WP Engine review: A solid managed-hosting provider for WordPress

0
11


wp-engine-review.png

WP Engine

If you’re looking for a web hosting provider, you have a tremendous number of choices. In our web hosting provider comparison guide — best web hosting providers — we looked at several providers that offer a wide range of plans.

In this review, we’re going to dive into WP Engine’s offerings

Normally, to get a better feel for each individual provider, I set up the most basic account possible and performed a series of tests. But WP Engine is a more specialized host, primarily offering managed WordPress hosting.


WP Engine at a glance


As such, WP Engine’s basic plan starts at $20 per month (when a year is prepaid), where most of the other hosting providers we’ve reviewed offer plans under $5 per month. Note that this isn’t because WP Engine is overpriced. Instead, it’s offering a more advanced level of service for sites that require more resources.

As you transition from a site with a few pages to a site like mine with a lot of complexity but that’s still relatively small, to huge sites like ZDNET, the cost of hosting goes up considerably. WP Engine targets small businesses up through enterprise needs, so its pricing reflects the resources those customers need to be able to use.

For our review, I’ve chosen the $20 per month Startup Plan. Keep in mind that when you sign up for this plan, you’re not paying $20 each month, doled out over the course of the year. You’re expected to pay $240 when you sign up. Also note that when you renew, the price will jump. You’ll be paying $360 per year thereafter.

How to install WordPress with WP Engine

When you first log into WP Engine’s dashboard, you’re greeted with a survey screen. Presumably, these questions are used for marketing purposes.

user-portal-wp-engine-2021-08-14-20-27-16.jpg

Once you dig through those screens, you’re given the opportunity to set up other user accounts. These are dashboard users. Setting up your WordPress users will be done in WordPress.

user-portal-wp-engine-2021-08-14-20-28-07.jpg

And, finally, you’re in the dashboard.

user-portal-wp-engine-2021-08-15-01-06-13.jpg

Let’s add a new site:

user-portal-wp-engine-2021-08-15-01-08-38.jpg

This step is actually very interesting and requires some unpacking. When you buy your plan, you’re given a certain number of sites you’re allowed. The plan I’m on allows one site.

But WP Engine has this concept of a “transferable site.” You can’t switch a site from non-transferable to transferable, so decide this up front. A transferable site is one where you build the site, then you transfer it to a client who also has a WP Engine account. You’re allowed as many transferable sites as you want since the only way outside traffic can get in is via a password-protected portal.

Next up comes a grid of four choices. You can start with a (mostly) blank site, get some handholding as you build your site, or transfer sites.

I always like to go with as much control as I can, so I’m starting with a basic site. Then I clicked Next.

user-portal-wp-engine-2021-08-15-01-14-21.jpg

I thought this was kind of interesting. First, you need to name your “environment.” Initially, you can use a subdomain, but you can later move it to a domain of your choosing.

It’s this environment thing that’s interesting. In addition to the transferable sites, you can set up three “environment” sites: production, staging, and testing. This means you can work on your site while your production site is live, and then switch environments. I like that… a lot.

I’m going to go straight to production because I’m just running some basic tests. I’m also turning off automatic plugin updates because I like to be aware of when my plugins update.

Then I clicked Add Site. At this point, the following Site list shows up. 

user-portal-wp-engine-2021-08-15-01-18-50.jpg

You can’t do much yet, other than delete the site. After about five minutes, I got an email telling me my site was ready.

your-wp-engine-site-is-ready-davidgewirtzgmail-com-gmail-2021-08-15-01-20-23.jpg

I clicked the URL, and there you go:

david-gewirtz-site-your-super-powered-wp-engine-site-2021-08-15-01-21-09.jpg

Screenshot by David Gewirtz/ZDNET

Next, I configured an admin password. This takes you to the normal WordPress admin reset screen, where you enter your email address and a new password is mailed out. Nothing surprising here.

