Web Development

What Does Website Maintenance Actually Cost? (And What Happens If You Skip It)

You paid for a website. It's live. Job done? Not quite. Here's what ongoing maintenance actually involves, what it costs in the UK, and what goes wrong when you ignore it.

#Website Maintenance #Small Business #Web Development #Website Costs
What Does Website Maintenance Actually Cost? (And What Happens If You Skip It)

I get calls from people whose websites have been hacked, and the conversation almost always goes the same way. “It was fine for ages.” “I didn’t think I needed to do anything.” “My developer built it three years ago and I haven’t touched it since.”

A website isn’t a leaflet. You don’t print it and forget about it. It’s software, running on a server, connected to the internet, and things need updating. When they don’t get updated, things break. Or worse, they get broken for you by someone in another country who found your outdated WordPress plugin.

I’ve written about how much it costs to build a website. This is about what happens after that. The ongoing costs that nobody mentions until something goes wrong.

What “website maintenance” actually means

When developers talk about maintenance, they mean a few different things. Some of them are essential. Some are nice to have. Some are a waste of money for a small business site.

Security updates. This is the non-negotiable one. Your website runs on software, and that software has vulnerabilities that get discovered over time. WordPress releases security patches regularly. Plugins get updated. Server software gets patched. If you’re not applying these updates, you’re leaving the front door unlocked.

Backups. If your site goes down or gets hacked, you need a recent copy to restore from. Ideally automated, ideally stored somewhere separate from your hosting. Some hosting providers include backups. Many don’t, or they only keep them for a few days.

Uptime monitoring. Knowing when your site goes down. You’d be surprised how many small business websites go offline for hours or days without the owner noticing. If a customer visits and the site is down, they don’t come back. They go to the next result on Google.

Content updates. Changing a phone number, adding a new service, updating prices, swapping out photos. The stuff that keeps your site accurate. Some businesses handle this themselves. Others want their developer to do it.

Performance checks. Websites slow down over time. Images get added without being optimised. Plugins accumulate. Third-party scripts pile up. A site that loaded in two seconds when it launched might take five seconds a year later. And as I wrote in my guide to fixing slow websites, those extra seconds cost you visitors.

SSL certificate renewal. Your site needs HTTPS. The certificate that enables it needs renewing, usually annually. Most modern hosting handles this automatically through Let’s Encrypt, but older setups sometimes don’t, and an expired SSL certificate means browsers will warn visitors your site isn’t safe. That kills trust instantly.

What it costs in the UK

Maintenance pricing varies a lot depending on who you’re paying and what’s included. Here’s what I see in the market:

DIY (£0 to £50/year). If your site is built on a modern static framework and hosted on something like Cloudflare Pages or Netlify, the hosting is free and there’s very little to maintain. You’ll pay for your domain name (around £10 to £15/year) and maybe a privacy-friendly analytics tool (£5 to £9/month). That’s it. The site doesn’t have a database to hack, plugins to update, or a CMS that needs patching.

Basic managed plan (£30 to £100/month). This is the typical range for a freelancer or small agency looking after a WordPress site or similar CMS. Usually includes security updates, backups, uptime monitoring, and a set number of content updates per month (often 30 minutes to an hour). This is what most small businesses need.

Agency-level support (£200 to £500/month). Bigger agencies charge more and usually include priority support, regular performance audits, SEO monitoring, and more content update time. Worth it for businesses that rely heavily on their website for leads or e-commerce, but overkill for a five-page brochure site.

Emergency fixes (£50 to £150/hour). If you don’t have a maintenance plan and something breaks, you’ll pay for ad-hoc fixes. Developers charge more for emergency work because it means dropping other projects. A hacked WordPress site typically costs £300 to £800 to clean up properly, plus the time your site is offline while it’s being fixed.

For context, I offer a plan at £69/month that covers hosting, maintenance, security, backups, and content updates. It’s designed for small business sites that need looking after but don’t need an enterprise support contract.

What happens when you skip maintenance

This isn’t hypothetical. I’ve cleaned up enough neglected sites to know exactly how it plays out.

The security scenario. A WordPress plugin hasn’t been updated in eighteen months. A vulnerability is discovered and published. Automated bots scan the internet for sites running that plugin version. Your site gets compromised. Sometimes it’s obvious: the homepage gets replaced with spam, or visitors get redirected to a dodgy pharmaceutical site. Sometimes it’s subtle: malware gets injected into your pages and starts infecting your visitors’ browsers. Google detects it, flags your site as dangerous, and your search rankings vanish overnight.

