Web Hosting

Summary

Hosting problems are almost never caused by the hosting platform — they are caused by what runs on top of it: bot traffic, plugin bloat, orphaned database artifacts, and misconfigured SMTP. The single most dangerous structural risk in the portfolio is shared hosting, where one misbehaving site can cascade 500-level errors across all ~60 co-hosted clients simultaneously. On managed WordPress platforms, cache hit rate is the most reliable proxy for site health; neglected environments routinely fall to 10–15% (against an 85% threshold) and generate daily gateway errors. Bot traffic is the most common trigger for both bandwidth exhaustion and cache degradation, and it cannot be stopped with a single mitigation layer.

Current Understanding

Cache hit rate and bot traffic are the two variables that explain the majority of hosting incidents across the portfolio. Everything else — plugin bloat, database accumulation, SMTP failures, DNS misconfiguration — is either a contributing factor to those two or an independent operational failure with a known fix.

Shared Hosting as a Systemic Risk

The structural problem with shared hosting is that resource limits are pooled. Village of Maple Bluff consumed 131 GB/month of bandwidth from bot traffic alone — a small municipal site with virtually no organic traffic — and that single site exhausted server bandwidth, triggering 500-level errors across all ~60 other client sites on the same server ^[1]. The failure mode is not gradual; it is a hard wall. One site hits the ceiling and everyone else goes down with it.

This is not a hypothetical risk. It has already materialized in the portfolio. The implication is that any client generating anomalous traffic — whether from a bot surge, a viral post, or a misconfigured crawler — becomes a threat to every other client on the server until isolated or rate-limited.

Cache Hit Rate as the Primary Health Signal on WP Engine

A healthy cache hit rate on WP Engine is 85% or higher. Sites falling below this threshold show predictable degradation: elevated 502/504 gateway errors, poor WP Engine health scores, and sluggish response times ^[2]. Neglected environments commonly drop to 10–15% cache hit rates, with health scores as low as 15/100.

Three causes account for most cache degradation: conflicting caching layers (multiple plugins attempting to cache simultaneously), plugin bloat and orphaned artifacts, and bot traffic overwhelming the cache with uncacheable requests. Doodla Farms had 6,000 unused files left behind by deactivated plugins — files that continued to consume resources and interfere with caching behavior despite the plugins being turned off ^[3]. Asymmetric's internal site accumulated 1,400,000 database entries from WP Activity Monitor alone ^[3]. Deactivated plugins do not clean up after themselves; the artifacts persist until explicitly removed.

Bot traffic compounds this. Sites under heavy bot pressure can absorb 8,000–10,000 bot hits per hour, crowding out legitimate cached responses and forcing the server to handle requests it cannot serve from cache ^[2].

Bot Traffic: Multi-Layer Mitigation Is Required

Bot traffic is not a problem that resolves with a single rule. PaperTube had geo-blocking rules in place — blocking Colombia, restricting to US/Europe/Canada — but when bot traffic shifted origin to UK and Europe, the geo-block was circumvented entirely ^[4]. Effective mitigation requires stacking enforcement layers: DNS/CDN perimeter rules (Cloudflare), server-level firewall, caching configuration, security headers, and AI bot blocking. PaperTube's security headers were graded D before intervention; HTML-level fixes raised this to A, but two headers required direct Cloudflare access that the agency did not have ^[4].

The PaperTube case also illustrates how bot surges correlate with external events. The traffic spike began around February 4–5, coinciding with Avast security warnings — suggesting that security scanner activity can itself generate bot-like traffic patterns ^[4].

Low Traffic Does Not Mean Low Resource Consumption

Traffic volume is a poor proxy for server load. A site with 72 monthly visits can still consume 24% of server requests if a plugin is running a query loop ^[5]. This is the diagnostic gap that WP Engine APM ($150/month flat rate per server, not per site) is designed to close — it provides code-level visibility into which plugins or queries are generating disproportionate server load ^[5]. Without APM, the only signal is degraded performance, which is too late.

