SpeedKills.io, is powered by CloudWays and my experience has been very positive (with the occasional, inevitable hiccups of course).

CloudWays essentially provides a user-friendly bridge between the top, high-performance cloud hosting providers in the world – like Amazon, Vultr, and Digital Ocean, et al – and average (i.e. NON sys admin) end users like you and me.

But be warned that CloudWays doesn’t offer you the same experience you may be used to with other hosting providers…

While their support is fantastic and always eager to help you out of a jam, the product itself is closer to the metal so you’ll need to be more technically proficient than if you were hosted with say, Bluehost.

Unlike “generic” hosting products which cater to (and sadly often exploit) the much larger segment of less technically knowledgeable consumers, CloudWays leaves things more in your hands.

With more power and flexibility comes more responsibility.

Why do you think big companies hire dedicated systems administrators?

They’re not hosting their business websites on GoDaddy, I can guarantee you that!

CloudWays has no cPanel, no email server, no SMTP email (I use AuthSMTP), no file manager, no DNS manager – none of that stuff!

If you already have a site (not tech savvy or prefer to delegate)

If the thought of not having a cPanel scares the crap out of you, then I would suggest my hosting company, SpeedKills.io.

I offer insanely fast WordPress hosting that is 100% managed-for-you.

I use CloudWays to deploy the optimal server infrastructure, location and configuration for your sites.

PLUS I add a proactive maintenance service on top that ensures your site actually becomes faster, more secure, and more user friendly as time goes by.

And of course, because I’m handling it, you don’t need to worry about any of the technical details.

As I explained in an interview with Richard Patey, I don’t think busy business owners should be dealing with hosting “stuff” at all.

I mean, don’t you have better things to do than to configure DNS, email, FTP, and whatever else?

Of course you do!

You just need a site that runs and runs well AND – in line with my crazy but actually not-so-crazy vision of hosting – actually gives you a competitive advantage because your site is faster and more secure than your competitors’.

Faster site = better rankings in Google, improved conversions, better user experience.

More secure site = much lower chance that something catastrophic happens to the “home” where your business ‘lives’ online.

Managed-for-you = you can focus on the “Deep Work” that actually moves the needle for your business and forget about hosting concerns knowing that professionals are handling it.

Membership site hosting that doesn’t suck

One thing I forgot to mention is that before starting SpeedKills.io my primary business was (and still is to this day) setting up and supporting WordPress membership sites (primarily through my MemberFix service).

Thanks to years of working with membership sites, I’ve gained insights into the intricacies of this space (both technical and marketing-oriented insights) that perhaps only a few hundred people in the entire world possess.

This means that if you choose to host a membership site with me you get the additional benefit of my unique expertise in this area.

I’ve mentioned many times before that when Josh Denning and I conceived the idea for SpeedKills.io it was to give our own websites a competitive advantage.

We didn’t intend for it to be a commercial endeavor.

But we quickly realized that we could offer our customers a tremendous amount of value if we could give their websites the same meticulous attention that we paid to our own online properties.

This intention has permeated our company ethos from day one.

We treat our customers’ websites as if they were our own, and we consider our customers to be part of our family.

This approach has so far served us and our customers well.

While I didn’t intend for this article to be a critique of “those other” hosting companies and an endorsement of my own, I guess it turned out that way haha.

Oh well, I’ve never been one to shy away from calling BS on professional BSers and I feel I’ve made my case objectively.

You can make up your own mind about the rest. 🙂