

3 Reasons not to choose Bluehost - marcusEting

I debated about a few hosting companies to use for a local organization. Bluehost seemed like a good option and I had worked with them before via other clients. They claim that they don't source anything and that their servers are fast and they limit them to 2000 users/sites per server.<p>However, I realized a few things after signing up with Bluehost and wanting to get cracking on a new site:<p>1) they have to "verify" your account before you get access to SSH. Don't do it if you're pressed for time.<p>2) you can't create addon domains and place them above the web root for the main site. This kind of sucks because you really don't want some stuff living inside of another site's web accessible files.<p>3) you have to "verify" addon domains which is a pain.<p>========================================================<p>Here is the conversation, special attention to the last two lines :)<p>========================================================<p>Gordon: [10:04:52 PM] Thank you for contacting our Support Live Chat! My name is Gordon. If you haven't already provided your primary domain name and validation such as last 4 of the password or last 4 of the credit card, please do so now. Also, please be patient as I am often on several different chats at once. Thank you!<p>mark: [10:04:52 PM] i need ssh enabled for mysite.com<p>Gordon: [10:05:15 PM] Can I get the last 4 of the password please?<p>mark: [10:05:22 PM] abcd1<p>Gordon: [10:06:23 PM] ok, I see here the account is not yet verified by our verification department. You will need to contact them tomorrow. They are not here right now since it is 10:06pm our time. Then once it is verified, follow these directions<p>[10:06:29 PM] In order to enable SSH on your account, log in to the cPanel, go down to the Security section, and click on the SSH/Shell Access. Click on the Manage SSH Access button, and you will be able to select "SSH access enabled". The username is your 8-character cPanel username. The password is your cPanel password you use to log in to the cPanel.<p>mark: [10:12:13 PM] hmm<p>[10:12:19 PM] what do they have to do to verify the account<p>Gordon: [10:13:17 PM] I think they just confirm the last 4 of the credit card and phone number and who you are to protect against fraud<p>mark: [10:13:45 PM] ok<p>[10:13:48 PM] one more question<p>[10:13:54 PM] im trying to add an addon domain<p>Gordon: [10:14:12 PM] ok<p>[10:14:52 PM] Do you get a message when you try to add it? DO you already have the domain purchased elsewhere?<p>[10:15:11 PM] or were you trying to register it with us as a new domain?<p>mark: [10:15:19 PM] well two problems<p>Gordon: [10:15:27 PM] ok<p>mark: [10:15:30 PM] first it asks me to verify the domain<p>[10:15:56 PM] You may also verify ownership of the domain "myaddonsite.com" by creating a page at http://myaddonsite.com/9d351b11.html or http://www.myaddonsite.com/9d351b11.html which contains the text "42688b8a" (retry assigning once the page has been created).<p>[10:16:03 PM] i created that file<p>Gordon: [10:16:05 PM] yes<p>[10:16:07 PM] ok<p>mark: [10:16:13 PM] but it wont let me verify<p>Gordon: [10:16:25 PM] hmm<p>[10:16:27 PM] let me try<p>mark: [10:17:11 PM] secondly it wants me to point the addon domain to public_html/myaddonsite.com/ but i dont want it inside the ~/public_html directory - I want it inside a different folder like ~/myaddonsite.com/public_html<p>[10:18:59 PM] it sucks that i can't get ssh access tonight. i wanted to rsync files to the server<p>Gordon: [10:19:38 PM] There is not a way to have it outside of the public_html folder, the public_html folder is where all website related folders go so it would have to be something like public_html/whateverfolder<p>mark: [10:19:54 PM] ok can you help me cancel my account please<p>Gordon: [10:19:54 PM] I am seeing if we can force add the domain on the account for you<p>mark: [10:20:09 PM] don't worry about that i just want to cancel<p>Gordon: [10:20:15 PM] ok<p>mark: [10:20:15 PM] i'm going with a different hosting company<p>Gordon: [10:21:21 PM] You would have to contact billing tomorrow during the time they are here or submit a ticket to them. I do not have a way to close the account for you.<p>mark: [10:21:43 PM] great. another reason to cancel. thanks<p>Gordon: [10:22:58 PM] You are welcome. let us know if there is anything else
======
shiftpgdn
I don't work for BlueHost but do run my own Hosting company. I'd like to offer
you some counter points:

1\. Web hosting industry is RIFE with fraud and are huge targets for hackers
who want to test credit cards/spread warez/etc. They're not asking you to
verify before giving you SSH, they're asking you to confirm you made a
legitimate order.

2\. This is unfortunately a limitation of cPanel add-on domains. If you don't
want sites to "live inside eachother" but you want cPanel hosting I'd
recommend getting a reseller account from somewhere or a VPS that'll give you
full root.

3\. This is for security as cPanel/exim (I assume they're using exim) route
mail locally. This means on a cPanel based shared host I could go setup
"gmail.com" as an add-on domain, setup a catchall e-mail account and then any
e-mail the server is trying to send out to Gmail will get forwarded into my
catch-all mailbox. This is a pretty big security hole but unfortunately it's
part of most mailservers. BlueHost is making you verify ownership of the
domain in order to prevent from exploiting this security flaw. Same vein as
Google making you verify domain ownership.

I understand you're frustrated but I don't really feel you're giving BlueHost
a fair shot. On the other hand they ARE my competition and if you want to try
out another cPanel based webhost I'd be happy to set you up with a coupon for
some freebies. :)

~~~
pdelgallego
I think you should post your company in your profile. I am looking for a
webhost for a couple of wordpress blogs for some customers and I immediately
checked your profile looking for the name of your company.

------
3dFlatLander
> Gordon: [10:05:15 PM] Can I get the last 4 of the password please?

That's a pretty good reason on its own.

~~~
dmm
It's conceivable that they don't store passwords in plaintext. They could be
hashing the last 4 digits separately... but they are probably store passwords
in plaintext.

~~~
pavel_lishin
That's still terrifying. How difficult could it be to crack a hash if you KNOW
it's only 4 characters?

On the other hand, if your password is seventy characters long, knowing the
last 4 doesn't help much.

