Bluehost Issues

Filed under: Other — rasim


I have quite a few hosting accounts, from shared to dedicated, and host my sites based on the needs. Some require a lot of cpu processing, some more emails per hour, some more bandwidth, etc. I have always recommended bluehost before. The first 2 years with them were just incredible. I never had ANY issues at all. My first problem came along about two years ago and it is still present. All of a sudden, I started to get “CPU exceeded quota” errors. I called in, and they told me that my sites have too much load on the processor, asked me to check my queries, code, etc… I was running phpld and was really surprised that just 1 site based on very popular phpld script would cause the problem. I was getting decent traffic, but it still was a small site… I moved the sites around, left just a few smaller ones on the account and it was fine for another year until this week. As I wrote before, I am running some affiliate campaigns now. Running affiliate sites usually requires some investment and I had quite a bit of traffic coming from adwords at that point, paying for each click.

When I woke up in the morning, I logged into my affiliate account to see how much was made on a new offer that I was running. It was 0. I was surprised and thought that perhaps my adwords campaign was not running for some reason. Logged in my adwords next and saw that it was still sending all the traffic and campaign was still running. Then I went to my email and there it was… I had a notice that they were migrating my account to a new server. It was sent in the evening a few hours before the actual migration. I expected better from them, at least a full day to a week of notice. Oh well, I lost some money, no big deal, paused the campaign and decided to check on the sites.

This is where I got really pissed off. I entered one of my urls in the browser bar and pressed enter. It asked me to download my php file. WOW, Really? Are the techs at BlueHost really that stupid? They left my apache server running and killed the php process. I am not a server technician and barely have any experience configuring the servers, but I know how not to give away free code. I know how to test after I do something. I had over 1,000 webmaster/seo visitors coming to see my sites, I wonder how many got my code and database information.

This is when I contacted them. I saved the conversation and am listing it below (changed names and urls):

me [4:08:31 PM]: www.URLNAMEREMOVED.com – seriously, anybody can just get a custom code with full database access info for free? :-(
them [4:09:04 PM]: What do you mean?
me [4:09:23 PM]: can you go to the site? it’s been like that the whole day
[4:09:35 PM]: apache is running while php is not
[4:09:52 PM]: so it just lets people download my source code
[4:10:35 PM]: for example, go to www.URLNAMEREMOVED.com/header.php – it asks you to download the file, which has all the database access information.
[4:11:28 PM]: the first hacker-wanna-be will empty my database when he gets a chance on all of the sites that I host on that account :-(
[4:11:57 PM]: I get over 1,000 unique visitors a day there
[4:12:01 PM]: :(
them [4:12:01 PM]: It doesn’t have the database access information. It has header body and footer
me [4:12:46 PM]: well, download www.URLNAMEREMOVED.com/header.php , since it is a database driven web-application, it has a connection string there
[4:13:14 PM]: line 19-24
them [4:13:18 PM]: php is running, but I will have an administrator restart the server. Ultimately this process could take 15-30 minutes for everything to come back up to its optimal performance level. I’m sincerely sorry for the delay in service.
me [4:14:05 PM]: ok, thank you. that’s what I was told about 4 hours ago though :(
[4:14:27 PM]: this is the second conversation I am having today…
[4:14:42 PM]: thank you. I will check back in an hour…
them [4:14:49 PM]: No problem. If you need any further assistance in the future, please feel free to contact us back. Thank you very much for contacting live support. Have a great day!

Ok, so I waited for over an hour, still the same issue. So I contacted them again:

me [5:28:54 PM]: My sites are still giving away free code. :-/
[5:29:11 PM]: Hi, please see www.URLNAMEREMOVED.com/header.php
[5:29:18 PM]: or any other site/page on my account
them [5:29:24 PM]: One moment please while I take a look
me [5:29:35 PM]: This is the third time I am contacting support today.
[5:30:10 PM]: My sites are down for 20 hours, which is not a big deal, but what big deal is – that they are giving away free code :-/
[5:30:17 PM]: along with all the connection information
[5:30:56 PM]: I can’t believe that your guys admins can’t figure out how to stop apache at least, this is a big security issue… :-/
[5:31:56 PM]: database can be accessed pretty easy with the connection information from php files like www.URLNAMEREMOVED.com/header.php and user information can be stolen…
[5:33:21 PM]: this is the third time I am contacting support today, every time I get a response that the sites will be up in 20-30 minutes. I wait for 2-3 hours and still the same. Can you at least turn the apache off. I have a few sites there with some getting 1000 unique visitors a day, mostly webmasters…
them [5:33:23 PM]: your account is being migrated from one server to another. the php download that you’re seeing is most likely a result of this migration.
me [5:33:54 PM]: I know that somebody already has all the source code which I paid a good amount, for free. :-/
them [5:34:01 PM]: we can’t turn apache off on the server because there are hundreds of other customers on your server that would lose their website.
me [5:34:17 PM]: I know, I am not an administrator and can figure out how to turn off apache or turn on php and configure
[5:34:34 PM]: most likely their sites are having the same issues
them [5:34:48 PM]: no. it is only your account that is being moved between servers.
me [5:34:57 PM]: since php is just like apache – a service that is server-wide
[5:35:45 PM]: so, does it mean it’s ok to give my code to the world for free and have full access to the databases with a ton of user information?
[5:36:53 PM]: I get over 100,000 email addresses, user information in the database, just want to make sure that I am not the one being liable for the data in case something happens
[5:38:08 PM]: since I can’t even access my account to edit .htaccess to hide my pages until the migration is over
[5:38:52 PM]: and btw, good three hour notice on the migration. :-/ I didn’t get it until this morning when all my sites were already giving away free code. :-
[5:39:56 PM]: Also, I hope you guys don’t mind me sharing the chat logs on my hosting review posts…
them [5:40:48 PM]: If you wish to do so, feel free… we can’t stop you
me [5:41:10 PM]: I was your customer for about 4 years if not more, there were issues, but I can’t believe bluehost would just give my source code and data away like that…
[5:42:02 PM]: Thank you for not helping and giving empty promises all day. Have a good day. I know it’s probably not your fault, so I apologize for being a bit rude. I am just really frustrated.
them [5:42:32 PM]: I understand your frustration. I checked with a senior tech and they’re telling me:
[5:42:41 PM]: currently transferred 7.7G of 8.7G so approx. 1 hour remains along with any residual DNS propagation of course
[5:42:48 PM]: for remaining migration time.
me [5:43:20 PM]: ok, thanks for letting me know, I just wish the apache would not be running until the data is transferred
them [5:44:42 PM]: you’re welcome. I’m sorry I can’t be of more assistance. the migration processes are automated and can’t be stopped once started
me [5:45:20 PM]: ok, thanks. have a good day.
them [5:45:27 PM]: You’re welcome! I apologize for all the trouble. Have a great day! Au revoir

From what I understand, user information is free at bluehost. As I mentioned to the techs above, once you download index.php, you can see all the includes and go through those. In my case for one of the sites, database access information was included in header.php. Anybody could have grabbed that information and gotten all the data. Some of my bigger sites have info on 50,000 user emails and if I don’t send spam it doesn’t mean that the hosting should give away the database access information to those who would. So, if you are planning to store any user information or open up an e-commerce site, go with a more responsible company, unless you think it’s ok to share your database with the world.

I don’t know about you, but I like to keep my code to myself. I paid a lot of money for some of my code and NEVER wanted to give it away for free. Well, in this case the server would ASK you if you would like to download index.php whenever you try to access the page. From there your visitors can see and download all of the include files along with the database and have a clone of your site in minutes.
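A check a site owner could run against responses from their own pages after a migration, to catch the failure described above where Apache hands out .php files instead of executing them. This is an added example, not part of the original post; the header values, regex heuristics and both sample responses are constructed assumptions.

```python
import re

# Markers that only appear when the interpreter did not run: PHP open tags
# survive in the body, or the server labels the file as a download.
PHP_TAG = re.compile(r"<\?(php|=)", re.I)
SOURCE_TYPES = ("application/x-httpd-php", "application/octet-stream", "text/x-php")
# Credential-bearing constructs typical of a connection include (heuristic).
SECRET = re.compile(
    r"(mysqli?_connect\s*\(|new\s+(PDO|mysqli)\s*\("
    r"|\$\w*(pass|pwd|db_?user|db_?host)\w*\s*=)", re.I)


def check_response(headers, body):
    """Classify one HTTP response fetched from your own site."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip()
    findings = []
    if PHP_TAG.search(body):
        findings.append("php-source-in-body")
    if ctype in SOURCE_TYPES or "attachment" in h.get("content-disposition", ""):
        findings.append("served-as-download")
    if findings and SECRET.search(body):
        findings.append("credentials-exposed")
    return findings


def secret_lines(body):
    """Line numbers whose secrets need rotating; values are never echoed."""
    return [n for n, line in enumerate(body.splitlines(), 1) if SECRET.search(line)]


# Constructed samples: the same page executed normally vs. served raw.
EXECUTED = ({"Content-Type": "text/html; charset=UTF-8"},
            "<html><body><h1>Directory</h1></body></html>")
LEAKED = ({"Content-Type": "application/x-httpd-php"},
          '<?php\n$db_host = "localhost";\n$db_user = "example_user";\n'
          '$db_pass = "example-not-real";\n'
          'mysql_connect($db_host, $db_user, $db_pass);\n?>\n<html>')

if __name__ == "__main__":
    for name, (hdrs, text) in (("executed", EXECUTED), ("leaked", LEAKED)):
        print(name, check_response(hdrs, text), secret_lines(text))
```

Any `credentials-exposed` result means the database password should be rotated, and the connection settings are safer in a file outside the web root so a handler failure cannot serve them.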

I used to host EasySubmits with bluehost back when I just started. A lot of “Exceeded cpu quota” pushed me to move it to a dedicated server along with other bigger sites. Search elance and rentacoder, you can see that people are willing to pay thousands to have tools like Easysubmits and exact clones built.

Anyways, 3 years ago I would recommend bluehost to anybody. I recommended it as well as hostmonster until this week and had a few people sign up with them. In case you don’t know, as far as I know from the online research, hostmonster is operated by the same people as bluehost. As far as I noticed, it is pretty much the same package as bluehost, only $1 cheaper. I assume that since the server costs went down, bluehost wanted to offer competitive prices and didn’t want to charge a huge number of existing customers for $1/month less. They opened up the same service for less under a different brand name, but there may have been other issues.

I also noticed that bluehost has been cutting some features. I have a big email sending limit on my account, 500 an hour. As far as I know from reading some of the forums, they cut that number to 50 an hour for new accounts.

My conclusion – if you don’t care for your code or the data, bluehost is good for the uptime, but when they would migrate you to a different account, don’t ask them to start php or stop apache, they wouldn’t do it. As far as I understood from the second conversation, bluehost technicians use automated migration process and can’t really do anything about it. I still like bluehost more than godaddy, but I think there are other services for under $2 a month that would be more responsible with the data and provide similar package. I think I am going to try webhostingpad when I will need another shared account, they have a $1.99 special going. I also used startlogic, different admin panel, but great service for a cheaper price. Never had problems with them.

I like dedicated servers more, and you can actually pick a lower end server for around $30 if you know how to configure it. I have one at ServerPronto for example, but I read quite a bit of bad reviews of them. I had them for over a year and can’t complain. Had to raise a ticket one time to restart a server since I could not ssh into the server, but that’s about it.

If you invest in traffic, it is important to be as sure as possible that the server is not going to be down when you send people there. Making a good hosting decision is important.

By the way, I was going through forums about bluehost while writing this post. It seems that they are having a promotion for $3.95 now. Just go to google and search for “bluehost 3.95” if you need one. I think that’s about 3.95$ more than what they should charge for the service they provide, but if you want to try them, 3.95 is still better than 6.95.

Please let me know your experience with different hosting providers in the comments.
