Your Website Host Is Now Part of Your Security Risk

Most business owners still think website security means “keep WordPress updated” and move on.

That is not enough anymore.

This week gave us three useful signals. CISA added a LiteSpeed cPanel plugin privilege escalation vulnerability to its Known Exploited Vulnerabilities catalog. Wordfence reported 99 new WordPress vulnerabilities in one weekly window. Google Threat Intelligence reported that attackers are now using AI to speed up vulnerability research and exploit development.

Different sources. Same message.

Your website host is not just where the site lives. It is part of your security posture.

The hosting layer can become the attack path

CISA added CVE-2026-48172 to the Known Exploited Vulnerabilities catalog on May 26, 2026. The issue affects the LiteSpeed cPanel Plugin. CISA describes it as a privilege escalation vulnerability that can let a cPanel user account execute arbitrary scripts with root privileges.

That sounds technical because it is. Here is the plain-English version: in some hosting setups, the problem is not inside your website content. It is in the hosting control layer around the website.

That matters for small businesses because most owners never touch cPanel. They do not know which server plugins are installed. They do not know whether LiteSpeed, Apache, CloudLinux, PHP handlers, backup tools, malware scanners, and WordPress security plugins are patched and configured correctly.

And they should not have to.

But somebody has to own it.

A website can have a clean homepage, a pretty design, and a working contact form while the server underneath it is carrying risk. That is the part cheap hosting rarely explains well. The bill looks simple. The responsibility is not.

Plugin risk is still moving fast

WordPress itself is not the whole problem. The plugin stack is usually where the risk spreads.

Wordfence’s May 18 to May 24 vulnerability report listed 99 vulnerabilities across 87 plugins and 1 theme. Thirty-six were unpatched at the time of the report. Ten were critical.

That is not a reason to panic. It is a reason to stop treating plugin updates like a casual Friday afternoon chore.

A business site may only have 15 or 20 plugins. That still creates a moving inventory:

  • Which plugins are active?
  • Which plugins are abandoned?
  • Which plugins are patched but not updated yet?
  • Which plugins are vulnerable but have no patch?
  • Which plugins are doing sensitive work like forms, ecommerce, login, SEO, file uploads, or caching?
  • Which sites need a firewall rule, a temporary disable, or a replacement plan?

This is where “we update plugins” is too vague. The useful question is whether anyone is watching the right signals and making judgment calls.

Automatic updates help, but they do not replace judgment. Some updates break layouts. Some patches need a cache purge. Some plugins should be removed instead of updated. Some vulnerabilities need action before a patch exists.
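One way to turn the inventory questions above into a repeatable check, added here as an example and not taken from any host's or vendor's tooling. The inventory is constructed in the shape that `wp plugin list --format=json` produces; the advisory feed, its field names, and the plugin names are hypothetical.

```python
import json
import re

# Constructed inventory, shaped like the output of
# `wp plugin list --fields=name,status,update,version --format=json`.
INVENTORY = json.loads("""[
  {"name": "example-forms",   "status": "active",   "update": "available", "version": "2.3.0"},
  {"name": "example-cache",   "status": "active",   "update": "none",      "version": "1.9.0"},
  {"name": "example-gallery", "status": "inactive", "update": "none",      "version": "0.8.2"},
  {"name": "example-seo",     "status": "active",   "update": "available", "version": "5.1.0"},
  {"name": "example-backup",  "status": "active",   "update": "none",      "version": "3.0.0"}
]""")

# Constructed advisory feed with a hypothetical schema (not any vendor's format),
# one advisory per plugin. last_affected is inclusive; patched_in is None when
# no fix has shipped yet.
FEED = [
    {"slug": "example-forms",   "last_affected": "2.3.4", "patched_in": "2.3.5"},
    {"slug": "example-cache",   "last_affected": "1.9.0", "patched_in": None},
    {"slug": "example-gallery", "last_affected": "0.8.2", "patched_in": None},
    {"slug": "example-backup",  "last_affected": "2.9.9", "patched_in": "3.0.0"},
]

def ver(text):
    """Turn '2.3.0' into (2, 3, 0, 0) so versions compare numerically."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(inventory, feed):
    """Map each installed plugin to one action from the questions above."""
    advisories = {a["slug"]: a for a in feed}
    actions = {}
    for plugin in inventory:
        adv = advisories.get(plugin["name"])
        exposed = adv is not None and ver(plugin["version"]) <= ver(adv["last_affected"])
        if exposed and adv["patched_in"]:
            actions[plugin["name"]] = "patch now to " + adv["patched_in"]
        elif exposed and plugin["status"] == "active":
            actions[plugin["name"]] = "no patch: firewall rule, disable, or replace"
        elif exposed:
            # Inactive plugin files still sit on disk, so removal is the clean fix.
            actions[plugin["name"]] = "no patch: delete unused plugin"
        elif plugin["update"] == "available":
            actions[plugin["name"]] = "routine update"
        else:
            actions[plugin["name"]] = "ok"
    return actions

if __name__ == "__main__":
    for name, action in triage(INVENTORY, FEED).items():
        print(f"{name:16} {action}")
```

The output separates the routine updates from the two cases that need a judgment call: a vulnerable plugin with a patch waiting, and a vulnerable plugin with no patch at all.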

That is managed care, not commodity hosting.

Active exploitation does not wait for your next maintenance day

Wordfence also reported active exploitation of a critical vulnerability in the Breeze Cache plugin, CVE-2026-3844. The plugin had roughly 400,000 active installs. The issue allowed arbitrary file uploads that could lead to remote code execution when a specific Gravatar caching option was enabled.

The concerning part is the timing. Wordfence said mass exploitation began immediately after public disclosure, with more than 30,000 attacks blocked between April 22 and April 29.

That is the new normal. Public disclosure can turn into scanning and exploitation fast.

If your process is “log in once a month and click update,” you may be late. If your process is “the host sends an email and the business owner decides what to do,” you may be late. If your process is “we will fix it when the site breaks,” you are already reacting from behind.

A hacked website does not always announce itself by going down. It can create a hidden admin user. It can drop a backdoor into a cache directory. It can redirect visitors. It can quietly damage search visibility. It can get your domain flagged by browsers or email providers.

The site can look fine while the mess is already there. Helpful, in the same way a smoke alarm with the batteries removed is quiet.

AI makes the timeline tighter

Google Threat Intelligence Group published a May 2026 report describing how attackers are using AI in vulnerability research, exploit generation, malware operations, and initial access work.

The most important takeaway for business owners is simple: attackers are getting faster at finding and testing weak points.

This does not mean every small business is being targeted by a movie-villain hacker. Most small business attacks are still automated, opportunistic, and boring. But boring attacks scale very well. If AI helps attackers write, test, or adapt exploit code faster, the gap between “a vulnerability exists” and “bots are scanning for it” gets smaller.

That changes the standard for website care.

Security cannot be a one-time hardening checklist. It has to be a rhythm:

  • monitor vulnerability feeds
  • know the installed software inventory
  • patch quickly when safe
  • remove risky plugins when needed
  • use least-privilege accounts
  • back up the site off-server
  • watch uptime and public behavior
  • verify after changes
  • keep evidence of what changed

That rhythm matters whether your site is WordPress, Astro, static HTML, or an app site. The stack changes. The responsibility does not.

What business owners should ask their host or agency

You do not need to become a server administrator. You do need better questions.

Ask these:

  1. Who monitors plugin, theme, WordPress core, server, and hosting-control vulnerabilities?
  2. How quickly are critical patches reviewed and applied?
  3. What happens when a vulnerable plugin has no patch yet?
  4. Are backups stored somewhere other than the same hosting account?
  5. Are restore tests performed, or are backups just assumed to work?
  6. Who checks the site after updates?
  7. Who owns uptime alerts, malware alerts, SSL issues, and broken form reports?
  8. Is there a written changelog of maintenance work?
  9. Are admin accounts reviewed and locked down?
  10. Does the process change for ecommerce, forms, client portals, or other sensitive data?

If the answer is “the hosting company handles it,” ask what that actually means. Many hosts keep the server online. That is not the same thing as managing the website.

If the answer is “we have automatic updates on,” ask what happens when an update breaks the site or when a plugin needs to be disabled before a patch exists.

If nobody owns those answers, the owner owns the risk by default.

Where Robben Media fits

Robben Media’s hosting and care model is built around the boring work that keeps websites useful: monitoring, updates, backups, SSL, uptime checks, security review, issue response, and practical judgment.

For some businesses, that means WordPress care. For others, it means static or Astro hosting, app-site monitoring, form routing, deploy checks, and uptime verification. The point is not to sell one platform as magic. No platform is magic. The point is to make sure someone is responsible for the full web property, not just the homepage.

That also means being honest about tiers. A basic hosting plan is not the same thing as full managed labor, phone support, or unlimited troubleshooting. But even basic care should have clear ownership, clean infrastructure, and a path for urgent issues.

Cheap hosting becomes expensive when nobody is watching.

The practical move

Do not wait until the site is down to ask who owns website security.

Start with an inventory. List the platform, host, DNS provider, CMS, plugins, themes, forms, backups, analytics, Search Console, and admin users. Then decide who is responsible for each part.

If that list is messy, that is the signal.

A business website is no longer just a marketing asset. It is infrastructure. Treat it that way.

If you want a second set of eyes on your site, contact Robben Media and ask for a website care review.

Source notes

  • CISA Known Exploited Vulnerabilities catalog entry for LiteSpeed cPanel Plugin CVE-2026-48172, added May 26, 2026.
  • Wordfence Intelligence weekly vulnerability report for May 18 to May 24, 2026: 99 vulnerabilities across 87 WordPress plugins and 1 theme, with 36 unpatched at publication.
  • Wordfence report on active exploitation of Breeze Cache CVE-2026-3844 after public disclosure.
  • Google Threat Intelligence Group report on adversaries using AI for vulnerability exploitation, augmented operations, and initial access.

Jeremy Johnson

Owner

Jeremy co-owns Robben Media and directs strategy for every client engagement. With a Computer Engineering degree from Missouri S&T, he brings deep technical expertise in web development, SEO, and automation. Before acquiring Robben Media in 2023, Jeremy led marketing and branch management in the mortgage industry. He believes marketing should be measured by revenue generated, not impressions reported.
