WP Buffs Blog |

What’s Cheaper: Fixing a Hacked Website or Proactively Securing WordPress?

When anyone starts a new business venture, one of the first things they hear about it is how high the rate of failure is within the first year (and how it gets worse with each passing year). All that pressure to do well–which means keeping expenses low and profits high–can often lead business owners to unknowingly make disastrous decisions.


One of the areas where that comes into play is with the WordPress website.

WordPress itself is a free content management system, which can lead to confusion and frustration with some users. Yes, WordPress is free, but the cost of building, securing, and maintaining it is not… which is why some business owners may choose to cut corners.

One of those corners that can’t afford to be cut is WordPress security.

While the security team behind WordPress does a good job in keeping the platform safe–regularly issuing updates, vetting repository themes and plugins, etc.–it’s not enough to 100% rely on them. Which leaves you with two choices:

  1. Hope that your web hosting plan and WordPress’s security procedures will keep most threats at bay. Then, fix any damage caused if or when your WordPress site is hacked.
  2. Take proactive steps now to secure your WordPress site from every possible angle. This includes finding a VPN to secure your online activity, implementing a WordPress audit log, and much more.
Our team at WP Buffs helps website owners, agency partners and freelancer partners proactively secure WordPress sites or recover from a hack. Whether you need us to manage 1 website or support 1000 client sites, we’ve got your back.

If you’re concerned about the cost of securing a WordPress website and think it might just be cheaper to wait and repair a hacked site down the road, let’s take a practical look at the costs of both options. Starting with #1:

The Cost of Fixing a Hacked Website

At a high level, the cost of fixing a hacked website might seem cheaper than the cost of applying various security measures to your WordPress site now. But we’re not just looking at the actual money you spend when paying for a premium security plugin or a VPS hosting plan. Business costs come in a variety of forms, which is why the cost of fixing a hacked website might not be what you’d expect it to be.

Here is a breakdown of how that might look:

Cost #1: Troubleshooting

You’ve become aware of a problem with your WordPress site, but you’re not sure 1) if it’s been hacked, 2) where the hacking occurred, and 3) how severe the attack was. Without scanning tools in place to investigate the issue, this means you (or your developer) will have to spend time troubleshooting the issue.

First, you’ll identify how the hack was detected:

  • Did a visitor or customer report an issue with the website?
  • Are your WordPress users unable to access the admin?
  • Did you spot new content or defects with your website upon visiting it?
  • Does Google Analytics show an unexpected spike in traffic?
  • Did your Google Analytics report show an unexpected drop in traffic?
  • Has your web hosting company reported high volumes of bandwidth when no significant changes have taken place on your end?
  • Have you or your visitors seen a warning from Google about the security of your site?
  • Is your website missing from search results altogether?

google analytics drop in traffic

Next, you’ll need to investigate what type of hack it was:

  • Spam
  • Malware infection
  • Ransomware attack
  • Distributed denial of service (DDoS) blocking access to the admin and/or the website
  • Defacement
  • Phishing page planted on your site
  • Website redirect
  • Malicious links or popups placed on the site
  • Stolen data

Finally, you’ll have to dig into the severity of the attack:

  • Were superficial links or pages planted on the site? Did anyone click on them?
  • Did hackers change your website’s files and insert malware? Have visitors’ devices been compromised?
  • What about your financial records?
  • Have your customers’ records been stolen?
  • Do you no longer have access to your website?
  • Has Google significantly penalized your website in search and posted a warning to visitors?
  • Has Google blacklisted your website?

WhatIsMyIP Blacklist Check

All of this time you spend investigating the cause of the breach as well as the severity of it is going to add up. And that time equates to money spent.

Cost #2: Hosting Support

The first resource you’ll likely to turn to in the case of a hacked website is your web hosting provider. But not every hosting plan comes with robust support and not every hosting provider provides support related to WordPress security.

Either way, this is going to cost you in terms of reaching out to your hosting provider, explaining the issue, providing screenshots, and attempting to get them to restore access to your site, restore a backup of it (if there is one), and so on. If hosting support isn’t well-versed in these kinds of matters, you could end up speaking with multiple representatives and getting very little out of it.

