Shared Hosting Security Is a Server-Level Problem
A plugin update can fix a plugin problem. It cannot fix a weak hosting operation.
That distinction matters right now.
In late May, LiteSpeed published an urgent security update for its user-end cPanel plugin. The issue, tracked as CVE-2026-48172, was already being exploited. LiteSpeed said affected versions of the user-end plugin could let any cPanel user, including a compromised account, execute arbitrary scripts as root through the lsws.redisAble function. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on May 26.
That is a different class of problem from a normal WordPress plugin bug. This is not “one site has an outdated add-on.” This is “a hosting control panel feature can create server-level risk.”
For small business owners, the lesson is uncomfortable but useful: website security is bigger than WordPress updates.
Why this is bigger than WordPress
WordPress gets most of the attention because business owners can see it. Plugins. Themes. Login pages. Update buttons.
But your website also depends on the hosting layer underneath it:
- The cPanel or control panel account.
- The web server and cache stack.
- PHP versions and permissions.
- Backup locations.
- SSH, FTP, and file manager access.
- Malware scanning and log review.
- The person responsible when something breaks.
If the hosting layer is neglected, the site can be patched and still exposed.
The LiteSpeed issue is a good example. The vulnerable component lived in the cPanel/LiteSpeed management layer, not in a dentist’s homepage copy or a contractor’s contact form. A business owner would not catch that by logging into WordPress and clicking “update plugins.”
Someone has to know the server exists.
Shared hosting makes ownership blurry
Cheap shared hosting works until it does not.
A lot of small businesses start there because it is easy. One login. One yearly bill. A familiar control panel. The problem is that shared hosting often hides the parts that matter during a security event.
Who checks whether the server-level plugin was removed or patched? Who reviews cPanel logs for signs of exploitation? Who confirms backups are off the server? Who knows whether another compromised account on the same environment can affect your site?
If the answer is “probably the host,” that is not a plan. It is a hope with an invoice.
Good hosting operations make those responsibilities explicit. They keep a known inventory of sites, software, users, plugins, backups, monitors, and response steps. That is the boring work that keeps a local business from learning about web infrastructure during a crisis.
The attack window is short
Patchstack’s 2026 WordPress security report found that mass exploitation can move fast, with a weighted median of five hours for heavily attacked vulnerabilities. Wordfence’s May reporting also showed real-world exploit activity around popular WordPress components, including Breeze Cache and Avada Builder.
That does not mean every business needs an in-house security team. It does mean “we check the site when someone complains” is too slow.
For most local businesses, the practical response is simple:
- Know who owns hosting maintenance.
- Keep WordPress core, plugins, and themes current.
- Watch server-level security advisories, not just WordPress dashboard notices.
- Store backups outside the hosting account.
- Test restores before you need one.
- Monitor uptime, SSL, forms, and public pages.
- Document changes so the next fix starts with context.
None of that is glamorous. Perfect. Security should be mostly uninteresting when it is handled well.
What business owners should ask their host
If you are not sure who is watching your site, ask these questions:
- Are my website files and database backed up off-server?
- How often are backups tested?
- Who receives security notices for the hosting account?
- Are cPanel, LiteSpeed, PHP, and server packages patched by a documented process?
- Are unused FTP, SSH, admin, and WordPress accounts removed?
- Does someone review alerts when a vulnerability is actively exploited?
- If the site is compromised, who cleans it and how fast does that process start?
You do not need a technical lecture. You need clear ownership.
If the answer is vague, the risk is probably vague too.
Managed care is the difference
Robben Media’s hosting and website care work is built around ownership. WordPress sites need plugin and theme maintenance, security monitoring, backups, uptime checks, cache management, and recovery planning. Static sites, Astro sites, and custom app sites need a different stack, but the same operating discipline.
The point is not to sell “hosting” as a commodity. The point is to keep the business website dependable.
That means watching both layers: the visible website and the infrastructure behind it. It means knowing when a WordPress plugin matters, when a server advisory matters, and when a support ticket should turn into a real incident response instead of another shrug.
If your site is on old shared hosting with unclear backups and no named owner, start there. Find out what is running, who is responsible, and what happens when something breaks.
Robben Media can help with website hosting and maintenance, WordPress maintenance, and website security.
Sources
Jeremy Johnson
Owner
Jeremy co-owns Robben Media and directs strategy for every client engagement. With a Computer Engineering degree from Missouri S&T, he brings deep technical expertise in web development, SEO, and automation. Before acquiring Robben Media in 2023, Jeremy led marketing and branch management in the mortgage industry. He believes marketing should be measured by revenue generated, not impressions reported.