Bluehost review: Good performance, integrated dashboard, and solid support
It seems like there are an almost unlimited number of web hosting providers who will serve your website for a monthly fee. In our tested list of the best web hosting services, we spotlighted providers that offer a wide range of plans. When doing a full review of a single hosting provider, I set up the most basic account possible and run the service through a barrage of tests. In this article, I’ll dive into Bluehost’s offerings based on my hands-on testing.
Also: WP Engine review: A solid managed-hosting provider for WordPress
Because there are so many variables among plans and offerings, not only among hosting providers, but within the plans offered by any one provider, it can be difficult to get a good comparison. I’ve found that one of the best ways to see how a provider performs is to look at the least expensive plan they offer. You can expect the least quality, the least attention to detail, and the least performance from such a plan.
Bluehost at a glance
How web hosting provider pricing really works
For this series of hosting reviews, I’m testing the most basic, most entry-level plan a vendor is offering. In the case of Bluehost, it’s their appropriately named Basic plan. To get pricing information, I went to the company’s main site at Bluehost.com.
As with most every hosting provider, Bluehost’s published pricing is somewhat misleading. There is no option to get billed only $2.95 per month.
While it looks like you can get the Single Shared Hosting plan for $2.95 per month, that’s only if you prepay for a full year, which means you’re actually paying $35.40. There’s a gotcha though. When you renew, you’re going to pay more. Four times more.
It is weird, though, because if you sign up for just a year, you’re paying less per month for that first year. But then your price will jump by more than quadruple what you paid when you signed up. I talked a lot about lock-in and switching costs in my How to create a website: The step-by-step guide overview. Read it, because Bluehost (and many other hosting providers) have business models that count on the switching costs being so painful that you’ll suck up a huge upcharge simply to avoid moving your site.
On the other hand, if you pay for three years (and this is not just a commitment, you’re paying that $178.20 upfront), the company implies you’re paying more per month for the first year. Of course, you’re not. You’re either plunking down $178.20 for three years or $35.40 for one year — and then paying big to continue.
Also: The best web hosting services of 2024: Expert tested
Again, this is not unusual — I focus on these pricing gimmicks in my reviews because it can be really unpleasant to suddenly get a bill that’s hundreds or even thousands of dollars (depending on the plan) more than you expected. Second, switching from one hosting provider to another hosting provider can be a very time-consuming and possibly expensive job, fraught with hassles and potential points of failure.
At least half of the hosting vendors I’ve looked at over the years do these promo deals, with big jumps in renewal fees, so Bluehost isn’t alone in this somewhat predatory practice.
In any case, let’s move on.
What the Bluehost Basic plan includes
Most bottom-end plans are for one website, and Bluehost is no different.
Before we move into the details, let’s spend a moment talking about what a base plan really is. All websites are not created equal. While you might be able to pay under three bucks a month to run your website, I pay about a hundred bucks each month to run my small fleet of sites.
A base site is designed for a business or an individual who wants a basic online presence. That’s a bunch of pages, some product or service images, and a lot of text. If you want to run complex web applications, or you expect a lot of traffic, a basic site is not for you.
Also: The best cheap web hosting services
If you’re just trying to establish an online presence, starting simply is a good way to go. In this series, we’re reviewing the least expensive program each hosting provider offers. That’s going to be what the majority of buyers will want, and it will give us a good insight into the company.
Bluehost offers a number of pretty solid features in their Basic plan. The base plan includes 10GB website space, one website, and a basic SSL certificate, and what they describe as unmetered bandwidth. This Help Page provides more details:
Be careful, though. In practice, if you push your account near the limits, or use an excessive amount of bandwidth, it’s likely that the service will throttle you back. Bluehost was one of the earliest providers to institute server throttling when “unlimited” resource usage got to be too much.
There are some wins, most notably that even the basic plan is hosted on SSDs. Even if a site is using caching (which reduces the load on a server), having fast drives is always a plus.
The company does have 24/7 chat and phone support, and Bluehost offers a 30-day money-back guarantee. It’s not as long as some competitors, but it is a fair amount of time for you to get a simple site up and running and see how things work.