Web hosting support might also cost you if restore and cleanup services are offered as a premium add-on. If you haven’t looked into what your current web hosting plan includes, be sure to review it now.

Cost #3: Outsourcing Support

If you don’t have hosting support, and if you don’t have the time or know-how to clean up and repair your website, you’re going to have to hire a WordPress security professional to do it for you.

There are a few options:

  1. Look for and hire a freelance WordPress developer with low rates and who claims to know how to investigate and repair a hacked site.
  2. Look for and hire an infection removal service provider to clean up your site.
  3. Sign up with a WordPress maintenance and support service. Ask them for assistance in cleaning up the issue and have them in place going forward to mitigate for future issues.

Each of these options is going to cost you. Obviously, it’s going to free up your time to work on other activities, which is good. However, do keep in mind that hiring individuals who are untested could be a risk as are companies that offer a quick-fix for cleanup. Your best bet is to reach out to a WordPress support provider.

Cost #4: Restore

Assuming that you have no backup of your WordPress site saved, or that the last one was captured awhile back, the time to get your site back online and fully restored can be quite expensive.

Consider the following:

  • Reinstalling WordPress
  • Changing your WordPress secret keys and salts
  • Resetting user passwords
  • Cleaning out your database
  • Deleting corrupt content
  • Re-uploading themes and plugins
  • Redesigning and reconfiguring your WordPress site (worst case scenario)
  • Publishing the cleaned-up website
  • Notifying users and search engines that the site has been repaired

scheduled backups

Without a regular nightly backup in place, restoring a hacked website is going to take some time. Be sure to factor in the cost of your time spent restoring it as well as any time offline that costs you leads and sales.

Cost #5: Cross-Contamination

Let’s say that, in the course of your investigation, you discover that your website wasn’t the only one affected by the breach. If your site is located on a Multisite network or it resides on shared hosting, your security breach could have put other websites at risk as well.

If either circumstance applies to your WordPress site, you’ll need to probe further into how far-reaching the attack really went. And, if other sites were affected, it could mean additional time you spend cleaning them up (if they’re on your network) or money you spend to help the other affected sites get fixed.

Cost #6: Data Loss – Your Business

Data, in and of itself, is a valuable commodity for businesses. As you gain more access to information from leads or close more sales with customers, it’s an opportunity for learning and growth for your website and company. But if you go about losing that data, your business is going to have to start from scratch in amassing it.

Then, you have to worry about the ramifications of that lost data. In other words, what sort of data was stolen:

  • Financial records for your website and business?
  • Lead contact information?
  • Customer payment details, social security numbers, health records, or other sensitive data?
📉 According to the 2017 Cost of Data Breach Study from the Ponemon Institute and IBM, each record lost costs businesses, on average, $141. #WordPress #security Click To TweetMultiply that by the number of records that were compromised and you can see how quickly that will add up.

Of course, there are other factors to consider in terms of how much data loss will cost you. To figure them out, I’d recommend using IBM’s cost of data breach calculator.

Update the calculator’s settings with your geographic, industry, and business-specific information. Then, watch as it tells you how much you could potentially lose from a breach.

Cost #7: Data Loss – Your Customers

Any loss of data is going to reflect poorly on your website as customers no longer trust that information provided to you will remain secure. So, in addition to losing that data, you’re also going to lose the trust of your customers.

Depending on how valuable that data was, you could be looking at a very high payout to compensate customers for the breach.

Even if it doesn’t come to that, the damaged reputation alone will be quite costly to your brand. This could cost you in a number of ways:

  • Time spent compiling a list of affected customers.
  • Time spent writing and sharing an apology with those customers.
  • Recovery planning to save customers from abandoning your brand (e.g. free giveaways, discounted services, “we’re sorry” marketing campaigns, etc.)
  • The inevitable loss of sales.

Then, there’s the cost of having to restart your lead generation efforts all over again. Costs for that will likely be on par with a total overhaul of your brand.

Cost #8: SEO

Let’s say that, for the most part, your current customer set has chosen not to go anywhere. They’ve accepted your apology, see that you’re taking the appropriate actions, and want to trust you’ll do right by them going forward.