Platform-Specific Operational Friction

Bluehost creates a specific access problem: 2FA verification codes go to the account owner's email on every login attempt. During Shine's November 2025 onboarding, repeated dev team login attempts sent a stream of unwanted 2FA emails to the client ^[6]. The fix is creating a dedicated admin user with independent credentials, bypassing the 2FA dependency entirely ^[6]. This is a one-time setup step that should be standard for any Bluehost-hosted client.

Bluehost also increasingly blocks or rate-limits PHP mail, which is the default outbound mechanism for most WordPress contact form plugins. Shine's contact form was not reliably delivering submissions, with the likely root cause being either PHP mail blocking or SMTP misconfiguration — both sources agree on the symptom but differ slightly on the primary cause ^[7]. The resolution is authenticated SMTP configuration regardless of which cause is primary.

DNS misconfiguration is the most common launch blocker. Cordwainer's rebuild was approximately 80% complete with a 2–3 week launch window, blocked by an incorrect DNS A record in Cloudflare ^[8]. The conceptual error is common: when a domain switches servers, the site stays where it is — only the address changes via the A record. If the server is not configured to expect the domain, traffic returns a 404 even though the server is physically present ^[9].

What Works

Dedicated admin user creation on Bluehost at onboarding. Creating an independent admin user with agency-controlled credentials eliminates the 2FA email dependency before it becomes a client-facing problem. The Shine case demonstrates the cost of skipping this step: unwanted emails to the client during a sensitive onboarding window ^[6]. This is a five-minute setup task that should be non-negotiable for any Bluehost engagement.

WP Engine staging with automatic domain search-and-replace. WP Engine's staging push rewrites all internal URLs and serialized options across the entire database automatically ^[8]. Building in staging and pushing to production is more reliable than building in production and migrating manually, because manual migrations routinely miss serialized data in the database.

DNS changes 3–4 days before scheduled launch. Scheduling DNS record updates (A record, CNAME, legacy NS) several days before the target launch date allows propagation to complete and issues to surface before the launch window ^[8]. Same-day DNS changes create unnecessary risk.

Authenticated SMTP over PHP mail for contact forms. PHP mail is increasingly unreliable on shared hosting — Bluehost blocks or rate-limits it, and deliverability is inconsistent across providers. Configuring authenticated SMTP (via a plugin like WP Mail SMTP with a dedicated sending account) resolves delivery failures at the source rather than treating symptoms ^[10].

WP Engine APM for diagnosing disproportionate resource consumption. At $150/month per server (not per site), APM provides code-level visibility into query loops and plugin inefficiencies that are invisible from traffic metrics alone ^[5]. A site with 72 monthly visits consuming 24% of server requests would not be identifiable without this tool.

Stacked bot mitigation layers. Cloudflare perimeter rules, server-level firewall, security headers, and AI bot blocking in combination are more durable than any single rule. PaperTube's geo-block was circumvented when bots shifted to UK/Europe origins; the sites that held up had multiple enforcement layers ^[4].

Complimentary short-term hosting to unblock deliverables. When a client is mid-contract with another provider and backend access is a hard dependency, offering free hosting through a transition period (as done for A New Dawn Therapy and Shine Construction & Cleaning through end of 2025) removes the blocker without requiring the client to break an existing contract ^[11].

Explicit plugin cleanup after deactivation. Deactivated plugins leave files and database entries behind. Doodla Farms had 6,000 orphaned files; Asymmetric had 1.4 million database entries from a single plugin. Scheduled cleanup of orphaned artifacts is a prerequisite for stable cache hit rates ^[3].

What Doesn't Work

Geo-blocking as a standalone bot mitigation strategy. PaperTube had geo-blocking rules targeting Colombia, but bot traffic shifted to UK and European origins, bypassing the rules entirely ^[4]. Geo-blocking is a useful layer but not a solution on its own — bots adapt to single-rule enforcement.

Assuming deactivated plugins are inert. Deactivating a plugin in WordPress does not remove its files or database entries. Doodla Farms and Asymmetric both demonstrate that orphaned artifacts accumulate silently and degrade cache performance over time ^[3]. Deactivation without cleanup is a deferred performance problem.

Using traffic volume as a proxy for server load. A site with 72 monthly visits consuming 24% of server requests is not an edge case — it is what happens when plugin code runs inefficient query loops regardless of user activity ^[5]. Traffic-based triage will miss these sites entirely.

