‘ZDNet Recommends’ What exactly does that mean?
ZDNet’s recommendations are based on many hours of testing, research, and comparison shopping. We gather data from the best available sources, including vendor and retailer listings as well as other relevant and independent reviews sites. And we pore over customer reviews to find out what matters to real people who already own and use the products and services we’re assessing.
When you click through from our site to a retailer and buy a product or service, we may earn affiliate commissions. This helps support our work, but does not affect what we cover or how, and it does not affect the price you pay. Neither ZDNet nor the author are compensated for these independent reviews. Indeed, we follow strict guidelines that ensure our editorial content is never influenced by advertisers.
ZDNet’s editorial team writes on behalf of YOU, our reader. Our goal is to deliver the most accurate information and the most knowledgeable advice possible in order to help you make smarter buying decisions on tech gear and a wide array of products and services. Our editors thoroughly review and fact-check every article to ensure that our content meets the highest standards. If we have made an error or published misleading information, we will correct or clarify the article. If you see inaccuracies in our content, please report the mistake via this form
WP Engine is a well-known managed hosting provider for WordPress. But does it live up to its hype and is it worth the expense? We take an in-depth look at the features, capabilities, and performance of this popular service.
In addition to hosting the ZDNet Government and ZDNet DIY-IT blogs, Distinguished Lecturer David Gewirtz is an author, U.S. policy advisor and computer scientist.
If you’re looking for a web hosting provider, you have a tremendous number of choices. In my web hosting provider comparison guide — Best web hosting providers — I looked at 15 providers that offer a wide range of plans.
In this review, we’re going to dive into WP Engine’s offerings.
Normally, to get a better feel for each individual provider, I set up the most basic account possible and performed a series of tests. But WP Engine is a more specialized host, primarily offering managed WordPress hosting.
As such, WP Engine’s basic plan starts at $24 per month (when a year is prepaid), where most of the other hosting providers we’ve reviewed offer plans under $5 per month. Note that this isn’t because WP Engine is overpriced. Instead, it’s offering a more advanced level of service for sites that require more resources.
As you transition from a site with a few pages to a site like mine with a lot of complexity but still relatively small, to huge sites like ZDNet, the cost of hosting goes up considerably. WP Engine targets small businesses up through enterprise needs, so its pricing reflects the resources those customers need to be able to use.
For our review, I’ve chosen the Managed Hosting Plus Startup Plan. The Plus plan is $4 per month different from the basic plan, but it adds automatic plugin updates, tested plugins, auto-rollbacks, and a choice of which plugins are updated.
To be clear, the automatic plugin updates feature is no longer much of a selling point, because WordPress now offers that as part of its basic install. But the auto-rollback feature (which when you need it, you really need it) is worth the extra few bucks a month. If you’re springing for managed hosting, you might as well have an “Ah, sh__!” button you can press when you need it.
This is normally the place in my hosting reviews where I begin my rant on the scammy bait-and-switch lock-in strategy hosting providers use to get and keep your business.
Lower-end hosting services suck you in with offers of a couple of bucks a month. But to get the advertised price, you wind up paying for years of service up front, and then when that contract is up, the renewal fees are anywhere from double to ten times what you originally paid.
There are business reasons for this, of course. First, it works. Most people don’t worry about what the renewal cost will be until they’re faced with a whopping bill to keep their site up or incur weeks or months of pain to port it somewhere else. But it’s also because running a hosting service is expensive, and the hosts have to make money somehow.
But once you move up a tier, into small business managed hosting and above, most hosting providers make their money from the fees they charge. They don’t have to entice you with a low-ball offer. You know you need more memory, more CPU capacity, more storage, more bandwidth, and more support — and you’re willing to pay for it. So, they don’t need to bait-and-switch.
After all, at $30 per month to $40 per month, you’re paying more in a month than many of the low-ball hosting providers make in a year from a given client.
WP Engine’s plans are like that. It has tiers that make sense. First, if you pay for a year up front, you save a bit over paying monthly. Usually, that’s the equivalent of about two months of free service.
For every category of plan, it scales based on the number of sites you get with the plan, number of visits per month, amount of storage you use, and bandwidth.
Then comes the four plan types the offer. The first is basic managed hosting. This gets you 24/7 support via chat, some themes, free automated migrations, daily backups, free SSL and SSH, and a staging site. All good, especially if you’re doing series work.
I opted to test the Managed Hosting Plus plan, which is just a few bucks more. As I mentioned, it adds automatic updates (which is now provided by WordPress), and automatic rollbacks, which is very helpful. When I scoped out the plans, I realized I would never recommend the basic plan given the Plus plan is a few bucks more. So, I’m testing that.
If you don’t get the WP Engine eCommerce plan, you’re not prevented from setting up an online store. It’s just that you have to do most of the heavy lifting, finding the software, etc. With the eCommerce plan, WP Engine installs WooCommerce (the top WordPress online store add-on, owned by the company that produces WordPress). It also provides an optimized store theme, some templates, and so on. In the next tier up, it adds store search functionality, which lets customers search for products. Basically, you’re paying a few bucks more for WP Engine to get it working for you.