Getting the site back involves cleaning the infection (which sometimes means rebuilding from scratch if there’s no backup), patching the vulnerability, requesting a Google review to remove the “dangerous site” warning, and waiting weeks for your rankings to recover. I’ve seen businesses lose months of enquiries over something that a £30/month maintenance plan would have prevented.

The slow decay scenario. Nothing dramatic happens. The site just quietly gets worse. Pages load slower each year. The design starts looking dated compared to competitors. The contact form stops working because a third-party service changed its API. The SSL certificate expires and nobody notices until a customer mentions they got a security warning.

No single event is a crisis. But after two or three years of neglect, the site is doing more harm than good. It’s turning people away rather than bringing them in. And at that point, the fix isn’t maintenance. It’s a rebuild. Which costs a lot more than keeping things running would have.

The compliance scenario. Laws change. Cookie rules change (I’ve just written about the 2026 cookie updates). GDPR requirements evolve. Accessibility standards tighten. A website that was compliant when it launched might not be compliant two years later, and nobody told you because nobody was checking.

What you can handle yourself

Not everything needs a developer. If you’re comfortable with the basics, here’s what you can do yourself:

Content updates on WordPress or similar CMS platforms are designed to be done by non-developers. Changing text, adding images, publishing blog posts. If your developer built the site properly, there should be a straightforward editing interface.

Checking your site loads properly takes ten seconds. Open it on your phone. Does it look right? Does it load fast? Do the links work? Do this once a month. You’ll catch problems before your customers do.

Running a free speed test at PageSpeed Insights or GTmetrix will tell you if your site has performance issues. You might not be able to fix them yourself, but you’ll know they exist.

Backing up your content is something you should do even if you have a maintenance plan. Export your posts and pages periodically. Download a copy of your media files. If the worst happens, you want your own copy.

What needs a professional

Security updates and patches. Unless you genuinely know what you’re doing, don’t apply WordPress core updates, plugin updates, or server-level patches without understanding what they change. I’ve seen well-meaning site owners break their own sites by clicking “Update All” on a bunch of outdated plugins at once. Updates should be done one at a time with a backup taken first.

Fixing broken functionality. If a form stops working, a page won’t load, or something looks wrong on mobile, that’s a developer job. Poking around in code you don’t understand usually makes things worse.

Performance optimisation. Getting a slow site fast again often involves image compression, code cleanup, caching configuration, and sometimes restructuring how third-party scripts load. It’s technical work.

Security incident response. If your site gets hacked, don’t try to fix it yourself. You need someone who can identify what was compromised, clean it thoroughly, and close the vulnerability. A half-cleaned hack will get reinfected.

How to evaluate a maintenance plan

If you’re shopping around for website maintenance, here’s what to look for:

What’s actually included? “Maintenance” means different things to different providers. Get a specific list. Does it include security updates? Backups? Uptime monitoring? Content changes? How many hours of content changes per month?

Where are the backups stored? If the backups are on the same server as your website, they’re useless in a server failure. Backups should be stored separately.

What’s the response time? If your site goes down at 9am on a Monday, how quickly will someone look at it? Same day? Same hour? Next week? This matters more than most people realise.

What’s the cancellation policy? Avoid long lock-in contracts. If a provider won’t let you leave without six months’ notice, that’s a red flag.

Do you own your site? This is the big one. Some maintenance plans come bundled with hosting in a way that means if you stop paying, you lose access to your website. Make sure you own your domain, your content, and your code regardless of whether you’re paying for maintenance.

What I’d do

If I were running a small business and wanted to keep costs down, I’d want a site built on a modern framework that doesn’t need much maintenance in the first place. Static sites built with tools like Astro or Next.js, hosted on platforms like Cloudflare Pages, have a much smaller attack surface than WordPress. There’s no database to compromise, no plugins to patch, no admin panel to brute-force.

The trade-off is that content updates usually need a developer rather than a CMS interface. But if you’re only updating your site a few times a year, that’s a better deal than paying to maintain infrastructure you don’t need.

For WordPress sites or anything with a CMS and database, a basic maintenance plan is worth having. The cost of prevention is always less than the cost of cleanup.


Want to know what your site actually needs in terms of ongoing maintenance? Drop me a message and I’ll give you an honest assessment. If the answer is “not much,” I’ll tell you that too.

9 min read