Can you make extra income by selling website care plans? Yes! The key to selling website care plans is education, and it must start during the first conversation with your clients.
In this guide, we’ll cover packaging, pricing, and selling website security services, along with how to educate your clients on the value of website security services.
Why Offer Website Care Plans? The Power of Recurring Revenue
Recurring income is the foundation of a successful web design business. It’s virtually impossible to survive without it.
Without a growing stream of recurring income…
- You’re completely dependent on consistent sales for survival.
- You’re living project to project.
- You only get paid when the client supplies the website assets to finish the job (which can take days/weeks/months).
- You’re walking a tightrope without a safety net.
You need recurring revenue and your clients need a website care plan.
Note: In this webinar, I may use the terms Website Care Plan, WordPress Management, and WordPress Security interchangeably and as part of one another. The idea is helping the client understand why keeping their WordPress websites healthy is important and how you will do that for them.
How Selling a Website Care Plan is the Starting Point
You have built the client relationship, so maximize its value for the long term, not just a single project.
Every WordPress website needs ongoing care. You should be offering these services to the client along with the initial build.
The Challenge: Explaining to Clients Why They Need a Care Plan
It can be challenging to explain to clients why a care plan is important. Clients are often not tech-savvy and don’t understand the challenges or the benefits of keeping a website healthy. It’s up to us to explain these things in language that even a non-technical client can understand.
2 Common Mistakes in Selling Website Care Plans
Let me give you what I think are the two most common mistakes when it comes to selling website care plans. (By the way, I’ve made both of these. And so I’m very familiar with each.)
1. Presenting Website Security as an Option
- WordPress Security is not an option; it’s a necessity if the client wants their website to stay healthy.
- A care plan is not an optional extended warranty like car dealerships try to sell.
- A care plan is more like regularly scheduled maintenance – oil changes, fluid checks, rotating and balancing tires, etc. If you skip them, the car will have problems sooner or later.
- When a client is budget-challenged, I’d rather see them spend less on the website project so that they have enough money to purchase a care plan.
2. Waiting Until Launch to Mention the Website Care Plan
- If you wait until website launch before you introduce the client to the concept of a care plan, you’ll rarely sell one.
- In fact, it’s likely the client will feel hoodwinked since their investment will change significantly.
- The key to selling care plans is education, and the discussion has to begin from your first meeting with the client.
- Care plan pricing should be part of your proposal – it’s just as important as the cost of the initial build.
The key to selling WordPress Care Plans is education, and it must start at the first conversation.
How I Present a Website Care Plan to the Client
Often when I meet with a client, I will draw out a box on a notebook or a napkin. I explain why each wall is important and what we do to provide protection.
Visual Example: The Four Walls of Protection

Let’s unpack each of these four walls:
1. Website Hosting
The client may or may not be familiar with $5 a month low-quality shared hosting.
I will often mention that this kind of service is out there, much like there are cars for $500 on Facebook Marketplace. A car like that might work for a little while, but I’m not going to put my family in it.
Shared hosting is so cheap because there are thousands of other websites on the same server as yours.
The other sites can make your site run slower, affect your website’s security if they get hacked, and even cause your site to be blacklisted if they do something bad.
Not only does our private server provide much better security for your website, but it will also be significantly faster than other alternatives.
A faster site can lead to better customer conversions and a higher ranking on Google.
Many times, the client won’t be interested in these details at all. You’ll have to make that decision.
When I’m dealing with a business owner who I can sense has no issue with spending money on value, I explain that we have our own private server that we control with only our client’s websites.
Frequently the client will simply be grateful that you can provide this service for them and they don’t have to figure it out themselves.
Remember, they’re really making a trust-based choice to invest in YOU. Sell benefits, not features.
If “gigabytes of storage space” enters the conversation, you’re probably doing it wrong.
2. Website Backups
Since most clients will understand why backups are important as a concept, this part isn’t as hard to explain as the others.
There are two reasons we provide backup services:
- To mitigate the damage done by hackers – If your website should be compromised, we can immediately restore a backup to a pre-hacked condition.
