HostGator review: Good performance, bad security web hosting

If you are on the lookout for a web hosting supplier, you’ve got an amazing variety of selections. In my Best web hosting providers for 2021, I checked out 15 suppliers who supply a variety of plans.

To get a greater really feel for every particular person supplier, I arrange essentially the most primary account doable and carried out a collection of checks. In this text, we’ll dive into HostGator’s choices. Stay tuned for in-depth seems to be at different suppliers in future articles.

HostGator at a look

HostGator was based in 2002 by a scholar at Florida Atlantic University (therefore the “gator” in HostGator). Today, HostGator is considered one of almost 100 web hosting manufacturers owned by Endurance International Group (EIG).

EIG was within the information in 2018, when the Times of India reported that its former CEO and CFO had been charged by the US Securities and Exchange Commission for “overstating the corporate’s subscriber base.” The firm agreed to pay an $8 million penalty with out admitting fault.

UPDATE: HostGator reached out to us requesting modifications to the Quick Security Checks part of this text. Their feedback and our responses are included inline in that part.


Because there’s such variability amongst plans and choices amongst hosting suppliers, it is laborious to get a very good comparability. I’ve discovered that the most effective methods to see how a supplier performs is to have a look at the least costly plan they provide. You can count on the least high quality, the least consideration to element, and the least efficiency from such a plan.

If the seller offers good service for the bottom-shelf plans, you possibly can typically assume the higher plans may also profit from comparable high quality. In the case of HostGator, there have been some shiny spots, some annoyances, and a few critical security considerations.

For the collection of hosting evaluations I’m doing now, I’m testing essentially the most primary, most entry-level plan a vendor is providing. In the case of HostGator, that is what they name their Hatchling plan. To get pricing, I merely went to the corporate’s primary web site at If you wish to avoid wasting cash, although, learn to the tip of this part.

Like almost each hosting supplier within the enterprise, their providing is considerably deceptive. There is not any choice to simply get billed $2.75 per 30 days. Notice the omnipotent asterisk subsequent to the value.

While it seems to be like you will get the Hatchling plan for $2.75 per 30 days, that is provided that you prepay for 3 full years, which suggests you are truly paying $105.35. If you need just one yr, you are charging $76.11 to your card (which is $5.95 per 30 days). If you wish to purchase the service on a month-by-month foundation, you are paying $10.95 per 30 days.

When you hit the Buy Now button, the corporate pre-populates a one yr subscription with optionally available add-ons for web site monitoring and backup, including $43.94 to the invoice (however you possibly can uncheck these choices).

There’s a painful gotcha to those “beginning at” costs. When you renew, you are going to pay extra. This, too, is just not unusual for hosting plans and is a observe I strongly want the hosting trade would cease. Instead of paying $105.35 for 3 years, upon renewal you will be paying a whopping $250.20 on a single bank card cost, a worth improve that is greater than double the unique worth.

View Now at HostGator

What the bottom plan consists of

As with most hosting distributors as of late, HostGator claims limitless disk house, limitless bandwidth, and limitless e-mail. In observe, these limitless values are restricted within the phrases of service. You cannot use your limitless storage as an enormous backup tank the place you dump gigabytes of video, for instance. They additionally state, “ HostGator expressly reserves the precise to evaluate each shared account for extreme utilization of CPU, disk house and different assets that could be attributable to a violation of this Agreement or the Acceptable Use Policy.”

In different phrases, do not abuse the assets you are shopping for, and purchase the extent of plan moderately commensurate along with your anticipated utilization. If you are about to run a giant, nationwide promotion the place you count on plenty of visitors, you may not wish to use the Hatchling plan. If you get an excessive amount of visitors, HostGator may shut you down or invoice you much more.

Their terms of service proceed, “ HostGator might, in our sole discretion, terminate entry to the Services, apply extra charges, or take away or delete User Content for these accounts which might be discovered to be in violation of HostGator’s phrases and circumstances.”

The base-level plan has some compelling options. First, and that is vital as we transfer ahead in a quest for a safer web, is the provision of free SSL on your web site. This provides that little lock icon to your browser’s handle bar and makes certain visitors between your web site and your guests is encrypted.

The firm additionally affords 24/7/365 assist which not solely consists of ticket and chat however telephone assist as nicely. While you are solely in a position to make use of one area, you need to use as many subdomains as you would like. The firm additionally offers a coupon for $100 in Google advertisements and one other $100 in Bing advertisements. While you in all probability will not get sufficient advert hits to cowl your value of hosting, it should assist you to get your ft moist on the earth of Google and Bing promoting.

