Chad Perrin: SOB

29 April 2008

wordpress.com != good domain hosting

Filed under: Geek,Metalog — apotheon @ 02:04

In required cookies == bad design, I pointed out that requiring cookies just for people to view free content is a bad idea. When denying cookies means you can't view the Website in question, this means a lot of people aren't going to view the Website — including me, much of the time.

I gave this advice to all and sundry Website maintainers:

Maybe you should actually visit your own site on a computer you haven't used to do so before, and deny all cookies for the site. See what happens.

If you have registered a domain name and point it at a wordpress.com Weblog account, I can already tell you what happens on some systems: it enters an infinite loop during page load. The page stays white, and the browser just starts over the page loading process repeatedly, without end in sight. I haven't let it run long enough to see if it eventually crashes the browser (I suspect it doesn't, but I suppose there's a possibility, depending on browser memory management).
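One way to run that check without a browser, as an added example that is not part of the original post: request the page with no cookie jar, follow redirects by hand, and report a loop when a URL comes round again. It assumes the reload loop shows up as HTTP redirects (a script-driven or meta-refresh reload would not be caught); `CookieGate` and its `/gated`, `/login` and `/free` paths are a constructed stand-in served on a loopback port, not WordPress.com's actual behaviour.

```python
import threading
from http.client import HTTPConnection, HTTPSConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

def load_without_cookies(url, max_hops=10):
    """Follow redirects by hand, sending no cookies; return (verdict, hops)."""
    seen, hops = set(), []
    for _ in range(max_hops):
        if url in seen:  # back at a URL we already asked for, still cookieless
            return "loop", hops
        seen.add(url)
        parts = urlsplit(url)
        cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
        conn = cls(parts.netloc, timeout=10)
        conn.request("GET", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        resp.read()
        location = resp.getheader("Location")
        # Each hop records (status, url, whether the server tried to set a cookie).
        hops.append((resp.status, url, resp.getheader("Set-Cookie") is not None))
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            return "loaded", hops
        url = urljoin(url, location)
    return "too-many-redirects", hops

class CookieGate(BaseHTTPRequestHandler):
    """Constructed stand-in: /gated bounces cookieless visitors via /login."""
    def do_GET(self):
        if self.path == "/login":
            self.reply(302, "/gated")
        elif self.path == "/gated" and "Cookie" not in self.headers:
            self.reply(302, "/login")
        else:
            self.reply(200)
    def reply(self, status, location=None):
        body = b"" if location else b"content"
        self.send_response(status)
        if location:
            self.send_header("Location", location)
            self.send_header("Set-Cookie", "seen=1")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    server = HTTPServer(("127.0.0.1", 0), CookieGate)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    try:
        return load_without_cookies(base + "/gated"), load_without_cookies(base + "/free")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

Pointed at a real site, `load_without_cookies("http://example.org/")` returns the same verdict and hop list; a hop that sets a cookie and redirects is the one to look at first.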

So . . . if you're smart about how you manage your online life, you won't use wordpress.com for domain hosting. Interestingly, I've discovered that http://cameron.blogs.foxnews.com uses wordpress.com — which might say something about the people managing blogs.foxnews.com.

I looked into what it takes for an average, non-professional Weblog user to get domain hosting at wordpress.com (I figured immediately that this probably costs money). What I discovered at the premium features page for Domain Registration and Mapping is:

If the domain isn’t registered, it will ask you for some information and then register it for you, and add domain mapping, for $15/yr.

If you already own a domain you registered somewhere else, you can map it for $10/yr.

I personally recommend against ever doing both domain registration and Webhosting through the same company. It's best to hedge your bets (as I discovered from personal experience years ago, when a Webhost/registrar I was using basically held my domain name hostage when I wanted to switch Webhosts to someone that provided better service for less money). Unless you have a really unscrupulous registrar like GoDaddy, or something equally dodgy, your most likely problem in outsourcing domain hosting is the Webhosting service provider — and if you registered your domain through someone else, it's trivial to switch service providers for Webhosting. If not, things might get messy.

Setting up a WordPress Weblog at my Webhost is as easy as doing so at wordpress.com, plus I have more control over the form of the Weblog, and I get to do a whole lot else with the Webhosting account too (including SSL/TLS access to POP, IMAP, and Web email accounts). Most relevantly, when someone denies cookies while visiting SOB, it doesn't enter an infinite refresh loop.

notes:

Testing on multiple platforms shows that the infinite refresh loop manifests on some systems, and not on others. I haven't investigated enough to know why that is. So far, it has shown up on an MS Windows Vista machine and a FreeBSD machine with Firefox, but not on MS Windows XP with Firefox or IE, nor on Debian with Iceweasel (rebranded Firefox).

With IE on Vista, refusing cookies one at a time, it eventually loads after about 20 times denying the cookie. With Opera on Vista, denying all cookies immediately, it loads. With Safari on Vista, it eventually loads (apparently all you can do for cookie handling is either deny all or accept all — not a good set of options for the security-conscious).

It has only been tested on one instance of each system configuration (IE+Vista, IE+XP, Fx+Vista, Fx+XP, Fx+FreeBSD, Iceweasel+Debian, Opera+Vista, Safari+Vista), so your mileage may vary.

re: email . . .

Looking at what wordpress.com offers for email addresses when hosting your domain name at a wordpress.com account, I see that the email options they offer (through Google Apps) are extremely limited. For instance, you don't get the email addresses if you only map a subdomain (like sob.apotheon.org instead of apotheon.org itself) to the wordpress.com account. I also don't have to let Google index all my email for search engine and targeted marketing purposes.

This little tidbit from wordpress.com's Email and a blog on the same domain page is interesting too:

Custom urls are not supported.

So, yeah . . . just don't do it. If you want a Weblog with your own domain (or subdomain!), don't use wordpress.com.

If they fix the infinite refresh loop problem, it might start being worthwhile, depending on your budget, or if you only intend a very few known people who you can be sure will always accept cookies there to be able to access it anyway — but otherwise, it's just a bad idea.

22 Comments

  1. Unless you have a really unscrupulous registrar like GoDaddy, or something equally dodgy, your most likely problem in outsourcing domain hosting is the Webhosting service provider — and if you registered your domain through someone else, it's trivial to switch service providers for Webhosting. If not, things might get messy.

    I'm not sure what your experience with GoDaddy is, but it most definitely isn't the same as mine.

    When I first switched my registrar to GoDaddy (it was InfoAvenue through my ISP and I didn't like not having the amount of control I have now), I also bought hosting with email from GoDaddy. Because GoDaddy didn't offer anything like what my current host offers, I switched with no problems at all. Now for joseph-a-nagy-jr.us I have Google Apps handling that domain, and for the rest (ameliorations.us, rpgcn.us, i-love-amy.com) I use my web host.

    Again, not sure what your problem was with GoDaddy but I'm definitely interested in knowing, just for curiosity's sake.

    Comment by Joseph A Nagy Jr — 29 April 2008 @ 04:52

  2. For an introduction to the problems with GoDaddy, I'd recommend checking out NoDaddy. There's also the fact that it appears GoDaddy took a bribe from Microsoft to boost MS Windows/IIS statistics, then tried to buy open source community goodwill — which is especially ironic, considering GoDaddy doesn't even offer encrypted Webhosting account management with SSH for its shared hosting accounts (reason enough to use a different Webhost, even if its behavior as a domain registrar wasn't so reprehensible).

    Comment by apotheon — 29 April 2008 @ 05:59

  3. Well, it looks as if, with my second or third paycheck, I will be changing registrars as well as renewing my hosting. Sucks to be me.

    Any recommendations (I'm personally leaning toward directNIC at the moment)?

    Comment by Joseph A. Nagy, Jr. — 30 April 2008 @ 02:44

  4. I've run across a couple of accusations that directNIC is a sleazy domain squatter/stealer, but nothing that really makes me certain of the veracity of the claims. I don't really know much about directNIC, personally.

    My current favorite is pairNIC. All of their dealings that I've had occasion to notice give me the impression that the people at pairNIC are dedicated to integrity, attention to detail, and customer service in their manner of doing business. Among other things, pairNIC is a major supporter of sites like PerlMonks, and the CEO of pairNIC has shown up in a couple of forum sites that discuss Webhosting matters to make a strong case for transparent business practices, hosting security, and client privacy. I don't use pair Networks (the Webhosting arm of pairNIC) for Webhosting, just because some of my particular needs in a Webhost are not met there, but I use pairNIC for all my domain registrations at this time.

    Comment by apotheon — 30 April 2008 @ 03:16

  5. Thanks, I appreciate the recommendation and have spread the word (I find it highly ironic that the post in question happens to be numbered 404).

    Comment by Joseph A. Nagy, Jr. — 30 April 2008 @ 03:29

  6. Domain Name Registrars and Ethics...

    I’ve been a happy GoDaddy customer 4 years now and I’m proud to say that I’ve never had a problem with them. Unfortunately, I cannot make myself blind to what has happened to so many other people. After reading the stories there of wh...

    Trackback by Ameliorations — 2 May 2008 @ 02:40

  7. I've used godaddy for about 6 months now and really haven't had any problems. With any large company, you will always have a bunch of people that will hate you, but you will also have a bunch that will hate you. Unfortunately, you really only hear from the ones that hate you.

    Comment by WordPress, Made Easy — 10 July 2008 @ 02:45

  8. It's true that, given enough market share, there will always be someone who "hates" you. That doesn't mean that all such complaints are spurious, or that many complaints may not indicate a very good reason to avoid one domain registrar or hosting provider in favor of another. It doesn't make all vendors equal. Some have worse policies than others — and GoDaddy has proven many times to be one of those.

    Comment by apotheon — 10 July 2008 @ 03:11

  9. If you can't afford the $7+/month for hosting, you really have no business running a blog. I couldn't stand knowing that someone has the potential of deleting my blog with the click of a button, without any sort of warning.

    Comment by Miracle Breast Reduction — 24 September 2008 @ 06:07

  10. Technically, someone can do that with a proper shared hosting account, too — but control over the account is at least a little better under such circumstances than via a service like WordPress.com, Blogger, or LiveJournal.

    Comment by apotheon — 25 September 2008 @ 02:02

  11. I don't get why so many people have beef with Godaddy. I've rarely had any problems with my sites, however, I could see a cause for concern for those using their Windows package. I had some problems with setting up my sites until I switched to Linux boxes.

    Comment by Theo — 14 October 2008 @ 11:05

  12. Theo:

    You might want to scroll up the page to the second comment here and check out the links I provided. If you don't understand why people have "a beef" with GoDaddy, the information at the other end of those links might give you some ideas.

    If you're just saying that because you personally haven't had any problem with GoDaddy, nobody else should either, I think you're generalizing from a single case too much. Basically, you might just be one of the lucky ones.

    It's surely the case that the vast majority of GoDaddy customers never have any problem with GoDaddy services (at least, nothing they notice). That doesn't change the ethical bankruptcy of GoDaddy policies, or the fact that there is danger to doing business with GoDaddy that many of us consider an unacceptable risk.

    Comment by apotheon — 15 October 2008 @ 11:01

  13. Godaddy suck, for anything other than domains. Look at their website also, it's horrible, I can never find anything on it and constantly get lost. For hosting I recommend using Hostgator as their support will fix things on an ad-hoc basis if anything goes wrong. It's also cheap, costs me about $9 a month for unlimited domains, and a huge amount of BW.

    Jay.

    Comment by free local search engine submission forms — 10 December 2008 @ 08:33

  14. I have 10 domain names and 5 of them are blogs. I have used Blogger extensively but it is a very different experience to use our own hosting company. I am using a shared host but it is not cheap. It allowed me to use unlimited domain names and a handsome amount of bandwidth. domainsite is my domain registrar and they are perfect registrar for me.

    Comment by Sabac | Autoclaves Australia — 27 December 2008 @ 06:41

  15. To be very true, there is nothing better than Godaddy because I have been using it for a year for all my hosting needs. Mosterhost and Bluehost are also good but nobody can beat Godaddy. I am happy with their support and performance.

    Comment by horoscope 2009 — 8 January 2009 @ 05:35

  16. There's nothing wrong with Godaddy hosting. People have very massive expectations for hosting which is costing them only a few bucks a month. If you want more from a hosting account, look into reseller hosting from HostGator.

    Comment by Dental Assistant — 24 February 2009 @ 09:12

  17. There's nothing wrong with GoDaddy — except that:

    1. GoDaddy makes its conflict resolution decisions based on which of the two parties are most likely to reduce effective revenue — not on who's right.
    2. GoDaddy's basic Web hosting service is basically just a way to beg to have one's Website compromised, thanks to its complete lack of fundamental security concerns.
    3. GoDaddy plays such underhanded games when it mistreats you (as the party that cannot have as big a negative effect on its revenue as the other) as holding domain names for ransom for hundreds of dollars even when you prove you're not the spammer/whatever you were accused of being that got you shut down in the first place.

    How cheap is your $3 domain registration when you have to pay a $350 ransom to get control of it back after someone else who has more pull with GoDaddy made a completely unfounded claim against you?

    By the way, I edited out the URL for your "Dental Assistant" username because I'm half-convinced you're a Weblog comment spammer. I've done the same for a couple of others that are similarly sketchy-seeming as well.

    Comment by apotheon — 24 February 2009 @ 10:44

  18. [...] this is a bad way to run a Web site, and I picked on WordPress.com hosting in particular with wordpress.com != good domain hosting. None of that changes the fact that sometimes one might want to visit a site hosted by [...]

    Pingback by Paranoid cookie management | IT Security | TechRepublic.com — 9 September 2009 @ 03:18

  19. I tried to respond to http://www.zdnetasia.com/techguide/security/0,39044901,62058141,00.htm in three different browsers (Firefox, Safari & Chrome) and always fail the CAPTCHA and then on redoing the CAPTCHA it complains that my email address is invalid.

    Here is my comment:

    Hi Chad, thanks for letting us, WordPress.com, know about these issues.

    We did also have some yuckier related bugs some time ago, and I had thought we got all of them.

    I’m having problems reproducing this issue though. I wonder if the scenario is that during your investigation you accept some cookies (.wordpress.com ones), then disable cookie acceptance in your browser. You then tried to visit a custom-domain site on WordPress.com which triggers a remote-login attempt, sees you have .wordpress.com cookies, and tries to log you into this custom domain?

    That’s the only scenario where I could reproduce this issue. I don’t think that makes us bad hosting. We’re seeing what we can do to fix this scenario too.

    If there are other related bugs, we are eager to find out the details and fix them.

    Comment by Lloyd Budd — 29 September 2009 @ 10:55

  20. I can't speak for ZDNet Asia. I don't even write for that site. I write for TechRepublic, and the articles sometimes get farmed out to other CBS Interactive sites (including ZDNet Asia) without anyone bothering to tell me. I'm sorry you're having trouble with the CAPTCHA there. In the future, if you see an article of mine there and want to post a comment, you might want to check on whether the article is also on TechRepublic at the TR IT Security Weblog.

    I know the organization of the CBS Interactive sites is a little busy and difficult to scan effectively, and sympathize if you weren't able to quickly come up with a means of submitting a bug related to CAPTCHA there. There's a "contact us" link at the bottom of (every?) page at ZDNet Asia, though, that leads to a CBSi contact page with a "support" email address. You can try bringing someone's attention to the problem there — someone who's actually in a position to do something about it. I hope that helps.

    I also try to keep a list of my IT security articles up-to-date, so you could try checking to see if the same title you found somewhere like ZDNet Asia is on that list and click through to the TR article. The downside of this approach is that sometimes they edit the article headlines after publication, so the title may not match exactly if you do a text search on that page for a specific title. Actually, another downside is that I think TR requires you to make an account before posting a comment in discussion. Alas, I'm not in a position to change policy on stuff like that. I'm not even a TechRepublic employee; I write for TR, and send invoices, as an independent contractor.

    Anyway, to the subject at hand . . .

    I think the explanation you describe is probably exactly right. I do accept cookies from WordPress.com, and sometimes when visiting a site I don't know is hosted at WordPress.com (because it has a custom domain name), I deny cookies — then have the problem of perpetual reloads I described. I'd say that an endless loop due to a visitor's lack of omniscience about the hosting provider for a domain is a serious problem, too, as is anything else involving a technical decision that could drive traffic away from the site in question. As long as this bug remains, I certainly wouldn't host a domain at WordPress.com. I guess your mileage may vary.

    Off the top of my head, that's the only bug I know about.

    When I first stumbled across this issue, I tried finding a way to submit a bug. I wasn't able to find a convenient means of doing so, which is why WordPress.com didn't get a direct bug report from me. Ultimately, I just found it much easier to post this entry at SOB than to keep trying to figure out where to submit the bug to WordPress.com. Perhaps a prominent link to the issue/bug tracking system on the front page of the WordPress.com site would be in order.

    Comment by apotheon — 29 September 2009 @ 11:36

  21. Oh, interesting regarding syndication. Too bad they don't link back to the original article. I should have mentioned that I already reported the commenting issue there as well — just thought you might want to know, but sounds well out of your domain.

    Though I've met a few people that seem omniscient, you are quite right regarding the insidious potential of that cookie bug. And the nature of the problem may mean it would be left unreported.

    Regarding issue tracking, there is no public tracker. Reports are submitted through your 24/7 Support (http://support.wordpress.com/). WordPress.com specific issues we handle internally. If the issue is with one of the numerous open source components then those get reported and patched upstream (some side streams).

    Comment by Lloyd Budd — 29 September 2009 @ 12:22

  22. The 24/7 Support doesn't seem to be suitable for someone who doesn't have a WordPress.com hosting account to report a bug, which leaves no obvious channel for reporting something like this — since the people who have hosting accounts are unlikely to encounter the same bug. I'd really suggest providing a more obvious way for "outsiders" to point out issues.

    Thanks for letting me know about the ZDNet Asia issue, even if there's nothing I can do about it (except maybe tell someone else about it), and thanks for informing them of the problem (so I don't have to). Even if I never find out the article was reposted there, it would be nice to know that people aren't prevented from posting comments in discussion there. One of my main motivations in writing those articles is to help people learn more about security, and encourage them to think for themselves. Open discussion aids in that goal, whether I get to see the discussion or not.

    Comment by apotheon — 29 September 2009 @ 02:00


All original content Copyright Chad Perrin: Distributed under the terms of the Open Works License