Finally, the company has a Secured Hosting plan. This doesn’t necessarily secure your site from malware. If you’re concerned about malware, you can reach out to WP Engine support, and they’ll help you determine if you’ve been attacked or not.
No, what the Secured Hosting plan does is protect you from outside traffic attacks. It offers distributed denial of service attack protection and a security firewall for your traffic (which can help defend against malware flowing into your site).
In 2009 (before I wrote for ZDNet), I was on the receiving end of a massive attack. My hosting provider did not have any defense and I wound up writing my own code. It would have been a huge relief to have the Secured Hosting plan when that happened.
When you first log into WP Engine’s dashboard, you’re greeted with a survey screen. Presumably, these questions are used for marketing purposes.
Once you dig through those screens, you’re given the opportunity to set up other user accounts. These are dashboard users. Setting up your WordPress users will be done in WordPress.
And, finally, you’re in the dashboard.
Let’s add a new site:
This step is actually very interesting and requires some unpacking. When you buy your plan, you’re given a certain number of sites you’re allowed. The plan I’m on allows one site.
But…WP Engine has this concept of a “transferable site.” You can’t switch a site from non-transferable to transferable, so decide this upfront. A transferable site is one where you build the site, then you transfer it to a client who also has a WP Engine account. You’re allowed as many transferable sites as you want since the only way outside traffic can get in is via a password-protected portal.
Next up comes a grid of four choices. You can start with a (mostly) blank site, get some handholding as you build your site, or transfer sites.
I always like to go with as much control as I can, so I’m starting with a basic site. Then I clicked Next.
I thought this was kind of interesting. First, you need to name your “environment.” Initially, you can use a subdomain, but you can later move it to a domain of your choosing.
It’s this environment thing that’s interesting. In addition to the transferable sites, you can set up three “environment” sites: Development, staging, and testing. This means you can work on your site while your production site is live, and then switch environments. I like that… a lot.
I’m going to go straight to production because I’m just running some basic tests. I’m also turning off automatic plugin updates because I like to be aware of when my plugins update.
Then I clicked Add Site. At this point, the following Site list shows up.
You can’t do much yet, other than delete the site. After about five minutes, I got an email telling me my site was ready.
I clicked the URL, and there you go:
Next, I configured an admin password. This takes you to the normal WordPress admin reset screen, where you enter your email address and a new password is mailed out. Nothing surprising here.
The main WordPress dashboard page was surprisingly crap-free. That’s definitely a breath of fresh air after encountering all the upsells and crapware of previous reviews. There is a “WP Engine has your back” widget, but all it does is point you to some performance management features of the host dashboard.
My next stop was Plugins and it was pretty much garbage-free (something of a rarity with WordPress hosting providers):
There’s the Akismet Anti-Spam plugin that comes with most sites, and StudioPress (a WP Engine product) Genesis Blocks, a plugin that adds some editor features.
The Themes area was equally un-hateful. Yes, WP Engine defaulted to its in-house theme, but Genesis is actually a fine base theme. Beyond that, it just had a few recent default WordPress themes installed.
Overall, the WordPress install in WP Engine was clean and without either muss or fuss. It’s definitely workable.
The first thing I like to do when looking at a new hosting provider is exploring their dashboard. Is it an old friend, like cPanel? Is it some sort of janky, barely configured open source, or homegrown mess? Or is it a carefully crafted custom dashboard? These are often the ones that worry me the most because they almost always hide restrictions that I’m going to have to work around somehow.
You don’t really gain access to the WP Engine dashboard until after you install a site/environment:
Once you do, a quick click on the site name gives you a more comprehensive tool:
Yeah, that’s more like it. There’s a quick access button to PhpMyAdmin for database manipulation, another to launch the WordPress admin interface and quite a lot of setup options. I’m not going to go into them in-depth since this review still has quite a way to go, but I didn’t see (or not see) anything that would make me worry.
All told, WP Engine seems to be quite comprehensive in terms of what it allows site operators to do.
This might also be a good place to mention that WP Engine produces the Local WordPress hosting environment, for hosting WordPress on your development machine. This product used to be Local by Flywheel before WP Engine acquired it.
I can personally attest to the quality of the Local implementation. As I mentioned in my development tools article, I use Local every day for coding and maintenance of the WordPress plugins I manage. It’s a very helpful tool. And, it’s free.
Security is one of the biggest issues when it comes to operating a website. You want to make sure your site is safe from hackers, doesn’t flag Google, and can connect securely to payment engines if you’re running an e-commerce site of any kind.
While the scope of this article doesn’t allow for exhaustive security testing, there are a few quick checks that can help indicate whether WP Engine is starting with a secure foundation.
