WEB DESIGN

Website maintenance: what breaks, what it costs, why it matters

Your website was not "done" at launch. It is software, and software ages. Here is what actually needs maintaining, the silent failures that cost leads, and how to keep a site healthy without overpaying anyone.

Share
Key Takeaways
  • A website is software, not a printed brochure. The platform, plugins, and certificates under it keep changing after launch.
  • The threat is real and growing: 11,334 new WordPress-ecosystem vulnerabilities were found in 2025, and 96% live in plugins (Patchstack).
  • Neglect is a documented attack vector: 39% of hacked CMS sites were running outdated software at the time of infection (Sucuri).
  • The failures that cost leads are silent: a broken contact form, an expired SSL certificate, stale hours and pricing. Nobody emails you when they happen.
  • Maintenance is getting less optional: SSL certificates now max out at 200 days and drop to 47 days by 2029 (CA/Browser Forum), so renewal must be automated.
  • The right routine is boring: a monthly 30-minute ritual plus platform-appropriate technical care. Boring upkeep beats expensive emergencies.
11,334
new WordPress-ecosystem vulnerabilities found in 2025
96%
of WordPress vulnerabilities are in plugins, not core
39%
of hacked CMS sites ran outdated software at infection
47
days max SSL certificate lifetime by 2029, down from 398

Does a website need ongoing maintenance? Yes, because it is software. It runs on a platform that ships updates, plugins that develop holes, certificates that expire, and services that change their rules. Leave all that alone for two years and the site does not stay the same. It quietly gets worse.

The good news is that the actual work is small and predictable. Most of what goes wrong on small business sites is not exotic; it is a short list of known failure points that nobody was watching. This article is the list, what neglect costs, and the realistic split between what you can do yourself and what is worth paying for.

Why does "set it and forget it" fail?

Because the ground under the site keeps moving. Your website depends on a stack of things you did not build: a CMS, plugins, a theme, a hosting environment, an SSL certificate, a form service. Every one of them changes on its own schedule, and the site inherits every change whether you are paying attention or not.

The scale of that churn surprises people. Patchstack catalogued 11,334 new vulnerabilities across the WordPress ecosystem in 2025 alone, up 42% from the year before, and 96% of them were in plugins rather than WordPress itself. A brochure printed in 2024 still says the same thing today. A website built in 2024 is running on parts with two years of known holes unless someone patched them.

What actually needs maintaining?

Six things. Not fifty. If these are handled, the site is healthy, and everything else a maintenance plan sells is polish:

The six-point upkeep list

Everything a small business site actually needs. Toggle between the job and what neglect looks like.

Show:

Notice what is not on the list: redesigns, new features, weekly blog posts. Maintenance is not growth work, it is keeping the machine you already paid for running. Confusing the two is how owners end up paying growth prices for oil changes.

Which failures cost leads silently?

The ones with no error message. A down site announces itself; these do not:

  • The dead contact form. A plugin update or an email provider change breaks delivery, the form still says "thanks for your message," and every enquiry vanishes. We have seen forms that were quietly dead for months. The monthly self-test exists because of this one.
  • The expired certificate. An SSL certificate (the thing behind the padlock) lapses and every browser greets visitors with a full-page security warning. Most people do not click through those; they click back.
  • Stale information. Old hours, old pricing, a service you stopped offering. Each one costs a call or creates an awkward one.
  • Speed creep. Every uncompressed photo and bolted-on widget adds weight. No single change hurts; two years of them do.

The pattern: the site keeps looking fine from your chair while behaving badly for customers. That is why the checks are scheduled instead of triggered, because nothing will trigger them. If your site health has already drifted, the spring-clean guide covers the recovery pass.

How bad is the security risk really?

Bad enough to plan for, and boring enough to plan away. The attacks on small business sites are almost all automated: bots scanning for known holes in outdated plugins, then injecting spam or malware into whatever they find. Sucuri's remediation data shows 39% of hacked CMS sites were running outdated software at the time of infection, and Patchstack found 43% of new vulnerabilities need no login at all to exploit. Nobody targeted you. A script found you.

The hole count keeps climbing

New vulnerabilities found in the WordPress ecosystem per year. Toggle to see where they live.

View:

And the industry is quietly forcing the maintenance issue. SSL certificates used to last over a year; under the CA/Browser Forum's new schedule they now max out at 200 days, drop to 100 next year, and hit 47 days by 2029. Manual renewal stops being an option at that pace; your host either automates it or your padlock keeps expiring.

Certificates are expiring faster on purpose

Maximum SSL certificate lifetime under the CA/Browser Forum schedule. Toggle the unit.

