How to Package & Sell Website Care Plans for Clients

Can you make extra income by selling website care plans? Yes! The key to selling website care plans is education, and it must start during the first conversation with your clients.

Read on to learn more about packaging, pricing, and selling website security services, along with how to educate your clients on the value of website security services.

Why Offer Website Care Plans? The Power of Recurring Revenue

Recurring income is the foundation of a successful web design business. It’s virtually impossible to survive without it.

Without a growing stream of recurring income…

• You’re completely dependent on consistent sales for survival.
• You’re living project to project. 
• You only get paid when the client supplies the website assets to finish  the job (which can take days / weeks / months) 
• You’re running walking a tightrope without a safety net. 

You need recurring revenue and your clients need a website care plan. 

Note: I may use the terms Website Care Plan, WordPress Management, and WordPress Security interchangeably and as part of one another. The idea is helping the client understand why  keeping their WordPress websites healthy is important and how you will do that for them. 

How Selling a Website Care Plan is the Starting Point  

You have built the client relationship, so maximize its value for the long term, not just a single project. 

Every WordPress website needs ongoing care. You should be offering these services to the client along with the initial build. 

The Challenge: Explaining to Clients Why They Need a Care Plan 

It can be challenging to explain to clients why a care plan is important. Clients are often not tech savvy, and don’t understand the challenges or the benefits of keeping a website healthy. It’s up to us to explain these things in a language that even a non technical client can understand. 

2 Common Mistakes in Selling Website Care Plans

Let me give you what I think are the two most common mistakes when it comes to selling website care plans. (By the way, I’ve made both of these. And so I’m very familiar with each.)

1. Presenting Website Security as an Option 

• WordPress Security is not an option, it’s a necessity if the client wants their website to stay healthy. 
• A care plan is not an optional extended warranty like car dealerships try to sell. 
• A care plan is more like regularly scheduled maintenance – oil changes, fluid checks, rotating and balancing tires, etc. If you skip them, the car  will have problems sooner or later. 
• When a client is budget-challenged, I’d rather see them spend less on the website project so that they have enough money to purchase a  care plan.

2. Waiting Until Launch to Mention the Website Care Plan 

• If you wait until website launch before you introduce the client to the concept of a care plan, you’ll rarely sell one. 
• In fact, it’s likely the client will feel hoodwinked since their investment will change significantly. 
• The key to selling care plans is education, and the discussion has to  begin from your first meeting with the client. 
• Care plan pricing should be part of your proposal – it’s just as important as the cost of the initial build. 

The key to selling WordPress Care Plans is education, and it must start at the first conversation. 

How I Present a Website Care Plan to the Client 

Often when I meet with a client, I will draw out a box on a notebook or a napkin. I explain why each wall is important and what we do to provide protection. 

Visual Example: The Four Walls of Protection 

Let’s unpack each of these four walls:

1. Website Hosting 

The client may or may not be familiar with inexpensive, low-quality shared hosting. 

I will often mention that this kind of service is out there, much like there are cars for $500 on Facebook Marketplace. A car like that might work for a little while, but I’m not going to put my family in it.

Shared hosting is so cheap because there are thousands of other websites on the same server as yours.

The other sites can make your site run slower, affect your website’s security if they get hacked, and even cause your site to  be blacklisted if they do something bad.

Not only does a private server provide much better security for your website, but it will also be significantly faster than other alternatives. A faster site can lead to better customer conversions and a higher ranking on Google.

Many times, the client won’t be interested in these details at all. You’ll have to make that decision. When I’m dealing with a business owner who I can sense has no issue with spending money on value, I explain that we have our own private server that we control with only our client’s websites.

Frequently the client will simply be grateful that you can provide this  service for them and they don’t have to figure out themselves.

Remember, they’re really making a trust-based choice to invest in YOU. Sell benefits, not features.

If “gigabytes of storage space” enters the conversation, you’re probably doing it wrong.

2. Website Backups 

Since most clients will understand why backups are important as a concept, this part isn’t as hard to explain as the others. 

There are two reasons we provide backup services:

• To mitigate the damage done by hackers – If your website should be compromised, we can immediately restore a backup to a pre-hacked condition.
• To protect against human error. Just in case you or one of your employees accidentally delete or damage the website, we can restore a backup that’s no more than 24 hours old.

I explain that we are relentless about backups and provide a 2-tiered backup strategy. 

1. First, we have backups at the server level. Everything is backed up to our web host’s data center each night. That’s the first line of defense. 
2. Second, we run a separate backup of each web site individually  on a daily basis. A 6-month archive of these backups are kept  offsite in cloud storage so that just in case something happens to  the web host, we always have a copy of your website. 

The important thing about this is that the client understands that you have a working strategy to keep the website backed up and safe. 

Sometimes too many details can muddy the waters for the client. Others want as much detail as possible. You’ll have to use your  best judgment on what kind of client you’re dealing with.

3. Software Updates 

This one is a little more difficult to explain to some clients. 

There are 2 kinds of clients I’ve found who push back on the importance of WordPress theme and plugin updates… 

• Non-technical clients who don’t understand why you’d have to do this to begin with. 
• Semi-technical clients who think it’s just as simple as pushing a  button (okay, in many cases it is – but we’ve all had issues where  an update has broken something and we’ve become a lot more  careful as a result). 

The best analogy I use is to relate website updates to software updates on a computer.  

Why do we apply software patches?  

The developer has found problems or security vulnerabilities, so the patch was released to fix those issues. If you don’t keep your software up to date, you could become infected with malware, or worse ransomware. 

WordPress updates are similar, but even more important since  your website is on the Internet for anyone to see. That means hackers can (and will) snoop around looking  for problems to exploit. 