- To protect against human error. Just in case you or one of your employees accidentally delete or damage the website, we can restore a backup that’s no more than 24 hours old.
I explain that we are relentless about backups and provide a 2-tiered backup strategy.
- First, we have backups at the server level. Everything is backed up to our web host’s data center each night. That’s the first line of defense.
- Second, we run a separate backup of each website individually on a daily basis. A 6-month archive of these backups is kept offsite in cloud storage so that just in case something happens to the web host, we always have a copy of your website.
The important thing about this is that the client understands that you have a working strategy to keep the website backed up and safe.
Sometimes too many details can muddy the waters for the client. Others want as much detail as possible. You’ll have to use your best judgment on what kind of client you’re dealing with.
3. Software Updates
This one is a little more difficult to explain to some clients.
There are 2 kinds of clients I’ve found who push back on the importance of WordPress theme and plugin updates…
- Non-technical clients who don’t understand why you’d have to do this to begin with.
- Semi-technical clients who think it’s just as simple as pushing a button (okay, in many cases it is – but we’ve all had issues where an update has broken something and we’ve become a lot more careful as a result).
The best analogy I use is to relate website updates to software updates on a computer.
Why do we apply software patches?
The developer has found problems or security vulnerabilities, so the patch was released to fix those issues. If you don’t keep your software up to date, you could become infected with malware or, worse, ransomware.
WordPress updates are similar, but even more important since your website is on the Internet for anyone to see. That means hackers can (and will) snoop around looking for problems to exploit.
We update your WordPress site each week under normal circumstances, making sure all the patches to the software on your site have been applied and your site is functioning well.
On average, a few times each year, a vulnerability will be revealed in WordPress software.
We stay abreast of security news so that we are aware of these issues.
During those times when the threat level is enhanced, we perform updates more frequently.
The goal here is for the client to understand that you have their back on these things so they don’t have to be a web security expert.
4. Website Security
Website Security is a three-phase approach:
- Architecture – we choose only the best WordPress themes, plugins, and code to build your website.
- Launch – as part of our launch process, we perform a 43-point WordPress security lockdown.
  - Note: the 43 points are the individual features in iThemes Security Pro we enable during launch (be sure to count the ones you use if you want to say something like this). This is the number of features we employ as of today. Of course, this number can and probably will change in the future.
- Monitoring – we monitor your website for hack attempts and perform regular malware scans to ensure your website is clean. These are features provided by iThemes Security Pro.
We also provide a free SSL certificate as part of our care plan.
That way, all communication between your website and users is encrypted. Your website will show a padlock in the address bar which can enhance a visitor’s confidence in you. It also helps your Google ranking.
Explaining Hackers to Clients
Many clients, especially small businesses and organizations, will not understand why a hacker would want to access their website to begin with.
They might also take a “so what” approach, believing that there is nothing of value on their website that they would lose even if a hack occurred.
It’s often helpful to explain the following to clients who push back on these things:
A Hacker Analogy
A few years ago, we had a string of vehicle break-ins in our neighborhood. No cars were damaged but items were stolen. Turns out it was several teenagers walking driveway to driveway just checking door handles. If a car was left unlocked, they would rummage the contents for anything of value.
That’s what hackers do. They’re just checking the doors and windows of your website to see if anything will allow them easy access.
But a hacker doesn’t just try one door at a time. They have software that will scan the web for them looking for open doors and windows.
It would be like the hacker pressing a button and automatically checking all the doors and windows in the neighborhood at once.
When you think of a hacker, don’t think of a single person in their parents’ basement late at night typing away trying to break into your website with Cheetos dust on their fingers.
Hackers create little programs that scan the Internet looking for website vulnerabilities. When they find an open door, they’re programmed to automatically infect the website and then report back their success to the hacker, who will likely have hundreds of websites to exploit at once.
Why Hackers Hack
“But why would someone do this? What value is my little site to them?” This is a question I often get. The answer is that the hacker probably isn’t after you specifically. You’re just one of a million sites they’re trying to exploit.
What do they have to gain?
Server Resources – If hackers can compromise your website, they can use server resources to run complex calculations to create digital currency like Bitcoin. They can use the server’s resources to perform other tasks anonymously.
