Whenever most people discuss WordPress security, the conversation typically revolves around which security solutions to use, where to host the website, and how to keep it secure. Something that often seems missing from these discussions is the question of who should do it.
All those articles we read online about “top security plugins” and “how to secure your WordPress site,” etc., are aimed at individuals who either build their own sites or those who create sites for others.
However, we all know that the majority of WordPress websites have not been built by the business or organization that owns the site. Most of them are constructed by an agency or a freelancer.
Shared Responsibility
When building a WordPress site, you essentially share responsibility with different parties. Hosts manage the infrastructure/server side of things, and you (or the agency) take the responsibility of ensuring the site has the functionality it needs and that it keeps running.
If you build the website for yourself, you take on the responsibility of maintenance and security. If you don’t do that, then security incidents are almost guaranteed and you have only yourself to blame. We also often see customers being misled by hosts who claim to cover all possible security needs and take that responsibility off their hands, when all the customer actually gets is an SSL certificate and Cloudflare in front of the site.
If you’re not building the website for yourself and have outsourced this to an agency or a freelancer, then you’re most likely not even aware of the responsibility you have. Here, it’s the responsibility of the agency or freelancer to ensure this requirement is clearly communicated and that ownership of security and maintenance is explicitly assigned.
Maintenance & Care Plans
One way developers & agencies can ensure that the responsibility over security and maintenance is assigned is by offering maintenance and care plans.
Every professional developer should clearly communicate the risks of owning a website and how important regular maintenance and security are. I would even recommend including the first year’s maintenance plan in the project cost. If you really don’t want to offer care plans, then you should still communicate the risks and requirements for security and direct them to a service provider who does.
At Patchstack, we work with many different hosting providers, and one of the most common issues hosts face is websites that have “lost” their developer. When issues arise (mostly when security has already failed and the site is compromised), the site owner does not know what to do and relies on hosting support.
This should not be the responsibility of a hosting company, yet it is forcing hosts to come up with solutions. We’re seeing more and more large hosts open a service business alongside the hosting business because nobody else takes responsibility.
The space is already consolidated enough, so if you’re a developer or an agency, please offer care plans and make them an integral part of your business. It’s not only good for global web security but also a great recurring revenue opportunity.
Conclusion:
When talking about security, we often discuss how to do things and where, but we frequently forget to ask who should do it. It’s very important that responsibility is assigned to all critical aspects of having a website.
We, the developers and agencies who bring new companies online, have the responsibility to explain the risks and requirements that come with it. Failing to do so could be considered straight-up reckless.
Every website built on open source software should come with a care plan, even if the care plan service is offered by a third-party provider. Hopefully, one day we’ll get there.
Resources:
- What are WordPress Maintenance Plans (and how to Create your Own!)
- Website Care Plan Training
- Sell Care Plans Easier with The Website Owner’s Manual (25% off with coupon code A-WOM-WELCOME)