Show:

When did someone last check your site?

Run the free RMCM audit. It reads your site's health signals in 30 seconds, including the basics a maintenance plan should be covering.

START WITH A FREE AUDIT

What is DIY and what is worth paying for?

Split it by who feels the problem first. You notice stale content before any developer will, so content is yours. A professional notices a vulnerable plugin before you will, so the technical layer is theirs, if your platform has one that needs watching.

JobWhoCadence
Hours, pricing, photos, servicesYouAs the business changes
Contact form self-testYouMonthly, takes one minute
Google Business Profile updatesYouMonthly, alongside the form test
CMS, plugin, and theme updatesPro (or managed hosting)Weekly to monthly
Backups and security monitoringPro (or managed hosting)Automated, verified quarterly
Speed and health checkEitherQuarterly

The honest caveat from our side of the fence: the size of the paid layer is a platform choice, not a law of nature. This is part of why RMCM builds static sites on modern hosting; there is no plugin stack to patch and the certificates renew themselves, so the chore list above shrinks to forms, content, and renewals. WordPress is not wrong, but its maintenance bill is part of its price tag, and you should see it before you choose, not after.

What is a realistic cadence and budget?

Thirty minutes a month from you, plus whatever the platform demands. The owner ritual: submit the contact form, click the phone number on your own mobile, skim the homepage for anything now untrue, and glance at the padlock. Twelve of those a year catch nearly every silent failure on the list.

On budget, ranges beat promises: care plans for small business sites typically land between $30 and $150 a month depending on platform and what is bundled, with plugin-heavy sites at the high end and static sites often needing no plan at all. Judge any plan by whether it names the six jobs above. "Unlimited updates" that never mentions backups, form tests, or renewals is a subscription, not maintenance. And every renewal it touches should live in accounts your business owns; who owns your website covers why that matters more than the plan itself.

Frequently asked questions

Does a website need ongoing maintenance?
Yes, because a website is software, not a printed brochure. The platform, plugins, certificates, and integrations it depends on all change underneath it. The core jobs: security updates, backups, testing the contact form, keeping the domain and SSL certificate renewed, watching speed, and keeping hours and pricing current. How much of that applies depends heavily on the platform; a plugin-heavy WordPress site has a longer chore list than a static custom-coded one.
How much does website maintenance cost?
For a typical small business site, care plans run roughly $30 to $150 a month depending on platform and what is included; DIY costs nothing but an hour or so a month plus the risk of missing something. The bigger lever is the platform itself: a plugin-heavy WordPress site needs weekly attention while a static site mostly needs form tests and content updates. Whatever you pay, it is small next to a hacked site, a dead form, or an emergency rebuild.
What happens if I never update my website?
It decays quietly, then fails loudly. Outdated software is a documented attack vector; Sucuri found 39% of hacked CMS sites were running outdated software at the time of infection. Before a hack, you get the quiet failures: a contact form that stops sending, an SSL certificate that expires and triggers a full-page browser warning, stale hours and pricing that cost trust, and speed that degrades until visitors stop waiting. None of these announce themselves; you find out from a customer, or you do not find out at all.
Do static or custom-coded websites need maintenance too?
Less, but not zero. A static site has no plugins to patch and modern hosts renew SSL certificates automatically, which removes most of the weekly chore list. What remains: keep the domain renewed in your own account, test the contact form monthly, keep content current, and check analytics still fire. This lighter load is a real argument for static builds for small business sites; the maintenance risk is mostly designed out.
Should I do website maintenance myself or pay someone?
Split it. Owners are the right people for the content jobs: updating hours and pricing, adding photos, and the monthly one-minute contact form test, since you will feel a stale page before anyone else. Pay a professional for the technical layer, updates, backups, security monitoring, and speed, if your platform needs weekly attention. If maintenance costs are becoming a reason to dread your own website, that is a platform problem worth fixing at the next rebuild.

Boring upkeep beats expensive emergencies

Every maintenance task on this page is dull, and that is its selling point. The alternative versions are exciting: the Saturday the site shows a malware warning, the month you realize the form was dead, the renewal notice that went to a designer who retired. Emergencies cost multiples of the upkeep that would have prevented them, and they always pick their own timing.

So put the boring version on the calendar this week: the 30-minute monthly ritual, auto-renew on the domain and certificate, and a straight answer about who patches what on your platform. If nobody has looked under the hood in a year, the free audit is the fast way to find out what state it is actually in, and if the honest answer is that the platform itself is the maintenance problem, that is a rebuild conversation, not a bigger care plan.