Many website owners and organizations that use WordPress are happy to spend hundreds and sometimes even thousands on a new custom WordPress theme, an SEO audit, content generation, website management tools and many other services and software. Yet they find it difficult to justify spending a single penny on WordPress security.
Why Don’t People Pay for WordPress Security?
No Visible and Direct Impact on Business (Or so it seems)
When you invest in WordPress security you won’t notice any visible impact on your business’ revenue. For example, by paying for good content or for an SEO audit, your website will attract more visitors, which means more conversions (be it clicks on adverts or direct sales) and much more revenue. A new theme or an improvement to the website’s usability might also create a direct impact, such as generating more sales.
On the other hand, if you hire a security professional to do a source code security audit of your WordPress customizations or of a WordPress plugin you are developing, or if you install a WordPress security plugin, there won’t be an increase in visitors, conversions or revenue.
DIY WordPress Security
One of WordPress’ main fortes is that it is very easy to use. The “ease of use” concept, though, misleads a lot of people. I am not a designer or a developer, nor an SEO expert, but I can create a basic theme, scribble some code and write a WordPress plugin. I can also set up a website and do a bit of SEO, enough to attract a few thousand visits a month. Yet none of the above makes me a designer, a developer or an SEO expert.
The same applies to WordPress security. There are some plugins which can help you get started, and some service providers also have a basic idea of WordPress security needs and understand that there are different types of WordPress security plugins with different roles. Yet that does not make them security professionals who understand the basic concepts of security and who can do proper security source code audits, audit an Apache or Nginx configuration, or do a proper penetration test.
My WordPress Website Is Not a Target
Most WordPress hacks are non-targeted, so irrespective of how popular (or not) your WordPress website is, it is always a target. As explained in What are Targeted and Non-Targeted WordPress Hack Attacks, hackers do not even target a specific website during a mass attack. They simply use automated tools to scan subnets from the internet and identify problems and security flaws in websites. Therefore, if your vulnerable WordPress website happens to be on that subnet, the attackers will identify it and hack it.
WordPress – A Lot is Available for Free
WordPress is open source and free, and so are many plugins and themes. Open source or not, though, the code must be planned, written and tested by someone. Unfortunately, open source alone does not pay the bills or provide a roof unless there is a good business model around it. For many it is a hobby, but for many others, especially those who provide professional services and develop popular plugins, it is a business and their livelihood.
Most probably you can find a good number of security solutions available for free, but if you want a stable product that is backed by professional support, you have to pay for it. A stable product is the result of hard work, research and testing, and none of that happens for free.
How Much Should You Pay for WordPress Security?
There are many premium WordPress security plugins and services available on the market. Setting up something basic and automated should not cost you much, especially for SMB websites. On the other hand, if you have a large scale implementation with custom code and WordPress customizations, hire a security professional for a WordPress security source code audit. This might be more costly, but it costs less to hire a WordPress security professional than to recover from a hack and regain your business’ reputation.
WordPress Security Costs Money
There are many other reasons why you should pay for a WordPress security plugin or service, but the above should be enough to highlight the benefits of investing in WordPress security. If you are looking for a mediocre security solution, you can get it for free. But if you want a good product backed by professional service and support, it has to be paid for.
I do understand that many cannot and shouldn’t pay. If you have a blog about cute kittens which is just a hobby, I don’t expect you to invest in WordPress security, but you should still try to take the basic precautions. On the other hand, if you have an online business or your WordPress website is your main source of income, for example it is your shop to the rest of the world, then you should definitely allocate a budget for WordPress security.
Security, Reputation and Expenses
If you’re still not sure about investing in WordPress security, or you need to make a decision, just think about how much it would cost you if your website was down for a few days, or if your customers got infected with malware when they visited your website. And this is not just about the financial burden, but about your business’ reputation as well. How much time, money and energy did it cost you to get where you are today? It will cost you twice as much to regain the confidence of the public, to say the least.