Skip to content
Service

Security updates

We keep the WordPress core, every plugin, and every theme updated — without crashing your site in the process. Three layers of protection: staging tests, automated rollback, and a human reviewing the result the day after.

Why this matters

Roughly 96% of all hacked WordPress sites have an outdated component as the entry point — usually a plugin or theme that hasn't been updated in months. Security updates aren't complicated themselves, but they're one of the things most easily put off "until I have time". And that's exactly when things break.

We take that work off your calendar entirely. When an update lands, we're the ones handling it — properly, at the right time, with a fallback if something goes wrong.

What's included

  • WordPress core — every minor and security release applied within 24 hours of release. Major releases (e.g. 6.4 → 6.5) ship after we verify your theme engine and premium plugins are compatible.
  • Plugins — every active plugin is monitored. Security patches get prioritised; other updates roll up in weekly batches to minimise risk.
  • Themes — both parent and child themes. We don't touch your custom child-theme code.
  • Compatibility reading — before we roll an update we read the changelog. If a plugin update looks suspicious we pause it and reach out.

How it goes — without drama

  1. We take a backup. Not a scheduled one — a specific snapshot right before the update.
  2. We test in staging (Pro and Enterprise). The plugin or core is updated in a copy of your site, automated smoke tests run (homepage, key landing pages, a checkout flow if there is one), and if anything fails we abort.
  3. We roll out to production. The site stays up the entire time — the update applies in 1–3 seconds.
  4. We monitor for 30 minutes after. If error rates in the logs spike noticeably, automatic rollback to the backup.
  5. A human reviews the result the day after. Not just at the server level — we actually load your homepage.

What if an update goes wrong?

It happens. Rarely, but it happens — often because two plugins interact unexpectedly. When it does:

  • Automatic rollback to the backup (usually within 60 seconds).
  • You get an email: "We paused the X update because Y. We're looking into it."
  • We read through the issue, contact the plugin author if needed, and schedule a new attempt when the path is clear.
  • You haven't had to do anything.
No overnight rollbacks We never trigger a rollback during a checkout-in-progress or your peak hours. Update windows match your business hours where it's relevant.

What this isn't

  • It's not WordPress's built-in auto-updates. The native function runs without backups, without testing, and without escalation when something breaks. We do the job better — that's the whole point.
  • It's not a major-version upgrade without a decision. For major releases (e.g. 5.x → 6.x) we reach out beforehand, walk through breaking changes, and ship with your sign-off.
  • It's not updating pirated plugins or abandoned themes. If you have one of those, we'll suggest alternatives.

Which plans include it?

Security updates are included in every plan — Basic, Pro, and Enterprise. The difference is how much testing happens before rollout:

  • Basic: Security updates within 24 hours, backup before, 30 min monitoring after. No staging test.
  • Pro: Everything above + a staging environment where plugin updates are tested before they reach production.
  • Enterprise: Everything above + custom update windows (e.g. "not during the April campaign week").

See the full comparison on the pricing page →

Questions & answers

How fast does a critical security patch ship?

Within 24 hours for documented critical issues (CVSS 7.0+). In practice usually 4–6 hours — we monitor WordPress security feeds 24/7.

What if I have a custom plugin that doesn't auto-update?

We talk to you first. If it's an internally developed plugin we can help set up an internal release process. If it's an abandoned third-party plugin we suggest alternatives with similar functionality.

Do updates affect my visitors?

No. Updates apply atomically in 1–3 seconds, and WordPress handles incoming requests while the core updates. If we ever see an update that requires longer downtime, we reach out beforehand and schedule a window.

Can I pause updates temporarily?

Yes — we have a "freeze" mode for periods when you absolutely don't want anything changing (e.g. product launches). Security patches still ship, but non-critical updates pause.

Get started

Security updates start the day we install the WEBBELi worker plugin on your WordPress. That typically takes 24 hours from order to first update run.

See plans and pricing

GDPR

GDPR — how we handle your data.

We built Oden C.A.M around data minimization, EU hosting, and full transparency — not as an afterthought.

01

Where your data lives

All Oden data (control panel, logs, backups) is stored in Cloud Run and Firestore in the Finland region (europe-north1). Your WordPress sites run on whichever hosting you choose — if you want to move to us, we offer WEBBELi as an add-on (Scandinavian servers in Sweden). Backups are AES-256 encrypted and stay inside the EU. We use no subprocessors in the US or other non-EU/EEA countries — which means Schrems II concerns simply don't apply.

02

What data we process

Only what's needed to run your WordPress: your sites' URLs, plugin and theme versions, update history, and cryptographic keys. We never touch your visitors' data — there's no tracking pixel and no ads module.

  • Site metadata (URL, version, status)
  • Operations logs (security events, updates)
  • Backup archives (encrypted, 30 days)
  • Operator identity (your email, for support)
03

How it's protected

The connection between your WordPress and Oden goes via the WEBBELi worker plugin we install on your site — TLS 1.3 with Ed25519 keys. Stored secrets are envelope-encrypted (Cloud KMS). Audit logs are write-only and kept for 12 months.

04

Your rights

You can request access to, correction of, or deletion of your data. Email hello@oden.cam and we'll respond within 30 days (usually within 48 hours). At termination, all customer data is permanently erased within 60 days — except what we must retain under Swedish bookkeeping law (7 years).

05

Data incidents

If we confirm an incident affecting your personal data, we'll contact you within 72 hours with an initial report, in parallel with our notification to IMY (the Swedish DPA). The report covers what happened, what was affected, and what mitigations we're applying.

06

Data Processing Agreement (DPA)

A standard DPA is automatically included — no separate paperwork. It stipulates EU hosting, sub-processors (list available on request), and Swedish law as the applicable jurisdiction. Larger procurements can sign an extended agreement: hello@oden.cam.

Controller: NNi Solutions, Sweden. Questions? hello@oden.cam
Service

Get Oden C.A.M