Jump to a section +
Hosting is where the website runs
When someone requests a page, hosting infrastructure returns the files and data needed to build that page in the browser. The hosting may be a managed website platform, a provider-managed WordPress service, a virtual server, or a larger cloud architecture. Most small service businesses do not need to administer an operating system themselves. They need a dependable public site, safe publishing, working forms, recoverable content, and support that matches the consequence of an outage. Website care plans should explain those responsibilities instead of selling “premium hosting” as an undefined line item.
This is why a site can fail while the hosting server is technically healthy. DNS may point to the wrong place, a certificate may not provision, a third-party booking tool may be down, a form credential may expire, or a script may break the page. Hosting is central, but it is one layer. The companion explanation of domains versus hosting separates registration, DNS, web delivery, and email so owners can identify the correct provider when a problem appears.
Choose the management model before the specifications
Understand the capacity terms on the plan
Hosting terms translated into business questions
| Term | What it describes | Question to ask |
|---|---|---|
| Traffic or visits | Requests or visitors measured under the provider's method | What is counted, over what period, and what happens above the allowance? |
| Bandwidth | Data transferred when pages, images, downloads, and other resources are served | Are CDN traffic, large files, bots, and overages counted differently? |
| Storage | Space for files, media, databases, logs, or backups depending on the product | Which data is included and are backups stored separately from the quota? |
| CPU or compute | Processing capacity available to generate or run the site | Are resources dedicated, shared, burstable, or limited by time and request? |
| Database or CMS items | Records allowed for posts, products, projects, people, or other structured content | What counts as an item and can content be exported before the limit? |
| Seats or editors | People allowed to design, administer, or edit under plan roles | Which role can publish, bill, manage access, or restore? |
Do not buy capacity from a generic monthly-visitor estimate alone. A quiet site with large video downloads can transfer more data than a busy text site. A campaign can create a short peak even when annual traffic is modest. Bots and attack traffic may be counted or mitigated differently. Obtain current definitions from the actual provider, then compare the business's analytics, file sizes, publishing plans, campaigns, and growth. Include a response for limits: automatic overage, throttling, upgrade, suspension, or a call from support.
Know what a CDN changes
A content delivery network is a distributed group of servers that can cache and serve content nearer to visitors. Cloudflare's educational documentation describes a CDN as geographically distributed servers used to speed delivery by caching content. A CDN can reduce latency and origin load for suitable resources, but it is not the same thing as the origin host and does not repair oversized images, blocking scripts, slow third-party tools, poor caching rules, or inefficient application work. Ask whether the CDN is included, what it caches, how changes are purged, and who troubleshoots a stale or incorrect response.

Several services cooperate before a visitor sees a page, and they may be controlled by different accounts.
Separate HTTPS from complete security
HTTPS uses TLS to protect data in transit between the browser and the service presenting the certificate. Managed platforms often provision certificates as part of hosting; Webflow's hosting documentation, for example, describes SSL certificate provisioning in its service. A working certificate does not prove that administrator accounts, plugins, forms, stored submissions, APIs, backups, or employee devices are secure. The business still needs strong authentication, limited access, software updates where applicable, secure integrations, account recovery, and incident preparation. No provider can turn an exposed password or careless access policy into a security guarantee.
- Use business-controlled accounts and require multifactor authentication wherever the provider supports it.
- Assign the least access each designer, editor, analyst, contractor, or integration needs and remove access promptly when roles change.
- Keep platform, plugin, theme, runtime, and integration software updated under a tested process appropriate to the stack.
- Monitor domain, certificate, uptime, form delivery, error, billing, and security notifications through addresses the business actually watches.
- Document recovery contacts, backup locations, restore procedures, credential ownership, and the provider's support boundary.
- Review current CISA small-business guidance for MFA, updates, backups, and other basic controls, then adapt it to the website's actual risk.
Treat backups as a recovery capability
Questions that make a backup useful
What is captured?
Confirm files, CMS content, database, form data, settings, custom code, commerce records, and external services separately.
How often and how long?
Match backup frequency and retention to how much work or data the business can tolerate losing.
Where is it stored?
A copy controlled by the same account and failure domain may not cover every incident; understand provider and independent options.