Sending Spam Emails – The server can also be harnessed to send millions of spam emails anonymously.
Content Injection – Hackers can add text and image links to products and sites you probably don’t want to advertise (think porn and male pharmaceuticals).
Malware – Hackers can add code that will exploit vulnerabilities on your visitors’ computers if they are using out of date web browsers, operating systems, or other old software. Once exposed, your visitors could have their computers compromised with keyloggers, malware and ransomware. Nasty stuff. And you don’t want to be responsible for it.
The Good News
Clients, especially the nontechnical ones, might be scared to death at this point.
Assure them that WordPress is quite secure when a good security strategy is employed, like the one you’re offering to them as part of your care plan.
I explain that I have never had a website infected when it was managed under the care plan that I offer.
The Client’s Responsibilities in Their Website Security
It’s important for clients to understand that they themselves still have some responsibility in keeping their website secure.
The items below are detailed in my Master Services Agreement (contract) and also explained to the client during training.
Keeping Computers Protected
A common way that websites become compromised is through keylogging programs that are installed on an infected computer.
If your computer is not kept secure, the login information for any site you visit can be recorded and sent to a hacker, who can then log into those sites as you.
The client must agree that any computer that they or their employees or contractors use to log into the website will be protected by:
- Installing and maintaining updated security software
- Using the most up-to-date version of your preferred web browser
- Keeping the operating system patched with recommended updates
Using a Unique Password
The client must also agree to use a strong password (as shown by the WordPress password indicator) for any account used to log into and edit the website.
This password must only be used on the website; it should not be used elsewhere.
We recommend the use of a password manager (like Bitwarden, Dashlane, 1Password, etc.) so that you have unique passwords for each website you visit.
If the client has their “one favorite password” they use for everything, explain that it’s like a master key to their life.
If one website they use gets compromised, a hacker can now log into every site where they have an account.
Suggest searching for the email and password combination at https://haveibeenpwned.com.
Note, iThemes Security includes HaveIBeenPwned protection for all WordPress user accounts. I will often explain how this works, and clients love it.
Giving Your Client Options
When I explain the importance of a Care Plan, I give the client three options. It’s up to them to choose which is right for them.
Do Nothing
- It’s a bad option, but an option nonetheless
- You’ll eventually get hacked or your website will break
Do It Yourself
- We will teach you how to keep your website updated and monitor security issues.
- Be sure to include sufficient time for this in-depth training in your proposal
We Do It For You
- We offer a suite of ongoing services to keep your website safe and working properly.
Pricing Your Website Care Plans
Pricing is one of the most difficult jobs for any WordPress business owner working with clients. Care plan pricing can vary wildly, but is usually dependent on one factor…
Guidelines / Suggestions / Starting Points
Generally speaking, the price of your care plan depends on the price of your websites.
Typical Website Price | Suggested Monthly Care Plan Price |
---|---|
Under $2000 | $50/month and up |
$2000-$3500 | $75/month and up |
$3500 and up | $100/month and up |
Note: It’s hard to sell a $100/mo care plan if you’re charging $1500 for a website.
Watch the Video: How to Package and Sell Website Care Plans
During this recent WordPress Disaster Week webinar, I unpack this entire approach to website care plans. I cover each part of the process in more detail, along with answers to a few FAQs.
Get The Tools You Need to Provide Website Care Plans for WordPress Sites
Good news! There are tools designed specifically to make providing WordPress website care plans an easy process. I recommend and use:
- The WordPress security plugin iThemes Security Pro for website security
- The WordPress backup plugin BackupBuddy for website backups
- iThemes Sync, a central dashboard for managing multiple WordPress sites, for website updates
Here’s more on my recommended tips, tools, and settings for each product when it comes to providing website care plans, including an export file of my favorite settings.

Nathan is the Host at iThemes Training where he teaches WordPress and business development topics via live webinar. He is a growth coach for WordPress business owners, helping them become more successful in their businesses individually and in groups. Nathan is also the creator of MonsterContracts, a service that provides contracts for WordPress client work. He has been working with clients to build websites since 1995.