Is GoDaddy Actually a “Managed WordPress Host?”

No.

While this could have been the shortest blog post since Amerigo Vespucci discovered fire on the moon, let me elaborate just a bit.

A WordPress host should offer a few things, in my opinion:

  1. More than what a normal host would offer. This should be more than just one-click WP installation, the host should enhance the WordPress hosting experience in some way.
  2. Caching. WordPress, while an exceptional content management system, is not especially performance-minded. Changes over the years to how we expect the web to perform, legacy core code that can’t just be changed in case it breaks the 40 – 60% of the web built on WordPress, poorly written plugins and themes…without proper caching, WP can be very slow. A managed WordPress host needs to manage caching for you, not leave it up to you.
  3. Handle auto-updates gracefully.
  4. Comply with WordPress health standards.

Let’s start with what is arguably the most important, caching.

While GoDaddy boasts that it “has caching features that include a content delivery network (CDN) and object caching to improve load times.” Cool!

But these don’t work out of the box, and to be honest, GoDaddy is a hosting company for people who know nothing about hosting. My argument to back that? If you knew anything about hosting, you’d know to pick just about any host beside them. As a web developer of 20+ years, I’ve worked with a plethora of hosts and I can say that none have been as susceptible to hacking as GoDaddy. They offer a service where I can log into my clients’ accounts via my own account (so no password sharing.) This was great, but then after I asked hundreds of clients to go through the process, a year later they changed it.

Clients don’t want to mess around with hosting. Clients want hosting to just work. GoDaddy doesn’t just work.

So, you end up with a website that isn’t cached. On GoDaddy? Here’s how you can check your site. We’ll do it with GoDaddy’s own website, which they don’t even cache.

  1. Open Chrome and go to the URL you want to visit, in our case we’ll hit godaddy.com
  2. Right click anywhere on the page, and you’ll get a menu with an option to Inspect.
    screenshot of right click to inspect on godaddy's website
  3. In the pane that opens, choose the Network tab:
    screenshot of the network tab in chrome's inspector
  4. I’ve highlighted the bit that shows they aren’t caching their own page. If they don’t bother to cache their own, what would make us think they’d care to cache our own?
  5. At the same time, they blacklist actual caching plugins.

Here’s what a site with caching set up properly looks like, FYI:

screenshot of sayhidurango.com, showing it is cached

Since we’re on that subject, let’s move on to #4 above, WP’s Heath Standards.

Here’s what you should see when going to Tools > Site Health:

screenshot of a perfect status on WordPress' site health screen

Here’s what we get with GoDaddy:

Godaddy fails on several WP health checks

But what does this all mean? Well, it means:

One or more recommended modules are missing. Opening that we see “PHP modules perform most of the tasks on the server that make your site run. Any changes to these must be made by your server administrator.” Emphasis mine. Specifically, GoDaddy has disabled WP’s native ability to implement plugin, theme and WordPress updates. Maybe that’s why I’m watching plugins updates and deletions take 30 – 60 seconds as I write this.

Now, these features still work, and GoDaddy likely has their own systems in place. Who do you trust more, the fatcats in their golden rocking toilets at GoDaddy, or the team of 10s of 1000s of independent WordPress experts to handle how WordPress works?

You should use a persistent object cache. Good luck sorting this out, GoDaddy’s advice is to contact their support. Except their support reps don’t tend to know much about hosting, let alone WordPress and caching. This is, you’ll recall, one of the two features GoDaddy said contributed to how quickly their sites load. It was this, and having a CDN (the CDN isn’t set up automatically either, nor is it easy to find.)

Not all recommended security headers are installed. Maybe this is why GoDaddy sites get hacked 6x more often than my other clients (clients who host with me have never been hacked while on my servers.)

Here’s the list of security failures:

  1. Upgrade Insecure Requests
  2. X-XSS protection
  3. X-Content Type Options
  4. Referrer-Policy
  5. X-Frame-Options
  6. Permissions-Policy
  7. HTTP Strict Transport Security

Now, looking at #3 in our original list, GoDaddy disables auto-updates. So now we either have to do it ourselves (not the worst plan, really) or hope their other systems take care of this. But this also means we have no idea when these plugins will auto-update. No sir, I don’t like it.

Mr. Horse from Ren and Stimpy saying no sir, i don't like it!

That said, what exactly is the more that GoDaddy is offering? They offer bare bones hosting for $2.99 / month with a free domain for a year. Or their WP Managed Hosting is $10.99 / month with a free domain. What does $8 / month buy you at GoDaddy? A $20 / year domain and a vulnerable WordPress site.

Up Next: 100% CSS Hamburger Menus