Human-Centric Hosting in the Age of AI: Q&A with Zach Aufort of BigScoots

Learn how BigScoots provides human-centric hosting experiences while keeping its users fully secure and their sites performing like a charm. Watch the webinar today!

49 minutes
Published June 27, 2025
Lana Rafaela
Product Marketing Manager at Patchstack

What you're going to learn

  • Why BigScoots treats itself as an application support company first — and a host second
  • How human-first support builds real customer trust (and replaces traditional marketing)
  • The tech stack behind BigScoots' proactive WordPress security — from physical data centers to Cloudflare Magic Transit
  • How they support non-technical customers with plugin issues — and even contact plugin authors on their behalf
  • Why security needs to be visible (but not fear-based) to customers — and how to strike the right balance
  • What happens behind the scenes when a major WordPress vulnerability is discovered
  • Real stories of sneaky malware, Fiverr plugin disasters, and affiliate revenue theft

“We’re not just your hosting provider. We’re your support team, your troubleshooting partner, your safety net.”

In a world where support tickets often trigger chatbot replies and plugin errors are met with a link to an FAQ, BigScoots is taking a different path. One that puts people, not just platforms, first.

We sat down with Zach Aufort, Performance Engineer at BigScoots, to find out what it really means to be a human-first managed WordPress host in 2025.

From conference support desks to plugin patching to quietly fixing problems before customers even know about them, Zach offered a refreshingly candid look into how BigScoots operates behind the scenes.

Getting to Know Zach

Zach’s route into the industry started early. “I was that kid who ran a web hosting company over summer break,” he laughs. “People made fun of ‘summer hosts’ back in the day, but that’s where I learned Linux and how to support customers.”

He started out sweeping floors at a data center in high school. Over time, he picked up server skills and began handling tickets and infrastructure tasks. After serving in the military for seven years – and taking on Linux admin work on the side – he returned to the tech industry. His own local IT business eventually gave way to his current role at BigScoots, which he joined in 2021.

“Everyone who leaves hosting eventually comes back to it,” he jokes. “It’s an industry that pulls you back.”

He’s comfortable in the hosting world. “It’s changed a lot. There used to be 50 or 60 people working in a data center. Now, with automation, you’re lucky if you see two.”

Starting with a Human Focus in Hosting

“Most of our customers aren’t super technical. They’re focused on running their business. So we step in to handle the technical parts that would otherwise derail them.”

Zach describes BigScoots as much an application support company as a hosting company. While many providers shy away from plugin conflicts and WordPress-level issues, BigScoots leans in.

“If there’s a plugin conflict, we’ll investigate it. We’ll go through logs, isolate the issue, and even prepare a full technical breakdown our customers can send to the plugin developer.”

They often reach out to plugin authors directly and resolve the issue on the customer’s behalf.

“It’s a hands-on approach. If we can figure it out, why force a non-technical user to chase a plugin dev from five years ago?”

And solving these issues has a multiplier effect. “If I fix something for one customer and thousands of other sites are using that plugin, we all benefit.”

No Scripts. No Escalation Tiers.

Unlike most hosts, BigScoots doesn’t rely on macros or tiered escalation. “The person you talk to first is the one who helps you. If I need to speak with our network engineer, I will – but the customer never feels like they’re being passed around.”

Zach manages the performance and security team, and still spends hours on support tickets. The same goes for the CEO, Scott Stapley, and other team leads.

“There are no silos. Everyone talks to customers. Everyone writes tickets. Nobody’s above it.”

That also means fewer delays and fewer handoffs. “We just get it done. And if I don’t know the answer, I’ll go find it – but I’ll still be the one replying.”

Support in the Real World

“We don’t go to conferences just to hand out business cards. We show up with laptops.”

At events like Tastemaker (a major food influencer gathering), Zach set up shop with his laptop and helped customers live on-site.

“We weren’t pitching. We were fixing. People brought SEO questions, Search Console warnings, WP admin issues – even general advice. And if I couldn’t solve it, I called my team and we knocked it out together.”

They rented a table in a room filled with salespeople. “All the couches filled up with people waiting for us. Not the other vendors. Just us.”

Next year, they’re planning to bring even more staff.

A Security Stack That Works Quietly

Zach walks us through BigScoots’ multi-layered security setup:

  • Physical control over their data center hardware in Chicago
  • Cloudflare Magic Transit DDoS protection for all customers
  • Isolated virtualized environments per customer – not shared hosting
  • Application-level hardening: directory restrictions, PHP execution limits
  • Rate limiting on login URLs like /wp-admin
  • Cloudflare Enterprise WAF rules and bot protections
  • Patchstack integration for vulnerability alerts and virtual patching
  • MFA and VPN usage across the support team
  • Offsite backups in geographically redundant locations

“We take it seriously. We try to keep everything locked down – from servers to staff devices.”

How BigScoots Integrates Patchstack to Protect Hosting Users from Vulnerabilities

BigScoots integrates Patchstack deeply into their managed WordPress service – not just behind the scenes, but in how customers interact with it.

“We show customers Patchstack alerts right inside the portal. They can see which plugin is vulnerable, what version they’re on, and what they need to do. Even if they haven’t paid for extra security, we still surface that data.”

Zach acknowledges that transparency comes with trade-offs. “There’s a fine line. Show too little and customers feel ignored. Show too much and they panic. We want to keep them informed without overwhelming them.”

This balance is part of the human approach – not just securing infrastructure, but helping users understand what’s happening and why.

Customers Fall Into Two Camps

“About half are really proactive. They update plugins, question admin access, set up 2FA. The other half don’t think about any of this until something breaks.”

Instead of selling through fear, BigScoots positions itself as a guide.

“If something’s out of date or a vulnerability is detected, we let them know. We explain the risk. And if they’re using an old plugin that can’t be updated, Patchstack helps us virtually patch it while they plan a fix.”

This use of Patchstack – not just for prevention but to buy time – is one of its biggest benefits. Zach explains, “It gives customers breathing room. They don’t need to scramble or go dark. They stay protected while preparing for the long-term fix.”

When Vulnerabilities Hit

Zach describes what happens when a zero-day plugin vulnerability surfaces.

“First, we’ll notice a few strange support tickets. Redirects. Errors. Then Patchstack will post a disclosure, and we’ll realize a major plugin is affected. From there, it’s triage.”

They search their infrastructure to see how many sites are running the plugin. If safe to do so, they push a mass update. If not, they deploy server-level WAF rules or Cloudflare patches.

“We prefer not to touch customer plugins unless we have to. WAF rules are our first choice. But if needed, we’ll act fast.”

Zach also notes the added benefit of Patchstack’s vulnerability feed, giving them a head start on understanding what’s at risk and where to act.
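The inventory step of that triage, as an added example (not BigScoots' or Patchstack's own tooling): it walks a hosting root, finds every site with a given plugin, reads the installed version from the plugin header, and classifies each site against the fixed release. The `<root>/<site>/wp-content/plugins/<slug>` layout, the `example-forms` slug and the `2.4.1` fixed version are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

def version_key(version):
    """Numeric key for dotted versions, padded so '2.4' == '2.4.0' (suffixes like -beta ignored)."""
    parts = [int(n) for n in re.findall(r"\d+", version)][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def plugin_version(plugin_dir):
    """Read the Version header from the plugin's main file (the one with 'Plugin Name:')."""
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")  # WordPress reads only the first 8 KB
        if "Plugin Name:" in head:
            match = VERSION_RE.search(head)
            return match.group(1) if match else None
    return None

def triage(hosting_root, slug, fixed_in):
    """Return {site: (version, status)} for every site that has the plugin installed."""
    report = {}
    for plugin_dir in sorted(Path(hosting_root).glob(f"*/wp-content/plugins/{slug}")):
        site = plugin_dir.parents[2].name
        version = plugin_version(plugin_dir)
        if version is None:
            status = "unknown"      # unreadable header: review by hand, do not assume safe
        elif version_key(version) < version_key(fixed_in):
            status = "vulnerable"
        else:
            status = "patched"
        report[site] = (version, status)
    return report

def build_sample_fleet(root):
    """Constructed sample data: four sites, three with the hypothetical plugin."""
    headers = {"shop.example": "2.3.9", "blog.example": "2.4.1", "old.example": None}
    for site, version in headers.items():
        d = Path(root) / site / "wp-content/plugins/example-forms"
        d.mkdir(parents=True)
        body = "<?php\n/*\n * Plugin Name: Example Forms\n"
        body += f" * Version: {version}\n */\n" if version else " */\n"
        (d / "example-forms.php").write_text(body)
    (Path(root) / "clean.example" / "wp-content/plugins").mkdir(parents=True)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_fleet(tmp)
        for site, (version, status) in triage(tmp, "example-forms", "2.4.1").items():
            print(f"{site:14} {version or '-':8} {status}")
```

Sites reported as `unknown` belong in the same queue as `vulnerable` ones until someone has looked at them.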

Attacks Getting Smarter

Zach shared two examples of memorable attacks:

  • One used JS redirects but hid from hosting providers by whitelisting known IPs. “We’d check the site and see nothing. But the customer saw redirects. It was smart.”
  • Another case involved a freelance developer using the same admin email and password on hundreds of sites. When those credentials leaked, an attacker changed affiliate links across all of them. “It took weeks for anyone to notice. They weren’t breaking anything – just silently rerouting revenue.”

These stealth attacks are harder to catch, and harder to clean.

The Limits of Shared Hosting

Zach points out that BigScoots customers don’t share hosting environments – every site runs in its own isolated container.

“It’s not strictly a security feature, but it does help. If one customer’s site has a traffic spike or gets hit with something malicious, it doesn’t affect anyone else. That kind of separation is rare – and valuable.”

It also protects performance, ensuring that no one site can drag others down, whether through accident or attack.

Malware Scanning Isn’t Enough

“People think it’s like antivirus in the 2000s. Scan, detect, delete, done. But that’s not how web security works anymore.”

Zach points out that scanners usually detect issues after damage is done.

“If a scanner finds malware, the redirect already happened. Visitors were already affected. It’s too late.”

Instead, BigScoots focuses on prevention: vulnerability detection, patching, access control, and customer education.

Final Thoughts

Zach doesn’t claim BigScoots is perfect. But they are different.

“Hosting is often faceless. We just try to make it human again. That means solving problems when they come up – and helping customers avoid them altogether.”

In an industry dominated by automation and aggressive sales, BigScoots is proving that showing up, listening, and solving real problems still works.

And if you want to make sure your or your users’ WordPress sites are protected from vulnerabilities — before they’re exploited — Patchstack gives you visibility, virtual patching, and peace of mind.
