Insight

Should WordPress Maintenance Agencies Let Clients Install Plugins Themselves?

Install plugins through the WordPress admin.

Should clients be allowed to install plugins on their WordPress websites when they’re already working with a maintenance provider? On its face, this might seem a simple question, but it’s actually one that’s filled with nuance and “it depends…” type scenarios. This post was inspired by this tweet:

My reply:

https://twitter.com/taupecat/status/1266186619834507265

(The way Pantheon locks down the production environment is not the only reason I use and recommend them; it’s not even the primary reason. But that extra layer of security protects websites from hackers, and can protect clients from themselves.)

Arguments for Prohibiting Clients from Installing Plugins on Their Own

When you’re a website owner who hires an agency like Taupecat Studios to perform maintenance services, you’re entering into a partnership. And good partnerships thrive on communication. When the website owner installs plugins on a WordPress website, they’re putting the agency in a position that makes it harder to help them. The lack of communication means that they don’t have all the information about what’s going on with the website.

Presumably, the maintenance agreement exists because the agency has expertise that the website owner doesn’t. Are there known security issues with a particular plugin? Is there a plugin that would do the job better or is better maintained? Would the same goals be achieved more efficiently and to the website owner’s exact requirements with a custom solution instead?

I’ve also seen cases where website owners have used nulled or cloned versions of a premium plugin. This can be done through ignorance or the awareness that they are opting for the cheaper (albeit less honest) solution. I’m a firm believer in paying for quality where it is due, and have more than once educated clients as to why using the nulled version of a plugin is a bad idea.

Any good agency that does ongoing WordPress maintenance—including plugin and core updates—likely has an automated system in place to help with part or all of the process. When a client goes off and installs plugins on their own, they’re subverting this process, and the consequences can range from the plugin being removed at the next update cycle, or never being updated because it’s not properly recorded in the configuration.

But What About “Own Your Data”?

Russell Aaron had a different reaction to Angela’s original question:

That’s absolutely correct, and why this is not such a cut-and-dried question.
A client’s website is exactly that: the client’s. They ultimately control its content, its appearance, and its functionality. So when clients want to install a particular plugin on their site, we work with them to make it happen, and as quickly as is reasonable.

When receiving plugin requests, we look at all of the criteria listed above. But should clients have to go through this hoop to install a plugin on their websites?

It all comes back to the first point I made earlier: our clients and we are in a partnership. We want to help you, because it’s what you’re paying us to do. More importantly, though, we want you to be happy: with your website, as well as with our services.

So yes, your website is yours, and you can ultimately do what you want with it. But if you’re entered into a maintenance agreement with us, we ask that you allow us to work with you to make that happen in the best way possible.


Photo by Stephen Phillips – Hostreviews.co.uk on Unsplash