Your website launched, everyone celebrated, and the invoice was paid. A
year later, the contact form has been silently failing for six weeks, the
donation plugin is four versions behind, and nobody knows when the last
backup ran — or whether it can be restored.
Nobody did anything wrong. That’s the uncomfortable part: this is simply
what happens to WordPress sites that nobody is paid to watch.
The drift is structural, not bad luck
WordPress powers over 40% of the web, which makes it the most attacked
platform on the internet — not because it’s weak, but because it’s everywhere.
The ecosystem responds with a constant stream of updates: core releases,
plugin patches, theme fixes, PHP versions. Each one exists because something
was broken or breakable.
An unmaintained site doesn’t stay where you left it. It moves backward
relative to the threats and standards around it — like a boat that isn’t
anchored, drifting whether or not anyone is aboard.
The three failure modes
- Break-ins. Most compromised WordPress sites are hacked
through known, already-patched vulnerabilities — the digital equivalent of a
lock the manufacturer recalled months earlier. Cleanup costs routinely run
into four figures, and that’s before counting the blocklisting, the spam
pages in your search results, and the donor who saw the warning screen. - Breakage. Plugins update against new WordPress versions;
old ones quietly conflict. The classic outcome isn’t a crashed site — it’s a
form that stops sending, discovered weeks later by counting the silence. - Decay. Databases bloat, images pile up, speed erodes a
little each month. Nobody notices day to day; visitors notice immediately.
(We’ve written about what
that slowness costs.)
The math
Put numbers to it. A care plan at $99/month is $1,188 a year. Against that:
- One emergency cleanup after a hack: commonly $500–$2,500,
plus days of downtime. - One failed-form month for a site that generates five leads: whatever five
leads are worth to you, times the months until discovery. - One lost site with no restorable backup: the cost of rebuilding
everything.
The plan doesn’t have to prevent much to pay for itself — and unlike the
emergency, it’s a number you can budget. Organizations that run on trust have
an extra line in this ledger: the hacked church site and the broken donation
form don’t just cost money, they spend credibility you can’t buy back quickly.
What a real care plan includes
“Maintenance included” can mean anything, so here’s the checklist worth
holding any provider to — including us:
- Updates staged and smoke-tested, not blindly auto-applied.
- Daily offsite backups — and proof they restore, tested quarterly.
- Uptime monitoring and security scanning, with a human reading the results.
- Forms actually submit-tested monthly — the most common silent failure.
- A monthly report in plain English showing the work done.
- No hostage infrastructure: hosting and domain stay in your name.
That last line matters most. A care plan should make you safer, not more
dependent. It’s how we structure
our care plans — cancel
with 30 days’ notice, because the work should earn the renewal, not the contract.
Not sure what state your site is actually in? Get a
free 5-minute video review —
we’ll tell you what we see, including the maintenance red flags.