Recently, one of my clients purchased a server with FireHost.com. We’d been on the search for a new web host for some time now to serve as the infrastructure supporting upcoming web applications we have in the works. We needed a company who is well recommended, and will help us scale and scale quickly.
You pay a more for a host like this but it’s part of the investment costs you need to make if you want to be positioned well for solid growth as a business.
Anyways, the purpose of this post is NOT to discredit or gripe about yet another hosting company that fails to live up to expectations. We actually really like the setup we have at FireHost. Although getting things setup were a bit of a pain – their support has been very prompt and generally okay. No, this post is more of a fyi for folks who are in a similar situation as us. I couldn’t find any information on this subject on the nets so thought I’d post my own findings.
One of the major components of some projects we are working on this year involves the use of WordPress multisite. It will provide the backbone of what we are building and is crucial that we have a server environment that supports this. FireHost does except for one niggling problem. They have a super awesome “Web Application Protection” firewall that works really well, too well, and prevents normal usage of WordPress multisite.
At issue is that any subsites created on WordPress multisite will fully function as long as those subsites don’t post any images or certain html in their posts. Cause if they do, BAM, the firewall sees that as a xss attack and shuts her down.
That’s no good is it? No. But wait, FireHost has the solution. All you have to do, is whenever this happens you just send them the path for the sites that the firewall does its thing on and they’ll add an exception. Greeatt! Except that we’re planning on using WordPress multisite to well actually make it easy for people to signup and get started on a new site right away (you know kind of like how people expect things to work? right?). So yeah, major pain to have to send a block of paths every time the firewall acts up.
I’m not going to tell you the solution we worked out but let’s just say not ideal.
Silly? Yeah. I get it. But obviously someone at FireHost needs to do some thinking about how this firewall is setup and put something in place to allow for easier management of WordPress multisite while keeping the firewall working on things that it should work on, or at least be clear about the side affect of the WAP for those using WP multisite, would have saved a lot of back and forth with tech staff. At the very least, create some sort of API or secure service for automating the firewall exceptions in cases like this where sites are being created dynamically via an application like WordPress multisite.
Anyways, again we do like what we have so far with FireHost except for this firewall experience, but I just wanted to post this up in case anyone else is thinking of using multi-site with FireHost and wondering why its not working as expected.
(I also have another reason for posting…secretly hoping some server guru out there will be able to explain how I’m either an idiot for expecting the firewall to be set up so multi-site works, or how FireHost can do things so multisite will work fine).
Update: December 2014
Just posting an update for anyone who visits this post via search engines (there are a few of you its seems. Besides the fact that Firehost did contact us within the 30 day window that was put forward by their CEO/founder in the comments to this post, we never did get on any “beta” program. The solution they are proposing for clients needing their own managed WAF is a $1500+/mo cost solution, which is not startup friendly. They did offer to help get us up on ModSecurity as an alternative to their WAF solution but in the end my client and I just decided to fire Firehost (yeah pun intended) as our hosting provider and we joined the cool cats over at Digital Ocean. We figured if we’re going to be doing most of the server setup/managing ourselves then no sense in paying a “managed” hosting provider to do it for us. We’ve been on Digital Ocean for about 5 months now and absolutely LOVE it.