WordPress maintenance is one of those services where the gap between what’s marketed and what actually matters is enormous. Some agencies sell “monthly maintenance” packages for $300/month and do almost nothing. Others charge similar amounts and do real work. Here’s what should actually be in a maintenance plan.
What’s mandatory
These items aren’t optional. If your site doesn’t have them in place, you’re one bad day from a problem.
WordPress core, theme, and plugin updates. Run weekly, ideally with a one-day delay so any catastrophic plugin update gets caught by other people first. Updates fix security vulnerabilities — running outdated WordPress is the most common reason WordPress sites get compromised.
Daily backups. Off-site (not on the same server as your website). Tested at least quarterly by actually restoring from one. Most “we have backups” claims fall apart the day someone tries to use them.
Security monitoring. Wordfence, Sucuri, or Patchstack scanning for malware and unauthorised changes. A compromised WordPress site can hit Google’s blacklist within hours of compromise — speed of detection matters.
SSL certificate management. Auto-renewal where possible. The day your SSL expires, every visitor sees a “Not Secure” warning and your traffic collapses.
What’s strongly recommended
Performance monitoring. Watch for Core Web Vitals regressions and slow page loads. New plugins, image-heavy posts, or themed updates can quietly degrade performance.
Uptime monitoring. Free tools like UptimeRobot ping your site every 5 minutes and alert you when it goes down. Sounds basic, and it is, and most sites without it find out about outages from customer complaints.
Database optimisation. Monthly. Removes spam, transients, and old revisions that slowly bloat WordPress. A clean database is a fast database.
Broken-link checks. Monthly automatic scan. External sites change URLs constantly — links rot. Our free broken link checker handles this on demand.
What’s marketed but rarely matters
Some maintenance items get heavy marketing weight despite being mostly busywork:
- “Spam comment cleanup.” Akismet handles this automatically and free. If your maintenance plan is charging for this, they’re padding.
- “Theme customisation included.” A vague promise that means almost nothing in practice. Real customisation is scoped work, not a maintenance line item.
- “Monthly performance reports.” A PDF summary nobody reads. Useful if it surfaces actionable issues, useless if it just reports the same metrics every month.
- “24/7 support.” What does this actually cover? Read carefully — usually it means they’ll respond within 24 hours during business days, not that someone is on call.
Three options for handling maintenance
You have three realistic approaches.
DIY. Set up automated updates, off-site backups, security plugin, uptime monitoring. Spend 30 minutes a month checking everything is working. Cost: $0–$25/month for the tools. Right for technically comfortable owners with simple sites.
Managed hosting. Kinsta, WP Engine, Pressable. Hosting that includes most maintenance tasks. Cost: $30–$200/month. Right for businesses that want one bill and one phone number for hosting and basic maintenance.
Maintenance plan with a developer. Real human handles updates, monitors performance, and fixes things when they break. Cost: $80–$500/month depending on site complexity. Right for businesses where the website matters enough that downtime costs money.
The contract test
If you’re evaluating a maintenance plan, ask the vendor to write down exactly what’s included and what isn’t, with response-time commitments. Anything they won’t put in writing isn’t really being delivered.
Honest plans look like this: weekly updates with a 24-hour delay, daily off-site backups retained 30 days, security scanning daily, uptime monitoring with email alerts within 5 minutes, monthly database optimisation, response within 4 business hours for issues, included development time of N hours per month for small fixes.
That kind of plan, run honestly, is worth $150–$300/month for most B2B service businesses. Pay less, get less. Pay more, you should be getting genuine development capacity included.
For broader context on what running a WordPress site well looks like, our build comparison covers the upfront decisions, and our WordPress service includes a 90-day maintenance window with every build.
