We get a hacked WordPress customer site every once in a while, even though after installing ModSecurity and tweaked our firewalls everything is a lot better.
We are helping our customers with hacked sites by restoring them from a working backup and helping them hardening their site. It takes from the time of the admins, but it is worth leaving a customer happy!
We had customers switching over to us, because their sitest are hacked and their host would not help them. So we moved over their Joomla website, upgraded the client's Joomla to the latest version and hardened it. Customer haven't had issues since, it's been about 3 months for them now and they said that before they used to get hacked every second week!
It really depends on the circumstances, if for example, they hadn't updated their version for WordPress or other CMS in a while then that would primarily be their own fault. (If it is just a regular non-managed shared account)
However, if the fault is found to be caused by the company (which is very rare these days) then steps are taken depending on the severity of the issue. An example would be to give credit, or in more severe cases a refund.
Also, having a good policy on the website is most definitely a requirement in the case of those events.
In my experience, mostly yes.
We have top security though so at the current stage if we couldn't stop the attack there's not many that could (without severely limiting features/functions) we have a few clients who are simply targets due to either their site content or the software they use - in this case we can only advise them to upgrade/change software, but if they choose not to there's no forcing, we just make clients aware that is has no effect on our servers at all, so upgrading/changing software is only for their own benefit.
Either way though I've no issues with reverting to backups, or helping secure scripts, if they use a software that's important to their operations. As long as they're aware of the risks/vulnerabilities they must keep in mind.
Is the manufacturer of your automobile responsible for your car's theft if you leave your door unlocked and the key in the ignition?
Running a web hosting server is the same concept. As the server manager, you are responsible to keep the system software secure. You are not responsible for your customer's website files.
If your customer uses old software that is insecure, then you could perhaps advice them of this fact (it's easy to run scripts to find old software on your servers)... but ultimately, it is the customer's files and so it is their responsibility to keep their website files secure.
However, if you advertise or offer additional security services for your customer's website files... then of course this is different since then you are making yourself responsible for their website file's security.
Want to sell domain names? Sign up today for an eNom.com reseller account from a trusted eNom ETP provider. * We provide support and service to over 3245 happy eNom domain name and SSL certificate resellers!