Dashboard entry

The very first thing I love to do when a brand new hosting supplier is discover their dashboard. Is it an outdated good friend, like cPanel? Is it some kind of cobbled-together home-grown mess? Or is it a rigorously crafted customized dashboard? These are sometimes those that fear me essentially the most as a result of they nearly all the time disguise restrictions that I’m going to need to work round by some means.

When you first log into HostGator’s dashboard, you are greeted with their buyer portal. Here you possibly can handle your bank card data, get assist, and — most vital, apparently — purchase the upsell choices they provide.


This is just not the one dashboard you will be utilizing. The primary dashboard is cPanel, which is frequent to many, many websites throughout the Web. While cPanel might be irritating at occasions, it is a very succesful interface that allows you to handle all facets of your web site.

It took a surprisingly very long time for cPanel to launch, nearly a full minute. What’s a little bit extra bothersome, although, is the vary of extra upsells in the course of cPanel. cPanel is often fairly predictable and seeing nearly as many advertisements and upsells as administration choices had been tedious.


Installing WordPress

There are definitely different content material administration and running a blog purposes you need to use apart from WordPress. That stated, since 32 percent of the entire Web uses WordPress, it is a good place to begin. WordPress websites might be moved from hosting supplier to hosting supplier, so there isn’t any lock-in. And by testing a web site constructed with WordPress, we will get some consistency in our testing between hosting suppliers.

I went forward and clicked the Build a New WordPress Site button on the principle cPanel web page… and bought hit with one other web page of upsell promotions:


At $399, costs had been actually beginning to climb from that tasty little $2.75 supply the corporate promoted. The promos on this setup web page did not say what theme they’d be putting in. WordPress does include a pleasant set of free themes, and most themes are comparatively cheap. I attempted to determine what the $399 program was for, however so far as I can inform, it is merely organising WordPress, which is often a few five-minute course of.

The distinction between the $199 and $399 program was the addition of website positioning and WordPress web site security. To be honest, most WordPress security plugins and add-ons value a few hundred bucks a yr, and there are premium website positioning plugins that may value an analogous quantity. But with out going all through the checkout, it wasn’t clear what instruments HostGator was offering in return for its nearly $400 of upsell.

My recommendation is to skip these upsells. Simply set up WordPress, get to know your web site, after which begin with a device like Wordfence or Sucuri to maintain your web site protected.

Once I entered my consumer identify and area, I used to be… await it… introduced with one other upsell:


I went forward and hit the login button, and… it failed:


I took a fast have a look at the File Manager and decided that the WordPress set up gave the impression to be in place. So, as an alternative of utilizing HostGator’s login button, I simply used the usual WordPress admin URL, which is This labored.

I used to be, nevertheless, now not stunned to seek out extra upsells. In this case, your complete primary dashboard web page — going nicely beneath the scroll of the web page — had upsells.


There appears to be a giant push for utilizing various plugins which might be both freemium or affiliate-based. Jetpack is produced by Automattic, the corporate behind WordPress. It additionally has an associates program.

My guess is that HostGator is pre-installing plugins the place they get some affiliate income. There’s nothing notably mistaken with that, however plastering these upsells in the course of configuration screens is getting outdated.

HostGator additionally dropped in a plugin for one thing referred to as Mojo Marketplace. This, too, had pages and pages of upsells, this time for themes.


With all of the added plugins, junk, and upsell, it is no surprise that the positioning initially failed after I hit the positioning login button from the HostGator dashboard.

Let me be clear. There is nothing mistaken with utilizing plenty of plugins on a WordPress web site. That’s considered one of WordPress’s largest strengths. But filling a web site with crapware earlier than it is even dwell is nothing however a distraction, can add a substantial quantity of confusion to new customers, and will trigger potential issues when it comes to performance. Plus, it is simply impolite.

Quick security checks

Security is likely one of the largest points in relation to working a web site. You wish to make certain your web site is secure from hackers, does not flag Google, and might join securely to cost engines for those who’re operating an e-commerce web site of any type. You additionally do not wish to distribute malware to your guests. That’s bad.

While the scope of this text does not permit for exhaustive security testing, there are just a few fast checks that may assist point out whether or not HostGator’s most cheap platform is beginning with a safe basis. Here’s the tl;dr: it isn’t. This factor is dangerously insecure.

