Most sites don't fail loudly. They fail quietly — a contact form that stopped emailing three weeks ago, an SSL cert that expired over the weekend, a plugin CVE published fourteen days before the exploit arrives. A good website maintenance company is the difference between catching those in an hourly check and finding out from a customer who couldn't check out. This is about what real maintenance covers, what care plan theater looks like, and how to tell them apart.

Why Unmaintained Sites Break Slowly, Not All at Once

A fresh website launch is the healthiest that site will ever be. Every week after launch, small gaps open: a plugin ships an update you don't install, a WordPress core patch closes a vulnerability yours still has, a third-party API changes its response format, a hosting provider migrates PHP versions. None of these take the site down on day one. They compound.

Sucuri's 2024 hacked website report found that 39% of infected WordPress sites had at least one outdated plugin at the point of compromise. Wordfence tracks around 4,500 new plugin and theme vulnerabilities per year. The median time from public disclosure to mass exploitation is roughly 14 days — which is exactly the window most "we'll update next month" plans leave wide open.

The Four-Layer Maintenance Stack

Real website maintenance isn't one checklist. It's four separate disciplines running on different clocks. A plan that collapses them into one monthly visit is missing three of them.

Layer 1: Security Patching

Core, plugins, themes, server packages, and TLS certificates. The rule we use: any critical CVE gets patched within 24 hours of disclosure, high-severity within 72, everything else on a weekly cadence. Patches run on a staging clone first, then production, then a 10-minute smoke test. No "auto-update everything and hope" — auto-updates break sites quietly too.
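The patch windows above can be checked mechanically against a patch log. The following is an added example, not the provider's own tooling: the log entries, component names and field names are constructed, and "weekly cadence" is modelled as seven days from disclosure.

```python
from datetime import datetime, timedelta

# Windows from the rule above; "weekly cadence" is modelled as 7 days (assumption).
SLA = {"critical": timedelta(hours=24), "high": timedelta(hours=72)}
DEFAULT_SLA = timedelta(days=7)

# Constructed patch log: component names, severities and timestamps are invented.
# "patched" is None while the fix is still outstanding.
PATCH_LOG = [
    {"component": "forms-plugin", "severity": "critical",
     "disclosed": "2024-05-01T09:00", "patched": "2024-05-01T20:30", "staged": True},
    {"component": "gallery-plugin", "severity": "critical",
     "disclosed": "2024-05-02T09:00", "patched": "2024-05-04T10:00", "staged": True},
    {"component": "cms-core", "severity": "high",
     "disclosed": "2024-05-03T12:00", "patched": "2024-05-05T08:00", "staged": False},
    {"component": "theme", "severity": "medium",
     "disclosed": "2024-05-06T00:00", "patched": None, "staged": False},
    {"component": "openssl-pkg", "severity": "high",
     "disclosed": "2024-05-06T00:00", "patched": None, "staged": False},
]

def audit_patch_log(log, now):
    """Return {component: [issues]}; an empty list means the entry is clean."""
    report = {}
    for entry in log:
        disclosed = datetime.fromisoformat(entry["disclosed"])
        deadline = disclosed + SLA.get(entry["severity"], DEFAULT_SLA)
        issues = []
        if entry["patched"] is None:
            # Unpatched is only a finding once the deadline has passed.
            if now > deadline:
                issues.append("overdue")
        else:
            if datetime.fromisoformat(entry["patched"]) > deadline:
                issues.append("sla_missed")
            # Patches are meant to go to a staging clone before production.
            if not entry["staged"]:
                issues.append("skipped_staging")
        report[entry["component"]] = issues
    return report

if __name__ == "__main__":
    for name, issues in audit_patch_log(PATCH_LOG, datetime(2024, 5, 10)).items():
        print(f"{name:15} {', '.join(issues) or 'ok'}")
```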

Layer 2: Verified Backups

A backup you haven't restored is a rumor. Daily offsite backups with 30-day retention are the baseline. The part most plans skip: a monthly restore drill to a staging environment to confirm the backup actually works. The 3-2-1 rule — three copies, two media types, one offsite — applies to database dumps and file archives separately.
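The backup checks above, written as an audit over a backup inventory. This is an added example, not part of the original article: the inventory is constructed, its field names are assumptions, each record counts as one copy, and "monthly" is taken as at most 31 days.

```python
from datetime import date, timedelta

TODAY = date(2024, 6, 30)  # fixed date so the constructed sample is reproducible

def build_sample():
    """Constructed inventory: one dict per stored copy (field names are assumptions)."""
    copies = []
    for back in range(30):
        day = TODAY - timedelta(days=back)
        for kind in ("db", "files"):
            if kind == "db" and back == 12:
                continue  # simulate one silently failed database backup
            copies.append({"kind": kind, "day": day, "medium": "local-disk", "offsite": False})
            copies.append({"kind": kind, "day": day, "medium": "object-storage", "offsite": True})
            if kind == "db":  # only the database gets a third copy in this sample
                copies.append({"kind": kind, "day": day, "medium": "nas", "offsite": False})
    return copies

def check_321(copies, kind, day):
    """3-2-1 for one artifact type on one day: 3 copies, 2 media types, 1 offsite."""
    mine = [c for c in copies if c["kind"] == kind and c["day"] == day]
    return (len(mine) >= 3
            and len({c["medium"] for c in mine}) >= 2
            and any(c["offsite"] for c in mine))

def retention_gaps(copies, kind, today, days=30):
    """Days inside the retention window that have no offsite copy of this type."""
    have = {c["day"] for c in copies if c["kind"] == kind and c["offsite"]}
    window = [today - timedelta(days=n) for n in range(days)]
    return [d for d in window if d not in have]

def drill_is_current(last_restore_ok, today, max_age_days=31):
    """True if the last verified restore drill is no older than about a month."""
    return last_restore_ok is not None and (today - last_restore_ok).days <= max_age_days

def audit(copies, last_restore_ok, today=TODAY):
    # Database dumps and file archives are judged separately, as the rule requires.
    report = {kind: {"3-2-1": check_321(copies, kind, today),
                     "gaps": retention_gaps(copies, kind, today)}
              for kind in ("db", "files")}
    report["restore_drill_current"] = drill_is_current(last_restore_ok, today)
    return report

if __name__ == "__main__":
    print(audit(build_sample(), last_restore_ok=date(2024, 5, 1)))
```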

Layer 3: Performance and Uptime Monitoring

Uptime checks every 60 seconds from multiple regions. Core Web Vitals tracked weekly against a fixed baseline so regressions surface before Google notices them. Database query logs reviewed monthly — plugin bloat and slow queries are the two most common causes of a site that "just feels slower" after a year.

Layer 4: Functional QA

The layer everyone forgets. Contact forms. Checkout flows. Newsletter signups. Search. Login. These break silently when a third-party service updates its API or an SMTP provider rotates keys. A real plan tests the critical user paths every week with real submissions, not just a "site loads" ping.

Key Takeaway

If your maintenance report shows uptime and nothing else, you have monitoring, not maintenance. Ask to see the last plugin patch log, the last restore test, and the last form submission test. If those don't exist, neither does the maintenance.

What Care Plan Theater Looks Like

A lot of monthly retainers bill $99 to $299 for what amounts to a dashboard screenshot. Here's how to spot one.

The Real Cost of Downtime and Drift

The Ponemon Institute puts average downtime cost at roughly $9,000 per minute for mid-market businesses, and IBM's 2024 breach report pegs the average cost of a web-facing breach at $4.88 million. Those are enterprise numbers. For a small business, the numbers are smaller but the proportional hit is brutal: a 48-hour outage on a site doing $40,000/month in online revenue costs about $2,600 in direct sales, plus whatever Google penalizes for the reliability dip.

The other cost is drift. A site untouched for two years doesn't just have security debt — it has design debt, accessibility debt, and Core Web Vitals debt. Rebuilding to catch up often costs more than two years of proper maintenance would have.

Drift also shows up in SEO. Google's algorithm treats stale technical signals as decay: a Largest Contentful Paint that drifted from 2.1 seconds at launch to 3.8 seconds after eighteen months of plugin bloat costs organic traffic even when nothing about the content changed. Same for schema markup that no longer validates after a Google spec update, or robots.txt rules pointing at URL patterns that changed when a plugin was swapped. None of this shows up on a "site is loading" uptime report.

The third hidden cost is lost institutional memory. A site neglected for two years loses the context of why things were configured a certain way. The developer who knew that one custom function in the theme is gone. The Stripe webhook documentation is in an email nobody can find. Regular maintenance preserves that context in commit logs and change records — emergency recovery does not.

The cheapest website maintenance plan is the one that exists. The most expensive one is the one that exists only on paper.

What to Ask Before Signing a Care Plan

  1. What's your SLA for critical security patches? Anything over 24 hours is a miss.
  2. Can I see a sample monthly report from a real client? Redacted is fine — the structure matters.
  3. How often do you test backup restores, and where's the log?
  4. What functional tests run weekly on my site? Ask for the specific list of paths.
  5. Is there a staging environment included, or is that extra?
  6. What's the response time for a production-down ticket outside business hours?
  7. What's the escalation path if a patch breaks something and the site needs a rollback at 2am?

If any answer is vague or the provider gets defensive, that's the answer.

Where a Serious Website Maintenance Company Earns Its Fee

A good website maintenance company is the quietest vendor you work with, because nothing is on fire. You'll see plugin update logs you don't need to read, backup verifications you don't need to check, and uptime numbers that stay flat. The value shows up the one week a critical CVE drops and your site was patched before you heard about it — or the Tuesday a form submission breaks and gets fixed before a single lead is lost. At Revenue Group, care plans include the four-layer stack, a real staging environment, weekly functional QA, and a patch log you can actually read. Maintenance is a discipline, not a dashboard.

Is Your Site Quietly Falling Behind?

Get a free maintenance audit — we'll check your patch status, backup integrity, Core Web Vitals, and the forms you haven't tested in six months.