This is Part 1 of a 3-part series: Who Should Be Managing Your Website?
Most business owners pay for website hosting and assume that covers everything. It typically does not. Hosting and website management are two separate services, and the gap between them is where most website problems originate.
Understanding what each service actually includes, and what each one leaves out, is the first step toward figuring out whether your site has an unaddressed risk.
What Hosting Is
Hosting is infrastructure. When you pay for hosting, you are paying for the server space and resources required to serve your website’s files to visitors.
A hosting account typically includes:
- Server space to store your website’s files (HTML, CSS, JavaScript, images, databases)
- Bandwidth to deliver those files to visitors
- A connection to the internet so the server is reachable
- Basic server software (a web server like Apache or Nginx, PHP, a database server)
Depending on the provider and the tier, hosting may also include automated daily backups, a staging environment, SSL certificate provisioning, basic server-level security (firewall rules, DDoS mitigation), and uptime monitoring that alerts the host if the server goes offline.
What hosting almost never includes, regardless of what the marketing language implies:
- Updating your CMS, plugins, or themes
- Monitoring your site for security breaches or malware
- Fixing things that break after an update
- Making content changes
- Recovering a hacked site
- Testing the site after updates to confirm it still works
- Managing your domain registration
Hosting keeps the server running. The hosting provider’s responsibility typically ends there. What happens to the software running on that server is, in most standard arrangements, someone else’s job.
What Website Management Is
Website management is the ongoing work of keeping the software layer of your website functional, secure, and current. It is a service layer that operates above the hosting infrastructure.
A management retainer typically includes:
- CMS core updates (WordPress core, for example)
- Plugin and theme updates
- Testing after updates to verify the site works correctly
- Uptime monitoring with human response when the site goes down
- Security scanning for malware or suspicious file changes
- Backup verification (confirming backups exist and are restorable, not just scheduled)
- Response to break-fix issues caused by updates or software conflicts
Depending on the scope of the retainer, management may also include content updates, performance monitoring and optimization, security incident response, analytics review and reporting, and handling contact with the hosting provider on the client’s behalf.
Website management is the human-and-process layer that keeps the application running on top of the hosting infrastructure. It requires someone with technical knowledge of the specific platform and a consistent process for applying and testing changes.
Where the Confusion Comes From
Hosting providers often bundle services in ways that blur the line. “Managed WordPress hosting” is a common example. The term “managed” in this context typically refers to managed infrastructure: the host handles server configuration, server-level caching, and sometimes automatic WordPress core updates. It does not usually mean the host is responsible for your plugins, your theme, your content, or your site’s security at the application level.
The other common source of confusion is the domain registrar. Many business owners assume that because they pay a hosting company, the hosting company also controls their domain. In many cases, the domain is registered separately, with a different account, at a different provider. If the domain expires, the site goes offline regardless of whether the hosting account is active.
The Five Responsibility Gaps
When hosting and management are not clearly defined, responsibility gaps form. These are the most common ones we see:
The plugin update gap. The hosting provider does not update plugins. The site owner does not know they need to. An outdated plugin with a known vulnerability goes unpatched for months. This is one of the most common pathways for WordPress sites to get compromised.
The broken update gap. A plugin or theme update breaks part of the site. The hosting provider does not know anything is wrong because their responsibility ends at the server. The site owner is not monitoring the site and does not notice for days.
The backup gap. The hosting provider takes nightly backups, but no one has verified that the backups are restorable. When a restore is needed, the backup turns out to be corrupt or incomplete. This scenario is more common than it should be because “backups are scheduled” is treated as equivalent to “backups work.”
The domain expiration gap. The site owner assumes the hosting provider manages the domain. The domain registrar account is under an old email address no one monitors. The domain expires and the site goes offline.
The security incident gap. The site gets infected with malware. The hosting provider may detect it and suspend the account. But cleaning the infection, identifying the entry point, and hardening the site to prevent re-infection require application-level expertise that the hosting provider does not typically offer as part of a standard hosting plan.
Questions to Ask About Your Current Setup
To identify whether you have gaps between hosting and management, work through these:
- Who manages your domain registration, and where is that account? Do you have access to it?
- Does your hosting provider update WordPress, plugins, and themes, or is that your responsibility?
- Who monitors your site for downtime, and what is the response process when it goes down?
- When did you last verify that your backups are restorable?
- If your site were infected with malware tomorrow, who would you call, and what would their scope of response include?
- Is your SSL certificate managed by the hosting provider, and what happens when it expires?
These questions surface where responsibility is clear and where it is not. The gaps that appear are usually not anyone’s fault. They are the result of services being bundled or implied in ways that were never made explicit.
Closing the Gaps
The cleanest arrangement is one where a single provider is responsible for both hosting and management, with a clear written scope of what that includes. If hosting and management are handled by different parties, the scope of each party’s responsibilities should be documented and agreed upon, including which tasks belong to which party, what the response time expectations are, and how the parties communicate when something affects both layers.
The next two parts of this series cover the specific risks of managing your own site (Part 2) and what professional management looks like when it is done well (Part 3).


