When a client site is compromised, the client’s first call is to your agency — regardless of whether the vulnerability was in a plugin you recommended, a password the client reused, or a hosting-level issue. In their eyes, you’re responsible for their website’s security.

Liability turns on your contract terms. If your care plan promises ‘security monitoring and management’, a compromise could constitute a breach of contract. Clear scope definitions, stating what you do monitor and what falls outside your responsibility, are essential. Understand your UK GDPR position in this context too: where the site processes personal data, the client is typically the controller and the agency a processor, and a processor must inform the controller of a personal data breach without undue delay so that the controller can meet its own 72-hour ICO notification deadline.

The incident response process should be documented before you need it: 1) Contain the breach (take the site offline or into maintenance mode if necessary, rotate any credentials and API keys the attacker may hold, and preserve server logs and a copy of the compromised files before anything is cleaned, otherwise the attack vector may never be identified), 2) Assess the damage (which files were added or modified, what data was accessed or changed), 3) Notify the client with a clear, honest communication (the initial notification should not wait for the assessment to finish), 4) Remediate (clean the malware, patch the vulnerability, restore from a known-good backup where one exists), 5) Document everything for potential regulatory reporting.

Client communication during a security incident sets the tone for the relationship going forward. Transparency builds trust; defensiveness destroys it. Acknowledge the issue, explain what happened in non-technical terms, outline the remediation steps, and describe the preventive measures being implemented.

WP Pro Host reduces agency security liability with: proactive malware scanning that catches compromises within hours, automatic malware removal for known threats, incident reports suitable for client communication and regulatory notification, and forensic analysis that identifies the attack vector for future prevention.

Frequently Asked Questions

Is a WordPress agency liable when a client site is hacked?

Legal liability depends on what was agreed in writing. If your service agreement includes security management, updates, and monitoring, a compromised site due to an unpatched plugin or inadequate security configuration could create professional liability exposure. If the agreement clearly defines security responsibilities and the client refused recommended updates or insisted on hosting you advised against, liability is reduced. The practical reality: even when legally not liable, agencies absorb significant relationship damage, emergency response time, and reputational cost when client sites are compromised. Proactive security management protects the business relationship regardless of the legal position.

What should agencies include in service agreements to limit security liability?

Service agreements should specify: which party is responsible for plugin updates and with what frequency, what security infrastructure is provided (and what is not), the client’s responsibility for their own credentials and access management, any warranties or guarantees around security monitoring, and the response process when an incident occurs. Include an explicit clause that no hosting environment can guarantee 100% security and that the agency’s liability for security incidents is limited to the service fees paid in the preceding month. Have a solicitor review the security liability section for any client handling significant personal data under UK GDPR.

How should agencies communicate with clients after a security incident?

Effective incident communication: notify the client as soon as the issue is confirmed (do not delay while investigating — initial notification should be within 2 hours of discovery), use plain language describing what happened without technical jargon, explain what has been done so far and what will happen next, provide a realistic timeline for resolution, and follow up with a written incident report once the issue is resolved. Transparency builds trust; defensiveness and minimisation destroy it. Clients who feel informed and supported during an incident typically remain clients; clients who feel surprised and left in the dark often don’t.

What records should agencies keep for client security incidents?

Document: initial detection timestamp and method (monitoring alert, client report, discovery during a routine check), a timeline of the investigation and the actions taken, the attack vector identified (vulnerable plugin version, credential compromise, hosting configuration), the scope of compromise (which files were added or modified, whether the database was accessed, any data potentially exfiltrated), remediation steps taken, and verification steps confirming a clean resolution. Under UK GDPR, if personal data was compromised, the client as controller must notify the ICO within 72 hours of becoming aware of the breach, and they will need this documentation to support that notification. Keep incident records for at least 3 years.
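The "assess the damage" step of the response process above and the "scope of compromise" and "verification" records in this answer both come down to one question: which files differ from the last known-good state? The following is an added example, not code from the original page or from WP Pro Host, of a baseline-versus-current integrity diff. It assumes a SHA-256 manifest of the site was recorded before the incident; the site tree, the dropped file name wp-cache.php and the modified contents are all constructed inline for illustration and are not real WordPress files.

```python
"""
Added example (not from the original page or from WP Pro Host): compare a
pre-incident SHA-256 manifest with the current site tree to list affected
files during assessment, then re-run it after cleanup to verify resolution.
Assumes a baseline manifest exists; everything below is constructed sample data.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file (path relative to root, POSIX style) to its SHA-256 hex digest."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, modified or removed relative to the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def is_clean(baseline: dict[str, str], current: dict[str, str]) -> bool:
    """True only when no file was added, modified or removed since the baseline."""
    return not any(diff_manifests(baseline, current).values())


def demo() -> dict:
    """Walk through baseline -> compromise -> assessment -> cleanup -> verification."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        # Constructed sample site tree (hypothetical contents, not real WordPress files).
        (site / "wp-includes").mkdir()
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'example');\n")
        (site / "wp-includes" / "functions.php").write_text("<?php // core helpers\n")
        baseline = build_manifest(site)  # recorded before the incident

        # Constructed compromise: a file dropped into uploads (stand-in for a web shell,
        # hypothetical name) and a core file with an injected include.
        dropped = site / "wp-content" / "uploads" / "wp-cache.php"
        dropped.write_text("<?php /* constructed: stands in for a dropped web shell */\n")
        (site / "wp-includes" / "functions.php").write_text(
            "<?php // core helpers\n@include '/tmp/.x'; // constructed injected line\n"
        )
        assessment = diff_manifests(baseline, build_manifest(site))  # scope of compromise

        # Remediation: remove the dropped file, restore the modified file from known-good.
        dropped.unlink()
        (site / "wp-includes" / "functions.php").write_text("<?php // core helpers\n")
        verified = is_clean(baseline, build_manifest(site))  # verification record

    return {"assessment": assessment, "verified_clean": verified}


if __name__ == "__main__":
    result = demo()
    for kind, paths in result["assessment"].items():
        print(f"{kind}: {paths}")
    print("verified clean:", result["verified_clean"])
```

Two caveats for real use. The uploads directory and the database change legitimately all the time, so a manifest diff of the whole site will list noise; scope it to code paths (core, plugins, themes, wp-config.php) and refresh the baseline after every update. A diff against your own baseline also cannot tell you whether the baseline itself was already compromised; for core and plugin files, comparing against vendor checksums (WP-CLI's `wp core verify-checksums` and `wp plugin verify-checksums`) is the stronger check, and the output of either run belongs in the incident record as the "verification steps" entry.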

How does managed hosting reduce agency security liability?

Managed hosting with proactive security reduces agency liability in two ways: it reduces incident frequency (server-level WAF, malware scanning, and virtual patching prevent many compromises before they occur), and it accelerates response when incidents do happen (continuous monitoring detects compromises in hours rather than the 200+ day average on shared hosting, and automated malware removal begins immediately). This means agencies can demonstrate that appropriate security infrastructure was in place — relevant both for client communications and for any professional liability considerations. Hosting that includes incident reports suitable for client communication and regulatory notification further supports the agency’s position.
