Just, please, host that site anywhere but here.
— email received from Nearly Free Speech support staff
Well, if you insist…
For about three days, I hosted several of my Web sites with “Nearly Free Speech.” NFS advertises themselves as a hosting company with usage-based billing (like AWS, but predating them by years), and a DIY customer ethic.
I really liked the idea of NFS. I’ve long liked the notion of usage-based billing, even though it’s often not cost-effective at the lowest end of the scale. (Costing is complicated.) Similarly, I like the notion of a low-touch, do-it-yourself hosting service. A large part of what you’re paying for, whether you’re using AWS or another, more traditional hosting service, is for the vendor to do all the different parts of “being a sysadmin” that aren’t directly relevant to your application. I do all that stuff at my day job and I was hoping to get out of doing it as a “hobby.”
So, I signed up for NFS’ service and deposited a few dollars to get things started. Moved my sites and databases over with no fuss, and things worked fine.
For about an hour.
Then an automatic system of theirs emailed me, letting me know they’ve disabled the login form on one of my sites. The Bureau has been around for over twenty years, predating even the WordPress software that currently runs the site by several years. (It started on a home-brew “CMS” I wrote as a summer project in 2000, and I migrated its data over to WP in 2009.) Having been doing WordPress stuff for most of a decade, and having worked on that specific site for literally two decades, and having never had a compromise in all that time, I’d like to think I sorta know what I’m doing.
I get it, though. If you don’t keep WordPress and its plugins up to date, you risk having your site compromised. WordPress is the software behind roughly a third of the Internet, so it’s a very popular target for all manner of bad actors. I’m a new customer, they have no way of knowing that I know what I’m doing. So I reverted their change, and opened a ticket asking if this mechanism could be disabled. (They actually provide instructions on how to correct the action they take, which is nice.) Between when I opened the ticket and they responded to the ticket, they shut off the login form several more times.
Their one-word response to my query was “No.”
At about the same time, I noticed that it was no longer possible for users to upload files, or for any of WordPress’ built-in update features to work, and asked about that as well. To be fair, the fault for the upload/update problem was largely mine — the file permissions on their Web server were not set correctly for those features to work. (One could argue that a host’s default settings should allow the Web’s most popular hosting and CMS software to work out-of-the-box, but that’s another discussion entirely.)
There were a few back-and-forth messages, which boiled down to “I’d like WordPress’ built-in features to work,” and them saying that they intend to protect me from myself, even though I’m pretty sure I don’t need to be protected from myself in this case. They noted that the file system settings I had to use to get the WordPress auto-updater to work, would technically allow the Web server to modify any file on the site. Which, duh, the updater has to be able to update all the files. It culminated in the message I quoted at the top of this post.
Based on this experience, I’m not really sure who NFS’ target customer might be. People whose Web sites are highly custom code, that won’t trigger their somewhat over-zealous security systems? People whose Web sites are still written in flat HTML, and have sufficiently low traffic that they can deposit ten dollars and keep the site up for the next year or two? It’s definitely not people who want to use WordPress as a Web-based content platform. Their recommended settings prevent site owners from performing automatic updates, which feels like it will ultimately make sites hosted there less secure, defeating the whole purpose.