The main WordPress dashboard page was surprisingly junk-free. That’s definitely a breath of fresh air after encountering all the upsells and crapware of other services. There is a “WP Engine has your back” widget, but all it does is point you to some performance management features of the host dashboard.

dashboard-david-gewirtz-site-wordpress-2021-08-15-01-40-40.jpg

Screenshot by David Gewirtz/ZDNET

My next stop was Plugins, and it was garbage-free as well (something of a rarity with WordPress hosting providers):

plugins-david-gewirtz-site-wordpress-2021-08-15-01-43-30.jpg

Screenshot by David Gewirtz/ZDNET

There’s the Akismet Anti-Spam plugin that comes with most sites, and that’s it. I have to say it was very nice having a clean site to work with.

The Themes area was equally un-hateful. The only themes shown are the default WordPress themes.

manage-themes-david-gewirtz-site-wordpress-2021-08-15-01-45-00.jpg

Screenshot by David Gewirtz/ZDNET

Overall, the WordPress install in WP Engine was clean and without either muss or fuss. It’s definitely workable.

The rest of the WP Engine dashboard

The first thing I like to do when looking at a new hosting provider is exploring their dashboard. Is it an old friend, like cPanel? Is it some sort of janky, barely configured open source, or homegrown mess? Or is it a carefully crafted custom dashboard? These are often the ones that worry me the most because they almost always hide restrictions that I’m going to have to work around somehow.

You don’t really gain access to the WP Engine dashboard until after you install a site/environment:

user-portal-wp-engine-2021-08-15-03-11-33.jpg

Once you do, a quick click on the site name gives you a more comprehensive tool:

overview-user-portal-wp-engine-2021-08-15-03-14-26.jpg

Screenshot by David Gewirtz/ZDNET

Yeah, that’s more like it. There’s a quick access button to PhpMyAdmin for database manipulation, another to launch the WordPress admin interface and quite a lot of setup options. I’m not going to go into them in-depth since this review still has quite a way to go, but I didn’t see (or not see) anything that would make me worry.

All told, WP Engine seems to be quite comprehensive in terms of what it allows site operators to do.

This might also be a good place to mention that WP Engine produces the Local WordPress hosting environment, for hosting WordPress on your development machine. This product used to be Local by Flywheel before WP Engine acquired it.

I can personally attest to the quality of the Local implementation. As I mentioned in my development tools article, I use Local every day for coding and maintenance of the WordPress plugins I manage. It’s a very helpful tool. And, it’s free.

Quick security checks with WP Engine

Security is one of the biggest issues when it comes to operating a website. You want to make sure your site is safe from hackers, doesn’t flag Google, and can connect securely to payment engines if you’re running an e-commerce site of any kind.

While the scope of this review doesn’t allow for exhaustive security testing, there are a few quick checks that can help indicate whether WP Engine is starting with a secure foundation.

The first of these is multifactor authentication (MFA). It’s way too easy for hackers to just bang away at a website’s login screen and brute-force a password. One of my sites has been pounded on for weeks by some hacker or another, but because I have some relatively strong protections in place, the bad actor hasn’t been able to get in.

WP Engine has a well-considered MFA implementation, allowing you to use SMS, Google Authenticator, or even Okta for enterprise SSO. This is for the main WP Engine dashboard. You, of course, can add a plugin to your WordPress site to put MFA on there as well.

adaptive-multi-factor-authentication-user-portal-wp-engine-2021-08-15-03-22-06.jpg

Also, the site created by WP Engine has SSL security by default. As you can see, the dashboard (and this also applies to the user-facing content) has a valid certificate and encryption. I didn’t have to set up anything

connection-is-secure-2021-08-15-03-24-16.jpg

I like to externally test SSL implementations using a test suite provided by SSL Labs. WP Engine passed easily:

ssl-server-test-funwithzdnet-wpengine-com-powered-by-qualys-ssl-labs-2021-08-15-03-27-46.jpg

Screenshot by David Gewirtz/ZDNET

As my last quick security check, I like to look at the versions of some of the main system components that run web applications. To make things easy, I chose four components necessary to safe WordPress operation. While other apps may use other components, I’ve found that if components are up-to-date for one set of needs, they’re usually up to date across the board.