Getting started with Bluehost
Once your account is created and you log in, you’re immediately presented with an upsell:
After that, I was presented with this installation status window:
I went ahead and clicked Log In To WordPress. I got the following screen.
I have to admit that I’m getting a little impatient. I want to see the dashboard so I can see what I can do with this service. Since there is no option to simply go to the dashboard, I guessed that “I’m following a tutorial” might imply that Bluehost was going to let me do something not pre-scripted.
Strangely enough, I now have two tabs open, with two dashboards. Here’s the first, which is a panel inside the actual WordPress site dashboard:
And here’s the second:
There does not appear to be anything that allows full site customization through something like cPanel. The cPanel email option shown above is for setting up email. But there’s not full cPanel interface, which is disappointing. However, I did eventually find a more advanced dashboard. You get to it in the second dashboard shown above, by hitting Settings under the Welcome statement:
Basic WordPress access with Bluehost
I decided to work in the version of the Bluehost dashboard presented inside the WordPress dashboard. There are options to… wait… nope. Can’t look at them yet. Another upsell just popped up and blocked my access to the dashboard:
That’s actually driven by a WordPress plugin, so that means there are probably a ton of unnecessary WordPress plugins preinstalled. I’ll check on that in a bit.
Back in settings, there’s an option to install WooCommerce to add an online store. There’s a $9.95 a month Online Store plan, so I’m guessing that somewhere along the installation and configuration process for WooCommerce, there will be an option to upgrade the plan. There’s a performance tab, which basically allows you to turn on and off site-wide caching.
Also: AI taking on more work doesn’t mean it replaces you. Here are 12 reasons to worry less
There’s a very simple settings option, where you can turn off the Coming Soon page status, enable automatic WordPress updates, specify the number of revisions to save, and manage comments. Most of these can also be managed from the WordPress dashboard, so this seems like just another way to control the same thing.
Ooh, this is interesting. Bluehost provides a staging site, even in the base plan. They get some big points for that. It’s always nice to having a staging site, and many more expensive plans don’t come with one. Granted, this is a staging site managed inside the main WordPress install (which can be a bit dicey when things go waaaay bad), but it’s still a great feature for a bottom-level plan.
Now, let’s switch over to the WordPress Plugins dashboard. There’s a lot installed here. Many of these are popular WordPress plugins, all offer upsells, and many of them add a lot of overhead to a WordPress installation. Many plugins, once installed, leave a lot of cruft in the WordPress database, so even if they’re unistalled, the database winds up with a lot of former plugin pollution. Fortunately, in that hidden advanced settings panel I found above, there is an option to delete the entire site and start over.
Here is a partial list of everything that’s preinstalled:
Many of them are also flashing red notifications, begging for attention.
Quick security checks with Bluehost
Security is one of the biggest issues when it comes to operating a website. You want to make sure your site is safe from hackers, doesn’t flag Google, and can connect securely to payment engines if you’re running an e-commerce site of any kind.
While the scope of this article doesn’t allow for exhaustive security testing, there are a few quick checks that can help indicate whether Bluehost’s most inexpensive platform is starting with a secure foundation.
The first of these is multifactor authentication (MFA). It’s way too easy for hackers to just bang away at a website’s login screen and brute-force a password. In the past, many of my sites have been pounded on by some hacker or another, but because I have some relatively strong protections in place, the bad actor hasn’t been able to get in.
Also: Saving hours of work with AI: How ChatGPT became my virtual assistant for a data project
Unfortunately, the basic Bluehost plan doesn’t appear to support multifactor authentication at the dashboard level. Any WordPress site can add an MFA plugin to support authentication at the website level, but it would be nice for Bluehost to offer MFA at the hosting level. They do allow you to set a PIN code, so if you’re contacting support for help, they can verify that you’re you. But that’s not the same as real MFA.
Bluehost includes a free AutoSSL certificate, which is configured and enabled by default.