Relying on PHP mail for contact form delivery on shared hosting. PHP mail is the default mechanism for most WordPress form plugins, but Bluehost and other shared hosts increasingly block or rate-limit it. Shine's contact form failures are the predictable outcome of this assumption ^[10].

Treating Avast security flags as confirmed security incidents. Bluepoint's site was flagged as a URL Scam by Avast WebGuard while carrying an A+ security rating — a false positive ^[12]. Newer domains and lower-traffic sites are disproportionately susceptible to these flags. Escalating to the client as a security incident before verifying the rating wastes time and creates unnecessary alarm.

Delaying DNS changes until launch day. Cordwainer's launch was blocked by a DNS misconfiguration that could have been identified and resolved days earlier ^[8]. DNS propagation is not instantaneous, and same-day changes compress the window for catching errors.

Patterns Across Clients

Bot traffic is the most common root cause of hosting incidents across the portfolio. Village of Maple Bluff (131 GB/month bandwidth consumption), PaperTube (bot surge beginning February 4–5 with Avast correlation), and the general WP Engine pattern of 8,000–10,000 bot hits per hour all trace back to the same source ^[13]. Bot traffic is not a niche problem for high-profile sites — a small municipal government site with no organic traffic was the most severe case in the portfolio.

Plugin accumulation degrades performance silently over time. Doodla Farms (6,000 orphaned files) and Asymmetric (1.4 million database entries from one plugin) both show the same pattern: plugins are installed, used briefly, deactivated, and never cleaned up ^[3]. The degradation is invisible until cache hit rates collapse or health scores drop. Neither client had an obvious trigger event — the damage accumulated gradually.

Bluehost creates predictable access and deliverability friction. Shine encountered both the 2FA email problem during onboarding and contact form delivery failures from PHP mail blocking ^[7]. A New Dawn was migrated off Bluehost partly because Google Workspace billing was tied to Bluehost as a reseller, preventing direct client management ^[14]. Bluehost is a recurring source of operational friction across three separate client contexts.

Managed hosting proposals are stalling at the proposal stage. Didion's managed hosting proposal ($150/month) was originally sent July 7 of the prior year and needed to be resent — while the site continued generating multiple 500-level errors per day ^[15]. The pattern of clients deferring managed hosting decisions while experiencing active degradation appears in at least one case and is likely broader.

DNS misconfiguration is the most common launch blocker. Cordwainer's launch was blocked by an incorrect DNS A record in Cloudflare ^[8]. The conceptual gap — not understanding that switching servers changes only the address, not the site's physical location — is common enough to warrant a standard pre-launch DNS checklist.

Complimentary hosting is used as a strategic onboarding tool. A New Dawn Therapy and Shine Construction & Cleaning both received free hosting through end of 2025 ^[11]. In both cases, the client was mid-contract with another provider and backend access was a prerequisite for project work. The pattern suggests this is a deliberate tactic rather than an ad hoc concession.

Exceptions and Edge Cases

Low-traffic sites are not low-risk sites. The general assumption that small sites with minimal traffic place minimal load on shared servers is wrong when plugin inefficiencies are present. A site with 72 monthly visits consuming 24% of server requests is the clearest counterexample ^[5]. Village of Maple Bluff reinforces this from the bandwidth side: near-zero organic traffic, 131 GB/month consumption. Traffic metrics are not a reliable risk signal.

Avast WebGuard flags are not reliable security indicators for newer domains. Bluepoint's A+ security rating alongside a URL Scam flag from Avast demonstrates that reputation systems lag behind actual security posture for sites with limited traffic history ^[12]. The correct response is to verify the actual security rating before treating the flag as actionable.

The Shine SMTP root cause is ambiguous. Two sources describe the same contact form delivery failure but emphasize different causes: one points to misconfigured or absent email configuration in Bluehost, the other to PHP mail blocking at the host level ^[7]. Both may be true simultaneously. The practical resolution (authenticated SMTP) is the same regardless, but the diagnostic path differs. This is the one case in the portfolio where the root cause is not cleanly resolved.

