WP Engine is marketing to clients concerned with Internet security. Perhaps you’ve already been hacked (like we were!) or you have a friend who’s just gone through this and lost their entire site, and had to start all over again from scratch (also happened!).
Because WordPress is open source software (the code is available to everyone) AND so many sites are based on WordPress, it’s an attractive way for hackers to do a lot of damage. When our site ListenToYourGut.com was hacked back in 2012, the PHP part of our site was secure, but they got in through the WordPress blog. At the time, we did not have a Dedicated Server, we were simply on the Deluxe Hosting plan with GoDaddy, but they immediately put their top techies on it and they worked through the night to help us – at no additional charge.
When a Freedomite recently asked me about WP Engine, I threw it over to my tech manager for a proper assessment and here’s what he wrote:
WP Engine is trying to build market share in a new niche created by companies seeking to capitalize on the fact that a large percentage of people running WordPress sites aren’t techies. These non-techie people run WordPress because it’s easy and, in turn, they are inclined to believe it if someone tells them they need a specialized WordPress hosting company instead of one of the various full-service hosting companies. As a sidenote, WordPress.com is also offering a very similar service (but they are more transparent, feature by feature).
The fact is, most of the stuff listed at WP Engine is considered “a given” for any hosting agreement. Companies like GoDaddy provide the same level of security (maybe more) on the server side. And GoDaddy backs up all of our files on different physical servers elsewhere, so that they can be recovered if the machine on which our dedicated server resides ever goes boom.
WP Engine does the same thing but probably has far less hardware and redundancy than the big guys. These guys want you to pay a premium to have them keep WordPress up to date which is something I can do in 10 seconds if I see an available update when I go in to check blog comments daily. WP is actually pretty good about addressing security vulnerabilities… Some people just aren’t very good about keeping WP up to date.
Regarding disaster recovery, all of our stuff is automatically backed up by GoDaddy daily as a matter of course.
Bottom line: We aren’t WP Engine’s target customer because we are far too savvy but I imagine that their thinly veiled scare tactic marketing strategy is probably bringing in a lot of business from people who aren’t interested in the details and just want to trade cash for peace of mind.
CONCLUSION: As long as you keep your WordPress software and plugins up to date – click the Update Now button whenever it appears, or set your site up for automatic WP upgrades – along with regular site backups to a location that is NOT your site server (once a month is usually sufficient unless you’re a blogging fiend), you should be fine from a security standpoint.
At the time I’m writing this, HostGator also has a nasty little glitch in their site back-up protocol. Here’s the story about it from another Freedomite whose site was hacked into and completely deleted from HostGator:
One interesting side note about HostGator: They stop doing any backups once your cPanel has over 100,000 inodes. Normally, this should not be an issue (even with multiple websites hosted with them). However, in the weeks prior to our site being deleted, the hackers must have spoofed our email address for a spam operation. The undeliverables were then returned to our cPanel inbox (without us realizing this because we did not check our cPanel email). Each email is an inode. There were nearly 110,000 of these undeliverables.
Boom. No automatic backup.
They deleted the files the next day.
It appears the hackers knew HostGator’s backup policy and manipulated it to make sure no backups were made.
When I spoke to GoDaddy about this, the manager was shocked to hear HostGator would have such a policy. HG doesn’t even send a warning email if you have reached this magical 100,000 inode number. This – to me – is a real trust breaker with the company.
HostGator should be more clear about this to their customers – especially with it being so easy to spoof/spam an email address these days.
GD has no such inode policy. It’s all about actual disk space, which is easy to monitor.
Ouch. Talk about finding out the hard way!
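The inode cutoff in the story above can be watched from the account side, so a flood of bounce messages shows up before backups silently stop. This is an added example, not code from the original post or from any hosting company; the 100,000 limit is the figure quoted above, while the 80% warning threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example: warn when an account nears a host's inode cutoff for backups.
# 100000 is the figure from the story above; the 80% warning level is an assumption.
INODE_LIMIT="${INODE_LIMIT:-100000}"
WARN_PCT="${WARN_PCT:-80}"

# count_inodes DIR: every file, directory and symlink under DIR is one entry.
# Hard-linked files are counted once per name, so this is an upper bound.
count_inodes() {
    find "$1" -xdev 2>/dev/null | wc -l | tr -d ' '
}

# inode_status DIR: prints "OK <n>", "WARN <n>" or "OVER <n>".
inode_status() {
    n=$(count_inodes "$1")
    warn_at=$(( INODE_LIMIT * WARN_PCT / 100 ))
    if [ "$n" -gt "$INODE_LIMIT" ]; then
        echo "OVER $n"
    elif [ "$n" -ge "$warn_at" ]; then
        echo "WARN $n"
    else
        echo "OK $n"
    fi
}

# top_consumers DIR [N]: immediate subdirectories (hidden ones too), largest first.
top_consumers() {
    for d in "$1"/* "$1"/.[!.]*; do
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        printf '%s %s\n' "$(count_inodes "$d")" "$d"
    done | sort -rn | head -n "${2:-5}"
}

# Usage: sh inode_check.sh "$HOME". Silent when OK, so a daily cron job
# only produces mail when the account is near or over the limit.
if [ "$#" -gt 0 ]; then
    status=$(inode_status "$1")
    case "$status" in
        OK*) ;;
        *) echo "inode check for $1: $status (limit $INODE_LIMIT)"
           top_consumers "$1" ;;
    esac
fi
```

The per-directory breakdown is what would have pointed at the unread mail folder in the case described above.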
And no, you do not have to handle your site back-ups yourself, you can easily hire someone from Elance or Odesk to do this for you, for far less than WP Engine is charging. We also store another monthly site back-up for all our sites on Amazon Cloud. I show you how to do all of these things in Listen To Your Freedom. But if you’re not a Freedomite, then just Ask Google!