Every client wants a secure, robust website. But there’s a common misconception that security is something you can “tick off” on a list, once and for all. In reality, website security isn’t a checkbox; it’s an ongoing process. For example, a plugin that was safe and widely used last year might develop a vulnerability tomorrow; and once that vulnerability becomes known, it can be exploited by automated attacks within hours. No matter how well-built your site is, or how solid your hosting and support are, there’s no such thing as a website that’s forever secure. So, what can you do to keep your site as safe as possible over the long term?
What’s a vulnerability?
A vulnerability is a weakness in a website’s software or configuration that could be exploited by an attacker. This might be anything from a coding flaw in a theme or plugin, to an outdated component that allows unauthorised access, or misconfigured permissions that expose sensitive data.
Vulnerabilities aren’t always the result of someone doing something “wrong”. Often, they emerge as technologies evolve; what was safe yesterday might not be tomorrow. Once discovered, these flaws can quickly become public knowledge, making unpatched sites a target for automated attacks.
What’s a plugin?
A plugin is a modular extension that adds extra features to your WordPress site: things like contact forms, galleries, SEO tools, events calendars, and much more. One of the main reasons WordPress is so flexible and popular is because of its rich plugin ecosystem.
Plugins can be small or large, simple or complex, free or commercial. But every plugin you install introduces new code to your website, and with the code, potential security risks. That’s why we recommend and use well-established and well-supported plugins when we build a website, and, if you are a support client of ours, ensure that new updates are pushed to your site quickly.
The WordPress community and response to vulnerabilities
WordPress core and well-maintained plugins are developed by highly active communities. These developers keep a close watch for vulnerabilities. In most cases, we first learn of a vulnerability when a fix is released and pushed out via a plugin update.
This is why regular updates are so important: they’re not just about adding features or cosmetic changes; they often contain crucial security patches that close off newly discovered weaknesses. Delaying updates sharply increases your risk of attack, because knowledge of the vulnerability is now public and malicious actors can quickly start targeting it.
Unfixed vulnerabilities
On rare occasions, we become aware of a serious vulnerability before the plugin or WordPress developers have had a chance to issue a fix. This could be through specialist security bulletins, threat monitoring platforms, or industry alerts.
In such cases, we take swift action:
- We alert affected clients;
- We offer to provide a workaround or temporary mitigation, if possible;
- We offer to patch or protect your site manually until an official update is available.
These scenarios are rare, but they’re an important reminder that website security isn’t something that can be put on autopilot.
Zero-day vulnerabilities
Of course, there may be a lag between a vulnerability coming into existence and anyone (the plugin developers, the wider community, or us) knowing about it at all. During that window the flaw is open to exploitation until it is detected and a fix is released. Should such a vulnerability be used to affect your site, the site can be restored to a safe backup and then tightly locked down until a fix can be implemented.
How Solid Security and Patchstack help
To strengthen your website’s defences, we often recommend (and in some cases install by default) tools like Solid Security Pro (formerly iThemes Security) and Patchstack.
Solid Security Pro
Solid Security Pro is a robust plugin that helps harden your WordPress site against common attack vectors. It provides features like:
- Two-factor authentication (2FA)
- Malware scanning
- Login attempt limits
- File integrity monitoring
- Scheduled security checks
It’s an excellent layer of protection that closes off many of the low-hanging-fruit weaknesses commonly exploited by attackers. A common alternative is Wordfence Premium.
Patchstack
Patchstack is a more specialised security service that actively monitors known plugin vulnerabilities. It:
- Scans your site for vulnerable plugins
- Alerts us the moment a threat is identified
- Often gives us early warnings about issues before they’re widely known
Together, these tools add multiple layers of early detection and proactive response, greatly reducing your site’s exposure to risk.
Patchstack is available as an integration with Solid Security Pro, or as a standalone service.
The website security arms race
Technology evolves. So do the tactics of malicious actors. Software vulnerabilities emerge, new types of attacks are developed, and outdated systems become increasingly susceptible to exploitation.
Even widely used, well-supported platforms like WordPress aren’t immune. WordPress itself is kept very secure by its core team, but its vast plugin ecosystem can be a double-edged sword. A single outdated or abandoned plugin can open a backdoor for hackers.
That’s why regular updates are essential. Keeping WordPress, all plugins, themes, and custom code up to date, paired with excellent hosting (our partner Kinsta is one of the best), goes a long way. But even that doesn’t make a site immune to threats.
No such thing as “forever secure”
It might be comforting to imagine we can create a website so secure that it will never need looking at again, but it just doesn’t work that way.
Security is dynamic. New threats and vulnerabilities appear daily. Today’s robust site may have an unknown issue six months from now, or become vulnerable because a plugin hasn’t kept up with changes to the WordPress core.
That’s why we recommend regular security audits. These are proactive reviews of your website’s infrastructure, plugin usage, access controls, and more, resulting in a list of tailored, actionable recommendations. We offer annual audits as part of our ongoing services.
For clients needing additional assurance, we can also arrange penetration testing (simulated cyberattacks performed by specialist firms to probe for vulnerabilities). This is typically a much higher-cost option and, according to Kinsta, isn’t necessary for most small-to-medium-sized websites. But it’s there if you want it.
Responsibility for fixing security issues
We are often asked: “Why don’t you fix security issues as part of our support package?” We’ll assist in any way we can, but our technical support package covers hosting, backups, plugin licences and updates, hosting support and other technical services; it does not cover time spent actually working on your site, and that includes time spent on security work. So if you’d like us to address security issues, which are an inevitable ongoing part of any software work, we’d need to bill for the work, or put it against your retainer if you’re on a higher package.
Security issues can range from minor plugin conflicts to complex breaches or architectural vulnerabilities. Investigating, diagnosing, and resolving these kinds of problems can be time-consuming and unpredictable in scope. So we can’t build such work as an overhead into our support packages or we’d inflate the pricing for everyone whether you needed this work done or not.
Instead, we take a fairer approach: we flag any security issues we detect, provide clear recommendations, and (if you choose) quote separately for any remedial work required. That way, you’re only paying for what your site actually needs.
Security checklist for website owners
Even though we take care of the technical side – including updates, backups, and monitoring – there are still a few simple things you can do to help keep your website safe and secure:
- Use strong passwords: Choose passwords that are hard to guess, and avoid reusing them across different accounts. A password manager like Proton Pass can help.
- Turn on two-factor authentication (2FA): If you log into your website, enabling 2FA adds an extra layer of protection. We can help you set this up if it’s not already enabled.
- Limit who has access: Only give admin access to people who truly need it. If a team member leaves or changes roles, let us know so we can update permissions.
- Be cautious when installing anything: Don’t install new plugins, themes, or tools without checking with us first. Even well-meaning changes can introduce security risks.
- Let us know if something seems off: If you notice unusual activity — like unexpected emails, login issues, or performance slowdowns — don’t ignore it. Tell us right away so we can investigate.
- Request a security audit if you’re unsure: If it’s been a while since your site was reviewed, or if your business needs have changed, we can run a full audit and give you clear recommendations.
No website can ever be completely future-proofed. But by understanding the risks and committing to regular reviews and updates, you can ensure your site remains as secure, stable, and resilient as possible.
Need help? Talk to us about a security audit or just drop us a line with your questions. We’re here to help you stay a few steps ahead.