WordPress Security for Agencies and Freelancers
Industry Guide

If you build WordPress sites for clients, you already know that security conversations are awkward. Clients don't want to hear about it until something goes wrong, and when it does, the first question is usually directed at you. Here's a practical approach to managing WordPress security as a service — not as a crisis response.

The liability question: when your client's site is hacked

When a client's WordPress site is hacked, who is responsible? The honest answer: it depends on what was agreed, and what was reasonable.

If you built the site and handed it over, your responsibility for ongoing security is typically limited. Clients manage their own plugins, their own passwords, and their own hosting. If they installed a vulnerable plugin six months after you delivered the project, that's not on you.

But if you're on a retainer, managing hosting, or providing ongoing maintenance services — and a site gets hacked because a plugin you were responsible for updating wasn't updated — that's a different conversation. Even if the contract doesn't explicitly define security responsibility, clients expect it to be covered when they're paying for maintenance.

The practical answer: define security scope explicitly in your client agreements. Either you're responsible for keeping things updated and monitoring for issues (and you price accordingly), or the client is. Don't leave it ambiguous.

The 12-check audit as a client service standard

A GuardingWP scan gives you an instant, shareable security report for any WordPress site. This is useful in two contexts:

Before you take on a new client: scan their site as part of your discovery process. If it has critical issues, you now have a concrete, objective report to present when discussing scope. "Your site currently has 3 critical and 2 medium security issues" is a much stronger conversation than "I think we should fix some security stuff."

For sites you're actively maintaining: run monthly scans and include the results in your reporting to clients. A clean scan report is proof of value. A report showing a new issue you caught and fixed demonstrates exactly why they're paying you.

You can run free scans for any URL without creating an account. For sites you manage on an ongoing basis, GuardingWP Pro automates the weekly scanning and sends alerts when new issues are found.

Offering security as a client service

Security monitoring is one of the most defensible line items in a maintenance retainer. Clients understand that hacked sites are expensive to recover from. They may not understand the specifics of WordPress security, but they understand that prevention is cheaper than cure.

The pitch is simple: "As part of your maintenance plan, I run a weekly automated security scan on your site. If anything new comes up — a vulnerable plugin, a misconfiguration — I get an alert and handle it before it becomes a problem. You don't need to think about it."

This positions security as an ongoing service you're delivering, not a one-time task. It justifies recurring retainer fees. And it means you have a documented, defensible record of what you checked and when — which matters if a client ever questions whether you were doing your job.

The economics work. GuardingWP Pro is $9/month per site. If you're charging a client $100–$300/month for maintenance, the cost of the security monitoring is negligible. But the value it delivers — both to the client and to your own peace of mind — is significant.

When to use the fix service

If you audit a client site and find security issues that need to be fixed, you have two options: fix them yourself, or hand them off to a specialist.

Fixing them yourself makes sense if you're comfortable with .htaccess and functions.php, have the time, and want to keep the work in-house. The fix guides on this site cover all 11 of the most common WordPress security misconfigurations, with step-by-step instructions for both cPanel and SSH access.

The GuardingWP fix service makes sense when: you don't want to take on the liability of server-level changes on a client's live production site, the client wants a documented, guaranteed fix rather than a best-effort attempt, or you simply don't want to spend the time on it and would rather pass it through at a markup.

The fix service tiers are scoped to the type of work involved. The Simple tier ($49) covers everything that can be fixed in .htaccess — the most common misconfigurations. The Full tier ($149) covers everything including plugin updates and a full configuration audit.

Scaling security across multiple client sites

If you manage five or more WordPress sites, manual security management becomes a significant time sink. Tracking which plugins need updating on which sites, remembering to run scans, keeping notes on what was fixed and when — it adds up.

The approach that scales: automated scanning per site, centralised alerting, and a clear process for handling findings. GuardingWP Pro covers the scanning and alerting side. You define the process: when an alert comes in, what gets checked first, who handles the fix, and how it gets documented for the client.

For freelancers and small agencies, the simplest version of this is a shared inbox for scan alerts and a monthly summary to clients. For larger operations, integrate the alerts into your project management or ticketing system so nothing falls through the cracks.
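The "clear process for handling findings" above comes down to three things that are easy to get wrong by hand across many sites: noticing which findings are actually new, handling the most severe ones first, and keeping a per-client record of what was found, fixed and still open. The following is an added example, not GuardingWP code and not its API: a small Python helper that takes the latest scan findings for each site in a portfolio, diffs them against what was recorded from the previous run, builds an alert queue ordered by severity, and prints a per-client summary for the monthly report. The site URLs, check identifiers and findings are constructed sample data, and the severity levels are assumed.

```python
"""Portfolio triage for external WordPress scan findings.

Hypothetical helper (not GuardingWP code): given the latest findings for
every client site and the findings recorded from the previous run, work out
what is new, what was resolved and what is still open, then produce an
alert queue (most severe first) and a per-client summary.
"""
from dataclasses import dataclass

# Assumed severity scale; lower rank means more urgent.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


@dataclass(frozen=True)
class Finding:
    check_id: str   # stable identifier of the check that fired (constructed)
    severity: str   # one of SEVERITY_RANK
    title: str


# Constructed sample data: what the previous run recorded per site ...
PREVIOUS = {
    "https://client-a.example": {
        Finding("xmlrpc-enabled", "medium", "XML-RPC endpoint reachable"),
        Finding("wp-version-exposed", "low", "WordPress version disclosed"),
    },
    "https://client-b.example": set(),
}

# ... and what this week's scan returned (client-c is newly onboarded).
CURRENT = {
    "https://client-a.example": {
        Finding("wp-version-exposed", "low", "WordPress version disclosed"),
        Finding("plugin-outdated", "critical", "Plugin with known vulnerability installed"),
    },
    "https://client-b.example": {
        Finding("dir-listing", "medium", "Directory listing enabled under /wp-content/uploads/"),
    },
    "https://client-c.example": set(),
}


def _order(finding):
    # Unknown severities sort last rather than raising.
    return (SEVERITY_RANK.get(finding.severity, 99), finding.check_id)


def diff_site(previous, current):
    """Diff one site's findings by check_id into new / resolved / ongoing."""
    prev = {f.check_id: f for f in previous}
    cur = {f.check_id: f for f in current}
    return {
        "new": sorted((cur[k] for k in cur.keys() - prev.keys()), key=_order),
        "resolved": sorted((prev[k] for k in prev.keys() - cur.keys()), key=_order),
        "ongoing": sorted((cur[k] for k in cur.keys() & prev.keys()), key=_order),
    }


def triage_portfolio(previous_by_site, current_by_site):
    """Diff every scanned site; a site with no previous record starts from empty."""
    return {site: diff_site(previous_by_site.get(site, set()), findings)
            for site, findings in current_by_site.items()}


def alert_queue(triage, min_severity="medium"):
    """(site, finding) pairs for NEW findings at or above min_severity,
    most severe first, so the most urgent item is picked up first."""
    threshold = SEVERITY_RANK[min_severity]
    queue = [(site, f) for site, d in triage.items() for f in d["new"]
             if SEVERITY_RANK.get(f.severity, 99) <= threshold]
    return sorted(queue, key=lambda pair: (_order(pair[1])[0], pair[0]))


def client_summary(site, diff):
    """Plain-text block for one client's monthly report."""
    lines = [f"{site}: {len(diff['new'])} new, {len(diff['resolved'])} resolved, "
             f"{len(diff['ongoing'])} still open"]
    for label in ("new", "resolved", "ongoing"):
        for f in diff[label]:
            lines.append(f"  [{label}] {f.severity.upper():8} {f.check_id}: {f.title}")
    return "\n".join(lines)


if __name__ == "__main__":
    triage = triage_portfolio(PREVIOUS, CURRENT)
    print("Alert queue (handle in this order):")
    for site, f in alert_queue(triage):
        print(f"  {f.severity.upper()} {site} {f.check_id}")
    print()
    for site in sorted(triage):
        print(client_summary(site, triage[site]))
        print()
```

In practice the PREVIOUS dictionary would be whatever you persisted after the last run (a JSON file per client is enough for a small portfolio), and the alert queue is what gets pushed to the shared inbox or ticketing system; the summary text is what goes into the monthly client report, so the record of what was checked and when is produced as a by-product rather than written up after the fact.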

Make this routine

GuardingWP Pro runs the same external scan every Monday and emails you when a new vulnerability lands — no more remembering to check. From $9/month, cancel anytime.
