Website maintenance - what you actually get and what it should cost

Check your website in 60 seconds
Log into your WordPress dashboard (or call whoever maintains it for you). Open Updates. Check:
- When was WordPress core last updated? If you see a version older than 6 months, you have a problem.
- How many plugins are waiting for updates? If more than 5, you have a problem.
- When was the last backup? If you don't know or it's older than a week, you have a problem.
- When was the last infection, suspicious login, or 500 error? If you don't check, you have a problem.
Any one of these on its own may be an honest oversight. Four out of four means your website is one step away from failure. The question isn't "if", it's "when".
What is maintenance - 4 minimum elements
Website maintenance is regular, planned work that keeps the site usable. Not the same as "I'll call when something breaks". It's proactive, not reactive.
Four minimum elements:
- Updates - WordPress core, plugins, theme, PHP. At least once a month, ideally weekly.
- Backups - automatic, daily, stored off the server (on infrastructure separate from the hosting itself). Restore tested, not just saved.
- Monitoring - uptime (is the site running), security (any suspicious changes), performance (Core Web Vitals). Alert when something goes wrong.
- Hardening - blocking common attack vectors: login limits, XML-RPC disabled, hidden WP version, application-level firewall.
This is the absolute minimum. Anything below this isn't maintenance, it's a parody of maintenance.
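A quick way to see whether the hardening items above are visible from outside, as an added example that is not the author's own tooling: it scans one page of a site you maintain for the WordPress version tag, the XML-RPC discovery link and the PHP version header. The sample response is constructed, and the finding names are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

class HeadScan(HTMLParser):
    """Collects tags in which WordPress advertises its version or XML-RPC."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            m = re.match(r"WordPress\s+([\d.]+)", a.get("content", ""))
            if m:
                self.findings.append(("generator-version", m.group(1)))
        elif tag == "link" and a.get("rel", "").lower() == "edituri":
            # The RSD link points clients at xmlrpc.php. Its absence does not
            # prove XML-RPC is disabled; the endpoint must be blocked as well.
            if "xmlrpc.php" in a.get("href", ""):
                self.findings.append(("xmlrpc-advertised", a["href"]))

def audit_page(html, headers):
    """Return (finding, detail) pairs for one page of a site you maintain."""
    scan = HeadScan()
    scan.feed(html)
    findings = list(scan.findings)
    powered = {k.lower(): v for k, v in headers.items()}.get("x-powered-by", "")
    m = re.match(r"PHP/(\d+)\.(\d+)", powered)
    if m:
        version = (int(m.group(1)), int(m.group(2)))
        findings.append(("php-version-header", "%d.%d" % version))
        if version < (8, 2):  # the article's floor for supported PHP
            findings.append(("php-below-8.2", "%d.%d" % version))
    return findings

# Constructed sample response, not captured from a real site.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.1.1" />
<link rel="EditURI" type="application/rsd+xml" href="https://example.test/xmlrpc.php?rsd" />
</head><body></body></html>"""
SAMPLE_HEADERS = {"X-Powered-By": "PHP/7.4.33", "Server": "nginx"}
```

An empty result only means the version is no longer advertised; hiding it does not replace the updates listed first.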
Why most companies don't do this
Because they don't know they need it, until they get the first big failure.
Statistics worth knowing:
"53% of successful WordPress infections result from outdated plugins."
Source: Wordfence Annual Threat Report 2024
"96.55% of websites receive no traffic from Google."
Source: Ahrefs Content Study 2024
"Only 22% of SMBs are satisfied with the conversion of their website."
Source: Pipeline Velocity SMB Report 2024
These data points fit one pattern. A website built once and left alone starts working against the owner. An old PHP version slows page load. Outdated plugins open the door to attackers. The lack of backups means a failure is the end, not a problem to solve.
And yet people don't invest in maintenance, because they only see the monthly cost: 200-700 PLN. They don't see the other side of the ledger, the cost of the failure they didn't have.
The cost of one ransomware infection on WordPress: 1500-5000 PLN (cleanup) plus 1-7 days of site downtime. The cost of losing Google rankings after an outage: three months of organic traffic decline, sometimes three years. The cost of a site that loads in 5 seconds instead of 1.5: 53% of mobile visitors leaving before the page even loads.
The annual cost of Pro maintenance is 4 800 PLN. The cost of one outage without maintenance is often higher, plus stress, plus loss of customer trust.
My own perspective
I run continuous maintenance for over 80 client websites, most of which have been under my care for 3-5 years or longer. The statistic I know best: in the last 12 months I had zero successful infections in my portfolio. One DDoS attack repelled without traffic loss. One serious database problem after a hosting outage, resolved in 3 hours thanks to a backup from 6 hours earlier.
These numbers don't come from magic. They result from three things:
- Updates done before the attack, not after. When a CVE drops on Thursday, the patch goes live in my portfolio on Friday morning, before the bots start scanning the internet on Saturday.
- Backups tested, not just saved. Once a month I do a restore test of a randomly chosen client on a staging environment. If the backup doesn't restore, it isn't a backup.
- Hardening above the standard. Every website has blocks on common attack vectors, file change monitoring, and an alert on suspicious activity.
I bring this up because maintenance isn't magic. It's the discipline of repeating the same boring things regularly and predictably. Most providers don't do this, because it's not glamorous. And yet that's exactly the work that keeps a website alive.
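A pre-check that can run before the monthly staging restore, as an added example that is not the author's own script: it rejects a backup that is older than a week, cannot be read end to end, or lacks the files a WordPress restore needs. The `.tar.gz` layout, the plain `.sql` dump and the problem names are assumptions made for this example.

```python
import io
import os
import tarfile
import time
import zlib

MAX_AGE_DAYS = 7  # the article's limit: older than a week is a problem

def check_backup(path, now=None):
    """Return the problems found in a .tar.gz site backup; [] means it passed."""
    now = time.time() if now is None else now
    problems, names, has_dump = [], [], False
    if (now - os.path.getmtime(path)) / 86400 > MAX_AGE_DAYS:
        problems.append("stale")
    try:
        with tarfile.open(path, "r:gz") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                names.append(member.name)
                stream = tar.extractfile(member)
                head = stream.read(1 << 20)
                # Assumption: the dump is a plain .sql file (mysqldump style).
                if member.name.endswith(".sql") and b"CREATE TABLE" in head:
                    has_dump = True
                while stream.read(1 << 20):
                    pass  # drain the member so a damaged stream fails now
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        return problems + ["unreadable"]
    if not any(n.endswith("wp-config.php") for n in names):
        problems.append("no-wp-config")
    if not any("wp-content/" in n for n in names):
        problems.append("no-wp-content")
    if not has_dump:
        problems.append("no-database-dump")
    return problems

def make_constructed_backup(path, entries):
    """Write a tiny constructed archive so the check can run offline."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
```

A passing archive is only a candidate; the restore on staging is still the test that counts.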
5 red flags - check yours
If even one of the following is "yes", you have something to work on.
1. You don't know when core was last updated. Open Updates in the dashboard. If you see a version older than 6 months, you're a real target.
2. No backup schedule. "I have a hosting backup" is not a backup. A real backup must be daily, automatic, stored off the server, and tested for restore.
3. PHP version 7.x or lower. Current, supported versions are 8.2 and 8.3. Anything below means no security patches from the vendor. Check in your hosting panel or ask your developer.
4. No SSL on every page. Type your domain into a browser. If you see a "Not secure" warning or the padlock is missing, you have a critical trust and SEO problem.
5. No monitoring. How do you know the site is working right now? How does it tell you when it's down? If the answer is "the customer told me", monitoring doesn't exist.
Four out of five = a standard small business website. Five out of five = a case to resolve this month.
What should be in the package - 4 levels
Pricing is always individual, but these are the typical levels I offer in 2026.
Basic - 199 PLN/month
The minimum that makes sense. For a small business card site, blog, simple portfolio.
- Core, plugin, theme updates once a month
- Daily backups (stored off the hosting, 30-day retention)
- Uptime monitoring with email alerts
- SSL renewal and monitoring
- Quarterly report of completed work
Pro - 399 PLN/month
For a business website that generates inquiries, an online store, a website critical to the business.
- Everything in Basic, plus:
- Weekly updates (instead of monthly)
- WordPress hardening (blocks, firewall, hidden version)
- Security monitoring with alerts on suspicious changes
- Infection cleanup included (should it happen)
- Monthly report
- Ticket priority (24h response time)
All-In - 699 PLN/month
Full maintenance for clients who treat the website as a sales channel.
- Everything in Pro, plus:
- Small content edits (up to 1h/month)
- Growth consultations (quarterly, 30 minutes)
- Proactive suggestions (what to improve, what to remove, where to shorten the conversion path)
- Core Web Vitals monitoring with monthly reports
- 4h response SLA during business hours
Enterprise - from 1 200 PLN/month
For clients with high traffic, stores with integrated inventory, public sector portals, websites with compliance requirements (WCAG, GDPR, EAA).
- Everything in All-In, plus dedicated SLA, dedicated support, quarterly audits, integrations on request.
Each level is concrete, not a bundle of abstract promises. The client knows what they get for their money, and can move up or down at any time.
How to choose a good maintenance provider
Seven questions worth asking anyone before you sign:
- How many websites do you currently maintain? A good provider answers with a specific number. If they say "a dozen or so" or "I have experience", that's a red flag.
- Where do you store my backups? "On the hosting" is a red flag. Backups must be off the website's infrastructure (S3, Backblaze, Wasabi, your own server in a different DC).
- What happens when my website gets hacked? A good provider has a process. They say: "Cleanup included, restore from backup, post-incident report within 24 hours".
- Who has access to my website, whom do I see in the admin panel? It should be your login, theirs, end of list. No shared accounts.
- Will I get a monthly report? And will I get one even when "nothing happened". No report means no transparency.
- What if I want to cancel? They should hand over documentation, access and passwords, without resistance or delay. "Keys in the client's hand" is the foundation of trust (more in the article Hostage website).
- Do we sign a written contract? Always yes. With a specific scope of work, price, response times and termination terms.
If anyone avoids any of these questions or gives vague answers, walk away. A good provider knows their numbers by heart and speaks concretely.
What to do now
If you have a website and you don't know whether it's under maintenance, start with the checklist at the top of this article. Sixty seconds.
If the checklist result is concerning or you're looking for a second opinion, book a free 30-minute consultation. I'll show you exactly what needs attention and which level of maintenance fits your scale. If you'd rather first see the concrete packages and pricing, visit the Maintenance page.
The most common reaction I get from clients after six months of maintenance: "I don't remember the last time I had to think about it". That's the goal.
Przemek Drożniak
Web Developer & Designer
For more than 10 years I have been building websites for businesses and institutions. 80+ projects, 60+ 5-star reviews on Google. I focus on quality and an individual approach to every project.
I build websites that serve for years.