Most WordPress sites do not fail dramatically. There is no single moment of collapse. Instead, there is a slow accumulation of unpatched plugins, an outdated PHP version nobody noticed, and a backup that has not been tested since the site launched. By the time something goes wrong, every available option is expensive. Calling in a developer at emergency rates, recovering data, or rebuilding from a backup that turns out to be incomplete will always cost more than a year of preventive maintenance.

A WordPress maintenance contract is supposed to prevent exactly that sequence. This guide explains what a proper one covers, what the better providers add beyond the baseline, what is typically excluded, and how to evaluate a provider before you sign.

At a glance

  • A proper WordPress maintenance contract covers core, plugin, and theme updates, daily off-site backups with tested restoration, uptime monitoring, security scanning, and a defined support Service Level Agreement (SLA)
  • Most contracts do not cover new features, third-party plugin license fees, malware removal, content changes, or after-hours incidents unless specified
  • The most reliable signal of a quality provider is their answer to two questions: do they test updates on a staging environment, and when did they last test a backup restoration

Why WordPress maintenance is not optional

According to WordPress.org, WordPress powers over 43 percent of all sites across the web. That dominance makes it the CMS most targeted by attackers. Most of the exposure comes not from WordPress core, which has a dedicated security team and applies minor security releases automatically by default, but from the plugin and theme ecosystem around it. Vulnerabilities in that ecosystem are disclosed regularly, and because exploitation is automated, the window between a public disclosure and mass scanning for vulnerable sites can be measured in hours. Most site owners take days or weeks to apply updates, and that gap is where breaches happen.

A compromised site is typically flagged by Google's Safe Browsing system within hours to days. Recovery from a Google Safe Browsing flag takes days, sometimes weeks. Downtime during a breach costs revenue if your site generates leads or sells online. Data exposure carries legal liability, particularly for sites collecting personal information under GDPR or equivalent privacy frameworks. And recovering a hacked WordPress site from scratch costs far more than a year of maintenance fees. Neglected WordPress installations are the norm, not the exception.

What a proper WordPress maintenance contract covers

A proper WordPress maintenance contract covers core, plugin, and theme updates applied on a defined schedule, daily off-site backups with tested restoration, uptime monitoring with an alert protocol, malware and integrity scanning, performance monitoring, and a defined support response SLA. Providers vary significantly in scope. Always verify the specific items in writing before signing.

Here is what each element should include in practice:

Core, plugin, and theme updates. WordPress core, all installed plugins, and the active theme should be updated on a defined schedule, at minimum monthly, and immediately for critical security releases. Updates should be applied in a staging environment and tested before going to production. The contract should also state whether WordPress core's automatic minor-version security updates stay enabled, and what happens to inactive plugins and themes: their files remain on the server and reachable by the web server, so a deactivated plugin with a known vulnerability is still an exposure until it is removed.

Automated daily backups with verified restoration. A backup that has never been tested is not a backup. It is an assumption. Backups should run daily, be stored off-site (not on the same hosting server, and not under a credential the web server itself holds, otherwise an attacker who controls the site can also delete or read the backups), and be tested for successful restoration at least quarterly. A backup contains the entire database, including password hashes and any customer data, so the storage location needs the same access control as the site itself.

Uptime monitoring. The contract should specify a monitoring interval (every one to five minutes is standard) and define a response protocol for when the site goes down.

Security scanning. Regular malware and integrity scanning detects injected code, file changes, and known indicators of compromise before they escalate. Integrity scanning means comparing core, plugin, and theme files against known-good checksums (WordPress.org publishes them for core releases and for plugins in its directory) and flagging anything added, removed, or changed, in particular PHP files appearing under wp-content/uploads. A clean scan only says that nothing the scanner recognises was found; it is not proof of a clean site.
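The following is an added example, not code from the page or from any maintenance provider, showing the integrity-scanning idea in its simplest form: take a manifest of SHA-256 hashes from a known-good copy of the site, compare a later snapshot against it, and run the added or changed PHP files through a short list of injection indicators. The directory layout, file contents, and the two indicator patterns are constructed for the demonstration; a real scan would keep the manifest off the server and use the WordPress.org checksums for core and directory plugins rather than a locally taken baseline.

```python
"""File-integrity scan for a WordPress tree (added example, not from the page).

Builds a baseline manifest of SHA-256 hashes from a known-good copy, compares a
later snapshot against it, and flags added/modified PHP files matching common
injection patterns. The sample tree is constructed in a temporary directory so
the script runs offline; every path and file content below is illustrative.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Constructed indicator list: obfuscated-eval constructs that legitimate
# core/plugin code essentially never contains. Not an exhaustive malware list.
SUSPICIOUS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    re.compile(rb"preg_replace\s*\([^)]*/e['\"]"),  # /e modifier executes code
]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify paths as added, removed, or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def scan_for_injections(root: Path, paths) -> list:
    """Return the PHP paths from `paths` whose content matches an indicator."""
    hits = []
    for rel in paths:
        if rel.endswith(".php") and any(
                rx.search((root / rel).read_bytes()) for rx in SUSPICIOUS):
            hits.append(rel)
    return hits


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, 'compromise' it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-content" / "plugins" / "example").mkdir(parents=True)
        (root / "wp-includes" / "version.php").write_text(
            "<?php $wp_version = '6.5';\n")
        (root / "wp-content" / "plugins" / "example" / "example.php").write_text(
            "<?php /* Plugin Name: Example */\n")

        # The manifest would normally be stored off-server; here it sits
        # beside the tree (outside `root`) so it is not part of the scan.
        manifest_file = Path(tmp) / "manifest.json"
        manifest_file.write_text(json.dumps(build_manifest(root)))

        # Simulated compromise: core file altered, dropper added under
        # uploads/, and a legitimate plugin file deleted.
        (root / "wp-includes" / "version.php").write_text(
            "<?php $wp_version = '6.5';\neval(base64_decode('ZWNobyAxOw=='));\n")
        (root / "wp-content" / "uploads").mkdir()
        (root / "wp-content" / "uploads" / "cache.php").write_text(
            "<?php eval(gzinflate(base64_decode('eJw=')));\n")
        (root / "wp-content" / "plugins" / "example" / "example.php").unlink()

        baseline = json.loads(manifest_file.read_text())
        diff = compare(baseline, build_manifest(root))
        diff["suspicious"] = scan_for_injections(
            root, diff["added"] + diff["modified"])
        return diff


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the split into `compare` and `scan_for_injections` is that the manifest diff is the reliable signal (any change to core or a pinned plugin version that the provider did not make is a finding), while the pattern list is only a hint for triage; a dropper that does not match any pattern still shows up as an unexplained added file.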

Performance monitoring. Page load time degrades as plugins accumulate and content grows. Baseline performance should be tracked and alerts set when thresholds are exceeded.

Support response time SLA. The contract should define what "support" means: what types of requests are covered, what the response time commitment is for different severity levels, and what is excluded.

Monthly or quarterly reporting. A maintenance provider should be able to show you what they did. A brief summary of updates applied, backup status, uptime, and any flagged issues is the minimum.

What most maintenance contracts leave out

Updates, backups, and uptime monitoring are the floor. Most providers offer them. The difference shows up in what they do beyond that baseline.

A staging environment. When a provider applies plugin updates directly to your live site, they are using your production environment as their test environment. A compatibility conflict between two plugins, or between a plugin and the current version of PHP, can break the live site immediately. A proper workflow applies updates to a staging copy first, verifies the result, and only then pushes to production. This step is skipped by a large share of low-cost providers because it adds time to every update cycle.

Database maintenance. WordPress accumulates overhead silently: post revisions, orphaned metadata, expired transient cache entries. Over months and years, this adds up. Queries slow down, page generation takes longer, and the performance degradation is gradual enough to go unnoticed until something flags it. Regular database cleanup is not glamorous work, but it belongs in any serious maintenance routine.

Deployment documentation. If your provider leaves, or you need to move the site, you should be able to hand a new developer a clear picture of how the site is configured, what the deployment process looks like, and what was changed and when. Most providers do not maintain this record. When it is missing, transitions become expensive investigations. If you need to find and brief a new provider from scratch, our guide on preparing a web project for an agency covers what to include.

An annual security audit. Automated scanning catches known signatures. An audit catches the things that scanners miss: user accounts with excessive permissions, abandoned administrator logins that were never revoked, administrator accounts without two-factor authentication, application passwords and API keys nobody remembers issuing. We have reviewed sites maintained by established agencies for two or three years where nobody had checked the user table. It is a common oversight, and no malware scanner will flag it.
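As an added example serving both the database maintenance paragraph above and this audit point (it is not code from the page or from any provider), the script below runs the kind of queries each task needs against the WordPress tables involved: stale post revisions and orphaned post meta in wp_posts/wp_postmeta, expired transients in wp_options, and administrator accounts in wp_users/wp_usermeta. It uses an in-memory SQLite copy of those tables filled with constructed rows so it runs offline; against a real site the same SELECT and DELETE statements run through mysql or `wp db query`, with the site's table prefix in place of `wp_`. The organisation domain, user names, and e-mail addresses are invented.

```python
"""Database-hygiene and privilege-audit queries for WordPress (added example).

Mirrors the relevant WordPress tables in SQLite with constructed data. The SQL
is kept MySQL-compatible except that the current Unix time is passed in as a
parameter (SQLite has no UNIX_TIMESTAMP()). All row values are invented.
"""
import sqlite3
import time

SCHEMA = """
CREATE TABLE wp_posts   (ID INTEGER PRIMARY KEY, post_parent INTEGER, post_type TEXT, post_status TEXT);
CREATE TABLE wp_postmeta(meta_id INTEGER PRIMARY KEY, post_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
CREATE TABLE wp_users   (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta(umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
"""


def seed(conn: sqlite3.Connection, now: int) -> None:
    """Constructed sample: a page with three revisions, two orphaned meta rows,
    one expired and one live transient, and an agency admin account left behind."""
    c = conn.cursor()
    c.executescript(SCHEMA)
    c.executemany("INSERT INTO wp_posts VALUES (?,?,?,?)", [
        (10, 0, "page", "publish"), (11, 10, "revision", "inherit"),
        (12, 10, "revision", "inherit"), (13, 10, "revision", "inherit")])
    c.executemany("INSERT INTO wp_postmeta VALUES (?,?,?,?)", [
        (1, 10, "_wp_page_template", "default"),
        (2, 999, "_thumbnail_id", "42"),       # post 999 no longer exists
        (3, 998, "_edit_lock", "1700000000")])  # neither does 998
    c.executemany("INSERT INTO wp_options VALUES (?,?,?)", [
        (1, "_transient_timeout_feed_abc", str(now - 3600)),  # expired
        (2, "_transient_feed_abc", "<cached feed>"),
        (3, "_transient_timeout_feed_def", str(now + 3600)),  # still valid
        (4, "_transient_feed_def", "<cached feed>")])
    c.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, "owner", "owner@example.com", "2019-03-01 10:00:00"),
        (2, "agency-2021", "dev@old-agency.example", "2021-06-15 09:00:00"),
        (3, "editor", "editor@example.com", "2022-01-10 12:00:00")])
    c.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", [
        (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 2, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (3, 3, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}')])
    conn.commit()


def count_revisions(conn) -> int:
    return conn.execute(
        "SELECT COUNT(*) FROM wp_posts WHERE post_type = 'revision'").fetchone()[0]


def orphaned_postmeta(conn) -> list:
    """meta_ids whose post is gone; wp_postmeta has no foreign key, so these pile up."""
    return [r[0] for r in conn.execute("""
        SELECT pm.meta_id FROM wp_postmeta pm
        LEFT JOIN wp_posts p ON p.ID = pm.post_id
        WHERE p.ID IS NULL ORDER BY pm.meta_id""")]


def expired_transients(conn, now: int) -> list:
    """Transient names whose timeout option lies in the past."""
    return [r[0] for r in conn.execute("""
        SELECT substr(option_name, length('_transient_timeout_') + 1)
        FROM wp_options
        WHERE option_name LIKE '!_transient!_timeout!_%' ESCAPE '!'
          AND CAST(option_value AS INTEGER) < ?""", (now,))]


def delete_expired_transients(conn, now: int) -> int:
    """Remove each expired timeout row together with its value row."""
    deleted = 0
    for name in expired_transients(conn, now):
        cur = conn.execute("DELETE FROM wp_options WHERE option_name IN (?, ?)",
                           ("_transient_timeout_" + name, "_transient_" + name))
        deleted += cur.rowcount
    conn.commit()
    return deleted


def administrators(conn, org_domain: str) -> list:
    """(login, 'ok'|'external') for every administrator; 'external' flags an
    e-mail outside the organisation, a typical sign of a leftover vendor login."""
    rows = conn.execute("""
        SELECT u.user_login, u.user_email FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
          AND m.meta_value LIKE '%"administrator"%' ORDER BY u.ID""")
    return [(login, "ok" if email.endswith("@" + org_domain) else "external")
            for login, email in rows]


def demo(now: int = 0, org_domain: str = "example.com") -> dict:
    now = now or int(time.time())
    conn = sqlite3.connect(":memory:")
    seed(conn, now)
    report = {"revisions": count_revisions(conn),
              "orphaned_postmeta": orphaned_postmeta(conn),
              "expired_transients": expired_transients(conn, now),
              "administrators": administrators(conn, org_domain)}
    report["transient_rows_deleted"] = delete_expired_transients(conn, now)
    report["expired_after_cleanup"] = expired_transients(conn, now)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The administrator query is deliberately crude (a LIKE over the serialised capabilities array) because it is meant to be run once a year by a human who then reads every row, not to be a scanner rule; the finding in the sample data is the `agency-2021` account, which no malware scanner would ever report.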

When reviewing a contract, ask the provider specifically about each of these four points. The answers tell you more about their process than any service page will.

What a WordPress maintenance contract does not cover

Few vendor articles cover this section honestly, because it describes what you will pay extra for. Understanding what is out of scope is as important as understanding what is included.

Most standard WordPress maintenance contracts explicitly exclude the following:

New features and development work. Maintenance covers the upkeep of what exists. Building new pages, adding functionality, or integrating third-party systems is development work and is priced separately, usually at an hourly or project rate.

Third-party plugin and theme license fees. Many providers include plugin updates in their scope but charge separately for the annual renewal of premium plugin licenses: WooCommerce extensions, form builders, SEO tools, page builders. Always ask whether license renewal fees are included in the contract or billed separately.

Malware removal and incident response. Some contracts include basic malware scanning but exclude the remediation. If your site is compromised, cleaning it up may trigger a separate invoice. Ask explicitly: "Is malware removal included in the contract, or is it an add-on?"

Content changes and copywriting. Updating text, uploading articles, replacing images, and managing editorial workflows are content management tasks, not maintenance tasks. Some providers offer a small hours allowance for minor content changes. Confirm the scope in writing.

Emergency response outside business hours. Standard SLAs typically apply during business hours in the provider's time zone. After-hours response, weekend coverage, and holiday support may require a premium tier or incur surcharges.

Issues caused by client actions. If a team member installs an incompatible plugin, accidentally deletes a database table, or applies changes directly to production, the remediation is generally not covered by the standard maintenance fee.

Before signing, ask for a written exclusion list alongside the scope of work.

How to evaluate a WordPress maintenance provider

Before signing a contract, ask these questions directly. The answers reveal more than any sales page will.

1. Do you use a staging environment before applying updates?
A clear "yes" with an explanation of the workflow is a strong positive signal. A vague or evasive answer is not.

2. Where are backups stored, and when did you last test a restoration?
Off-site storage is essential. If they cannot tell you when a restoration was last tested, they have not tested it.

3. What is your response time SLA for critical issues?
Get this in writing. "We respond quickly" is not a contract term. Four hours, eight hours, next business day: those are contract terms.

4. What does your monthly report include?
If the answer is nothing, or a vague summary email, that is a sign of a passive service, not an active one.

5. Do you conduct a security audit at the start of the contract?
A provider who takes on a new client without auditing the existing installation is accepting liability they cannot quantify. You should want them to understand what they are inheriting.

6. What is explicitly out of scope?
Content updates, new features, third-party integrations, and major redesigns are typically excluded. Confirm where the boundary is before you need it.

If you are not confident your WordPress site is properly maintained, send us the site URL and we will tell you in one email whether your current setup has any obvious gaps. No call, no commitment.

Frequently asked questions (FAQ)

What does WordPress maintenance include?

A proper WordPress maintenance contract covers core, plugin, and theme updates applied on a defined schedule, daily off-site backups with periodic restoration testing, uptime monitoring with an alert protocol, malware and integrity scanning, performance monitoring, and a support response SLA. Scope varies widely between providers. Read the contract, not the sales page.

What happens if I do not maintain my WordPress site?

An unmaintained WordPress site accumulates unpatched vulnerabilities in plugins and themes. Security disclosures in the WordPress ecosystem are frequent, and attackers scan for newly disclosed vulnerabilities within hours of public disclosure. An unpatched site risks compromise, Google blocklisting, data exposure, and recovery costs that far exceed what prevention would have cost.

Do I need a WordPress support contract?

If your site generates leads or revenue, collects personal data from users, receives meaningful traffic, or would cause operational disruption if it went offline, a support contract is justified. Brochure sites with no business-critical function can sometimes be maintained in-house, but only if someone is genuinely doing it on a consistent schedule.

What does a WordPress maintenance contract NOT include?

Standard contracts do not cover new features or development work beyond a small hours allowance, third-party plugin license fees, malware removal beyond basic scanning, content changes and copywriting, after-hours emergency response unless specified in the SLA, or issues caused by client-side actions. Always request a written exclusion list from any provider before signing.

What is the difference between a WordPress care plan and a retainer?

A care plan covers a fixed scope of recurring maintenance tasks: updates, backups, monitoring, and basic support. A retainer is a broader arrangement that typically bundles maintenance with a reserved block of development hours each month. Care plans are simpler and more affordable. Retainers make sense when you need ongoing feature work alongside maintenance. Many providers use the terms interchangeably, so the only reliable way to understand what you are buying is to read the full scope of work.

A contract is only as good as what it specifies

Most WordPress sites are not maintained badly out of negligence. They are maintained badly because neither party defined what "maintained" actually means. A clear contract protects both sides. It sets expectations, gives you a baseline to measure against, and tells you exactly what will happen when something goes wrong.

If you are evaluating whether WordPress remains the right platform for your organization's current needs, our guide to choosing a CMS can help frame that decision.

If you want an independent perspective on your current setup or on what a proper contract should contain for your specific site, our consulting and advisory service is built for exactly this. And if you are looking for a team to handle WordPress maintenance directly, contact us.