Search engines, on the other hand, aren’t as forgiving.

Wordfence put out the results from a hacked site survey in 2016. Here is a high-level overview of what it revealed about hacked websites and SEO:

Wordfence Organic SEO affected

Of the total hacked websites, 45% of them experienced a drop in organic search traffic as a result. That decrease in traffic was anywhere between 25% and 75% of the average traffic they had before the breach.

The number above pertains to all hacked websites. However, not every hacked website is detected by Google before the owner or developer has had a chance to repair it.

Wordfence Google flagged

For websites that Google had flagged, a greater percentage of them (77%, to be exact) witnessed more severe penalties.

Now, let’s say your site has been hacked. Google has issued a penalty and traffic has dropped. However, you’ve taken immediate action to repair the breach and set your WordPress site on the right path.

Wordfence post cleanup SEO

Sadly, even after a hacked site has been cleaned up, only 45% of them will see organic search traffic go back to normal. And it doesn’t matter how long you’ve known about the breach or how quickly it was cleaned up. If Google spots the problem and issues the penalty (or, worse, blacklists your site), it’s going to be incredibly difficult to get your search ranking close to where it was before.

To tie this together with the points mentioned above, here is what Wordfence concluded from these results:

  • On average, it takes 7.49 days for a website to go back to normal.
  • Of those who suffered a hacked site, over 85% chose to handle it on their own (which might explain the lengthy recovery time). 14% opted to pay a professional to handle it.
  • In sum, Wordfence, calculated the average cost of a security breach to be $2,518.

Granted, these numbers are all averages and based on Wordfence’s survey respondents. That said, really take a minute to put that into perspective. Let’s say that your WordPress site is “average”, can you afford $2.5K in damages?

The Cost of Proactively Securing WordPress

Okay, so we have a good benchmark for the cost of repairing a hacked site. Now, let’s delve into the associated costs with proactively securing a WordPress site.

Cost #1: Web Hosting

To start, you’re going to have to look at your web hosting plan:

  • How much does the hosting provider do for securing its web server?
  • Does your plan relegate your site to a shared server?
  • Does the hosting company offer security add-ons?
  • How much support is provided in case your site gets attacked?

Starting with a secure base of operations for your WordPress site is essential, which means entrusting your site to a host that prioritizes security. Here are our recommendations for the best WordPress hosts for security:

💰 Starting at $3.95/mo

SiteGround* is one of our favorite hosting providers as far as shared hosting goes. Web hosting is their craft. The latest speed technologies are their passion. Unique security solutions are their specialty. Amazing technical support is their pride. Nuff said!

Go to SiteGround*


💰 Starting at $20/mo

If you’re looking for hassle-free WordPress hosting for freelancers and web professionals, Anchor Hosting is for you. Austin’s white-glove service is for anybody looking to work with a small, intimate team that can take care of all your hosting needs.

Go to Anchor


💰 Starting at $20.83/mo

With award winning speed and an expert WordPress support team, Pressable Hosting* is a great choice for agencies and developers. The company is owned by Automattic, so you know they do great work. Pressable is suited to website owners, freelancers and WordPress Agencies and every plan supports staging sites for testing.

See Strategic Partnership*

Go to Pressable*


💰 Starting at $30/mo

Kinsta* is a managed WordPress hosting provider where they take care of all your needs regarding your website. They run their services on cutting edge technology and take support seriously. They specialize in high-traffic WordPress site, so if you have one, they’re an ideal partner.

Go to Kinsta*

Pricing will differ based on what kind of plan you sign on for, as well as whether it’s regular or managed WordPress hosting.

Cost #2: Security-Related WordPress Plugins

Because the WordPress repository is chock full of free plugins, the cost of this particular item is going to remain relatively low. The only real cost will come from choosing, installing, and configuring your security plugins.

