- A website is software, not a printed brochure. The platform, plugins, and certificates under it keep changing after launch.
- The threat is real and growing: 11,334 new WordPress-ecosystem vulnerabilities were found in 2025, and 96% live in plugins (Patchstack).
- Neglect is a documented attack vector: 39% of hacked CMS sites were running outdated software at the time of infection (Sucuri).
- The failures that cost leads are silent: a broken contact form, an expired SSL certificate, stale hours and pricing. Nobody emails you when they happen.
- Maintenance is getting less optional: SSL certificates now max out at 200 days and drop to 47 days by 2029 (CA/Browser Forum), so renewal must be automated.
- The right routine is boring: a monthly 30-minute ritual plus platform-appropriate technical care. Boring upkeep beats expensive emergencies.
Does a website need ongoing maintenance? Yes, because it is software. It runs on a platform that ships updates, plugins that develop holes, certificates that expire, and services that change their rules. Leave all that alone for two years and the site does not stay the same. It quietly gets worse.
The good news is that the actual work is small and predictable. Most of what goes wrong on small business sites is not exotic; it is a short list of known failure points that nobody was watching. This article is the list, what neglect costs, and the realistic split between what you can do yourself and what is worth paying for.
Why does "set it and forget it" fail?
Because the ground under the site keeps moving. Your website depends on a stack of things you did not build: a CMS, plugins, a theme, a hosting environment, an SSL certificate, a form service. Every one of them changes on its own schedule, and the site inherits every change whether you are paying attention or not.
The scale of that churn surprises people. Patchstack catalogued 11,334 new vulnerabilities across the WordPress ecosystem in 2025 alone, up 42% from the year before, and 96% of them were in plugins rather than WordPress itself. A brochure printed in 2024 still says the same thing today. A website built in 2024 is running on parts with two years of known holes unless someone patched them.
What actually needs maintaining?
Six things. Not fifty. If these are handled, the site is healthy, and everything else a maintenance plan sells is polish:
The six-point upkeep list
Everything a small business site actually needs. Toggle between the job and what neglect looks like.
Notice what is not on the list: redesigns, new features, weekly blog posts. Maintenance is not growth work, it is keeping the machine you already paid for running. Confusing the two is how owners end up paying growth prices for oil changes.
Which failures cost leads silently?
The ones with no error message. A down site announces itself; these do not:
- The dead contact form. A plugin update or an email provider change breaks delivery, the form still says "thanks for your message," and every enquiry vanishes. We have seen forms that were quietly dead for months. The monthly self-test exists because of this one.
- The expired certificate. An SSL certificate (the thing behind the padlock) lapses and every browser greets visitors with a full-page security warning. Most people do not click through those; they click back.
- Stale information. Old hours, old pricing, a service you stopped offering. Each one costs a call or creates an awkward one.
- Speed creep. Every uncompressed photo and bolted-on widget adds weight. No single change hurts; two years of them do.
The pattern: the site keeps looking fine from your chair while behaving badly for customers. That is why the checks are scheduled instead of triggered, because nothing will trigger them. If your site health has already drifted, the spring-clean guide covers the recovery pass.
How bad is the security risk really?
Bad enough to plan for, and boring enough to plan away. The attacks on small business sites are almost all automated: bots scanning for known holes in outdated plugins, then injecting spam or malware into whatever they find. Sucuri's remediation data shows 39% of hacked CMS sites were running outdated software at the time of infection, and Patchstack found 43% of new vulnerabilities need no login at all to exploit. Nobody targeted you. A script found you.
The hole count keeps climbing
New vulnerabilities found in the WordPress ecosystem per year. Toggle to see where they live.
And the industry is quietly forcing the maintenance issue. SSL certificates used to last over a year; under the CA/Browser Forum's new schedule they now max out at 200 days, drop to 100 next year, and hit 47 days by 2029. Manual renewal stops being an option at that pace; your host either automates it or your padlock keeps expiring.
Certificates are expiring faster on purpose
Maximum SSL certificate lifetime under the CA/Browser Forum schedule. Toggle the unit.
When did someone last check your site?
Run the free RMCM audit. It reads your site's health signals in 30 seconds, including the basics a maintenance plan should be covering.
START WITH A FREE AUDITWhat is DIY and what is worth paying for?
Split it by who feels the problem first. You notice stale content before any developer will, so content is yours. A professional notices a vulnerable plugin before you will, so the technical layer is theirs, if your platform has one that needs watching.
| Job | Who | Cadence |
|---|---|---|
| Hours, pricing, photos, services | You | As the business changes |
| Contact form self-test | You | Monthly, takes one minute |
| Google Business Profile updates | You | Monthly, alongside the form test |
| CMS, plugin, and theme updates | Pro (or managed hosting) | Weekly to monthly |
| Backups and security monitoring | Pro (or managed hosting) | Automated, verified quarterly |
| Speed and health check | Either | Quarterly |
The honest caveat from our side of the fence: the size of the paid layer is a platform choice, not a law of nature. This is part of why RMCM builds static sites on modern hosting; there is no plugin stack to patch and the certificates renew themselves, so the chore list above shrinks to forms, content, and renewals. WordPress is not wrong, but its maintenance bill is part of its price tag, and you should see it before you choose, not after.
What is a realistic cadence and budget?
Thirty minutes a month from you, plus whatever the platform demands. The owner ritual: submit the contact form, click the phone number on your own mobile, skim the homepage for anything now untrue, and glance at the padlock. Twelve of those a year catch nearly every silent failure on the list.
On budget, ranges beat promises: care plans for small business sites typically land between $30 and $150 a month depending on platform and what is bundled, with plugin-heavy sites at the high end and static sites often needing no plan at all. Judge any plan by whether it names the six jobs above. "Unlimited updates" that never mentions backups, form tests, or renewals is a subscription, not maintenance. And every renewal it touches should live in accounts your business owns; who owns your website covers why that matters more than the plan itself.
Frequently asked questions
Does a website need ongoing maintenance?
How much does website maintenance cost?
What happens if I never update my website?
Do static or custom-coded websites need maintenance too?
Should I do website maintenance myself or pay someone?
Boring upkeep beats expensive emergencies
Every maintenance task on this page is dull, and that is its selling point. The alternative versions are exciting: the Saturday the site shows a malware warning, the month you realize the form was dead, the renewal notice that went to a designer who retired. Emergencies cost multiples of the upkeep that would have prevented them, and they always pick their own timing.
So put the boring version on the calendar this week: the 30-minute monthly ritual, auto-renew on the domain and certificate, and a straight answer about who patches what on your platform. If nobody has looked under the hood in a year, the free audit is the fast way to find out what state it is actually in, and if the honest answer is that the platform itself is the maintenance problem, that is a rebuild conversation, not a bigger care plan.