As a freelancer/consultant, I use freelancer sites like PeoplePerHour or Upwork on a regular basis. One of the issues evident in every job I have done is the total disregard for security on these platforms.
Most IT or web-related jobs done on freelance platforms are going to involve the exchange of sensitive data, specifically passwords, which is required in order to do the job. Clients will gladly share everything with multiple freelancers without a second thought, including their logins for control panels, hosting accounts, domain registrars, websites, and everything else.
This unthinking sharing of such details has massive security implications, which I will address below, along with better and more secure alternatives.
SECURITY BAD PRACTICES
Firstly and most importantly, you should not post any sensitive information in the job chat/discussion on the freelancer sites (unless they are temporary logins that will be revoked/changed). These conversations are stored in plain text, are not encrypted in any way, and can be viewed by anyone with access. Certainly, in the case of PeoplePerHour, Upwork and Fiverr, I have asked them directly and they have confirmed this is the case.
In fact, Fiverr support even said outright to me that they do not recommend sharing passwords on their platform. Yet this is not stated anywhere on their site, they do nothing to discourage it, and it is exactly what everyone does.
Secondly, your login details are for your own use, and everything that is done with your login credentials links back to you. If you share these credentials with multiple people and there is a security breach, you will have no idea who is responsible. If you are an employee and have a boss, then you will most certainly be blamed for the security breach, which could cost your company dearly.
Thousands of sites get hacked and data is stolen every single day. Most of them are unaware they have even been hacked and the breach can go unnoticed for months or even years in some cases.
If any of the freelancer sites suffer a security breach, the hackers will have access to any data which is not encrypted, which includes all those login details that clients have entered in the chat with their freelancers. Support staff can also read all your discussions, so any dishonest support agent could simply lift your login details and use them for illicit purposes.
Sadly there are also a lot of unscrupulous freelancers out there too, who will intentionally do damage to your systems in order to generate more work for themselves, or may seek revenge in the event of a dispute or disagreement.
I have had many jobs cleaning up after such situations and have found all kinds of back doors, insecure plugins, malware and extraneous logins that presumably had been created by other freelancers.
SECURITY GOOD PRACTICES
Ideally, you should find a single reliable freelancer/company who you are happy with and stick with them, rather than hiring a different freelancer each time. Not only is this better for security, but using multiple freelancers can also cause other problems as they are oblivious to what work their predecessor has done, and so will often break or undo each other’s work.
Sticking with the same person/company creates a relationship as well as a recurring income, which will, in turn, result in a better quality of work, fewer issues and less expense as they will know your systems and the work they have done before and be more inclined to keep you happy.
Plus any decent freelancer/contractor will use a task/project manager and will keep notes on the work he does for ongoing clients which also improves communication and project management.
Do not post sensitive information in the workstream/chat. An exception would be if you are providing a temp login which will be revoked once the job is done.
If you do need to give a freelancer (or anyone) temporary access to your accounts or website, then ideally you should provide them with their own login, which you should revoke (delete) once the job is done, rather than giving them yours. You should also give restricted access where possible, so the freelancer only has access to what is required to do the job.
If it is not possible to create a separate login for your freelancer, then you should always change your passwords after the job has been completed.
HOW TO SECURELY SHARE YOUR DATA
Create a Secret Link
There are a number of online tools which will allow you to share information with someone securely via a special secret link that is randomly generated just for you and only works once. As soon as the recipient clicks on the link to view the information, that link and all the information is destroyed.
This makes it safe to share that link via email or on freelancer sites, because the link only works once, so is useless to anyone else that finds it after it has been used.
This tool gives you a large text area, allowing you to share any amount of information in one go. It also allows you to put an optional time limit on the link (how long it will stay active for) and an optional passphrase to protect the link. You could then provide the passphrase via phone or SMS to make it extra secure, in case the recipient won’t be checking the link immediately or there is any chance of it being intercepted.
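How a one-time secret link behaves, as an added example that is not from the original article or from any of the tools it mentions: a minimal in-memory Python model of the single-use link, time limit and optional passphrase described above. The class name, the three-attempt limit and the sample credential are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class OneTimeSecretStore:
    """Illustrative model of a secret-link service (hypothetical, not a real product).

    A production service would also encrypt the secret at rest; this model
    keeps it in memory only and focuses on the link's lifecycle.
    """

    MAX_BAD_PASSPHRASES = 3  # assumption: destroy the secret after repeated wrong guesses

    def __init__(self, clock=time.time):
        self._clock = clock
        self._items = {}  # sha256(token) -> record

    @staticmethod
    def _key(token):
        # Index by a hash of the token so a dump of the store does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _derive(passphrase, salt):
        # Slow, salted derivation so a leaked verifier is costly to brute-force.
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

    def create(self, secret, ttl_seconds=3600, passphrase=None):
        token = secrets.token_urlsafe(32)  # 256 random bits: the link cannot be guessed
        record = {"secret": secret, "expires": self._clock() + ttl_seconds,
                  "bad": 0, "salt": None, "check": None}
        if passphrase is not None:
            record["salt"] = secrets.token_bytes(16)
            record["check"] = self._derive(passphrase, record["salt"])
        self._items[self._key(token)] = record
        return token  # this is what goes into the link you send

    def reveal(self, token, passphrase=None):
        key = self._key(token)
        record = self._items.get(key)
        if record is None:
            return None  # never existed, already viewed, expired or destroyed
        if self._clock() >= record["expires"]:
            del self._items[key]  # time limit reached: destroy unread
            return None
        if record["check"] is not None:
            supplied = self._derive(passphrase or "", record["salt"])
            if not hmac.compare_digest(supplied, record["check"]):
                record["bad"] += 1
                if record["bad"] >= self.MAX_BAD_PASSPHRASES:
                    del self._items[key]
                return None
        del self._items[key]  # burn the record before handing the secret back
        return record["secret"]


def demo():
    """Walk through the lifecycle with a fake clock and a constructed sample credential."""
    now = [1_000.0]
    store = OneTimeSecretStore(clock=lambda: now[0])
    sample = "hosting panel: example-user / example-password (constructed sample)"

    link = store.create(sample, ttl_seconds=600, passphrase="told-by-phone")
    results = {
        "wrong_passphrase": store.reveal(link, "guess"),
        "first_view": store.reveal(link, "told-by-phone"),
        "second_view": store.reveal(link, "told-by-phone"),
    }
    stale = store.create(sample, ttl_seconds=600)
    now[0] += 601  # the recipient opens the link after the time limit
    results["after_expiry"] = store.reveal(stale)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(step, "->", outcome)
```

If the intended recipient gets nothing back from the link, someone else opened it first, which is the cue to change the shared password straight away.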
Everyone has access to cloud storage and the ability to share files and documents FOR FREE.
I come across a surprising number of people who are unaware of this, but every single Windows user has access to OneDrive by default. It is part of the Windows operating system and allows you to sync up to 5GB of files to the cloud for free. You can then share these files with anyone simply by sending them a link.
Even if you do not use Windows, you can still get a free Microsoft / OneDrive account.
So you could temporarily put all the info you need to share into a text file or Word doc, and share that link with your freelancer. Once the job is done, unshare that file and delete it. You can also password protect the share for added security.
You can also do the same with Google Drive, which you also already have access to if you have a free Gmail account or use Google Workspace.
Use a password manager
Using a password manager is something I recommend to everyone. It will remember all your passwords and other personal info for you, software licenses, bank details etc. It will automatically log you into websites, fill in forms, generate strong passwords for you and more.
Password managers are also the most secure way to share logins and other sensitive information with your freelancer and then revoke the share once the job is done. You simply choose to share a login, enter the freelancer’s email address, and it will send them a share request. If they already use the same password manager, then job done. Otherwise, they simply need to register for the free version in order to accept your share request.
As a result the login details are never shared in plain text, as the freelancer will only use the password manager.
I am going to mention WordPress specifically because this is something I deal with a lot, since I build, support and manage WordPress websites.
In almost every WordPress job I do, clients will send me their own admin login, which they have sent to every freelancer before me, all of whom still have access as the password has never been changed.
If you need to give someone permanent access, then create a new admin user just for them. If you just need to provide temp access, then I suggest using the “temporary login without password” plugin, which will allow you to provide a temporary login which will automatically expire after x number of days.
If you’re a customer of Adobe Business Catalyst, you may be surprised and concerned at their recent announcement that the all-in-one CMS will be discontinued on 26th March 2020, along with Adobe Muse. While Adobe revised the closure date to 26th March 2021 after feedback from businesses to allow more time for the changeover, the fact remains that those using the platform need to start making plans soon to ensure a smooth transition without disruption to their online businesses.
Whilst Adobe has given a 3-year migration period, I know from many years’ experience that, no matter how much advance warning is given and how many reminders are sent, most people tend to leave these things until the last minute and then struggle to get it completed by the deadline. With companies like Adobe, you will get no sympathy or support if this happens.
So I strongly recommend that, if you are currently using Business Catalyst, you plan your migration sooner rather than later. Feel free to contact me if you need assistance.
Which CMS to use
The Adobe Business Catalyst end-of-life decision exemplifies the risks of using a ‘closed source’ solution, especially one hosted by the provider. This leaves you with neither ownership nor control over your sites, should the provider make the decision to terminate the platform.
There are many different CMS systems available, which range from very simple to very complex, depending on the features you need. Below are some of the most popular CMS’s, although there are hundreds more, many of which may be more suitable for your needs than the popular ones.
Data from: BuiltWith.com, W3tech.com, SimilarTech, Google Trends.
While I have only tried a small number of all the available CMS’s, my personal preference is WordPress. I find it simple and intuitive to use, easier to maintain than the likes of Drupal or Joomla and caters for the majority of website requirements.
WordPress is the most widely used and fastest growing CMS in the world, accounting for almost 30% of the entire internet. It’s free, easy to use, and offers a host of free and paid plugins so you can customise the site to your exact requirements. It also offers excellent integration with a host of digital marketing tools. Plus, with WooCommerce, your site can be easily transformed into a full e-commerce business.
What’s more, with the rise of excellent value Managed WordPress hosting companies such as GetFlyWheel, it’s a lot easier to keep on top of maintenance and security updates yourself if you are technically minded. And should the hosting company let you down or go out of business, it’s quick and simple to move WordPress to another host.
I have had several websites hosted with Flywheel for over 1 year now, and I literally have no complaints about this provider. I have not had a single problem with the sites or the service or the support.
The only issue I ever had was that the speed was not as good as it should have been, and when I queried this I discovered that some performance settings were not enabled for some reason. So what I have learnt over this last year is that you do need to have some technical knowledge to ensure you are getting the best out of the service, as you need to know what tests to run and what questions to ask, even with a host as good as Flywheel.
Because Flywheel is a dedicated WordPress host, they do not have any hosting control panel since they do not do anything except WordPress. Therefore they provide a set of simple tools just for your WordPress site, such as setting up staging sites, enabling password access etc. To be frank, it is pretty idiot proof and is obviously aimed at non-technical folks.
They also do not support or allow anything other than WordPress. This can obviously be very annoying and inconvenient if you wanted to install another app on your domain, like WHMCS or phpBB. Instead, you have to get more hosting elsewhere and use a sub-domain.
You also have to get your email hosting elsewhere as well, but I suspect that if you are using Flywheel then you probably want a more robust email solution as well, such as G Suite or Office 365. The bundled email that you get from hosting providers really is very basic and provides no business continuity.
Last year Flywheel acquired Pressmastic (now called LOCAL by Flywheel), which creates a local WordPress dev environment (using VirtualBox) and syncs it with your live Flywheel sites. You can pull your live sites down to local and vice versa. This obviously makes it very simple to maintain a separate dev and live environment.
Excellent support and customer service
Excellent speed with no plugins or configuration required.
You can easily generate a staging site from your live site, although you only get this on the $28 and above plans.
You can get a 1 click backup of your entire site (minus core files), which will send you an email with a link once it is complete.
You can set up free staging sites for your clients for 1 month.
You can change your primary domain, and your entire site and all links and references get automatically updated.
Ability to assign collaborators. So if you are the website owner, you can temporarily give access to designers and developers to work on your site or staging site.
LOCAL by Flywheel
You cannot host anything other than WordPress.
No 24/7 support, although you can escalate tickets and get someone out of bed. They now have 24/7 support and are part of WPEngine.
Price. As with all the dedicated WordPress hosts, it seems quite expensive with limiting quotas on bandwidth and disk space. Plus you have the added cost of needing to get your email hosted elsewhere too.
You can only use multisite on the personal plan or above, and it costs an extra $10.
I have prior experience with Siteground and it was not a pleasant one. They screwed everything up to the point where I would probably have lost all my clients had I actually transferred everything over to their servers.
As I continue to see articles everywhere praising SiteGround and how great they are, I thought I would give them another try. Everyone deserves a 2nd chance and maybe I just had some very bad luck last time.
SiteGround are a generic host, considerably cheaper than the likes of Flywheel or WPEngine, and run cPanel like every other host. They do, however, optimise their servers for WordPress and also have a few custom features available in their control panel, such as git controls, staging sites, site move and domain name change, which you do not get with other hosts at this price range. So I really want them to not screw up this time, as I want to like them.
So I signed up with SiteGround for a GrowBig account and kept my fingers crossed, but had an immediate issue. I was not able to access my account, it seemed to be stuck in some perpetual setup mode, telling me I could not set it up or manage it because my domain already existed. So I left it a few hours to see if it would complete, but alas the issue was still there. So I had to contact support even just to get my account activated. Not a good start so far.
They also still have that incredibly irritating support ticketing system where they do not actually send you a reply, they just send you a notification that they have replied, and you have to log in to your account to view it. This is so incredibly annoying, inconvenient and time-consuming and I hate it when companies do this.
If you are out and about on your phone, then it means you cannot read the reply until you are back in front of a real PC, at least not without a lot of hassle. As a result, this type of system also encourages the use of weak passwords, as customers will resort to using a password that is easy to type and remember so that they can log in via their phones to read tickets.
Once activated, I set up my spare domain and replicated the site over. I performed multiple GTmetrix tests on the site with various caching and performance enhancements enabled, and compared them to Flywheel. The results of these tests are below.
Obviously, I cannot give any opinion on long-term performance, reliability and support yet, but I do plan to transfer at least one site over to them for a long-term test and will update this article accordingly in a few months. I have so far had a site running for a couple of weeks without any issues.
I kept a site hosted with Flywheel for almost 1 year. Check out my full SiteGround review for the full horror story.
Price. Considering the performance is better than any other host I have tried, they are pretty good value for money.
Supercacher. Their own in-house caching system, which clearly makes a big difference based on my tests.
1 click staging. As with Flywheel, a simple solution to set up a staging site for testing. Although it is only available on the most expensive plan, which at £7.95 is still less than 1/2 the cost of Flywheel.
Can use Multisite on any plan
SG-Git – Create a git repository from your site, very handy if you are getting custom work done.
Auto Updates. Every decent managed WordPress host will auto update your WordPress core, even though this option is built right into WordPress itself these days. SiteGround also has the option to auto-update your plugins as well. I haven’t seen this option anywhere else.
Being a traditional host, you can host more than just WordPress.
Multiple sites/domains allowed on same plan.
The endless stream of rehearsed and ostensibly polite canned responses for me just comes across as very apathetic and disingenuous. They also have that typical problem with not reading communications properly before replying and have a tendency to be condescending and give completely wrong advice.
Potentially low resources. This 1 simple site caused my inode usage to go up to 20%. So despite the fact that you can host unlimited websites, in reality, I don’t think you could host many before you have consumed your inode quota.
An irritating and time wasting ticketing system
Cheap pricing is promotional and is only for the first year. After this it quadruples and is not such a good deal anymore.
For the purpose of this test, I used the site zenmsp.uk, which is the most resource intensive theme (the Fox) and is the slowest loading of all my sites and took the most tweaking to get it to load quickly. This site takes 6-10 seconds to fully load on a regular server/host.
As you can see from the results, on pure performance alone, SiteGround does actually manage to win the challenge by a hair and beats Flywheel by shaving about 0.4 seconds off the loading time. Bear in mind though that with Flywheel everything is out of the box and done by them automatically on the server, and doesn’t require any plugins or any other caching or performance tricks.
In the case of SiteGround I did have to manually enable all their caching features, install a special SG plugin and enable their supercacher options, and the fact that you have to do this in order for the caching to work was not clearly documented.
Still, I must say I was quite surprised by the results. Considering that Flywheel is a dedicated WordPress host and SiteGround is a generic host who will have many hundreds of customers per server, I was not expecting them to win.
When enabling Cloudflare via the SiteGround console, it only redirects the www subdomain through Cloudflare and not the primary domain, due to the way they integrate with Cloudflare. I also noticed, as you can see in the results, that the speed was actually slower with Cloudflare enabled; the same is true with Flywheel as well. So obviously Cloudflare cannot improve on the caching provided by the hosts.
If the price is your deciding factor, or keeping everything in one place (multiple sites, domain names, email etc) then SiteGround wins hands down.
If customer service/support & reliability is more important, and you have the budget to pay for it, then Flywheel wins, as the performance difference is negligible enough not to be noticeable based on these tests.
GTmetrix Reports
No other changes or tweaking has been made to the site other than to enable the available speed/caching features. So we are literally only looking at overall performance achieved by the caching/options provided by the host.
Since Cloudflare did not offer any improvements, there is not really any file minimising applied to this site. For the record, I have tried W3TC and other plugins, but this theme tends to break when CSS and JS files are minimised or combined.
Siteground + google pagespeed
Siteground Plus Google Pagespeed caching enabled. All other options must be disabled.
Siteground + Supercacher
Siteground with Supercacher plugin enabled and all caching options switched on
Siteground, default setup, simple and dynamic caching enabled.
For websites and clients that need the best possible speed and performance for WordPress and are prepared to pay extra for it, I tend to use Flywheel, who are up there with the best of the best when it comes to WordPress hosting. But for those small, simple, low traffic sites this can be a bit pricey, so I have been on the hunt for another hosting provider that had decent performance for WordPress without costing an arm and a leg.
I was originally running my WordPress multisite installation on my Windows server hosted with Hostek, and while I generally got pretty decent performance and GTmetrix scores, I knew it could be better due to the fact that PHP and WordPress do not run as well on Windows, and need the likes of Litespeed on Linux to get the best performance.
Here I will be posting my results with the various hosting providers I have tried. Bear in mind that I have played dumb for the most part in order to test out their skills, support and knowledge; I have not told them I am an ex-hosting provider or have 30 years’ IT experience.
One thing to note, which I have found to be true of every single host I have tried who claims “Managed WordPress”, it is nothing of the sort. At best all they do is set WordPress to auto-update, which is a feature now built into WordPress anyway, and if you are lucky also have some intrusion detection with some WordPress specific rules. The likes of WPEngine and FlyWheel do provide more features and security, but I would still not really call it managed.
Proper managed WordPress is the service I provide, where your entire website is managed and maintained: plugins, themes, security, backups and monitoring.
I used to have my own site hosted with GoDaddy back in 2016 when I was first converted from CFML to WordPress, and while it was OK, the performance, in general, was no better than my Windows server, and often worse. I also had various recurring issues with not being able to upload files via the WordPress admin or via FTP. I can only assume that this was due to GoDaddy’s intrusion detection being overzealous and blocking legitimate activity.
This then brings me to the other major issue, GoDaddy support. Whatever problem I had, they would always default to the conclusion that the problem was at my end. Getting them to even look into a problem was a painful process, and getting them to accept the issue was at their end was harder still. Getting through to support was time-consuming. They got rid of ticket support and switched to phone-only support, which meant sitting on the phone for ages in a queue, and some things are impossible to do over the phone, such as providing long complex URLs or screenshots of your issue. They did eventually introduce live chat, and brought back ticket support for Pro members, but it was quite normal to have to chase them and wait days or even weeks for a response.
I wouldn’t exactly say that GoDaddy is cheap compared to a lot of other hosts who offer the same, and for what you get it just doesn’t seem like good value for money. Their so-called Managed WordPress hosting really isn’t anything of the sort. As with all the other hosts who claim to offer “managed WordPress”, all they actually do is automatically update the WordPress core and nothing else, the WordPress knowledge and support seemed very limited.
Those issues aside, there are some good things with the GoDaddy system. They have a very neat Pro member system which allows existing GoDaddy clients to assign control of their hosting and domain names over to you for management. As far as registering and managing domain names goes, I cannot really fault them; all that side of things seems to work fine.
Overall I would only recommend GoDaddy for very basic sites, with low resource usage, where performance and speed are not critical. If you have a resource-heavy theme that needs serious caching and speed enhancements to make it load quickly, then GoDaddy is not for you.
Simple Interface for WordPress hosting, good for non-technical folks
GD Integration with WordPress is nice
GoDaddy now own and integrate with ManageWP
GoDaddy Pro account is useful for managing clients
HostMedia are one of those El-cheapo, seems-too-good-to-be-true hosts with hosting that costs only £1. They are quite well known in my old ColdFusion/Lucee circles, and I already had an account with them that I had used to test out their Lucee hosting a while back, so I thought I would give them a try with WordPress. Sadly my experience with this company to date has been less than brilliant. Nothing really worked properly from the outset, and I always had to open tickets right from the get-go to get anything working.
What should have been a simple 5-minute job of resetting a password turned into a 2-day fiasco of wrong passwords being reset, locking me out of my account. There were issues with the control panel not working as expected to whitelist IPs, not being able to remotely access databases, and having to explain to support staff how TCP/IP and telnet work and that if you cannot connect via telnet then any amount of password resets are not going to help. It is even worse when they do not know the issue is actually caused by one of their own standard operating procedures.
Almost every time I used live chat I was asked to open a ticket, so that seems pretty pointless.
A lot of companies, especially hosts these days outsource their support to India, especially the cheap ones, as it is the only way they can afford to have a 24/7 helpdesk. Which is fair enough, I have done the same thing myself, but the key when doing this is ongoing performance reviews and quality control, which is clearly where HostMedia needs to invest some time based on my experiences.
I can certainly see that for a non-technical customer who is not able to diagnose issues themselves or understand when they are being given wrong advice, simple problems could drag on for days while you get sent on a wild goose chase and end up having to pay someone else (like me) to fix the problems for you.
I did finally manage to get a copy of my site running, and upon testing the performance, it was intermittent. Sometimes it was better than my Windows server, sometimes it was worse. Again their so-called “Fully Managed WordPress Hosting” was nothing of the sort, there was very little WordPress knowledge and not a lot of support and nothing being managed.
I gave up after 1 week.
I would put HostMedia up there with 1&1 Internet. They are cheap as chips, and you get what you pay for. Ideal for folks that only have a token website, but really do not care about their website uptime or support, and just want it as cheap as possible.
Support is quite fast and responsive at least
Pointless Live Chat support
Sub-par email support
Too many things broken by default
Intermittent performance and reliability
My SiteGround review turned out to be far more in-depth, so I have turned it into a separate post here.
I had high hopes with Krystal as they have very good reviews and I have seen several recommendations in forums I use, but sadly things did not go too well.
I signed up for their AMETHYST plan, which should have been sufficient as this is more resources than my site currently uses.
When I tried to set up a WordPress site, there was no option to have a temporary URL for testing prior to migrating DNS. The only option is to use your hosts file for local testing, but their installer is not able to set up WordPress if your domain name is not already pointing at their server. So the only way to install WordPress is manually via FTP.
I noticed they offered free migration, so I thought I would test out their migration skills and get them to migrate my site for me. They failed miserably at this and all they managed to do was to set up a default WordPress install; the rest I had to do myself.
As far as the performance goes, things did improve on that front. On testing my site with GTMetrix I was getting slightly better performance even without using Cloudflare. By tweaking the settings and enabling Cloudflare I managed to increase the score a few percentages and also shave 3 seconds off the load time.
Sadly this is where the benefits stopped. I had nothing but problems on the WordPress backend with Divi builder timeouts and 503 errors. So rather than diagnose it myself, I decided to test out Krystal’s troubleshooting skills. Krystal support told me it was because resources were maxed out and I needed to upgrade to a plan with more resources and that this was a common problem with DIVI. Now I know this is not true since DIVI runs quite happily on 128MB, and I have been running with a max setting of 256MB for the last year with no problems, on multiple DIVI sites. The AMETHYST plan has 384MB, so should be more than enough.
I did, however, go through the motions, and upgraded to the Topaz plan which gives 768MB RAM. But surprise surprise, it made no difference, and I still had the same problems.
This was not the end and Krystal continued to try and push me down the upgrade path, telling me that my site still needed more resources. I suspected they would have pushed this until I had my own dedicated server, so I decided to quit while I was ahead.
I checked the resource usage stats, which clearly showed my site was not maxing out at all.
I then did my own troubleshooting and found the cause of the problem. It was, in fact, the minify setting in W3TC, which was causing problems on this server for some reason. Disabling this got rid of the 503 errors and timeouts.
Better than average server performance
60 days money back guarantee
Poor migration skills
No temp URL for testing
WordPress installer did not work
No PHP.ini editor
Poor Troubleshooting skills
Pushy upgrade tactics
Quite low resource limits
I am currently with GURU, whom I have been very happy with so far. Hosting is fast and the customer service/support is brilliant.