How Does CMS Security and Compliance Work for Agency-Managed Websites?

Security and Compliance as Agency Responsibilities

CMS security and compliance are not merely technical concerns — they are agency responsibilities with direct commercial, legal, and reputational implications. When an agency manages a client’s website, whether through an in-house team or a white label development partner, it assumes a degree of responsibility for the security and regulatory compliance of that digital asset. Understanding the nature of that responsibility, and fulfilling it systematically, is one of the defining characteristics of a professional, trustworthy agency.

The stakes are high. A successful cyber attack on a client’s website can result in data theft, financial loss, reputational damage, regulatory fines, and loss of client trust. Under the UK GDPR and its EU equivalent, organisations that process personal data have obligations to protect that data and to report breaches within 72 hours of discovery. Agencies that have not implemented adequate security practices — and that cannot demonstrate they have fulfilled their obligations — expose both their clients and themselves to significant risk.

The good news is that the core security practices required to protect most CMS websites are well-defined, relatively inexpensive to implement, and highly effective when applied consistently. The challenge for agencies is not understanding what good security looks like, but building the operational systems to apply it consistently across a portfolio of client websites.

The Key Security Risks for CMS Websites

Understanding the threat landscape is the starting point for building an effective security posture. CMS websites — particularly those running WordPress, which is the most popular platform and for that reason the most heavily targeted — face a range of security risks that agencies must actively manage.

  • Outdated Software: The most common entry point for attacks on CMS websites is outdated core software, plugins, or themes with known vulnerabilities. WordPress plugins are frequently found to contain security flaws that are patched in updated versions. Sites running outdated plugins are continuously exposed to exploits targeting those known vulnerabilities. The WordPress Vulnerability Database tracks known issues, and the gap between a vulnerability being published and exploitation attempts beginning is often measured in hours, not days.
  • Compromised Credentials: Brute force attacks, credential stuffing from leaked password databases, and phishing attacks targeting CMS admin users are common. Weak passwords, reused credentials, and the absence of multi-factor authentication all amplify this risk.
  • Malicious File Uploads: CMSs that allow file uploads without strict validation can be exploited to upload malicious PHP files that give an attacker arbitrary code execution on the server. This is a common attack vector on WordPress sites with misconfigured upload permissions.
  • SQL Injection and Cross-Site Scripting (XSS): Poorly coded plugins or custom functionality can introduce SQL injection and XSS vulnerabilities that allow attackers to extract database content, inject malicious scripts, or redirect visitors to malicious sites.
  • Supply Chain Attacks: Plugins or themes that have been acquired by malicious actors who then inject malicious code, or legitimate plugins that are compromised through their update mechanisms, represent a growing category of CMS security risk.
  • Server Misconfiguration: PHP versions that are end-of-life, open directory listings, misconfigured file permissions, and the absence of a web application firewall all create exploitable vulnerabilities at the infrastructure level.
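The upload risk above is addressed by validating what the server accepts, not by trusting the client's filename. The following is an added example (not code from the page or from any CMS) of allowlist-based upload validation: the allowed types, the signature table, the script markers and the storage-name scheme are this example's own choices, and the sample uploads are byte strings constructed inline.

```python
"""Added example: allowlist validation for CMS file uploads.

Not part of the original page. The allowed extensions, magic-byte table,
script markers and storage naming are this example's assumptions.
"""
import os
import uuid

# Allowlist of media types the site actually needs. A denylist of "bad"
# extensions is the wrong model: it misses any handler the server maps later.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf"}

# Extensions the web server would execute. Rejected anywhere in the name, so
# a second extension cannot carry a script past the final-extension check.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar",
                         "cgi", "pl", "py", "sh"}

# Leading bytes each allowed type must start with; the content has to agree
# with the declared extension, not just the name.
MAGIC_BYTES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "webp": (b"RIFF",),  # RIFF container; the 'WEBP' tag is checked separately
    "pdf": (b"%PDF-",),
}

# Byte sequences that have no business inside an image or PDF on a PHP host;
# their presence marks a polyglot file rather than a plain document.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_upload(filename, content):
    """Validate one upload and return (accepted, detail).

    On acceptance `detail` is a server-generated storage name: the client's
    filename is never reused, so it cannot influence paths or handlers.
    On rejection `detail` names the rule that fired.
    """
    # Drop any directory component the client supplied (either separator).
    base = os.path.basename(filename.replace("\\", "/")).lower()
    if "." not in base or base.startswith("."):
        return False, "filename has no usable extension"
    *stem_parts, ext = base.split(".")
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} is not on the allowlist"
    if any(part in EXECUTABLE_EXTENSIONS for part in stem_parts):
        return False, "filename contains a server-executable extension"
    if not any(content.startswith(sig) for sig in MAGIC_BYTES[ext]):
        return False, f"content does not look like a .{ext} file"
    if ext == "webp" and content[8:12] != b"WEBP":
        return False, "RIFF container is not a WebP image"
    if any(marker in content for marker in SCRIPT_MARKERS):
        return False, "embedded script markers found in file content"
    return True, f"{uuid.uuid4().hex}.{ext}"


# Constructed sample uploads (built here as byte strings, not real files).
SAMPLES = {
    "holiday.JPG": b"\xff\xd8\xff\xe0" + b"\x00" * 32,            # valid JPEG
    "report.pdf": b"%PDF-1.7\n%constructed sample\n",              # valid PDF
    "notes.php": b"<?php echo 'hello'; ?>",                         # not allowed
    "image.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,            # double extension
    "picture.jpg": b"\xff\xd8\xff\xe1" + b"<?php echo 1; ?>",      # polyglot
    "fake.png": b"\xff\xd8\xff\xe0" + b"\x00" * 8,                 # type mismatch
    "../../wp-config.php": b"<?php",                                # path component
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        accepted, detail = validate_upload(name, data)
        print(f"{name:22} -> {'ACCEPT' if accepted else 'REJECT'}: {detail}")
```

Storing uploads under a generated name in a directory where the web server is configured not to execute scripts is the complementary server-side control; the validator above only decides what gets written there.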

Agency Responsibilities for CMS Security

The responsibilities of an agency managing client CMS websites fall into three categories: technical, contractual, and communicative.

Technical responsibilities cover the implementation and maintenance of security controls: ensuring software is kept updated, that strong authentication is enforced, that backups are in place and tested, that security monitoring is active, and that the hosting environment is properly configured. These responsibilities exist regardless of whether the agency has a formal security agreement with the client — they are the standard of professional care that any competent digital agency should apply.

Contractual responsibilities define the scope and limits of the agency’s security obligations. Agencies should ensure their client contracts clearly specify what security services they do and do not provide, who is responsible for hosting configuration and server security, and what the agency’s liability is in the event of a security incident. Clear contracts protect both parties and create the commercial foundation for paid security management services.

Communicative responsibilities involve keeping clients informed about the security posture of their websites, alerting them promptly to any incidents or vulnerabilities, and providing regular reporting on security maintenance activities. Clients who are kept in the dark about security are more likely to be caught off-guard by incidents and more likely to hold the agency responsible.

Core CMS Security Practices

The following are the core security practices that agencies should implement and maintain for every client website under their management.

  • Regular Software Updates: CMS core, plugins, and themes should be updated regularly — weekly for security patches, monthly for minor updates, with testing on staging before deployment to production. Automated update tools can assist, but should always be paired with a testing process rather than applied blindly to production.
  • Strong Authentication: All admin user accounts should use strong, unique passwords managed through a password manager. Multi-factor authentication (MFA) should be enforced for all admin accounts — this single control defeats the vast majority of brute-force and credential-stuffing attacks, because those attacks depend on a password alone being enough to log in.
  • Limiting Admin Access: The principle of least privilege should apply — users should have only the permissions necessary for their role. Dormant admin accounts should be removed. The default WordPress ‘admin’ username should never be used.
  • Web Application Firewall (WAF): A WAF intercepts and filters malicious traffic before it reaches the CMS application. Services like Cloudflare, Sucuri, or Wordfence Premium provide effective WAF protection for WordPress sites; Cloudflare and Sucuri filter at the network edge, whereas Wordfence runs as a plugin on the web server itself, so blocked requests still consume server resources. For headless architectures, Cloudflare provides excellent WAF coverage at the CDN edge.
  • SSL/TLS Configuration: All sites must use HTTPS with a valid SSL/TLS certificate. Certificates should be monitored for expiry — an expired certificate not only breaks the site but destroys visitor trust. TLS 1.2 should be the minimum supported version, with TLS 1.3 preferred.
  • Automated Malware Scanning: Regular automated scans for malware and file integrity violations provide early warning of compromise. For WordPress, Wordfence or Sucuri SiteCheck provide this capability. Managed hosting platforms often include server-level malware scanning.
  • Backup Infrastructure: Automated daily backups stored off-server with a tested restoration process are essential. The backup is the last line of defence when other security measures fail. Backups that have never been tested should not be relied upon.
  • Security Headers: HTTP security headers — including Content Security Policy, X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security — reduce the attack surface for cross-site scripting, clickjacking, and other browser-based attacks. These should be configured at the server or CDN level.
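The header and TLS controls in the list above are easy to state and easy to misconfigure, so a portfolio of client sites benefits from an automated check. The following is an added example (not code from the page or from any of the products it names) that audits a captured set of HTTP response headers for the four headers named above, distinguishing a header that is missing from one that is present but configured so weakly that it does not achieve its purpose. The one-year HSTS threshold and the CSP rules are this example's assumptions; the two sample responses are constructed, not captured from a real site.

```python
"""Added example: audit HTTP response headers for the controls listed above.

Not part of the original page. Thresholds (one-year HSTS max-age, the CSP
script-src rules) are assumptions chosen for this example.
"""
import re

# Minimum HSTS max-age accepted, one year in seconds (assumption: the page
# only says Strict-Transport-Security should be configured).
MIN_HSTS_MAX_AGE = 31_536_000


def _normalise(headers):
    """Lower-case header names: HTTP header names are case-insensitive and
    CDNs frequently emit them in lower case."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def _parse_csp(csp):
    """Split a CSP string into {directive: [sources]}, lower-cased."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_security_headers(headers):
    """Return {'missing': [...], 'weak': [...]} for one response's headers.

    'missing' lists controls absent entirely; 'weak' lists controls present
    but configured in a way that undermines what they are meant to do.
    """
    h = _normalise(headers)
    missing, weak = [], []

    # Strict-Transport-Security: present, long max-age, covering subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        missing.append("Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            weak.append("Strict-Transport-Security: max-age below one year")
        if "includesubdomains" not in hsts.lower():
            weak.append("Strict-Transport-Security: missing includeSubDomains")

    # X-Content-Type-Options: the only meaningful value is 'nosniff'.
    xcto = h.get("x-content-type-options")
    if xcto is None:
        missing.append("X-Content-Type-Options")
    elif xcto.lower() != "nosniff":
        weak.append(f"X-Content-Type-Options: unexpected value {xcto!r}")

    # X-Frame-Options: DENY or SAMEORIGIN are the values that stop framing.
    xfo = h.get("x-frame-options")
    if xfo is None:
        missing.append("X-Frame-Options")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        weak.append(f"X-Frame-Options: unexpected value {xfo!r}")

    # Content-Security-Policy: present, with a script source list that does
    # not allow inline scripts or wildcard origins (which defeat its purpose).
    csp = h.get("content-security-policy")
    if csp is None:
        missing.append("Content-Security-Policy")
    else:
        directives = _parse_csp(csp)
        script_src = directives.get("script-src", directives.get("default-src"))
        if script_src is None:
            weak.append("Content-Security-Policy: no script-src or default-src")
        elif "'unsafe-inline'" in script_src or "*" in script_src:
            weak.append("Content-Security-Policy: script-src allows inline or wildcard")

    return {"missing": missing, "weak": weak}


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = {
    "Server": "nginx",
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=300",
}

HARDENED_RESPONSE = {
    "server": "cloudflare",
    "content-type": "text/html; charset=UTF-8",
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "content-security-policy": "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit_security_headers(resp)
        print(f"{label}: missing={result['missing']} weak={result['weak']}")
```

Run against the headers returned by each client site (for instance from a scheduled job that fetches the home page), the function gives a per-site list that maps directly onto the reporting the communicative responsibilities above call for.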

GDPR and Cookie Compliance for Agency-Managed Websites

Beyond technical security, agencies managing CMS websites must ensure those sites comply with relevant data protection legislation — primarily the UK GDPR and, for sites targeting EU audiences, the EU GDPR. Non-compliance can result in significant fines (up to £17.5 million or 4% of global turnover under UK GDPR), ICO investigations, and reputational damage.

The key areas of GDPR compliance relevant to CMS websites are consent management, privacy policy accuracy, data minimisation, and data subject rights.

  • Consent Management and Cookie Compliance: Websites that use non-essential cookies — analytics cookies, advertising cookies, marketing automation cookies — must obtain explicit consent before setting those cookies. A cookie consent banner is the mechanism through which this consent is obtained and recorded. The banner must clearly explain what cookies are used and why, offer users a genuine choice to accept or reject non-essential cookies, and record consent in a way that can be demonstrated to regulators. Cookie banners that are designed to obscure the reject option or that use dark patterns to nudge users toward acceptance are non-compliant and represent a legal risk. Agencies should implement compliant consent solutions — Cookiebot, OneTrust, or CookieYes are commonly used — on all client sites that use non-essential cookies.
  • Privacy Policy Accuracy: Every website that collects personal data — including contact form submissions, newsletter signups, analytics data, or e-commerce transactions — must have an accurate privacy policy that explains what data is collected, how it is used, who it is shared with, how long it is retained, and how data subjects can exercise their rights. Agencies that use template privacy policies without customising them to the client’s actual data practices create compliance risk. Privacy policies should be reviewed at least annually and updated whenever the site’s data practices change.
  • Secure Data Handling: Contact forms, e-commerce checkout data, newsletter signup forms, and any other mechanism through which the site collects personal data must transmit and store that data securely. Form submissions should be transmitted over HTTPS, and stored data should be subject to access controls and retention limits. Integration with email marketing platforms and CRMs should be configured to comply with GDPR consent requirements.
  • Data Subject Rights: UK and EU GDPR grant individuals rights over their personal data, including the right to access, correct, delete, and port their data. Agencies managing client websites should ensure there is a clear process for handling data subject requests — typically a named contact in the privacy policy and an internal procedure for responding within the 30-day statutory deadline.

Evaluating White Label Development Partners on Security Standards

For agencies that use white label development partners for CMS delivery, the partner’s security standards are a direct extension of the agency’s own security posture. A partner that builds insecure websites or implements poor security practices creates risk that ultimately falls on the agency and its clients.

Agencies should evaluate potential white label partners on the following security criteria:

  • Whether they apply security-by-default practices in their development process, including hardened WordPress configurations, security headers, and the principle of least privilege.
  • Whether they have a documented policy for handling vulnerabilities and security incidents.
  • Whether they provide pre-launch security checks as part of their QA process.
  • Whether they have experience implementing cookie consent solutions and advising on GDPR compliance.
  • Whether they are willing to contractually commit to minimum security standards in the white label agreement.

Partners who treat security as an afterthought — who skip hardening, ignore known vulnerabilities, or treat update management as optional — represent a significant commercial and legal risk to the agency. Security quality should be a primary evaluation criterion in partner selection, not a secondary consideration after price and capability.

Agencies that build a reputation for delivering and maintaining secure, compliant websites create a powerful commercial differentiator. In sectors such as healthcare, financial services, education, and public services — where data sensitivity is high and regulatory scrutiny is intense — security credentials are not a nice-to-have but a commercial requirement. The agency that can demonstrate a systematic, professional approach to CMS security and compliance is the agency that wins and retains the best clients in these sectors.