
Your WordPress site keeps getting hacked and your agency says that is normal

If your website keeps getting hacked and your agency tells you that is just how WordPress works, they are wrong. A properly maintained site should not be hacked every few months. If yours is, the problem is not WordPress - it is whoever you are paying to look after it.

Is it really normal for a site to get hacked?

No. A small business website should not be getting hacked on any kind of schedule. Most sites that get compromised do so because something on them has not been updated in months or years.

The agencies telling you it is normal are the ones causing it. They want it to sound like an act of God so you do not ask why it keeps happening on their watch.

Why WordPress sites get hit so often

WordPress runs roughly 40% of the web. That makes it the biggest target. Most hacks do not come through WordPress itself though - they come through the add-ons your site uses to do things like contact forms, image galleries, booking calendars and SEO.

These add-ons are written by thousands of different people, of wildly varying skill, and they need updating constantly. When one of them is out of date, attackers can walk in.

So when your site gets hacked, it almost always means one of these things:

  • The add-ons have not been updated for a long time.
  • An old add-on is still installed even though nobody uses it.
  • The login password is weak or has been reused elsewhere.
  • The site is running on an old version of WordPress itself.

All four of those are maintenance failures. They are exactly what you are paying an agency to prevent.
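Three of those four failures (stale add-ons, abandoned add-ons, an old WordPress core) can be verified from the site's own data rather than from whatever the agency says. The script below is an added example, not code from the original post or from SkipTheAgency: it assumes you can run WP-CLI on the site and feed it the output of `wp plugin list --format=json`, `wp core version` and `wp core check-update`; the sample data embedded here is constructed, and weak or reused passwords are out of its reach.

```python
"""Maintenance audit over WP-CLI plugin and core data.

Added example, not from the original post. Assumes WP-CLI output is
collected on the server and passed in; everything below is constructed
sample data standing in for that output.
"""
import json

# Constructed stand-in for `wp plugin list --format=json`. Real WP-CLI output
# carries these same fields: name, status, update, version, update_version.
SAMPLE_PLUGINS_JSON = json.dumps([
    {"name": "contact-form-7", "status": "active", "update": "available",
     "version": "5.1.0", "update_version": "5.9.8"},
    {"name": "old-gallery", "status": "inactive", "update": "none",
     "version": "2.3.1", "update_version": None},
    {"name": "seo-helper", "status": "active", "update": "none",
     "version": "3.0.0", "update_version": None},
])

# Constructed stand-ins for `wp core version` and `wp core check-update`.
SAMPLE_CORE_VERSION = "6.4.3"
SAMPLE_LATEST_CORE = "6.6.2"


def version_tuple(version):
    """Turn '6.4.3' into (6, 4, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit(plugins_json, core_version, latest_core):
    """Return (kind, subject, detail) findings for the maintenance failures
    that can be read from plugin and core data."""
    findings = []
    for plugin in json.loads(plugins_json):
        if plugin["update"] == "available":
            findings.append(("outdated-plugin", plugin["name"],
                             f'{plugin["version"]} -> {plugin["update_version"]}'))
        if plugin["status"] == "inactive":
            findings.append(("inactive-plugin", plugin["name"],
                             "installed but not in use; remove it"))
    if version_tuple(core_version) < version_tuple(latest_core):
        findings.append(("outdated-core", "wordpress",
                         f"{core_version} -> {latest_core}"))
    return findings


def verdict(findings):
    """One line you can put in an email to the agency."""
    if not findings:
        return "no maintenance failures found in plugin or core data"
    kinds = sorted({kind for kind, _, _ in findings})
    return f"{len(findings)} maintenance failure(s): {', '.join(kinds)}"


if __name__ == "__main__":
    results = audit(SAMPLE_PLUGINS_JSON, SAMPLE_CORE_VERSION, SAMPLE_LATEST_CORE)
    for kind, subject, detail in results:
        print(f"{kind:17} {subject:16} {detail}")
    print(verdict(results))
```

Run it once a month against fresh WP-CLI output and keep the printed report; a run that comes back with findings right after the agency says "updates are done" is the update log they could not produce.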

What your agency should be doing for the money

If you are paying somebody £100 to £200 a month to look after a WordPress site, the minimum you should expect is:

  • Updates applied every month, with someone actually checking that the site still works afterwards.
  • Old or unused add-ons removed entirely.
  • Daily backups stored somewhere other than the site itself.
  • A firewall or bot protection service in front of the site.
  • Strong admin passwords and two-factor login.
  • Monitoring so they notice a hack before you do.

If your site has been hacked more than once in the last two years, at least one of those is not being done. Most likely several.

The agency that calls a hack "just one of those things" is the same agency that has not logged in to update your site since the day it launched.

The real cost of a hacked website

When a hack happens, the visible damage is usually a defaced page or some spam links. The real damage is underneath.

Google will quietly demote a hacked site in search results, sometimes for months after it is cleaned up. Browsers will show visitors a red warning screen that says "deceptive site ahead". If you take any payment data or store customer details, you may also have a legal duty to report the breach under UK data protection rules.

And every time your agency "cleans it up", they are charging you. Often as an extra on top of the monthly fee, because the contract says security incidents are not included. Read your invoices.

What to do about it

First, ask your agency three direct questions in writing:

  • When were the WordPress add-ons last updated?
  • Where are the backups stored, and can I have a copy?
  • Why has this happened more than once?

If the answers are vague, defensive, or include the phrase "it is just how WordPress works", you have your answer. They are not maintaining the site. They are firefighting it when it breaks, and charging you both times.

The next question is whether you even need WordPress. For most small business sites - a plumber in Leeds, a therapist in Bristol, a cafe in Manchester - WordPress is overkill. You have five pages that change twice a year. A plain hand-built site has nothing to hack because there is no login, no add-ons, and no database. It also loads faster and costs less to host.

This is what I do at SkipTheAgency. I rebuild small business sites as plain, fast pages with no moving parts to break. The Maintained plan is £65/month, which includes hosting, security, and content changes. Most clients I move off WordPress never get hacked again, because there is nothing left to attack.

Frequently asked questions

How often do WordPress sites really get hacked?

A well-maintained WordPress site should go years without being hacked. If yours is being hit every few months, it is not bad luck - it is bad maintenance. The add-ons are out of date or the login is weak.

Is it worth moving off WordPress if my site keeps getting hacked?

For most small business sites, yes. If you have five or six pages that rarely change, a plain hand-built site is faster, cheaper to host, and has nothing for attackers to break into. WordPress is only worth the security overhead if you genuinely need its features.

How much should I be paying for WordPress security and maintenance?

For a small business site, £65 to £150 a month is the realistic range for proper maintenance including updates, backups, and monitoring. If you are paying more than that and still getting hacked, you are being overcharged for work that is not being done.

Who is liable if my hacked website leaks customer data?

You are, as the business owner. Your agency may have failed in its duty to maintain the site, but under UK data protection rules the responsibility for the data sits with you. This is why "that is just how WordPress works" is not an acceptable answer from anyone you are paying.

How do I know if my agency is actually updating my website?

Ask for the update log or a list of recent maintenance actions with dates. A real agency will send it within a day. If they cannot produce one, or send something vague like "we do updates regularly", the updates are not happening.

What should I do if my site has just been hacked?

Take a backup of the current state before anything is changed - you may need it later. Get the site cleaned up, then immediately change every password connected to it. Then start asking why it happened, because if you do not get a clear answer, it will happen again.
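The "take a backup before anything is changed" step is worth doing in a way that also records what was there, so that after the cleanup you can show exactly which files changed. The script below is an added example, not code from the original post or from SkipTheAgency: it assumes the site files are reachable as a directory and that you have a writable destination that is not the web server itself (a database dump should be preserved the same way, but is outside this example). The demo site it builds is constructed.

```python
"""Preserve a hacked site before cleanup: archive plus per-file hash manifest.

Added example, not from the original post. Assumes site_dir is the site's
document root and dest_dir is storage off the web server.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large uploads do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(site_dir):
    """Map each file's relative path to its size, mtime and SHA-256."""
    manifest = {}
    for root, _dirs, files in os.walk(site_dir):
        for name in files:
            full = os.path.join(root, name)
            stat = os.stat(full)
            manifest[os.path.relpath(full, site_dir)] = {
                "size": stat.st_size,
                "mtime": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(full),
            }
    return manifest


def snapshot(site_dir, dest_dir):
    """Write a timestamped tar.gz of site_dir plus a JSON manifest beside it.
    The manifest records the archive's own hash so it can be checked later."""
    os.makedirs(dest_dir, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = os.path.join(dest_dir, f"site-snapshot-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    manifest_path = os.path.join(dest_dir, f"site-snapshot-{stamp}.manifest.json")
    with open(manifest_path, "w") as handle:
        json.dump({"archive": os.path.basename(archive),
                   "archive_sha256": sha256_file(archive),
                   "files": build_manifest(site_dir)},
                  handle, indent=2, sort_keys=True)
    return archive, manifest_path


def changed_files(before, after):
    """Compare two manifests: files added, removed or altered since the snapshot."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    altered = sorted(path for path in before
                     if path in after and before[path]["sha256"] != after[path]["sha256"])
    return {"added": added, "removed": removed, "altered": altered}


def demo():
    """Constructed site in a temp dir: snapshot it, 'clean up' one file, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "public_html")
        os.makedirs(os.path.join(site, "wp-content", "uploads"))
        with open(os.path.join(site, "index.php"), "w") as handle:
            handle.write("<?php // constructed placeholder\n")
        stray = os.path.join(site, "wp-content", "uploads", "unexpected.php")
        with open(stray, "w") as handle:
            handle.write("<?php // constructed: a file the cleanup will remove\n")
        snapshot(site, os.path.join(tmp, "offsite"))
        before = build_manifest(site)
        os.remove(stray)  # stands in for the cleanup
        return changed_files(before, build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the archive and the manifest together, off the server, and hand copies to whoever does the cleanup; the post-cleanup diff is the evidence behind "why has this happened more than once".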

Tired of paying to clean up the same hack?

I rebuild small business sites as plain, fast pages with nothing to hack. The Maintained plan is £65/month including hosting, security and content changes - and I migrate you off WordPress for free.