Here are the security-related WordPress plugins you will need:

Security Plugin

A basic security plugin will automate two critical activities: monitoring for threats and putting up walls to defend against them. And if you get a truly robust security plugin, you can cover the majority of your bases in one fell swoop:

  • Firewall protection
  • Brute force login protection
  • Password security rules (like two-factor authentication)
  • Malware scanning
  • DDoS scanning
  • Monitoring for changes to your files
  • Real-time security monitoring and notifications

Wordfence plugin

Start with Wordfence Security. It’s the most popular security plugin in WordPress right now, it’s well-reviewed, and it’s free to use.

Spam Plugin

Spam might not seem as harmful to a WordPress site as a malware injection, but that doesn’t mean you shouldn’t protect against it.

akismet plugin

The Akismet Anti-Spam plugin simplifies this process; monitoring and removing spam the moment it’s detected. It’s also free to use.

Backup Plugin

While a backup plugin isn’t really a security plugin as it won’t fend off attacks from malicious bots and hackers, it plays a critical role in saving your website and helping to restore it to the latest and safest iteration as quickly as possible.


UpdraftPlus is a free backup-and-restore plugin you can use for this purpose. It connects to your choice of third-party cloud storage, so your website copies remain safely away from hackers that gain access to your server.

Cost #3: Software

As a best practice, in general, you should take good care of your website’s software. This translates to:

  • Updating the WordPress core soon after each version is released.
  • Updating your plugins and themes as new versions come out.
  • Using highly rated and commonly downloaded WordPress plugins that have been vetted by WordPress’s security team and that users agree are safe to use.

There’s just too much that can go wrong when software is not well-attended to or isn’t chosen carefully, so take your time in making these choices.

Cost #4: SSL Certificate

An SSL certificate encrypts your website so that communications that take place between its visitors and its server remain secure.

With some WordPress hosting plans, an SSL certificate is included in the monthly cost. With others, you’ll have to procure your own. You can, of course, seek out a free SSL certificate from one of the few providers who offer them or you can see about purchasing one on your own.

Cost #5: Antivirus Software

Your WordPress site and server aren’t the only things that need security. So, too, does your machine (as well as any machine or device your team members and contributors use to access WordPress).

An antivirus software installed on your device will scan your computer for vulnerabilities and help you repair them if any are detected. McAfee and Norton are two of the more well-known and trusted brands to offer this kind of security solution. You’ll have to pay for the software, but it’ll also give you peace of mind that your machine is in good hands.

Cost #6: CDN

CDNs typically are associated with improving performance in WordPress, though many CDNs will give you extra security features as well, like firewalls, encryption, two-factor authentication, and so on.

If your website has a global presence and would benefit from the performance benefits of a CDN, make sure to choose one that also prioritizes security. Our picks for the best CDN services include a unique set of security features:

There is no such thing as a free CDN, so you will have to pay for this service.

Cost #7: Coding

For the most part, much of the security measures you put in place come from external tools you’ll hook into your server (see above). However, there are other measures you must take to protect your WordPress site at a deeper level, and this will require you to get into the database and do some coding.

Specifically, I would recommend you look at ways to harden both your Apache security as well as your PHP security. That way, even if a bot, hacker, or rogue user should find their way inside WordPress, they won’t be able to alter a line of code.

Granted, this won’t cost you anything–except maybe the fee for a developer to implement–but the time it takes to code it needs to be considered.

Cost #8: Payment Gateway

Any e-commerce website accepting payments from customers needs to be extra diligent about security. In addition to putting all these other security measures in place, you also must be prepared to handle their payment information safely and in compliance with PCI standards.

To do this, you’ll need to employ a secure payment gateway. One which caters to your customers, first and foremost, in terms of speed, convenience, and location; but also one which takes security seriously.

For extra security, you could also opt for a payment gateway provider that processes payments from their own server. Granted, this could be jarring for customers that weren’t expecting to leave your site in order to make a purchase. However, if they’re redirected to a secure and trusted payment provider (like PayPal, for instance), this could end up being a beneficial and really smart choice on your part.

PayPal payment gateway

The cost of a payment gateway provider is the same as it would be even if you weren’t concerned about security. Typically, they don’t charge anything to use their platform; however, they do charge fees per transactions. So, whether you use a gateway like PayPal/Payflow, Stripe, or one of the many other choices, expect there to be fees for the secure processing of payments.

