This article shares some light on how WordPress hosting companies can increase their recurring revenue by sending out WordPress security alerts.
The majority of security vulnerabilities in the WordPress ecosystem originate from plugins and themes. In fact, based on the WordPress security 2021 whitepaper where every known security vulnerability was counted, over 99% originated from plugins and themes.
An average WordPress site has around 20 different plugins installed. Many of them are outdated and some could even hide critical security vulnerabilities (use this free tool to see if your site has any vulnerable plugins installed).
A single popular WordPress hosting company may host millions of WordPress sites, each with its own ~20 plugins installed. Not sending out WordPress security alerts about vulnerabilities in plugins is a massive untapped opportunity and leaves many benefits (for customers and for a host) on the table. Let's talk about that.
If you start asking "Five whys" about how a website could be taken over by criminals, then you'll end up with 4 main reasons why WordPress sites get hacked. Today, the most critical one is vulnerabilities inside popular plugins.
There are hundreds of security vulnerabilities found each month in themes and plugins. There is even a bug bounty platform that covers all WordPress plugins where ethical hackers report new vulnerabilities in WordPress plugins - you can see the latest vulnerabilities on the WordPress vulnerability database.
Many popular WordPress plugins have millions of active installations. A single critical vulnerability found in any of them could give criminals access to an incredible amount of server resources, which will then be used to send spam, redirect traffic to malicious sites, host malware, and conduct massive brute-force attacks.
Malicious activity such as outgoing spam, phishing pages, and attacks originating from websites will be quickly detected by anti-virus companies and security professionals. Such IP addresses will then be reported to abuse lists such as Spamhaus and AbuseIPDB.
Just recently in November 2021 a WordPress security company Wordfence shared their statistics about a 5X increase in attacks originating from Amazon Web Services. For years, similar problems have been affecting many other large hosting companies around the world.
If an IP is shared with a hacked site that is taken over by criminals, it could cause other customers' emails to go to spam or their websites could even be blocked by firewalls and by anti-virus software too.
When customers start receiving emails that say that their website is inaccessible or redirect to weird sites, the hosting support is usually the first place they reach out to.
We have talked to many small and large hosting companies who all have said that this can create a significant load on customer support.
If a plugin vulnerability is being exploited then an attack wave hits many websites in a short period of time. For example, when a vulnerability was found in WordPress File Manager Plugin in 2021 - many hosts had thousands of websites hacked within a single day.
While many website owners have lost contact with their original developer, their only hope is to get help from a hosting company or reach out to a third-party service provider for a cleanup.
In the middle of it all is the hosting support, who needs to explain all of this to the victims.
Historically speaking, security has always been an unappealing topic. It's been difficult to understand and it has always felt similar to insurance.
People, in general, don't think that their websites will be targeted and end up postponing any investments towards security until it's too late.
Over the past years, vulnerabilities found in WordPress plugins have received more attention than ever, hacking incidents are talked about in the news and the general public has become more aware that nowadays everyone is a target.
Many hosting companies already understand that and bring out the security of their hosting service as a clear value proposition.
When one of our hosting partners that use Patchstack to notify about vulnerabilities (Veebimajutus) asked what kind of additional services customers would be interested in - security was the top priority.
Many don't realize this, but providing up-front value with security can be extremely rewarding and has incredible business opportunities. Letting customers know about security issues that affect them has more benefits than just looking more trustworthy and professional.
Some of the benefits that hosting companies get by notifying customers about security vulnerabilities in their WordPress websites:
If you happen to be in the hosting business, keeping the web secure probably aligns with your values. This is an opportunity not just to get all the benefits mentioned above, but also to increase your recurring revenue and grow as a business.
There are already plug-and-play solutions available for getting the right information and sending out WordPress security alerts (like this) to get you started without breaking the bank or requiring you to plan intense integration which would eat up all the development resources.
Thank you so much for reading this! If you're interested in data or case studies from this article, feel free to get in touch.
If you're a hosting company, ask customers how important security is for them, and if you see the same results as our partners have - let's have a call!