When I got up Thursday morning, I discovered that my blog was “down.” It didn’t load if you wanted to view it, and I couldn’t log on as “administrator” to try and figure out what was wrong.
So I sent a quick note to the support staff at Hostrocket, the hosting service that I’ve used for well over a decade.
The answer that came back was surprising, and less than satisfactory.
In essence, their answer was that my site had been shut down without any notice because it was exceeding certain arbitrary limits set for demands on the server.
Here’s the key paragraph of the reply from Hostrocket:
At this time, all accounts are limited to 1GB of memory across all scripts that they are running. This limit represents a significant portion of the server’s available memory. While I understand that you may not anticipate your account/websites to be particularly resource intensive, in many cases the volume of illegitimate/unwanted traffic to sites can account for much higher resource usage. Regardless of the legitimacy/intention of the traffic, any requests hitting a site generate PHP/MySQL processes which eat away at server CPU/Memory/Disk IO resources so I’m sure you can understand why this becomes a problem even though you may not realize it.
Translated into english, here’s what I think that says:
“Your site is being attacked by a high volume of illegitimate/unwanted hits and our servers aren’t properly designed to fend off external attacks, so you’re on your own. Oh, and by the way, since your site was the victim of such an attack, we shut it down overnight. Our protocol doesn’t include notifying you of this action.”
Okay, Hostrocket. That sucks.
I ran their response past a friend who is far more savvy about such things than I am.
His blunt response:
I use GoDaddy unlimited hosting, and have never gotten a response like that from them. I currently host 83 WordPress sites in that account, along with a bunch of static sites.
He suggested several security plug-ins I could add to augment my installation of WordPress. For those of you who are interested, here’s his list.
State sites use:
— iThemes Security
All my own sites use:
— Wordfence (set to Lockdown, and with Falcon caching enabled)
— Bulletproof Security
— Jetpack (with Photon photo caching enabled, and Protect mode enabled)
But while considering these plug-ins, I thought about what Hostrocket said about those illegitimate outsiders taking up server resources even if my site successfully repels them.
So I’ve ended up trying a short term fix–I signed up for a service that first routes all visitors to this site through a separate screening process designed to reject illegitimate users before allowing direct access to this blog.
That will hopefully keep the draw on Hostrocket resources below their new limits, while keeping my site secure.
But isn’t this something that a major company like Hostrocket should be doing to protect its own servers? Or are they just packing too many users onto each of their shared servers, so that the servers can’t keep up with the load?
After this experience, I guess my intermediate-term fix is to take my business to a different hosting service. But that requires planning and additional work, given the 15 years of history packed into this site. I’ll have to study up on how to make such a move without creating more problems.
In the meantime, I hope this stays up and running. I’m optimistic, but not confident.