Cost #9: CRM

Payment information isn’t the only data your website collects. You ask for other information from leads and customers as well, based on the type of business you run. While you could use a contact form plugin to collect the information, keeping that data inside of WordPress is not ideal.

Instead, all information should be instantly shuttled to a secure customer relationship management (CRM) software like Hubspot, Zoho, or Salesforce. You should also think about storing financial information in external software, though that should go to a financial management tool like FreshBooks or QuickBooks.

Of course, using third-party software means more costs to your business. However, if you’re just starting out, you can usually find a secure platform offering an account for free to startups and other small businesses. As your website grows, you can upgrade and factor in the monthly cost to use the software with the rest of your security costs.

Cost #10: Monitoring

Sure, your security plugin and antivirus software will handle the monitoring of threats to your machine as well as your WordPress website. But is that enough? It might be, though, to be on the safe side, there’s a little more you should do:

  • Implement an audit logging plugin. This will log all changes on your WordPress site, so you can figure out where unwarranted or unauthorized activity has taken place.
  • Use WP Checkup once a week to check in on your site’s security status. It will tell you where weakened areas are and how to harden them.
  • Log into WordPress once a day. Make sure access hasn’t been blocked, all updates have been made, and nothing seems to be out of order.
  • Visit your WordPress site once a day. Do a quick sweep to ensure the site is online, content is intact, and performance is high.

By keeping a close eye on your WordPress site, you can be sure that you’re the one who detects the security breach before anyone else. And this won’t cost you anything more than maybe a few minutes of your time every day in DIY monitoring and maintenance.

Cost #11: WordPress Care Plan

As you can see from the list of costs with proactively securing a WordPress site, there is a lot to do: monitoring activity, installing and managing plugins, implementing good security practices… It might not be very costly in terms of money spent on software, but it does require a good investment of your time. (Though it’ll likely never exceed the $2,500-plus in costs you’ll face having to clean up a hacked site, so there’s that.)

💡 If you’re finding the costs and associated time commitment for securing your site to be too much, a #WordPress care plan will do the trick! #security Click To Tweet Granted, it does require a monthly payment, but think about how much time and peace of mind it will afford you.

WP Buffs plans

In sum, WP Buffs security care plans include the following services:

  • Renaming of wp-admin
  • Blocking fake crawlers and bots
  • Spam filtering and blocking
  • Scanning of core, plugin, and theme files
  • Database optimization
  • Alerts related to DNS changes
  • Inactive plugin review and cleanup
  • Vetting of all plugins and themes
  • Strict file permissions
  • Two-factor authentication
  • Implementation of security keys and salts
  • Link scanning
  • Uptime monitoring
  • Cloud backups
  • Website restore services
  • Weekly reports

Premium plans also include malware removal and priority support. Need I say more?

What’s Cheaper: Proactive WordPress Security or Fixing a Hacked Site?

Well, according to Wordfence’s survey, the breach of a compromised website and the consequent fixing of it could cost your business thousands of dollars. But that’s really only considering the monetary consequences of a hacked site.

When considering this issue, think about the damage to your reputation with customers, the hit your site will take in search, and all of the recovery work you’ll have to do to get anywhere close to where you were before the breach. Not to mention the fact that, after being faced with a security breach, you’ll likely never want to leave your website unchecked again. So, when thinking about the costs of fixing a hacked site, go ahead and add the costs of proactively securing WordPress to it, too.

Obviously, that leads me to my conclusion that a proactive approach to WordPress security is not only best but also the cheapest option in the long-run. While you will have to purchase a few pieces of key software to manage it, there are ways to automate and outsource some of this work so that it’s much less costly in the end.

Want to give your feedback or join the conversation? Add your comments 🐦 on Twitter.

If you enjoyed this article, then you’ll really enjoy the 24/7 WordPress website management and support services WP Buffs’ has to offer! Partner with the team that offers every aspect of premium WordPress support services.

From speed optimization services, to unlimited website edits, security, 24/7 support, or even white-label site management for agencies and freelancers, our expert engineers have your back. Bring us in as part of your team to make your site Bufftastic! Check out our plans

Curious about what we do?