Most agency relationships end at launch. The site goes live, the invoice is paid, and you don't hear from anyone until something breaks — at which point you discover the firm has moved on, the developer who built your site has left, and a new quote is coming your way. This is the industry norm. It shouldn't be.
WordPress requires ongoing maintenance. Not because it's poorly built, but because it runs software — and software has updates, vulnerabilities, compatibility gaps, and performance drift. A WordPress site left unattended for 12 months accumulates risk that's invisible until it's expensive. This guide walks through what a proper care plan includes, what it should cost, and how to spot the plans that don't actually protect you.
A WordPress maintenance plan isn't a warranty on the original build — it's ongoing stewardship of a living piece of software. The site that launched last year isn't the same configuration as the site running today. Plugins update. WordPress updates. PHP versions change. Security vulnerabilities are discovered. Someone needs to be managing this, proactively, every month.
What's in this guide.
- Why WordPress needs ongoing maintenance (5 questions)
- What a care plan should actually include (5 questions)
- How to evaluate what you're being offered (5 questions)
- Red flags in maintenance contracts (5 questions)
- What maintenance costs and how it's priced (4 questions)
- What a real maintenance relationship looks like (4 questions)
01 Why WordPress needs ongoing maintenance.
1.1 What actually happens to a WordPress site with no maintenance?
In the first 90 days: not much visible. In 6–12 months: plugins fall behind current versions, compatibility issues emerge, some features stop working as expected. In 12–24 months: the WordPress version itself may be unsupported; plugins no longer receive security patches; the site's PHP version may be end-of-life on the hosting server. In 2–3 years: a site that launched on a well-configured server is now running outdated software, potentially flagged by security scanners, possibly blacklisted by Google for hosting malware. This timeline is not hypothetical — it's the pattern we see consistently in rescue projects.
1.2 How frequently are WordPress core and plugin updates released?
WordPress major versions release 2–3 times per year. Minor security releases ship as needed — sometimes weekly during active vulnerability periods. Plugins update independently, with active plugins often releasing multiple updates per month. A typical WordPress site with 15–20 plugins might have 30–50 available updates at any given time if left unmonitored for 60 days. Not every update needs immediate application — testing compatibility is part of a responsible update workflow — but leaving updates unapplied indefinitely is how vulnerabilities accumulate.
1.3 What are the real security risks of an outdated WordPress site?
The most common attack vectors on WordPress sites: outdated plugins with known CVE vulnerabilities (exploitable by automated bots that scan for specific version patterns), brute-force login attacks on the wp-admin endpoint, XML-RPC exploitation, and file injection through vulnerable form processors. Most successful WordPress compromises are automated — bots scanning for specific plugin versions with known vulnerabilities, not targeted human attacks. Keeping plugins updated closes the majority of these vectors. Adding login protection (2FA, login URL obscuring, rate limiting) closes most of the rest.
1.4 Can WordPress updates break a site?
Yes — which is why "apply all updates immediately without testing" is not a maintenance plan; it's a liability. A responsible update workflow uses a staging environment: apply updates to the staging copy of the site, test critical functionality (forms, checkout, booking flows, key pages), confirm nothing broke, then apply to the live site. This workflow takes more time than clicking "update all" — and it's the difference between maintenance and reckless clicking. Any care plan that doesn't mention staged testing is skipping the most important step.
1.5 What happens when a plugin is abandoned by its developer?
An abandoned plugin stops receiving security updates. The WordPress plugin directory marks plugins as not tested with current WordPress versions. At some point, the plugin becomes a liability — it may have known vulnerabilities with no patch forthcoming, or it may conflict with newer versions of PHP or WordPress core. A maintenance provider should monitor the plugin status of every active plugin and flag abandonments proactively — either finding a replacement plugin or recommending removal. This is a judgment call that requires someone actively watching, not just applying updates.
02 What a care plan should actually include.
2.1 What are the non-negotiable items in any care plan?
The absolute floor for a legitimate WordPress care plan: monthly WordPress core and plugin updates (tested on staging before live application), daily offsite backups with at least 30-day retention, uptime monitoring with alert response within 1 hour, SSL certificate monitoring (expiration alerts + renewal), and security scanning (automated malware detection, login protection). These five items are the minimum viable care plan. Below this floor, you're paying for the appearance of maintenance, not the substance of it.
2.2 What does "backup retention" actually mean and why does 30 days matter?
Backup retention is how long backup copies are kept before being overwritten. 30-day retention means you can restore to any point in the last 30 days — critical for discovering a compromise that happened two weeks ago and wasn't immediately visible. Seven-day retention only gives you a week of recovery window. Backups stored only on the same server as the site are also not real backups — a server failure or compromise that affects the site often affects the backup too. Offsite backups (Amazon S3, Dropbox, Backblaze) are the standard. Ask explicitly where backups are stored.
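As an added illustration (not the page's or any provider's own tooling), a POSIX shell sketch of the two checks behind "30-day retention" and "restorable": pruning local archives older than 30 days, and confirming an archive actually contains wp-config.php and a database dump before it is counted as a backup. The site-*.tar naming, the throwaway site tree and the 2020 timestamp are constructed for the demo; copying the surviving archives offsite (S3, Backblaze) is assumed to happen in a separate step.

```shell
#!/bin/sh
# Keep this many days of backups (the floor recommended above).
RETENTION_DAYS=30

# Delete archives older than RETENTION_DAYS in the given directory,
# then print how many archives remain.
prune_backups() {
    dir="$1"; days="${2:-$RETENTION_DAYS}"
    find "$dir" -maxdepth 1 -name 'site-*.tar' -mtime +"$days" -exec rm -f {} +
    find "$dir" -maxdepth 1 -name 'site-*.tar' | wc -l | tr -d ' '
}

# A backup is only worth keeping if it can be restored: it must be
# non-empty and contain wp-config.php plus a .sql database dump.
verify_backup() {
    archive="$1"
    [ -s "$archive" ] || { echo "empty or missing: $archive" >&2; return 1; }
    listing=$(tar -tf "$archive") || return 1
    printf '%s\n' "$listing" | grep -q 'wp-config\.php$' \
        || { echo "no wp-config.php in $archive" >&2; return 1; }
    printf '%s\n' "$listing" | grep -q '\.sql$' \
        || { echo "no database dump in $archive" >&2; return 1; }
    return 0
}

# Constructed demo: a tiny site tree and two archives, one back-dated
# to 2020 so the retention rule removes it. Prints the archives left.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/site/wp-content" "$work/backups"
    echo "<?php // constructed placeholder config" > "$work/site/wp-config.php"
    echo "-- constructed placeholder dump" > "$work/site/db.sql"
    (cd "$work" && tar -cf backups/site-new.tar site)
    (cd "$work" && tar -cf backups/site-old.tar site)
    touch -t 202001010000 "$work/backups/site-old.tar"
    verify_backup "$work/backups/site-new.tar" || return 1
    remaining=$(prune_backups "$work/backups")
    rm -rf "$work"
    echo "$remaining"
}

demo
```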
2.3 What is uptime monitoring and what response time is acceptable?
Uptime monitoring checks whether your site is responding at regular intervals — typically every 1–5 minutes — and alerts when it goes down. Tools like Uptime Robot, Better Uptime, or Pingdom provide this. The maintenance provider should have their own monitoring on all client sites, independent of what you run yourself. Alert response means: when the site goes down at 2am, someone on the maintenance team is notified and investigates. A care plan with "uptime monitoring" but no defined response time is monitoring for its own benefit, not yours. Ask what the SLA is for a downtime alert.
2.4 What about performance monitoring — is that part of maintenance?
It should be at the standard tier and above. A site that launches scoring 85 on mobile Lighthouse doesn't stay there indefinitely — new plugins add JavaScript, media accumulates, database bloat slows queries, hosting configurations drift. Quarterly performance checks — running PageSpeed Insights, checking Core Web Vitals in Google Search Console, reviewing database size — are part of keeping a site competitive. A maintenance provider who only checks "is it up" and "are plugins updated" is maintaining the site's existence, not its performance.
2.5 Should a care plan include content updates?
Standard plans typically don't include content updates — those are a separate billed service. Premium plans often include a set number of content update hours per month (30–60 minutes is common). Content updates mean: updating service descriptions, adding team photos, making copy changes, publishing blog posts. For businesses that generate frequent content changes, bundled update time is valuable. For businesses with stable content, it's a nice-to-have. What matters more is whether there's a fast, responsive way to request updates when you need them — and what the hourly rate is for work outside the included hours.
03 How to evaluate what you're being offered.
3.1 What questions should I ask a prospective care plan provider?
These five questions will surface more than most: (1) Where are backups stored, how frequently are they taken, and how long are they retained? (2) Do you test updates on a staging environment before applying to the live site? (3) What's your response time SLA when the site goes down? (4) Who specifically will be managing my account, and what happens if that person leaves your firm? (5) Can you show me an example of a monthly maintenance report? Firms that have clean answers to all five are running a real maintenance program. Vague answers to any of them signal a product that was packaged for sale, not built for reliability.
3.2 What should a monthly maintenance report include?
A legitimate monthly report documents: updates applied (which plugins, which versions), uptime percentage for the month, security scan results, backup verification (confirming backups completed and are restorable), and any issues found and addressed. The report should be specific — not "we updated your plugins" but "updated WooCommerce 8.4 to 8.5, Yoast SEO 21.2 to 21.4, Contact Form 7 5.7 to 5.8" — tested on staging before live. If you're receiving a monthly email that says "your site is healthy," you're receiving a marketing email, not a maintenance report.
3.3 How do I know if updates are actually being applied, not just claimed?
Request version history. Your WordPress admin (Dashboard > Updates or a plugin like Simple History) logs update activity with timestamps. A maintenance provider should be able to show you the log of what was updated when. You can also check specific plugin version numbers in your Plugins > Installed Plugins list against the current version on WordPress.org — if you're consistently several versions behind, updates aren't being applied. Proactive clients who ask for this log tend to get better service from marginal providers.
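Where WP-CLI is available, the same comparison can be scripted instead of read off the Plugins screen. This is an added example, not the page's or any provider's own code: it parses the CSV that `wp plugin list --fields=name,version,update_version,update,status --format=csv` prints and fails when more plugins are behind than a chosen limit, which also gives a concrete way to track the "30–50 pending updates" figure from 1.2. The CSV below is a constructed sample, not output captured from a real site.

```shell
#!/bin/sh
# Constructed sample in the shape WP-CLI produces for:
#   wp plugin list --fields=name,version,update_version,update,status --format=csv
SAMPLE_CSV='name,version,update_version,update,status
woocommerce,8.4.0,8.5.0,available,active
wordpress-seo,21.2,21.4,available,active
contact-form-7,5.8,5.8,none,active
akismet,5.3,5.3,none,inactive'

# Print one line per plugin with a newer version available:
#   name<TAB>installed<TAB>latest
# Assumes no commas inside fields, which holds for plugin slugs and versions.
list_outdated() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 && $4 == "available" {
        printf "%s\t%s\t%s\n", $1, $2, $3
    }'
}

# Number of plugins that are behind; 0 when everything is current.
count_outdated() {
    list_outdated "$1" | wc -l | tr -d ' '
}

# Fail (exit 1) when more than $2 plugins are behind. The limit is an
# assumed per-site threshold; 0 means "everything must be current".
check_updates() {
    csv="$1"; max="${2:-0}"
    n=$(count_outdated "$csv")
    if [ "$n" -gt "$max" ]; then
        echo "FAIL: $n plugin(s) have pending updates (limit $max):" >&2
        list_outdated "$csv" >&2
        return 1
    fi
    echo "OK: $n plugin(s) pending (limit $max)"
    return 0
}

# On a live site, feed the real listing instead of the sample:
#   check_updates "$(wp plugin list --fields=name,version,update_version,update,status --format=csv)" 0
check_updates "$SAMPLE_CSV" 5
```

Run it from a monthly cron job or a monitoring check and the exit status tells you whether the provider's "updates applied" claim matches what is installed.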
3.4 What's the difference between a hosting provider's maintenance and a care plan?
Hosting providers (WP Engine, Kinsta, Flywheel) typically handle server-level maintenance: PHP version management, server security, automatic WordPress core updates (sometimes), and daily backups. They don't handle plugin updates, theme testing, staging-based update workflows, or respond to site-specific issues with a real human. A care plan from a web agency handles the application layer — the plugins, theme, and site-specific configuration — that the hosting provider doesn't touch. You need both: a good managed host and a care plan that manages the WordPress application on top of it.
3.5 Should I use the firm that built my site for maintenance, or can I switch?
The firm that built your site has context advantages — they know the codebase, the plugins, the custom configurations. That context has real value when something breaks or needs modification. But you can switch maintenance providers if the original firm has disappeared, stopped communicating, or priced their care plan unreasonably. A responsible care plan handover includes documentation of the stack, plugin list with versions, custom configurations, and access credentials. If the original firm refuses to provide this, that's a different problem — and a signal about whether they ever planned to support you long-term.
Not sure if your site is being maintained properly?
We'll do a free maintenance audit — check your current plugin versions, backup status, security configuration, and uptime history. Takes 24 hours and tells you exactly where you stand.
Get a free website audit →
04 Red flags in maintenance contracts.
4.1 What are the most dangerous contract clauses in care plan agreements?
Ownership clauses are the most dangerous: language that grants the agency ownership of or control over your domain registration, hosting account, or website files. Some agencies register domains in their own account and host sites on their own servers by default — when you leave, they hold your domain hostage or demand handover fees. You should own your domain (registered in your own account at Namecheap, GoDaddy, or Cloudflare), your hosting account (or have direct access credentials), and your WordPress database. The agency manages these assets; they don't own them.
4.2 What does "automatic annual renewal" actually mean in practice?
It means the contract renews by default without action required from you — and some contracts have a defined cancellation window (typically 30–60 days before renewal) after which you're locked in for another year. This is a standard SaaS practice; it's less appropriate in an ongoing services relationship where the quality of service should justify renewal. Ask what the cancellation terms are before signing. A provider confident in their service offers monthly cancellation or a reasonable annual commitment with a clear out. A provider burying cancellation restrictions in the boilerplate is planning for the moment you want to leave.
4.3 What does vague scope language actually protect?
Vague scope language protects the provider, not the client. "We maintain your WordPress site" could mean weekly updates applied immediately without testing, or it could mean a monthly scan that checks if the site is live. Without defined scope — specific update frequency, backup specifications, response time SLAs, what's included in "support hours" — you have no basis for a conversation when the service doesn't meet expectations. A well-written care plan agreement defines everything: what tasks are performed, how frequently, with what methodology, and what the client receives as documentation. If you can't find those specifics in the contract, they don't exist.
4.4 What should I look for in the fine print about liability?
Two specific areas: liability for a compromised site and liability for data loss. Some contracts explicitly exclude the maintenance provider from any liability if the site is hacked or data is lost — even if it results from their negligence in not applying a known security update. This is worth reading carefully. You're hiring them specifically to prevent these outcomes. A completely liability-free contract on security issues is a provider saying: "We'll apply updates when we remember to, but if anything goes wrong, it's your problem." That's not a care plan; it's a billing relationship.
4.5 What are signs a care plan is designed for billing rather than service delivery?
Bundled plans with no customization options (every client gets the same plan regardless of site complexity). No monthly reports. Included "hours" that roll over but can't be redeemed for specific work, so they accumulate without ever being used. Communication only happens when you initiate it. The provider can't name the specific tools they use for backups, uptime monitoring, or security scanning. These aren't edge cases — they're the business model for care-plan revenue that's collected without care-plan work being delivered. The worst version: a client paying $150/month for three years for a plan that's essentially a billing line item with no associated work.
If your current agency owns your domain, controls your hosting login, and hasn't sent you a maintenance report in six months — you are not a client, you are a hostage. Request your domain registrar login, your hosting credentials, and a list of all plugin versions on your site. If they resist or charge you for this information, you have your answer about the relationship.
05 What maintenance costs and how it's priced.
5.1 What's a realistic price range for a WordPress care plan?
A legitimate care plan for a standard service business WordPress site runs: Basic ($100–$150/month) covers updates, backups, uptime monitoring, and a monthly report. Standard ($150–$250/month) adds performance monitoring, security hardening, priority support response, and 30 minutes of included update time. Premium ($250–$400/month) includes development hours for content changes, monthly SEO reporting, WooCommerce-specific maintenance, and faster SLA response. Plans priced below $75/month for a full-featured site are either automating everything without human review, or the scope is narrower than advertised. Plans priced above $500/month should come with development hours and dedicated account management.
5.2 What determines where on the range a site falls?
Site complexity is the primary driver. A 10-page static service site with 8 plugins is lower complexity than a 30-page site with WooCommerce, 5 WooCommerce extensions, a booking system, and a membership plugin. More plugins means more update testing. WooCommerce means testing the checkout flow after every update. Custom code means update compatibility requires developer judgment, not automated clicking. A transparent provider will assess your site before quoting a monthly rate — a provider quoting the same flat rate for every site regardless of complexity is applying the same (minimal) process to every client.
5.3 Is paying for maintenance on top of hosting double-paying?
No — they cover different layers. Hosting covers the server: hardware, network, PHP execution environment, and server-level security. A care plan covers the application: WordPress, plugins, theme, and site-specific configuration. Managed WordPress hosting (WP Engine, Kinsta) provides better infrastructure than shared hosting and sometimes handles WordPress core updates automatically — but it doesn't update your plugins, test updates for compatibility, respond to site-specific issues, or send you a monthly report. You need both layers. A good managed host ($50–$100/month) plus a real care plan ($150–$250/month) runs $200–$350/month total — the cost of keeping a business-critical digital asset running properly.
5.4 What does a "site hack" cost without maintenance in place?
Malware removal and site restoration after a successful compromise typically costs $300–$800 for a clean removal, plus any hosting cleanup fees, plus Google Search Console remediation (removing malware blacklist status), plus reputation damage if customers received phishing emails from your domain. If the site was used to send spam, email domain reputation may take months to recover. A successful hack can cost more in a single incident than 12 months of a care plan. The math on care plan value is straightforward once you've been through a site recovery — it changes the conversation from "is this worth paying for" to "why didn't we have this earlier."
06 What a real maintenance relationship looks like.
6.1 What communication should I expect from a care plan provider?
Monthly: a maintenance report. Proactively: a note when something requires your attention (a plugin is abandoned and needs replacement, a major WordPress update requires custom testing, a performance issue was found and resolved). Reactively: prompt response when you reach out with a question or notice something wrong. The standard of "you hear from us at least monthly, and you can reach us when something comes up" sounds simple. It's not universal. Many providers are invisible until invoice time. A provider who communicates proactively — not just when billing — is demonstrating that they're actually managing the site, not just billing for the concept of managing it.
6.2 What's a reasonable emergency response time?
For a critical failure — site down, checkout broken, form not sending — 1–2 hours during business hours, 4–8 hours outside business hours. This is the SLA range for a standard care plan. Premium plans offer faster response. Plans with no defined SLA offer no commitment. The service-business context matters: a med-spa whose online booking is down on a Saturday loses appointments in real time. An HVAC company whose site is down during a July heat wave in Tucson loses emergency service calls. Know your own business's tolerance for downtime before agreeing to an SLA that won't meet it.
6.3 What's the value of a long-term maintenance relationship beyond keeping the site running?
A provider who knows your site for 2–3 years accumulates context that's genuinely valuable: they know why certain configurations were made, where the custom code lives, which plugins are temperamental, and what your business's growth trajectory means for the site's technical needs. This context makes troubleshooting faster, changes safer, and proactive advice more relevant. It's the difference between a vendor you reset the relationship with every year and a partner who knows your digital infrastructure like their own. The value compounds over time. New providers start from zero; long-term providers know where everything is.
6.4 How should a care plan relationship handle major work — redesigns, new features, migrations?
Major work should be scoped and quoted separately from the care plan. The care plan covers ongoing stewardship; new features are development work with their own scope, timeline, and price. A good care plan relationship makes this transition smooth — the provider already knows the site, so scoping new work is faster and more accurate. The watch-out is a provider who uses the care plan as a funnel to charge for every small request at premium hourly rates. Minor content fixes, simple form updates, and small copy changes should be included in standard or premium plans. Anything requiring developer time beyond that should be clearly scoped and agreed before work starts.
Your site deserves someone watching.
We run care plans for Tucson service businesses — monthly updates with staging tests, offsite backups, uptime monitoring, and a real report every month. If you're between providers or just realized your current plan isn't doing what it should, let's talk.