We update your WordPress site each week under normal circumstances, making sure all the patches to the software on your site have been applied and your site is functioning well. 

On average, a few times each year, a vulnerability will be revealed in WordPress software. 

We stay abreast of security news so that we are aware of these issues.

During those times when the threat level is enhanced, we perform updates more frequently. 

The goal here is for the client to understand that you have their back on these things so they don’t have to be a web security expert. 

4. Website Security 

Website Security is a three-phase approach: 

1. Architecture – we choose only the best WordPress themes,  plugins, and code to build your website.  
2. Launch – as part of our launch process, we perform a 43-point WordPress security lockdown.
   • Note, the 43 points are the individual features in Solid Security Pro we enable during launch (be sure to count the  ones you use if you want to say something like this). This is the number of features we employ as of today. Of  course, this number can and probably will change in the future. 
3. Monitoring – we monitor your website for hack attempts and  perform regular scans to identify vulnerabilities on your website. If a vulnerability is detected, we are alerted and apply a patch as soon as it is available. In the meantime, our advanced firewall patches the vulnerability in real time until the final fix can be applied. These features are available with Solid Security Pro with Patchstack Firewall and virtual patching.

We also provide a free SSL certificate as part of our care plan. 

That way, all communication between your website and users is encrypted. Your website will show a padlock in the address bar which can  enhance a visitor’s confidence in you. It also helps your Google  ranking.

Explaining Hackers to Clients 

Many clients, especially small businesses and organizations, will not understand why a hacker would want to access their website to begin  with. 

They might also take a “so what” approach, believing that there is nothing of value on their website that they would lose even if a hack  occurred. 

It’s often helpful to explain the following to clients who push back on these things 

A Hacker Analogy 

A few years ago, we had a string of vehicle break-ins in our neighborhood. No cars were damaged but items were stolen. Turns out it was several teenagers walking driveway to driveway just checking door handles. If a car was left unlocked, they would rummage the contents for anything of value. 

That’s what hackers do. They’re just checking the doors and windows of your website to see if anything will allow them easy access. 

But a hacker doesn’t just try one door at a time. They have software that will scan the web for them looking for open doors and windows.  

It would be like the hacker pressing a button and automatically checking all the doors and windows in the neighborhood at once. 

When you think of a hacker, don’t think of a single person in their parent’s basement late at night typing away trying to break into your  website with Cheetos dust on their fingers. 

Hackers create little programs that scan the Internet looking for website vulnerabilities. When they find an open door, they’re programmed to  automatically infect the website and then report back their success to  the hacker, who will likely have hundreds of websites to exploit at once.

Why Hackers Hack 

“But why would someone do this? What value is my little site to them?” These are often a question I get. The answer is that the hacker probably isn’t after you specifically. You’re  just one of a million sites they’re trying to exploit. 

What do they have to gain? 

Server Resources – If hackers can compromise your website, they can use server resources to run complex calculations to create digital currency like Bitcoin. They can use the server’s resources to perform other tasks anonymously.

Sending Spam Emails – The server can also be harnessed to send millions of spam emails anonymously 

Content Injection – Hackers can add text and image links to products and sites  you probably don’t want to advertise (think porn and male  pharmaceuticals). 

Malware – Hackers can add code that will exploit vulnerabilities on  your visitors’ computers if they are using out of date web browsers, operating systems, or other old software. Once exposed, your visitors could have their computers  compromised with keyloggers, malware and ransomware. Nasty stuff. And you don’t want to be responsible for it.

The Good News 

Clients, especially the nontechnical ones, might be scared to death at this point. 

Assure them that WordPress is quite secure when a good security strategy is employed, like the one you’re offering to them as part of your  care plan. 

I explain that I have never had a website infected when it was managed under the care plan that I offer. 

The Client’s Responsibilities in Their Website Security 

It’s important for clients to understand that they themselves still have  some responsibility in keeping their website secure. 

The items below are detailed in my Master Services Agreement  (contract) and also explained to the client during training. 

Keeping Computers Protected 

A common way that websites become compromised is through keylogging programs that are installed on an infected computer.  

If your computer is not kept secure, the login information for any  site you visit can be recorded and sent to a hacker, who can then  log into those sites as you. 

The client must agree that any computer that they or their employees or contractors use to log into the website will be protected by: 

• Installing and maintaining updated security software 
• Using the most up-to-date version of your preferred web browser 
• Keeping the operating system patched with recommended  updates

Using a Unique Password 

The client must also agree to use a strong password (as shown by the WordPress password indicator) for any account used to log into and  edit the website. 

This password must only be used on the website, it should not be used elsewhere. 

We recommend the use of a password manager (like Bitwarden, Dashlane, 1Password, etc.) so that you have unique passwords for each  website you visit. 

If the client has their “one favorite password” they use for everything, explain that it’s like a master key to their life.  

If one website they use gets compromised, a hacker can now log  into every site where they have an account. 

Suggest searching for the email and password combination at  https://haveibeenpwned.com. 

Note, iThemes Security includes HaveIBeenPwned protection for  all WordPress user accounts. I will often explain how this works, and clients love it. 

Giving Your Client Options 

When I explain the importance of a Care Plan, I give the client three options. It’s up to them to choose which is right for them. 

Do Nothing 

• It’s a bad option, but an option nonetheless 
• You’ll eventually get hacked or your website will break

Do It Yourself 

• We will teach you how to keep your website updated and monitor security issues. 
• Be sure to include sufficient time for this in-depth training in your proposal 

We Do It For You 

• We offer a suite of ongoing services to keep your website safe and working properly. 

Watch the Video: How to Package and Sell Website Care Plans

During this recent WordPress Disaster Week webinar, I unpack this entire approach to website care plans. I cover reach part of the process in more detail, along with answers to a few FAQs.