The first of those fast checks is multifactor authentication. It’s means too straightforward for hackers to simply bang away at a web site’s login display screen and brute-force a password. One of my websites has been pounded on for weeks by some hacker or one other, however as a result of I’ve some comparatively robust protections in place, the bad actor hasn’t been in a position to get in.

Unfortunately, I’ve to ding HostGator for what I contemplate a reasonably critical security flaw. When you log into their buyer portal, all you could present is a username and password. However, if you wish to ask assist questions and get solutions, you do have to arrange a assist PIN. This is a partial step ahead. The downside is that for those who’re in a position to log into the principle administration account, you possibly can change the e-mail handle related to it, after which have a brand new assist PIN despatched out. The backside line is with no second issue for login authentication, the PIN is actually nugatory.

Secondly, in line with the assist particular person I reached out to on chat, HostGator’s cPanel implementation additionally doesn’t assist multi-factor authentication, not less than within the lower-end accounts.


Multi-factor authentication ought to by no means be an upsell choice or offered just for premium accounts. It takes little or no effort for a hosting supplier to allow it. Not solely does it defend the person clients utilizing the function, but it surely additionally protects all the shoppers of the hosting supplier. That’s as a result of most shared hosting servers share IP addresses. If a spammer or scammer hijacks a shared hosting account and that account is blocked, it is completely doable that every one the accounts sharing that IP or that IP’s bigger block of numbers will likely be blocked as nicely.

I strongly advocate that HostGator implement MFA for all accounts instantly, for his or her profit in addition to that of their clients.

I discussed earlier that HostGator offers a free SSL certificates. They’re utilizing Let’s Encrypt, a program that gives free, automated SSL certificates. Let’s Encrypt is enabled by default, so when you arrange a web site, all you could do is use your https:// in your URL to supply encrypted URLs on your guests.

As my final fast security test, I like to have a look at the variations of a few of the primary system parts that run web purposes. To make issues straightforward, I selected 4 parts essential to secure WordPress operation. While different apps might use different parts, I’ve discovered that if parts are up-to-date for one set of wants, they’re often updated throughout the board.

Here are my findings derived from the HostGator versions page and a pleasing tech assist dialog, as of the day I examined [in July 2019], for HostGator’s Hatchling plan:


Version Provided

Current Version

How Old



7.4.14 (8.0 remains to be a bit new)

moderately present 




8 years / 2904 days (finish of assist is Feb 21)




11.3 years / 4124 days


 1.0.1e-fips 11

1.0.2t (and 1.1.1)

7.1 years / 2592 days

The cURL library, which is supposed for knowledge switch, notably of safe data, is vastly and woefully outdated. A fast have a look at the cURL release table reveals there have been hundreds of bugs mounted and tons of of vulnerabilities resolved because the model of cURL being offered by HostGator was launched again in 2009. That’s greater than a decade outdated. That can be like strolling round right now with an iPhone 3GS and operating Windows Vista in your PC!

UPDATE: HostGator advised us, “cURL does listing an older uncooked model, however RedHat/CentOS backport security patches and we replace all servers not less than each day. This is customary for RedHat/CentOS and anticipated conduct.” This is definitely a really attention-grabbing course of. Red Hat does go back to older versions of standard Linux software and port security fixes, as HostGator acknowledged. However, even with security fixes utilized, providing a virtually 10-year-old model of cURL will present web site homeowners with ongoing compatibility challenges, notably with cost gateways.

The firm helps OpenSSL 1.0.1e-fips 11, the place the completely most present model is 1.1.1. The gotcha is that when OpenSSL went to 1.1, it broke quite a lot of code. As a consequence, the OpenSSL venture is updating each the 1.0.2 department and the 1.1 department. I do know, it is sufficient to present you a headache. Here, regardless of all of the model quantity confusion, there’s one reality you could know: the model of OpenSSL HostGator is supplying can also be vastly outdated.

UPDATE: HostGator advised us, “OpenSSL additionally lists an older uncooked model, however once more RedHat backports security patches and we guarantee each day updates.” This is identical backporting course of Red Hat makes use of for cURL. It signifies that whereas security flaws have been up to date, the model and its compatibility remains to be almost a decade outdated.

HostGator is utilizing model 5.6 of MySQL. While MySQL helps many variations, the most recent is 8.0. HostGator’s MySQL implementation is eight years outdated.

