Skip to main content
web60

Infrastructure

VPS Hosting vs Managed WordPress: The Root Access Myth That Costs Small Businesses

Graeme Conkie··11 min read
Abstract flat illustration of a cluster of small connected teal nodes on a warm stone grey background, one node isolated and unconnected from the rest, suggesting a system left without oversight

Everyone eventually hears the same advice once a business website starts getting real traffic: get a VPS, it gives you more control. Reviewing a support ticket this morning from someone asking why their "upgraded" hosting was slower than the shared plan they had left, the pattern was familiar enough that it was worth writing down properly. More control is true. What gets left out is what that control actually is, and what it costs you to hold onto it.

A VPS, a Virtual Private Server, is a slice of a physical server carved out with virtualisation software so it behaves like its own machine. On the unmanaged tier, that includes root access: full administrator rights over the operating system, the software stack, the firewall, everything. You can install anything. You can also break anything, and unless somebody is actively watching, you can leave a known, publicly documented vulnerability sitting open for months without ever knowing it is there.

What "Get a VPS" Actually Hands You

Root access sounds like an upgrade because, on paper, it is. You are no longer sharing resources with strangers on a crowded shared server, and you can configure the environment however a specific project needs. WordPress itself is not fussy about where it runs. Its own baseline is modest: a current PHP version, MySQL or MariaDB, and HTTPS, according to WordPress.org's own requirements page. Almost any VPS clears that bar on day one.

The part that gets glossed over is what happens after day one. An unmanaged VPS means the provider looks after the physical hardware and the network connection. Everything sitting on top of that, the operating system patches, the web server configuration, the database tuning, the firewall rules, the malware scanning, is entirely yours. Nobody nudges you when a critical update ships. Nobody checks whether last night's backup actually completed. That is not a criticism of VPS providers. It is the product. You are buying raw compute and full control, not a managed outcome.

So what does that mean for a business owner who just wanted a faster website? It means the "more control" you were sold is really a second job description: part-time systems administrator, unpaid, indefinite, with no handover notes.

Abstract flat illustration of a warm grey server-like block shape with scattered teal dots drifting away from it, suggesting unmonitored maintenance tasks left unattended
Root access is real control. It also means nobody else is watching the maintenance queue.

The Job Nobody Mentions When They Say "Get a VPS"

Patching sounds like a minor chore until you look at how organisations with entire security teams actually perform at it. Verizon's 2026 Data Breach Investigations Report found the median time to patch a known vulnerability has stretched to 43 days, up from 32 the year before, a 34% jump. Worse, of the vulnerabilities tracked on CISA's Known Exploited Vulnerabilities list, only 26% had been fully remediated, down from 38% the prior year. Vulnerability exploitation, not stolen passwords, is now the single most common way attackers get into a network in the first place, according to the same report. Those are organisations with dedicated security staff. A business owner running their own VPS between everything else they do is not going to beat that average.

Here is the scenario this plays out in most often, and it is deliberately not a story about any specific business, because it is common enough to be a pattern rather than an anecdote. A popular WordPress plugin, the kind installed on hundreds of thousands of sites, gets a critical vulnerability disclosed. A patch ships within days. On a server nobody is actively minding, that patch sits unapplied. Weeks pass. Automated scanning tools, not a targeted human attacker, sweep the internet looking for exactly that unpatched version, find it, and the site is compromised. Nobody logged in and did anything wrong. The vulnerability was public, the fix existed, and there was simply no one whose job it was to apply it. It is worth reading what actually goes wrong when plugin updates are left to chance, because an unpatched VPS fails in exactly the same way, just with nobody even offering to click "update."

I made a version of this mistake myself in SmartHost's early years. A client wanted more headroom for a directory site that was starting to get real traffic, and I sold him an unmanaged VPS on the understanding that his cousin, who had set it up, would keep it patched. Eighteen months later a plugin exploit did exactly what plugin exploits do, and I was the one on the phone explaining why "cheaper" and "covered" had never meant the same thing. I do not sell that arrangement any more without saying so directly.

Who Is Actually on the Hook Under GDPR

This is the part that turns a technical oversight into a legal one. Consider a fairly typical scenario: a small poultry and egg supplier outside Monaghan town builds up an online ordering system for local shops and a growing list of direct customers, hosted on a VPS a family member set up as a favour before heading off to college. Nobody touches the server again. The site collects names, delivery addresses and order histories, ordinary personal data under GDPR, and the business owner is, whether she has thought about it this way or not, the data controller.

Article 32 of GDPR requires the controller to implement security "appropriate to the risk," including keeping systems patched against known vulnerabilities. That obligation does not transfer to the cousin who configured the server, and it does not disappear because nobody remembered to check it after he left. If that server is compromised through an unpatched flaw, the Data Protection Commission's questions land with the business, not with whoever built the site. This is not a reason to panic about every VPS in Ireland, and it is not a substitute for advice from a solicitor on your specific setup. It is a reason to know, in advance, whose job the patching actually is, in writing, before it becomes a question you are answering under pressure.

What You Are Actually Paying For

Advertised VPS pricing looks compelling next to a managed hosting quote. DigitalOcean, one of the larger general-purpose cloud VPS providers, lists basic droplets from around $4 a month and general-purpose tiers with more memory from roughly $63. That price buys compute and storage. It does not buy anyone watching the box.

