This advice applies to the kind of shared hosting accounts that individuals and small organizations might use. Your site shares a server with other users.

If you want to host a Website accessible to the public, how should you go about picking the host? Most people look at the obvious things:

  • Cost (including add-ons)
  • Amount of storage
  • Number and size of databases
  • Number of email accounts
  • Free non-commercial SSL certificates
  • Speed (promised)

At the moment, I have my Websites on three different hosts:

Each site tries to lure you with its offers:


Please notice the greater technical details and features in the A2 Hosting site. While these are important considerations, there may be more critical differences among hosting providers. I run six Websites, all based upon Drupal (which I recommend highly for a serious site that needs fine-grained access controls). However, to run Drupal Composer requires ai least 768 MB of memory for php, so you cannot use the cheapest A2 plan. The cheapest Ionos plan offers just 256 MB.

I am going to migrate all of my sites to A2hosting. Let me tell you why.

The first difference among the sites is the file layout. All sites give you a htdocs (or public_html) directory, which is where internet-accessible are placed. But you also need a directory that is NOT accessible over the internet for security purposes. Drupal requires this. Amazingly, Ionos does not give you a directory above htdocs. They do allow you to specify private files, but there is no way for Drupal to use these. You need this file space to store backups, new patches or versions for your system, etc. This is a security issue!

All hosts also allow you to choose Linux or Windows as a hosting platform. I always choose Linux (usually a version of Debian). I see no good reason to use a Windows-based server.

All hosts let you manage your site via a Control Panel. Almost all sites use a control Panel from, but there is a difference in what you can control, and how fine-grained things are. In addition to the Web interface via CPanel, to really manage your site, you will want to log in with ssh or to transfer files using sftp. All hosts allow this, but it is a bit easier with JustHost because you can use your username and site name:


Other hosts require the specific address of your host server. It is no big deal, but you should keep track of this. No host allows the use of X-windows (graphical ssh interface), so you need to learn how to use Vi (or better, Vim) in order to edit site files in your terminal window. However, on my Mac, using Transmit, I can mount a remote directory and use BBedit locally to edit my site files.

You will need a bunch of usernames and passwords to manage your site, so I urge you to make an encrypted spreadsheet page to remember all of them. They need to all be different for site security! For example, you will need login credentials for

  • Your hosting provider
  • ssh/sftp
  • Drupal (or Wordpress...) administration
  • The database server
  • Your site email accounts

And you may also need credentials for useful site add-ons such as

  • Google Maps and/or geolocation
  • Paypal
  • Mailchimp
  • Recaptcha (anti-spam)

The latest versions of Drupal (8.x) require management from your terminal via programs called Composer and Drush. This makes life a lot harder for site builders in my opinion. Both of these programs and Drupal itself rely upon the program PHP. There are three issues: All hosts allow you to choose the version of PHP for your site, but not all sites offer the latest version. 


JustHost stops at PHP 7.0, whereas PHP is is now up to version 7.3. Even worse, for Drupal, many of the Composer options require PHP > 7.1.3. There is no reason for the host to NOT put up more recent versions of PHP. Notice also that the PHP extensions offered by JustHost are Meagre. A2 Hosting offers an easy checklist to add extensions:


The second issue is that the version of PHP that you can use in your ssh shell is not necessarily the same as the one you can choose for your Web site. JustHost has only recently switched this to version 7.0 (from version 5), but it is still too old to properly run Composer.

php -v
PHP 7.0.31 (cli) (built: Aug  2 2018 14:51:52) ( NTS

And, no host allows you to actually change your shell PHP version.

A2 Hosting uses php 7.1.23

php -v
ea-php-cli Copyright 2017 cPanel, Inc.
PHP 7.1.23 (cli) (built: Oct 13 2018 05:10:45) ( NTS )

but, for Ionos:

~$ php -v
PHP 4.4.9 (cgi-fcgi) (built: Oct 19 2018 06:51:47)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies

and their explanation is:

"We set the php version to default which is PHP 4. In a shared hosting package we don't have an option to change that."

Php 4 is no longer maintained so using php 4.x is also a security issue, and moreover, it will not run the Drupal tool Composer, which is used to update Drupal and should be used to install modules. Yes, you can search for a newer version of php and use it via a full path, but since you have no home directory in which to put a .bashrc file which could change your path, or make aliases, this is a royal pain.

The final issue is whether you can control the PHP runtime parameters, and how easy it is to do this. A2 Hosting once again has a nice interface for this


On some other hosts, you must edit a php.ini file manually. Ionos (1&1) seems to ignore the php.ini file.

Having up-to-date host software is critical because your web environment might require the latest versions, and also, there are many security fixes. It is dangerous to use old unpatched versions of software. You have no way of telling whether your host software is patched or not. Once again, JustHost seems to be behind the curve. If you run phpMyAdmin (to administer your databases via a GUI), you get

You should upgrade to MySQL 5.5.0 or later.


When you switch hosting providers, it is very nice for the new host to migrate your site from the old host. A2hosting does this nicely.

Software to manage your site

My Drupal Theme Zurb_foundation requires npm to manage it properly. Without a directory level above www, it is impossible to do this. On A2Hosting, a ~/bin directory is already in your path, and you can easily install the required node.js, linking its bin directory to ~/bin.

Vulnerability checking

Another advantage of A2Hosting (I just discovered) is that they scan your installation for security issues and send you an email; none of my other hosts do this.

A2 Hosting

Toll Free (USA/Canada): 1-888-LINUX-HOST

International: +1 734-222-4678

Support Center Billing Services Contact Us


As part of our commitment to providing you with a secure hosting environment, we performed an automated scan of your domain(s) hosted on

It appears patches are available for application(s) installed in the following path(s):

Open redirect vulnerability in Drupal

Open redirect vulnerability in Drupal

Open redirect vulnerability in Drupal

Incorrect permissions vulnerability in Drupal

Sign up to create or to transfer your Web site to A2Hosting


Add new comment


  • No HTML tags allowed.
CAPTCHA This question is for testing whether or not you are a human visitor and to prevent automated spam submissions. Image CAPTCHA

Enter the characters shown in the image.