A web designer emails her client’s hosting provider asking for a quote to enable Redis caching. The response: “This is part of hosting services.”
She then asks about adding security headers. The response: “Available free of charge for customers that want it.”
Two items from a performance audit, both assumed to be paid extras, both already included. If nobody had asked, the client would have approved hours of billable work for something they could have had with a single request.
This happens more often than you’d think.
The Gap Between What You’re Paying For and What You’re Using
Managed hosting is not the same as basic shared hosting. When you pay for managed WordPress hosting, you’re typically paying for a bundle of services that goes well beyond “a server your website sits on.”
But here’s the problem: most hosting providers are better at delivering these services than explaining them. And most business owners — understandably — don’t read their hosting plan’s feature list until something goes wrong.
The result is a gap. Your hosting includes capabilities you’ve never activated, while you’re paying freelancers or agencies to implement the same things from scratch.
Services You Might Already Have
Every hosting provider is different, but here are services that are commonly included with managed WordPress hosting and commonly paid for separately by clients who don’t realise they have them:
Object Caching (Redis or Memcached)
What it does: Stores frequently-used database queries in memory so your site doesn’t have to run them on every page load. This is particularly impactful for WooCommerce stores with large product catalogues.
What clients typically pay for instead: A developer installs and configures a caching plugin, spends time troubleshooting conflicts with other plugins, and bills 2-4 hours. Meanwhile, the hosting provider can enable Redis at the server level in minutes.
How to check: Ask your hosting provider: “Is Redis or object caching available on my plan?”
Security Headers
What they do: HTTP security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Content Security Policy) tell browsers how to handle your site’s content securely. They protect against clickjacking, content injection, and protocol downgrade attacks.
What clients typically pay for instead: A security plugin that adds headers at the WordPress level, or a developer manually editing configuration files. Both work, but if your hosting provider offers this at the server level, it’s faster, more reliable, and doesn’t add another plugin to your stack.
A word of caution: Content Security Policy (CSP) headers need testing. They control which external domains your site can load resources from. If you use Jetpack, Google Fonts, analytics tools, or payment gateways, a CSP header that’s too restrictive will block them. Your hosting provider should be able to configure these with your specific plugins in mind.
How to check: Ask: “Can you add security headers to my site? Is this included?”
Staging Environments
What they do: A staging site is a private copy of your live website where you can test changes — plugin updates, design changes, new features — without affecting what your customers see.
What clients typically pay for instead: Testing changes directly on the live site (risky), or a developer setting up a separate staging environment manually.
How to check: Ask: “Do I have a staging site available? How do I access it?”
CDN (Content Delivery Network)
What it does: Serves your site’s static files (images, CSS, JavaScript) from servers geographically close to your visitors, reducing load times.
What clients typically pay for instead: Subscribing to a separate CDN service, or a developer configuring CloudFront or Cloudflare independently.
How to check: Ask: “Is CDN included with my hosting? Is it configured for my site?”
Automated Backups
What they do: Regular snapshots of your entire site — files and database — that you can restore from if something goes wrong.
What clients typically pay for instead: A backup plugin (which uses your own server’s resources to create backups), or a third-party backup service.
How to check: Ask: “How often are backups taken? How far back can I restore? How do I request a restore?”
File-Level Security
What it does: Blocking access to sensitive WordPress files (install.php, readme.html, wp-config.php) at the web server level, before requests ever reach WordPress.
What clients typically pay for instead: Security plugins that do the same thing at the application level, or a developer editing .htaccess rules.
How to check: Ask: “Are sensitive WordPress files already blocked at the server level?”
How to Find Out What You’re Paying For
The simplest approach: email your hosting provider with this message.
Hi,
I’d like to understand what services are included with my hosting plan. Could you confirm whether the following are available and, if so, whether they’re currently active on my site?
- Object caching (Redis/Memcached)
- Security headers (HSTS, CSP, X-Frame-Options, etc.)
- Staging environment
- CDN
- Automated backups (frequency and retention)
- Server-level file access blocking
Thanks
That single email could save you hundreds of dollars in unnecessary development work.
The Web Designer’s Role
If you work with a web designer or developer, share this information with them. Many web designers are excellent at design and WordPress management but may not know the specifics of what your hosting provider offers at the infrastructure level.
In the real example that inspired this post, the web designer was the one asking the hosting provider for quotes — which is exactly the right approach. The hosting provider was able to clarify what was included (Redis, security headers) versus what required paid work (CloudFront configuration, plugin reduction).
This kind of three-way communication — business owner, web designer, hosting provider — prevents duplicate work and ensures each person is doing what they’re best at.
The Bottom Line
Your hosting plan is not just a monthly bill for server space. If you’re on a managed hosting plan, you’re paying for a bundle of services that someone has already built, tested, and maintained for you. Before you approve any performance or security work, take five minutes to check whether your hosting provider already offers it.
The most expensive hosting feature is the one you’re paying for but never using.
