Almost nothing anyone says can be trusted on monetized websites. This website will be using monetized links so I guess you will have to apply that here too. Yet I’m an older guy, who started before there were even web pages and so I can tell you dinosaur stories of FTP to Helsinki (Finland) university via the education research network that extended out of ARPAnet. You can’t even find Wikipedia or google much about those days. I just remember saying, i’m downloading a file from Helsinki – nice. However, i’d been downloading files with modems and BBS systems for a while already. Being older doesn’t make you the best though … that takes day to day work staying on top of things. Mostly you learn because you have customers and you learn by resolving their problems for them.
So anyway – then came the days of ugly websites with the occasional beauty but generally … not so nice. However, it was the information and pictures that people were really looking for. Video was mostly out of the question then. Years passed, I worked for companies, I worked for Buddhists, and I used the various CMS as they showed up … Joomla, Drupal were some nicer ones. Had arguments about PHPnuke which was the first PHP cms – or so they claim. One guy I worked with wanted to use it and I said, “but nobody cares anymore” he was years behind trying to use “the best product”. Before long friends were saying “WordPress” and they loved that. Then they got hacked … there were no security solutions back then. Today that WordPress draw-cards is ubiquitous and people tend to go looking for a specialized provider. So I’m working to support it and secure it for clients. My mother used WordPress, my dad uses it today. I’m using it right now – this is WordPress. I have clients who use it – but mostly I become their IT provider so I can remove the malware that has slipped in.
So to help my clients I’ve created my own hardened servers … to reduce the chance of attacks being successful. However, if you run WordPress you are really mostly in the hands of the developers to find exploits, issue updates and you have to apply the updates before its too late and some automated bot finds your website and applies the exploit to sneak in malware or make other “hacks”. Companies will always tell you they will handle that but they tend to leave people on outdated servers where the updates can’t even be applied because some component needed by WordPress is too old (PHP for example). What you can do is use “security plugins” … because that is one of the main draw-cards for WordPress, the features you add with plugins.
Of course the plugins could make your WordPress vulnerable – so you need to have your website checked the same way an attacker would detect if you were vulnerable. You are unlikely to find a provider who will give you a free offensive security check … but some of the security plugins are almost at that level … almost. The fact is that WordPress security is getting to be somewhat expensive and it makes you wonder if the security providers are attacking everyone so they come to them and pay for assistance. They have all kinds of “help me” and “clean my site”. That is what you might wonder when you see the scale of operations and complexity – one provider I’m looking at doesn’t even have a single plugin they talk about 4 categories of security plugins – prevention, detection, auditing and utility. If the solution is that time consuming the user isn’t better off, you make security beyond a tickbox.
That would be why you might want to use a smaller company who just takes responsibility to offer you a secure website and audit it, check in and update, correct issues. I always try to offer the best of free or “part of the deal” access so there isn’t an endless up-sell. Real security is about trying to rid the web of threats by making the solutions free – that is what open source is about. If there is money left to invest – best to spend that on your IT staff or consulting, the provider.