Small business websites are attacked constantly — not because they’re high-value targets, but because they’re often unprotected. At Web Equipped, every site we manage runs two independent security layers: Wordfence Premium at the application level and Imunify360 at the server level, backed by daily monitoring, weekly backups on Amazon S3, SSL encryption, and email authentication records. Here’s exactly what that means in practice and what it covers.

Website Protection That Goes Beyond Basics

Our websites run on WordPress and come equipped with a premium Wordfence Security license included as standard.

Wordfence monitors for system vulnerabilities, unauthorized access attempts, and suspicious network traffic in real time. Over time it builds a list of malicious IP addresses, progressively reducing the volume of attacks reaching your site. One of the biggest threat vectors for WordPress sites is the infrastructure used to build them — plugins and themes from a range of developers, each with their own update cycles and vulnerability windows. At Web Equipped we maintain secure PHP versions, WordPress core updates, and all theme and plugin updates as part of our routine maintenance, not as an afterthought.

Every website we manage receives an SSL certificate and TLS encryption, establishing a secure connection between your server and every visitor’s browser. This protects data in transit and is required for Google to classify your site as safe.

Our hosting partnership with Hosting.com (formerly A2 Hosting) includes Imunify360 as a machine-learning security solution operating at the server level — a layer of protection that sits before WordPress even loads.

Imunify360 provides:

  • Advanced firewalls and intrusion detection
  • Real-time malware scanning and automated patch management
  • Reputation monitoring and proactive threat defense
  • DDoS mitigation and continuous server-level monitoring

The combination of Wordfence at the application layer and Imunify360 at the server layer means threats are addressed at two independent checkpoints. Most hosting environments provide one or the other — not both.

Email Security You Can Trust

A compromised website often leads to a compromised email domain. We address this directly.

Your email system receives authentication protection through SPF, DKIM, and DMARC records — the three standards that prevent phishing and spoofing attacks that impersonate your domain. Without these records in place, anyone can send email that appears to come from your business address. With them configured correctly, receiving mail servers can verify that messages claiming to be from you actually are.

For clients handling sensitive communications, GnuPG encryption protects message content from unauthorized access. Only the intended recipient holding the private key can decrypt the message — there is no central server that can be compromised to expose your correspondence.

SpamAssassin uses text analysis, Bayesian filtering, and collaborative blocklists to protect your inbox from spam and malware. It learns from patterns over time, making it increasingly effective the longer it runs.

Backups and Password Management

Security isn’t only about preventing attacks — it’s about recovering quickly when something goes wrong.

Solid Security’s WordPress plugin performs weekly full-site backups stored securely on Amazon S3 servers. These backups act as a failsafe for any situation where your site is compromised, breaks during an update, or needs to be rolled back. We maintain backup history going back to the beginning of your site, not just the most recent copy.

For password management, we use KeePass — a local password manager that stores credentials on your device rather than in a cloud service. This avoids a common weakness of browser-based password tools and cloud password managers, which become a single point of failure if breached. We recommend the same approach to all our clients.

What Happens If Something Goes Wrong

Security incidents happen even on well-protected sites. What matters is the response time and the recovery path.

When Wordfence or Imunify360 detects an issue, we receive an alert and respond within one business day for clients on our Monthly Support Plan. For critical security events — active malware, a breached admin account, a site taken offline — we treat these as priority issues regardless of time of day.

Our recovery process starts with the most recent clean backup, identifies the point of compromise, patches the vulnerability, and restores the site. Because we maintain backups on Amazon S3 going back through your site’s history, we can restore to a point before the compromise occurred rather than simply wiping and rebuilding.

The Monthly Support Plan

Website security is not a one-time setup — it requires continuous monitoring, regular updates, and expert oversight.

Web Equipped’s Monthly Support Plan starts at $100/month and includes every tool and practice described in this post: Wordfence Premium, Imunify360 through our hosting partnership, SSL maintenance, weekly backups on S3, plugin and core updates, email authentication records, and 24-hour response time for support requests. The plan also includes 15 minutes of development or tech support time each month for small changes and questions.

Don’t leave the investment in your website unprotected. A single security incident — downtime, data loss, or a Google penalty for a hacked site — typically costs far more than a year of proactive maintenance.


Frequently Asked Questions

Do I need website security if I’m a small business? Yes — and small businesses are disproportionately targeted. Automated attacks don’t discriminate by business size. Bots scan millions of WordPress sites continuously looking for outdated plugins, weak passwords, and unpatched vulnerabilities. Most successful attacks on small business websites are automated and opportunistic, not targeted. Being small doesn’t make you less visible to these attacks; it often makes you more vulnerable because the assumption is that small sites aren’t protected.

What is Wordfence and why do you use it? Wordfence is the most widely used WordPress security plugin, with over four million active installations. It includes a web application firewall that blocks malicious traffic before it reaches WordPress, a malware scanner that checks core files, themes, and plugins against known threat signatures, and real-time threat intelligence that updates as new attack vectors are identified. We include the premium license — which provides real-time firewall rules and faster malware signature updates — rather than the free version.

What is Imunify360? Imunify360 is a server-level security platform developed by CloudLinux and used by managed hosting providers. Unlike WordPress security plugins that operate within the application layer, Imunify360 runs at the server level — intercepting threats before they reach WordPress at all. It uses machine learning to identify new attack patterns and provides DDoS mitigation, intrusion detection, and automated malware cleanup. It is included through our hosting partnership with Hosting.com and provides a second independent layer of protection alongside Wordfence.

What happens if my site gets hacked while on your maintenance plan? We respond to active security incidents as a priority. Using your most recent clean backup from Amazon S3, we restore the site, identify the point of entry, and close the vulnerability before bringing the site back online. Security cleanup is covered as part of the plan for incidents originating from vulnerabilities we were actively monitoring and maintaining. If an incident results from credentials being compromised outside our scope — for example a client sharing admin access with a third party — we scope any remediation work separately.

How often are backups performed and where are they stored? Full-site backups run weekly and are stored on Amazon S3 — Amazon’s cloud storage infrastructure, which is geographically distributed and independent of your web host. This matters because if your hosting server has a problem, your backup is stored somewhere completely separate. We maintain backup history going back to the beginning of your site, not just the most recent copy.

What are SPF, DKIM, and DMARC records? These are DNS records that authenticate your email domain and prevent other senders from impersonating your business address. SPF specifies which mail servers are authorized to send email from your domain. DKIM adds a cryptographic signature to outgoing messages that receiving servers can verify. DMARC tells receiving servers what to do if SPF or DKIM checks fail — typically reject or quarantine the message. Together they are the standard defense against phishing attacks that spoof your domain. Without them, anyone can send email that appears to come from your business.

Do you support sites not built by Web Equipped? Yes. We regularly onboard existing WordPress sites into our maintenance plan regardless of who built them. Before onboarding, we perform a security audit to assess the current state — plugin versions, known vulnerabilities, existing security configuration, and hosting environment. If we find issues that need to be resolved before we can maintain the site responsibly, we scope that remediation work separately and clearly before starting.

What is KeePass and why do you recommend it? KeePass is an open-source password manager that stores credentials in an encrypted database on your local device — not in a cloud service. This means there is no central server that can be breached to expose your passwords. Browser-based password managers and cloud services like LastPass have experienced significant data breaches in recent years. A locally stored, encrypted password database eliminates that risk. We use it internally and recommend it to all clients managing admin access to their WordPress sites.