Who can restore?
Name the authorized operator, required access, support process, expected timing, and whether the restore replaces newer content.
Has recovery been tested?
Use a safe environment to confirm that the restored site, content, forms, integrations, DNS, and certificates work together.
Webflow's official backup documentation explains that site backups can be previewed and restored and that a restore saves the current version. That feature is useful within Webflow, but it does not automatically cover every external account or business record. Other hosts and platforms offer different scope and retention. An export is also not automatically a restorable backup. Ask what would be required to rebuild the complete public service after accidental deletion, account loss, provider failure, bad deployment, or compromised credentials.
Use staging and deployment controls where change risk warrants them
A staging environment lets a team review changes away from the public site. It is useful for software updates, navigation changes, forms, redesigns, integrations, and content imports, but only when it resembles production closely enough for the test. Protect staging from public indexing and unauthorized access, avoid real customer data when it is unnecessary, and do not assume a successful preview guarantees production behavior. Maintain a release checklist, a rollback path, and a record of who published what. Simple sites may use platform previews and backups; complex stacks may require separate environments and deployment automation.
Keep business email separate in the ownership map
A company may buy a domain, host its website, manage DNS, and receive email through four different providers. Moving the website does not require moving email, but careless DNS edits can interrupt mail because email routing records live in the same DNS zone. Record the email provider, administrators, billing owner, recovery methods, MX records, sender-authentication records, and support route. Before a host migration, copy the complete DNS zone and change only the web records required by the current destination documentation. Never delete unfamiliar records simply because they do not point to the website.
Read the invoice as a service inventory
Items often bundled under hosting
| Invoice item | Clarify before comparing |
|---|---|
| Platform or hosting plan | Current tier, billing term, capacity, features, overages, renewal, and account owner |
| Domain | Registrar, registrant details, renewal term, DNS host, and whether it is merely billed through the provider |
| Maintenance | Updates, monitoring, content requests, testing, response time, and exclusions |
| Backup | Scope, frequency, retention, storage, restore labor, and testing |
| Security | Specific controls and response duties rather than an undefined secure-hosting claim |
| Support | Hours, channels, response target, emergency definition, included time, and escalation |
| Licenses and services | Themes, plugins, fonts, forms, email, CDN, analytics, scheduling, or other recurring dependencies |
The lowest hosting price may exclude administration, maintenance, recovery, and support. A higher care invoice may include real labor, but the provider should list it. Compare like with like and make sure the business can access each account if the relationship ends. Continue through the platforms, hosting, and ownership guides for domain control, portability, backups, care plans, and exit planning. Hosting is a continuing operating choice, not the shelf where a finished website is placed forever.
What type of hosting does a small business need?
Most brochure, lead-generation, and ordinary content sites are well served by a reputable managed platform or managed host that fits their capacity, workflow, support, backup, and integration needs. Custom infrastructure needs a clear technical reason and qualified operators.
Is managed hosting the same as website maintenance?
Not necessarily. Managed hosting may operate infrastructure or platform components, while maintenance can include software updates, content changes, form checks, monitoring, integrations, accessibility, and support. Read the exact responsibilities.
Does hosting include the domain and business email?
Sometimes one vendor bills several products, but domain registration, DNS, website hosting, and email remain distinct services. Record each account and avoid changing email records during website work unless required.
Does a CDN replace website hosting?
Usually no. A CDN commonly caches and delivers content at distributed edge locations while an origin host stores or runs the underlying site. Products vary, so confirm the actual architecture and support boundary.
Does HTTPS mean the website is secure?
HTTPS protects traffic in transit when configured correctly, but it does not secure every account, application, stored record, integration, device, or business process. Security requires layered controls and continuing ownership.
Evidence behind the guide
Sources and further reading
- Webflow Hosting OverviewWebflow Help Center
- Save and Restore BackupsWebflow Help Center
- What Is a CDN?Cloudflare Learning Center
- Secure Your BusinessCybersecurity and Infrastructure Security Agency
Continue on Web Respawn
Pages that actually connect to this decision.
These links are selected for the subject of this guide. They are not a generic service dump.