The first of these is multifactor authentication (MFA). It’s way too easy for hackers to just bang away at a website’s login screen and brute-force a password. One of my sites has been pounded on for weeks by some hacker or another, but because I have some relatively strong protections in place, the bad actor hasn’t been able to get in.
WP Engine has a well-considered MFA implementation, allowing you to use SMS, Google Authenticator, or even Okta for enterprise SSO. This is for the main WP Engine dashboard. You, of course, can add a plugin to your WordPress site to put MFA on there as well.
Also, the site created by WP Engine has SSL security by default. As you can see, the dashboard (and this also applies to the user-facing content) has a valid certificate and encryption. I didn’t have to set up anything
I like to externally test SSL implementations using a test suite provided by SSL Labs. WP Engine passed easily:
As my last quick security check, I like to look at the versions of some of the main system components that run web applications. To make things easy, I chose four components necessary to safe WordPress operation. While other apps may use other components, I’ve found that if components are up-to-date for one set of needs, they’re usually up to date across the board.
Here are my findings (using the Health Check & Troubleshooting plugin), as of the day I tested, for WP Engine’s Managed Hosting Plus Startup plan:
In general, these results aren’t bad. You kind of need to know the component to know how to read these results. PHP is pretty much right on track.
MySQL currently lives in two tracks, a maintained 5.7 track and an 8.0 track with newer technology. Both are supported by WordPress and as long as the 5.7 track is maintained and updated (particularly for security threats), it’s fine to be running 5.7.34.
Oddly enough, Local (the local development environment owned by WP Engine I discussed earlier) defaults to MySQL 8.0.16. So much for consistency. Go figure.
cURL is a little disturbingly out of date as is OpenSSL, but as the previous SSL test showed, the actual SSL encryption is solid, which is what we’re really concerned about.
Also, Brent Stackhouse, VP of Security and IT at WP Engine, tells us:
For some of our packages, including OpenSSL and cURL, we use the Linux distribution Ubuntu’s packages, whose versions often do not match the official maintainer’s versions due to something called “backporting.” In this case, both OpenSSL and cURL are fully patched but the version makes it appear otherwise, because backporting in Ubuntu packages is not reflected in the version number. We have verified internally that all recent vulnerabilities (designated by CVE number) are included in our running versions of OpenSSL and cURL.
The bottom line is that WP Engine is on track for the core WordPress components and a little behind on supporting encryption and data transfer, but testing shows it’s not far enough behind to cause a security threat.
Next, I wanted to see how the site performed using some online performance testing tools. It’s important not to take these tests too seriously. These are just quick tests on a site with no traffic.
That said, it’s nice to have an idea of what to expect. The way I tested was to use the fresh install of WordPress with the default installed theme. I then performance test the “Hello, world” page, which is mostly text, with just an image header. That way, we’re able to focus on the responsiveness of a basic page without being too concerned about media overhead.
First, I ran two Pingdom Tools tests, one hitting the site from San Francisco and the second from Germany. Here’s the San Francisco test rating:
Then I ran the test from Germany. The results were both quite good:
Next, I ran a similar test using the Bitchatcha service:
None of the tests showed bad performance, and I found the responsiveness of the WordPress dashboard to be snappy as well.
Now, here’s the gotcha. Basic performance is fine, but we don’t have data for how the service will perform under load. Since you’re presumably buying a higher-end managed hosting service, you’re probably expecting some level of traffic.
I say this a lot in my reviews, but take advantage of the money-back time period to fully test out results for yourself. You have 60 days with WP Engine. Make sure to use them. And if you run into performance issues, reach out to the company. Managed hosting services are supposed to provide better hands-on support, so use it.
The company does have 24/7/365 live chat support. I tried it out at 1am on a Sunday morning (what? I’m a night person) and found the support representative to be both knowledgeable and friendly.
WP Engine offers a 60-day money-back guarantee. Here’s a blog post that explains how to cancel the various types of service.
I got no complaints. No, seriously, I have no complaints. Other than a few component versions being out of date (but still within the system requirements for WordPress), I have nothing to ding them over.
Setup was straightforward. The hosting dashboard, while not as comprehensive as cPanel, provided all the resources a well-equipped WordPress would require. The addition of development and staging versions, along with the transferable sites provides a lot of flexibility for a 1-site plan.
SSL worked and passed my tests, and site responsiveness was good. Support was responsive, helpful, and intelligent in the middle of the night on a weekend.
If you’re looking for a super-cheap hosting offering, this isn’t it. But if you’re serious about hosting your site, you could do a lot worse than WP Engine. I don’t do star reviews, but I’d give it a four (out of five).
The only reason I wouldn’t give it a five is I’d never give a hosting provider a top rating on just a week or so of evaluation. You don’t really get to know your hosting provider until you’ve worked with them for a few years and resolved a few crisis events.
That said, if I had to move my sites to another provider, I’d definitely consider WP Engine.
You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.
M1 MacBook Air review: After a year of use, here’s what I wish I’d known
Please review our terms of service to complete your newsletter subscription.