BlueHost Review

2010-03-19 Update

I got the e-mail below from BlueHost last week. It looks like they made some security updates to their affiliate site, but I still never heard back from them regarding my issue with personal information being included in an unsecured PDF in an unsecured e-mail.

date    Mon, Mar 8, 2010 at 10:05 PM
subject    New Affiliate Security Features
mailed-by    bluehost.com

Dear M,

Over the past few weeks we have been updating a number of things within the affiliate manager website.  Along with the new updates we have also included two new security features to the affiliate system which will directly affect your account:

1. We are now limiting the number of failed login attempts to 5 per hour.  Once this limit is met you will be locked out of the account for 1 hour.
2. We have also installed a password strength requirement to reduce potential account compromises that can occur when weak passwords are allowed.

2010-01-16 Initial Post

I chose BlueHost because I saw a lot of references for them and they seem like a decent company. They’re also listed as one of the recommended hosts by WordPress. Their prices and features were competitive with other hosts that I looked at. It's only $3.95/month with the 2 or 3 year plan. It includes one free domain with domain privacy. They make it pretty easy with cPanel for administration and SimpleScripts for installing apps such as WordPress.

So far, the package seems to be working fine.

Pros:

  1. Good feature set that includes unlimited storage, domains, and transfers.
  2. User-friendly layout with cPanel.
  3. SimpleScripts – This is a third party tool that allows customers to easily install and upgrade apps such as WordPress. I also used it to install WebCalendar to test for something else.
  4. For e-mail, they offer secure POP3, IMAP, and SMTP servers along with the non-secure versions.

Cons:

1. This isn't entirely a BlueHost issue, but after I set up WordPress using SimpleScripts, the WP admin username and password were e-mailed to me. For security, passwords should never be sent over unsecured e-mail--especially not in the same e-mail that also contains the username.

2. The biggest complaint I have so far doesn’t really have to do with the Web hosting itself. I signed up to become an affiliate, and after filling out the info, they e-mailed me a nice PDF of the IRS form W-9 with my name, address, and social security number already filled out. They also sent me my affiliate user name and password in another unsecured e-mail.

Considering all the ID theft issues, I replied back to the address that sent me the form and requested that they report the issue to IT security. The PDF file itself or the e-mail should have been encrypted. What’s even worse is that the e-mail stated that I could sign and e-mail the form back to them (with no mention of encryption). Anyway, below is the e-mail thread. As of Jan 16, 2010, I have not heard back from BlueHost since the last e-mail.

I'll keep my 2 year contract with BlueHost since their service seems to be decent and I've already paid for it. I'm not hosting an e-commerce site, so security is not a huge issue. I don't want to beat them up on this because I'm sure other Web hosts probably have security issues like this, or worse, so you can't ever get away from issues like this. We'll see what their response is--that'll show me how they feel about security issues.

-----Original Message-----
From:  <forms@bluehost.com>
Date: Tue, Jan 12, 2010 at 4:46 PM
Subject: RE: Necessary tax forms from BlueHost.Com
To: "Me" <me@e-mail.com>

M,

I've forwarded your concern to the programmer who set up this auto populate feature and our owner. The forms department only collects and processes these forms so we were not aware that it was auto populating affiliate information. I agree that this needs to be addressed for security reasons. It is being addressed.

Forms Department

-----Original Message-----
From: Me [mailto:me@e-mail.com]
Sent: Tuesday, January 12, 2010 2:21 PM
To: forms@bluehost.com
Subject: Re: Necessary tax forms from BlueHost.Com

Yes, I understand that, and I'm mailing the form to you via USPS. The issue is that BlueHost is sending those PDF files to customers. This is a security issue that needs to be addressed. The file wasn't encrypted and it had my name, address, and SSN on it. If you don't want to address the issue, I will bring this up on some security forums, which will not be good publicity for BlueHost.

-----Original Message-----
On Tue, Jan 12, 2010 at 4:16 PM,  <forms@bluehost.com> wrote:

If you don't feel comfortable sending your form back via email you can mail it in to our office.

Bluehost
ATTN: Forms Department

1958 S 950 E

Provo, UT 84606

U.S.A.

Every affiliate needs to return this tax form to us. If you are promoting our services through your affiliate link then we do need to have this form filled out. Otherwise if you earn a payment in the future, we would be required to withhold a portion of that payment and send it to the I.R.S. (Backup Withholding).

Thank you.

-----Original Message-----
From: Me [mailto:me@e-mail.com]
Sent: Tuesday, January 12, 2010 6:29 AM
To: forms@bluehost.com
Subject: Re: Necessary tax forms from BlueHost.Com

To Whom It May Concern:

Sending these forms with the customer name, address, and social security number already filled out is a security risk. Neither the e-mail nor the PDF file was encrypted. Please send this to your IT security department for review, and keep me posted on what they're going to do about it.

Thank you.

-----Original Message-----
On Mon, Jan 11, 2010 at 7:12 PM,  <forms@bluehost.com> wrote:

In order to receive payments from the affiliate program you are required to fill out and return the attached tax form.  Please make sure you SIGN AND DATE the form before sending it back to us.  Forms can be returned via email to forms@bluehost.com or faxed to 801-812-8669. If you prefer to send via post, please remit to:

BlueHost.Com Inc.
ATTN: Forms Dept.
1958 S 950 E
Provo, UT 84606
USA

Regards,

BlueHost.Com
(801) 812-8669 (fax)
forms@bluehost.com