Here are my findings (using the Health Check & Troubleshooting plugin), as of the day I tested, for WP Engine’s Startup plan:

Component

Version Provided

Current Version

How Old

PHP

8.2.14

8.3.4

3 months

MySQL

8.0.35-2

8.0.36

5 months

cURL

7.81.0

8.6.0

26 months

OpenSSL

OpenSSL 3.0.2

OpenSSL 3.0.12

24 months

In general, these results aren’t bad. You kind of need to know the component to know how to read these results. PHP is pretty much right on track as is MySQL. PHP is the language used to run WordPress and MySQL is the database environment.

cURL is a little disturbingly out of date as is OpenSSL, but as the previous SSL test showed, the actual SSL encryption is solid, which is what we’re really concerned about.

Also, Brent Stackhouse, VP of Security and IT at WP Engine, tells us:

For some of our packages, including OpenSSL and cURL, we use the Linux distribution Ubuntu’s packages, whose versions often do not match the official maintainer’s versions due to something called “backporting.” In this case, both OpenSSL and cURL are fully patched but the version makes it appear otherwise, because backporting in Ubuntu packages is not reflected in the version number. We have verified internally that all recent vulnerabilities (designated by CVE number) are included in our running versions of OpenSSL and cURL.

The bottom line is that WP Engine is on track for the core WordPress components and a little behind on supporting encryption and data transfer, but testing shows it’s not far enough behind to cause a security threat.

Performance testing WP Engine

Next, I wanted to see how the site performed using some online performance testing tools. It’s important not to take these tests too seriously. These are just quick tests on a site with no traffic.

That said, it’s nice to have an idea of what to expect. The way I tested was to use the fresh install of WordPress with the default installed theme. I then performance test the sample page, which is mostly text. That way, we’re able to focus on the responsiveness of a basic page without being too concerned about media overhead.

First, I ran two Pingdom Tools tests, one hitting the site from San Francisco and the second from Germany. Here’s the San Francisco test rating:

sf-speed-test-pingdom-tools-2021-08-15-04-13-46.jpg

Screenshot by David Gewirtz/ZDNET

Then I ran the test from Germany. The results were hard to complain about:

germany-speed-test-pingdom-tools-2021-08-15-04-14-56.jpg

Screenshot by David Gewirtz/ZDNET

Next, I ran a similar test using the Bitchatcha service:

bitcatcha-your-website-performance-report-attached-2021-08-15-04-16-17.jpg

Screenshot by David Gewirtz/ZDNET

This test ran based on the home page of the site, and it didn’t seem to like the loading speed for the main image. In my testing, the image seemed to load just fine, so again, I don’t have any real complaints.

Now, here’s the gotcha. Basic performance is fine, but we don’t have data for how the service will perform under load. Since you’re presumably buying a higher-end managed hosting service, you’re probably expecting some level of traffic.

I say this a lot in my reviews, but take advantage of the money-back time period to fully test out results for yourself. You have 60 days with WP Engine. Make sure to use them. And if you run into performance issues, reach out to the company. Managed hosting services are supposed to provide better hands-on support, so use it.

WP Engine support and money-back guarantee

WP Engine does have 24/7/365 live chat support. I tried it out at 1 a.m. on a Sunday morning (what? I’m a night person) and found the support representative to be both knowledgeable and friendly.

WP Engine offers a 60-day money-back guarantee. Here’s a blog post that explains how to cancel the various types of service.

Overall conclusion: No complaints

I got no complaints. No, seriously, I have no complaints. Other than a few component versions being out of date (but still within the system requirements for WordPress), I have nothing to ding them over.

Setup was straightforward. The hosting dashboard, while not as comprehensive as cPanel, provided all the resources a well-equipped WordPress would require. The addition of development and staging versions, along with the transferable sites provides a lot of flexibility for a 1-site plan.

SSL worked and passed my tests, and site responsiveness was good. Support was responsive, helpful, and intelligent in the middle of the night on a weekend.

If you’re looking for a super-cheap hosting offering, this isn’t it. But if you’re serious about hosting your site, you could do a lot worse than WP Engine. I don’t do star reviews, but I’d give it a four (out of five).

The only reason I wouldn’t give it a five is I’d never give a hosting provider a top rating on just a week or so of evaluation. You don’t really get to know your hosting provider until you’ve worked with them for a few years and resolved a few crisis events.

That said, if I had to move my sites to another provider, I’d definitely consider WP Engine.


You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.





Source link