Google Workspace billing tied to a hosting reseller creates a migration dependency. A New Dawn's Bluehost migration was complicated by Google Workspace billing running through Bluehost as a reseller, which prevented direct client management of the service ^[14]. This is not a standard hosting migration concern — it only surfaces when a host is also acting as a Google Workspace reseller. Worth checking before any Bluehost migration.

Evolution and Change

The hosting landscape across the portfolio has been stable in platform terms — WP Engine, Kinsta, Bluehost, and Cloudflare are the same platforms in use throughout the observation window (October 2025 to April 2026). What has changed is the threat environment: bot traffic volume and sophistication have increased, with PaperTube's February 2026 surge and Village of Maple Bluff's sustained 131 GB/month consumption both representing a more aggressive bot landscape than would have been typical for sites of this size and profile two years prior.

The Bluehost PHP mail blocking pattern is a slow-moving platform change that has been accelerating. Bluehost's increasing restriction of PHP mail is not a new policy, but it is becoming more aggressive, and the number of clients on Bluehost who will encounter contact form delivery failures is likely to grow without proactive SMTP configuration.

The shift toward managed hosting proposals ($150/month for Didion, $1.50/month for A New Dawn) signals an internal evolution in how hosting is being positioned — from a commodity line item to a managed service with monitoring and maintenance included. Whether this positioning is converting to closed deals is unclear from the evidence; Didion's stalled proposal suggests conversion friction exists.

Gaps in Our Understanding

No evidence on how bot traffic is being monitored proactively across the full server. The Village of Maple Bluff incident was identified reactively after server-wide 500 errors appeared. We have no evidence of a proactive monitoring system that would flag a single site's bandwidth consumption before it cascades to other clients.

No data on which clients are currently below the 85% WP Engine cache hit rate threshold. The cache hit rate pattern is well-documented, but we have no evidence of a regular audit across all WP Engine-hosted clients. Doodla Farms and Asymmetric were identified; others may be degraded without anyone knowing.

Managed hosting conversion rate is unknown. Didion's proposal stalled for at least several months. We have no evidence on how many other managed hosting proposals have been sent, accepted, or declined. If this is a recurring pattern, the proposal itself may need revision.

No evidence from Adava Care, Avant Gardening, Exterior Renovations, or Finwellu on hosting configuration, platform, or any incidents. These clients are mentioned in the topic metadata but absent from all fragments. Their hosting situations are entirely uncharacterized.

The Shine SMTP root cause is unresolved. Whether the contact form failure was caused by PHP mail blocking, email misconfiguration, or both has not been definitively diagnosed ^[7]. Knowing the primary cause would inform whether other Bluehost-hosted clients are at risk of the same failure.

Open Questions

Does WP Engine APM at $150/month per server justify the cost when spread across ~60 client sites? At roughly $2.50/site/month, APM provides code-level diagnostics that would otherwise require manual investigation. The question is whether the diagnostic value is being captured systematically or only deployed reactively when a site is already degraded.

What is the threshold at which a client site on shared hosting should be isolated to its own server? Village of Maple Bluff's bot traffic caused server-wide failures. Is there a bandwidth or request-rate threshold that triggers isolation, or is the decision currently ad hoc?

How durable is Cloudflare's AI bot blocking against evolving bot behavior? PaperTube's bots adapted to geo-blocking within the observation window. AI bot blocking is a more sophisticated layer, but the same adaptation dynamic may apply over a longer time horizon.

Does the 85% WP Engine cache hit rate threshold hold across all site types, or does it vary for WooCommerce or membership sites? Dynamic content (cart pages, member dashboards) is typically excluded from caching, which would structurally lower the achievable hit rate for those site types. The 85% benchmark may not be applicable uniformly.

What is the current state of Cordwainer's DNS resolution and launch? The fragment dates suggest the DNS A record issue was active as of the most recent update. Whether the launch completed is unknown from available evidence.

Is Bluehost's PHP mail blocking policy documented anywhere that would allow proactive identification of affected clients? If the policy is published, it would allow auditing all Bluehost-hosted clients for SMTP configuration before failures occur rather than after.

Related Topics

• Index
• Index
• Index
• Index
• Index

Sources

Synthesized from 14 Layer 2 articles, spanning 2025-10-23 to 2026-04-08.