UPDATE: HostGator advised us, “All HG containers have MySQL 5.6 or larger. The article experiences 5.5, which hasn’t been in place for a very long time.” While this was the model proven on HostGator’s personal variations web page when the article was written, we’re glad to see MySQL has been up to date.

What’s worse, every of the variations of those packages are beneath WordPress’s minimum requirements

Because MFA is just not obtainable and since many of those variations (even with backported security updates) will trigger fashionable software program to fail, we contemplate HostGator a lower than optimum selection for e-commerce or any security-related web site.

Performance testing

Next, I needed to see how the positioning carried out utilizing some on-line efficiency testing instruments. It’s vital to not take these checks too severely. We’re purposely trying on the most low-end choices of hosting distributors, so the websites they produce are anticipated to be comparatively gradual.

That stated, it is good to have an concept of what to anticipate, and that is what we’re doing right here. The means I check is to make use of the contemporary set up of WordPress after which check the “Hello, world” web page, which is usually textual content, with simply a picture header. That means, we’re in a position to concentrate on the responsiveness of a primary web page with out being too involved about media overhead.

One be aware: usually I would not check a web site with all of the crapware plugins put in. But since most customers who purchase these plans in all probability will not know learn how to take away the plugins or which plugins are secure to take away, I examined efficiency with these plugins put in. I absolutely anticipated efficiency numbers to take a success from all that added cruft, however I used to be mistaken. The efficiency wasn’t bad in any respect.

First, I ran two Pingdom Tools checks, one hitting the positioning from San Francisco and the second from Germany. Here’s the San Francisco check score:


And here is the identical web site from Germany:


Next, I ran an analogous check utilizing the Bitchatcha service:


Finally, I hit the positioning with Load Impact, which sends 25 digital customers over the course of three minutes to the positioning after which measures the responsiveness.


The Load Impact check was additionally considerably surprising. At the start of the check, some web page load occasions took longer than they need to. But because the variety of digital customers climbed, responsiveness settled into a pleasant rhythm.

While lower-end hosting plans typically have spotty efficiency, this was a very good exhibiting. Most lower-end plans, together with the one we’re testing, share server assets with different clients. So, at occasions of heavy exercise, if one web site is seeing heavy utilization, the opposite websites might undergo. I’m testing this web site on a Sunday afternoon, which is a comparatively gradual interval in web hosting phrases, besides, the efficiency for this bottom-end web site was unexpectedly affordable.

Support responsiveness

I solely wanted to contact assist as soon as, by means of the chat interface. I used to be linked to somebody inside about 5 minutes. It took just a few extra minutes to ascertain a assist PIN, however then I bought my reply shortly.

For a Sunday afternoon, it was an entire, moderately educated reply. I’ve definitely skilled far worse assist.

Overall conclusion

You by no means wish to get your expectations too excessive for a bottom-end plan. The economics of operating such a super-cheap providing is that the supplier has to make it up on quantity. Professional and enterprise hosting plans with plenty of visitors and efficiency should, out of necessity, value extra.

The solely option to really know what it is like to make use of a service is to run a dwell web site on it for just a few years. That stated, I used to be each happy and disillusioned with HostGator’s exhibiting.

I discovered my interactions with HostGator’s buyer portal and cPanel to be sluggish. It typically took 30 seconds to a minute for a click on to course of by means of to a consequence.

On the opposite hand, the efficiency of the positioning being hosted by HostGator, the positioning you are paying for and wish to be extremely performant, was fairly good.

HostGator’s comparatively fixed upsell, particularly throughout the configuration and operational facets of the management panel proved intrusive. The firm put in means too many plugins within the default WordPress set up, which not solely brought about the preliminary login to fail, however may make it way more complicated for brand spanking new customers.

Finally, the corporate’s lack of assist for contemporary security protocols and login security is deeply disturbing. They’re letting tons of of hundreds of shoppers launch web sites with woefully out-of-date security software program. Given that the security libraries are free and open supply, there’s simply no supportable motive for HostGator to be lax on this most vital side of Web security.

The firm affords a 45-day money-back assure, which is cheap.

The backside line is that this: if you wish to arrange a easy web site as an internet brochure, HostGator must be fantastic. But if you need customers to log in to or pay for one thing by means of your web site, do not use this plan.

You can comply with my day-to-day venture updates on social media. Be certain to comply with me on Twitter at @DavidGewirtz, on Facebook at, on Instagram at, and on YouTube at

Related Posts