What Happened
A dental practice we work with discovered their website was selling Viagra. Not a popup or a weird ad – their actual website had been hijacked to display pharmaceutical spam. Their patients were seeing it. Google was indexing it.
They were hosted on Flywheel. They’d done everything right (or at least everything Flywheel told them to do). But when the infection hit, they were stuck. Flywheel’s support could scan and clean, but the client had no visibility into what actually happened, no access to server-level logs, and no way to verify the problem was truly fixed. We’ve now helped multiple Flywheel clients recover from similar situations.
The Flywheel Tradeoff
Flywheel is popular because it’s simple and affordable. For a lot of use cases, that’s fine. But simplicity comes with tradeoffs that aren’t obvious until something goes wrong:
- No server-level access. You can’t see IP-level changes, dig into logs, or investigate what actually happened during an incident. You’re entirely dependent on Flywheel’s support team to tell you what they found.
- Plugin updates are your problem. Flywheel handles WordPress core updates, but plugins and themes (where 96% of vulnerabilities live) are on you. They offer managed plugin updates for $8/month per site, but that’s just updates. It’s not monitoring, it’s not investigation, it’s not someone in your corner when things break.
- When you need help, you’re in a queue. Flywheel’s own documentation says malware cleanup “may take 24-48 hours.” If your patients are seeing spam on your website, 48 hours is an eternity.
- DIY cleanup usually fails. Flywheel admits this themselves: “We’ve noticed a handful of customers trying to clean up their sites themselves…and this often resulted in sites that weren’t fully eradicated of malware.” Modern malware hides in your database, not just your files. If you don’t know to look there, you’ll think you fixed it until it comes back.
What We Do Differently
Our managed hosting starts at $95/month. That’s more than Flywheel. We’re not going to pretend otherwise.
But here’s what that includes:
- server management
- plugin and theme updates
- uptime monitoring
- security monitoring
- a team that actually goes to bat for you when something goes wrong.
We’re the ones dealing with the hosting infrastructure. We’re the ones digging into logs and database tables. We’re the ones who can tell you exactly what happened and prove it’s fixed.
When our clients have issues, they don’t open a support ticket and wait 48 hours. They call us. And because we specialize in healthcare websites, we understand what’s at stake (your practice’s reputation, your patients’ trust, and the compliance requirements that come with running a healthcare organization online).
The Real Question
Which is actually more expensive, a few extra dollars a month in hosting, or your patient seeing a Viagra ad on your website?
The cheap route works until it doesn’t. And recent vulnerabilities have shown us that “until it doesn’t” is happening more often than anyone wants to admit. Patchstack documented nearly 8,000 new WordPress vulnerabilities in 2024 alone, a 34% increase from the year before.
You can self-manage on Flywheel and hope nothing goes wrong. Or you can have a team that’s watching, maintaining, and ready to act the moment something looks off.
If You’re Thinking About This
We’re happy to take a look at your current setup and tell you what we see – no obligation, no pressure. But if you’ve already had an incident, or you’re managing multiple practice websites and losing sleep over whether they’re actually secure, let’s talk.