This question is about how to deal with ongoing WordPress site maintenance, for security. While we have some understanding of security, we are not experts and would like to know what other people think, especially if security is their area of expertise.
We make WordPress websites, usually quite small, for clients with relatively small budgets. They do not have budgets for anything other than very basic maintenance.
Where we have maintenance arrangements, in terms of security we confine ourselves to dealing with issues reported by the iThemes security and Orion ManageWP plugins. What this usually amounts to is ensuring that plugins are kept up to date.
However, when checking sites in Google Lighthouse, we have noticed that security issues are often reported that the plugins have not picked up on.
It is not in our current maintenance agreements to keep an eye on these issues or respond to them in any way. However, we would like to know more about this to decide whether we should reconsider our maintenance agreements.
Thank you in advance for any feedback.