24 Jul 2023

You Might Not Be Getting Enterprise-Grade Security With Enterprise WordPress Hosting

While doing research for some recent posts, we ran into what we found to be an odd situation, which highlights that the security being provided by enterprise WordPress web hosting can be lacking despite the high price of the service.

In announcing an investment that Automattic made in web host GridPane, GridPane highlighted one of their clients:

GridPane users can also get a look at their potential future by looking at the very recent past of Performant Websites, one of GridPane’s clients, who entered their GridPane powered service into the industry’s gold standard ReviewSignal independent performance benchmark. Congratulations to Martin Duncanson, CEO of Performant Websites, for earning a top tier honor in the Enterprise category of the 2022 Review Signal WordPress Hosting Benchmarks.

A comment on WP Tavern’s coverage of the benchmark mentioned there raised questions about that:

Not sure why Performant Host is in that list. Their website seems half done, footer links don’t work, their FAQ contains 2 rows of the same questions, no Privacy Policy, no Terms of Service on their website, no Cookie Policy, contact details are lacking and/or plain wrong on their contact page, Case Studies page is filled with garbage… They should be removed from that list.

The person behind that benchmark responded to that in part:

It definitely opens up an interesting can of worms this discussion. I was aware from the start they are a GridPane (partner? client? not sure what the right word is here). Since it was the enterprise tier, it’s very flexible in terms of offer and setup (the only tier where default setup isn’t a requirement). So I don’t need to go through a signup process, they can stand up whatever they like.

So you have a provider offering “enterprise” level web hosting that is simply reselling another provider’s service. That web host, Performant, doesn’t spell that out in promoting themselves. On the benchmark’s website, they described themselves this way:

We’re a small team who are passionate about performance. Our hosting business grew out of our need to keep our own portfolio of business websites operational at all times, and our desire to do it better and cheaper than the faceless conglomerates. We’re small enough to care and take a personal interest in understanding our clients’ business objectives, while more than capable of delivering the needed results.

Considering they are a reseller, the guarantee they promote on their website seems unlikely:

We guarantee better performance for the same money or less!

On their website they prominently promote their security features:

What they are describing is actually GridPane’s security features. Part of what is referenced in that is the Snicco Fortress plugin, which they refer to as “Fortress WordPress Security Plugin”. That plugin is marketed as “enterprise-grade WordPress security”, and as the “only WordPress plugin smashing real security threats”, but in reality it fails to deliver protection against real threats. GridPane heavily promotes false and misleading claims about that plugin, which seems to be part of a larger lack of understanding by that company about security.

What is missing in their marketing is any measure of the effectiveness of the security they are offering, which should be front and center for any security solution. That is especially true for anything marketed as enterprise-grade, as even high-end hosting providers don’t necessarily provide the protection that a free security plugin could.