As my last quick security check, I like to look at the versions of some of the main system components that run web applications. To make things easy, I chose four components necessary to safe WordPress operation. While other apps may use other components, I’ve found that if components are up-to-date for one set of needs, they’re usually up to date across the board.
Here are my findings (using the Health Check & Troubleshooting plugin), as of the day I tested, for Bluehost’s Basic plan:
Component |
Version Provided |
Current Version |
How Old |
PHP |
8.3.4 |
8.3.4 |
Current |
MySQL |
5.7.23-23 |
5.7.44 |
68 months |
cURL |
8.7.1 |
8.7.1 |
Current |
OpenSSL |
1.1.1w |
3.2.1 |
Unsupported |
In general, these results are fairly good — especially considering how out of date some of Bluehost’s competitors have been when I checked their versions. That said, you kind of need to know the component to know how to read these results. Bluehost has current versions of PHP (the language that runs WordPress) and cURL, a library used for many supporting services.
MySQL can be confusing. The current version of MySQL is 8.0.23, but the production MySQL release process jumped from 5.7 to 8.0. While the MySQL 8.x branch is being updated, so is the MySQL 5.7.x branch. In that branch, at 68 months out of date, Bluehost’s MySQL is getting a quite long in the tooth.
SSL is far worse. This is the security environment that provides encrypted communications to your website. It’s what’s indicated by that little lock in your browser’s address bar. Bluehost is running an unsupported and obsolete version of OpenSSL. This is not new news. It’s now seven months since the entire OpenSSL 1.1.1 track has been end-of-lifed.
Bluehost says that it’s not really a problem, because they backport security code into their implementation. Brent Lundell, senior director of hosting infrastructure at Bluehost told me this:
OpenSSL is commonly backported by various software packages and operating systems, leveraging an older version (such as 1.1.1) while backporting the security patches to prevent regular rewrites of other portions of the software base. In Bluehost’s case, OpenSSL 1.1.1 is compiled upstream by WebPros, which will backport security patches into v1.1.1 and ensure we’re running a fully secured version.
That’s a credible statement, but I still don’t like it. If a security product has been obsoleted, it just raises the hairs on the back of my neck to still keep running it, even if a separate team is keeping it secure. I’d be far more comfortable moving to the actively supported code. Based on Lundell’s response and some reading I did on the topic, it’s quite likely their implementation is safe. Still, it seems wrong somehow.
Bluehost performance testing
Next, I wanted to see how the site performed using some online performance testing tools. It’s important not to take these tests too seriously. We’re purposely looking at the most low-end offerings of hosting vendors, so the sites they produce are expected to be relatively slow.
Also: I used ChatGPT to write the same routine in 12 top programming languages. Here’s how it did
That said, it’s nice to have an idea of what to expect. The way I test is to use the fresh install of WordPress with the standard theme TwentyTwenty. I then performance test the “Hello, world” page, which is mostly text, with just an image header. That way, we’re able to focus on the responsiveness of a basic page without being too concerned about media overhead.
First, I ran two Pingdom Tools tests, one hitting the site from San Francisco and the second from Germany. Here’s the San Francisco test rating:
It’s not stellar, but a good solid B rating is all you can really expect from a bottom-of-the-barrel plan. It’s certainly workable and shouldn’t incur any Google juice SEO penalties. Here’s the same from Germany:
Also, definitely good enough for a small site.
Support responsiveness
There’s not much to say here. I had only one interaction, late on a Sunday night. I did get connected with human via chat within about five minutes. The individual was nice and clearly wanted to help. I particularly liked how they let me know that some of the information would take a few minutes to dig up, so I wasn’t left hanging, wondering if they’d gone home for the night.
ZDNET’s buying advice
Bluehost is a workable web hosting provider, but certainly not spectacular. Having out-of-date and discontinued security libraries, even for a basic plan, even if it’s been kept secure by a different team, makes me nervous. The offering of two different dashboards, opened at just about the same time, was confusing. The packing of the site with a ton of upsell plugins was just plain annoying. But performance was good enough, especially for the base price.
You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.