Unmanaged VPS"Managed" VPSManaged WordPress Hosting
OS and security patchingYour responsibility entirelyBasic OS-level support onlyHandled as part of the service
WordPress-specific stack (caching, PHP-FPM)You configure it yourselfRarely includedBuilt and tuned for WordPress specifically
Backups and restoreManual, if you set it upOften a paid add-onAutomatic, with one-click restore
Malware scanning and hardeningNot includedInconsistent between providersBuilt in as standard

Every row in that table earns its place. OS patching is the responsibility gap covered above. The WordPress-specific stack matters because a general-purpose "managed" VPS typically covers the operating system and not much past it, leaving you to configure Nginx or Apache, PHP-FPM tuning, and an object caching layer like Redis yourself, or hire someone who can, on top of the base monthly fee. Backups on a VPS are frequently an extra line item rather than something running automatically from day one. Malware scanning and hardening, where they exist on VPS plans at all, tend to be inconsistent between providers rather than a fixed standard.

Add a genuine patching and monitoring routine to an unmanaged VPS, whether that is your own time or a contractor's, and the real monthly cost climbs well past the advertised entry price, before you have matched what a WordPress-specific managed host already includes as standard. WordPress itself now runs a little over four in ten websites globally, according to W3Techs, so whichever hosting model you choose, you are very rarely the only one running that exact stack. The advantage of a host built specifically around it is that somebody else has already solved the maintenance problem for every customer on the platform, not just you. The backup row in that table alone is worth reading properly in our complete guide to WordPress security and backups, since "I will set up backups later" is exactly how most unmanaged VPS setups end up with none.

Web60 runs on a managed WordPress stack built on WordOps, Nginx, PHP-FPM and Redis object caching, tuned for WordPress specifically, with automatic nightly backups, server-level hardening and malware scanning included in the €60 a year, not billed separately once you notice you need them.

Where an Unmanaged VPS Genuinely Is the Right Call

None of this means a VPS is always the wrong choice. If you are running custom software outside WordPress entirely, a bespoke booking system, a data processing pipeline, something with server requirements a WordPress-specific host will never support, root access is genuinely useful, and you likely already have someone whose job includes keeping it patched. That is a real, specific case. It is also not most business websites, and it is worth being honest that very few owners asking "do I need a VPS" are actually describing that situation.

There is a limitation worth naming on the other side too. Managed WordPress hosting, including Web60's, does not give you raw root access to install arbitrary system-level software outside the WordPress environment. If your business genuinely needs that, a managed WordPress platform is the wrong tool, and no amount of support will change that. For a standard business site, a growing directory, a booking system, an online shop, that trade-off runs firmly the other way. You give up root access you were unlikely to use correctly, and get back a stack somebody else is contractually responsible for keeping current.

Conclusion

"Get a VPS for more control" is not bad advice exactly. It is incomplete advice. Control over a server means responsibility for a server, and that responsibility does not pause because you are busy running an actual business. Before taking that advice, ask the more useful question: who, specifically, by name, is going to patch this thing every month, and what happens the month they do not. If the honest answer is nobody, the VPS was never really the upgrade it was sold as.

Frequently Asked Questions

What is the difference between VPS hosting and managed WordPress hosting?

A VPS gives you a virtual slice of a server and, on the unmanaged tier, root access to configure it however you like. Managed WordPress hosting gives you a server already configured, patched and secured specifically for running WordPress, with someone else responsible for keeping it that way.

Do I need root access for a business website?

Almost never, if the site runs on WordPress. Root access matters when you are running custom software with unusual server requirements. A standard business site, even a busy one, does not need it and rarely benefits from it.

Is managed VPS the same as managed WordPress hosting?

No. A managed VPS still gives you a general-purpose server with basic operating system support. Managed WordPress hosting is built specifically around the WordPress stack, including the caching layers, security hardening and update process WordPress itself needs.

Who is responsible for security if my website is hosted on a VPS?

On an unmanaged VPS, you are, whether or not you realise it. That includes operating system patches, WordPress core and plugin updates, firewall rules and malware scanning. As the data controller under GDPR, that responsibility does not transfer to whoever set the server up for you.

When does a VPS genuinely make sense for a small business?

When you are running custom software outside WordPress, need a specific server configuration a WordPress host will not offer, or already employ someone whose job includes patching and securing servers. Outside those cases, the maintenance burden usually outweighs the extra control.

Sources

WordPress.org - Requirements

DigitalOcean - Droplet Pricing

Verizon - 2026 Data Breach Investigations Report

W3Techs - Usage Statistics and Market Share of WordPress

EUR-Lex - Regulation (EU) 2016/679 (GDPR), Article 32

Graeme Conkie
Graeme ConkieFounder & Managing Director, Web60

Graeme Conkie founded SmartHost in 2020 and has spent years building hosting infrastructure for Irish businesses. He created Web60 after seeing the same problem repeatedly — Irish SMEs paying too much for hosting that underdelivers. He writes about WordPress infrastructure, server security, developer workflows, managed hosting strategy, and the real cost of hosting decisions for Irish business owners.

More by Graeme Conkie

Ready to get your business online?

Describe your business. AI builds your website in 60 seconds.

Build My Website Free →
Buy NowTry Free
VPS Hosting vs Managed WordPress: The Real Cost | Web60