If you are reading this, something probably prompted you. A plugin conflict. A slow page. A letter about accessibility. A question from your attorney about cookie consent. Here is what website maintenance actually covers in 2026, what it does not, and when it is worth the monthly fee.
This is not a sales pitch. We run maintenance for small and mid-sized businesses. We will be honest about when maintenance is the right answer and when it is not. Sites with structural problems do not get better with maintenance. They need a rebuild. Sites with healthy foundations benefit substantially from ongoing maintenance. Sites in between need a conversation about which side they are on.
What Website Maintenance Actually Includes in 2026
Maintenance in 2026 is different from maintenance in 2019. The list of what is covered has grown, because the compliance and performance surface has grown.
Security patching. The CMS, the plugins, the themes, and the underlying PHP runtime all receive security updates throughout the year. Unapplied updates are the leading vector for site compromise in small-business WordPress. Patching is not a monthly event. It is continuous.
CMS and plugin version management. As of 2026, the WordPress.org official position recommends PHP 8.3 or higher. PHP 8.4 is the current production-safe version. PHP 8.5 has beta support as of WordPress 6.9. PHP 8.1 and earlier are end-of-life. PHP 8.2 is in security-only mode and reaches end-of-life on December 31, 2026. Any site still running PHP 8.1 or lower has lost active support. Any site running PHP 8.2 will lose it before the end of the year.
WordPress core is at 6.8 as of April 2026, with 6.9 adding PHP 8.5 support and 7.0 proposed in beta February 2026 for full release April 2026. Maintenance tracks these versions and schedules safe upgrades in test environments before production.
The plugin profile drives a meaningful share of maintenance complexity. Sites running fewer than fifteen plugins from reputable vendors are typically the cleanest to maintain. Sites running thirty or more plugins routinely take double the maintenance time of a comparable lean site, because the surface for plugin-to-plugin conflict, abandoned-plugin risk, and update-cascade failure scales with count rather than scaling linearly with traffic. Specific plugin categories sit higher on our maintenance risk register: legacy caching plugins still configured for pre-PHP-8 environments, abandoned form plugins past their last security update, page builders running on themes the builder vendor no longer formally supports, and any plugin that has not received an update in more than twelve months. The first action of a real maintenance audit is the plugin inventory and the cull of plugins that should not be in production at all.
Backup verification. Backups that have never been restored are not backups. They are a false sense of security. A working backup discipline includes off-site storage separate from the production host, versioned backups going back at least thirty days for a typical site (longer for regulated content), automated daily backups for active sites, and a periodic restore test on a staging environment. Restore tests at least quarterly are the threshold below which the backup discipline cannot honestly be called working. Many small-business WordPress sites have automated backups running and have never tested whether the backup is actually usable, which means the discipline exists on paper only.
Uptime monitoring. Automated alerts if the site goes down, with response protocols for who handles restoration, ideally with a defined response window for paying maintenance clients.
Core Web Vitals monitoring. Largest Contentful Paint, Interaction to Next Paint (which replaced First Input Delay in March 2024), and Cumulative Layout Shift are the three metrics Google measures for page experience signals. The 2026 thresholds are not exactly the same as the 2024 thresholds. Google’s March 2026 update tightened LCP, dropping the “good” cutoff from 2.5 seconds to 2.0 seconds, which moves any page in the 2.0 to 2.5 second range from passing to “needs improvement.” INP remains officially “good” under 200 milliseconds, with practical operator targeting closer to 150 milliseconds for ranking stability. CLS remains under 0.1.
The March 2026 update also moved Core Web Vitals from purely page-by-page evaluation toward site-level aggregate scoring. In practice, a few slow template pages can drag down rankings on pages that individually pass every threshold. Industry analysis from 2026 suggests that when more than 25 percent of a site’s URLs fall into “Poor” or “Needs Improvement” on any single metric, the site-wide aggregate is likely being penalized. That is an unforgiving bar for a WordPress site with a bloated theme, a dozen plugins, and a few legacy landing pages nobody has touched in two years.
CWV monitoring catches drift before it costs ranking. The pass-rate gap between platforms is also worth knowing: WordPress sites cluster around 45 percent mobile pass rates without active optimization, managed platforms like Webflow and Duda sit in the 65 to 85 percent range, and well-built static sites can reach 95 percent and above. The platform alone does not determine the outcome, but the platform sets the ceiling that maintenance has to work within.
SSL and TLS management. TLS 1.3 is the current standard. TLS 1.0 and 1.1 are deprecated. Certificates renew, and the renewal sometimes does not happen cleanly without monitoring.
Broken link auditing. Internal and outbound links break over time. Routine audit and repair maintain the site’s link graph.
Form and checkout testing. Forms break silently. Periodic functional testing of every form on the site prevents the “we stopped getting leads three weeks ago and nobody noticed” pattern.
Accessibility review. WCAG 2.2 became an ISO standard in October 2025. The US Department of Justice Title II rule requires WCAG 2.1 Level AA for state and local public entities serving populations of 50,000 or more by April 24, 2026. Private Title III lawsuits hit 3,117 federal filings in 2025 — a 27 percent increase over 2024 — and the trajectory continues into 2026. Approximately 67 percent of those lawsuits target companies with under $25 million in annual revenue. The litigation risk is no longer concentrated on enterprise.
Privacy compliance review. Consent management platform configuration, cookie scan accuracy, consent choice respect, Global Privacy Control signal handling. The CMP layer is where most small-business sites have the largest gap. Different consent platforms handle GPC differently in practice: enterprise platforms like OneTrust and Cookiebot honor GPC by default with proper configuration, lighter-weight options like Termly require explicit setup to send the right signal back, and homegrown banner solutions almost universally ignore GPC entirely. The configuration question is not “do we have a CMP” but “does our CMP do the right thing when a Firefox or Brave user with GPC enabled visits the site.”
Minor copy and content updates. Correcting small errors, updating contact information, refreshing time-sensitive copy. Not major content work, which is separate.
The Real Cost of Not Doing It
The business case for maintenance lives in concrete scenarios, not abstract risk.
A plugin conflict takes your site offline during business hours. You lose inquiries for the duration. Support takes six hours to diagnose and fix. For a business generating leads through the site, the lost revenue plus the emergency fix cost exceeds six months of proactive maintenance fees.
A security vulnerability in an unpatched plugin leads to site defacement or malware injection. Google deindexes your site for malware distribution. Recovery requires clean-up, a malware scan, a Google reconsideration request, and several weeks before organic traffic returns. The traffic loss plus recovery cost commonly exceeds years of maintenance fees.
Core Web Vitals decay reduces your ranking for your core commercial queries. The decay is rarely sudden. It accumulates over months as plugins are added, images are uploaded at native resolution rather than optimized, and third-party scripts pile up. The visible signal is a gradual decline in organic traffic that a non-technical owner often attributes to “Google changing the algorithm again” when the actual cause is the site’s own technical drift. Recovery requires a performance audit and a rebuild of the slow assets. The traffic loss is invisible until revenue data catches it.
An ADA Title III complaint lands in your mailbox. The settlement spectrum is wide and well-documented in 2026 case data. Demand-letter resolutions cluster between five thousand and fifteen thousand dollars. Out-of-court settlements average closer to twenty-five to thirty thousand dollars and can reach seventy-five thousand for messier cases. Litigated cases reach a median around seventy-five thousand for the judgment alone. Defense legal fees stack on top in every category, commonly five to one hundred thousand dollars depending on the firm handling it. The remediation work that satisfies the settlement adds another budget line. None of this counts the second-order risk that 45 percent of 2025 federal filings targeted defendants who had been sued before, because the underlying code never got fixed. Getting sued once and not remediating raises rather than lowers the probability of being sued again.
A state attorney general opens an inquiry about your cookie consent configuration. Your CMP is misconfigured. The inquiry costs legal hours regardless of outcome. The configuration issue should have been caught in routine maintenance review.
Maintenance is not a subscription trap. It is insurance against concrete failure modes. The cost of the insurance is lower than the cost of any one of these scenarios playing out.
The 2026 Regulatory Reality
The regulatory landscape that maintenance has to respect has expanded substantially.
As of 2026, twenty US states have active comprehensive privacy laws: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. Each imposes its own notice, consent, and opt-out requirements. Businesses operating nationally deal with the twenty-state patchwork. Three of these laws became active on January 1, 2026 (Indiana, Kentucky, Rhode Island). More states are likely to pass similar laws in 2026 and beyond.
California CPRA and ADMT regulations activated in January 2026, adding risk assessments, cybersecurity audits, and automated decision-making disclosure obligations under specific conditions.
Eleven or more states now require websites and ad stacks to honor the Global Privacy Control signal as a valid universal opt-out. Ignoring GPC is non-compliance in those states. Many small-business sites still do not implement GPC handling.
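The GPC handling described here and under privacy compliance review can be checked server-side. The following is an added example, not code from any consent platform: a small WSGI app that reads the `Sec-GPC: 1` request header and withholds sale-and-sharing tags. The tag categories, the `cmp_consent` cookie, the tag URLs, and the policy that GPC overrides an earlier banner opt-in are assumptions.

```python
# Added example: server-side Global Privacy Control handling in a WSGI app.
# Tag categories, the cmp_consent cookie and the tag URLs are hypothetical.

SALE_SHARE = {"advertising", "cross_site_analytics"}  # assumed CMP categories
TAGS = [  # constructed (category, markup) pairs
    ("strictly_necessary", '<script src="/js/site.js"></script>'),
    ("cross_site_analytics", '<script src="https://analytics.example/t.js"></script>'),
    ("advertising", '<script src="https://ads.example/pixel.js"></script>'),
]


def gpc_enabled(environ):
    """GPC is sent as the request header `Sec-GPC: 1` (WSGI key HTTP_SEC_GPC)."""
    return environ.get("HTTP_SEC_GPC", "").strip() == "1"


def stored_consent(environ):
    """Read a hypothetical CMP cookie, e.g. cmp_consent=advertising.cross_site_analytics."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "cmp_consent":
            return {c for c in value.split(".") if c}
    return set()


def allowed_categories(environ):
    """Tag categories that may be rendered for this request."""
    allowed = stored_consent(environ) | {"strictly_necessary"}
    if gpc_enabled(environ):
        # Assumed policy: the browser-level opt-out overrides an earlier banner opt-in.
        allowed -= SALE_SHARE
    return allowed


def app(environ, start_response):
    allowed = allowed_categories(environ)
    tags = "".join(markup for category, markup in TAGS if category in allowed)
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        # Without Vary, a page cache can serve the tracked variant to a GPC visitor.
        ("Vary", "Sec-GPC, Cookie"),
    ])
    return [f"<html><head>{tags}</head><body>ok</body></html>".encode("utf-8")]


def fetch(headers):
    """Call the app in-process with a constructed request; return (headers, body)."""
    captured = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", **headers}
    body = b"".join(app(environ, lambda status, hdrs: captured.update(hdrs)))
    return captured, body.decode("utf-8")
```

The same two-request comparison, with and without the header, is the test to run against a production page that sits behind a caching plugin.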
ADA Title II (state and local public entities serving 50,000+ populations) requires WCAG 2.1 Level AA by April 24, 2026. WCAG 2.2 became an ISO standard in October 2025 and is required in California and in the European Union.
Sites referencing Universal Analytics in their tracking stack still surface in audits regularly. Universal Analytics shut down in July 2023, and Google deleted historical data in July 2024. Any site still running UA tags is reporting nothing usable, regardless of whether the dashboard appears to populate.
This is an operational summary. It is not legal advice. Consult a privacy attorney for compliance questions specific to your business. We can flag a privacy law gap during a free digital consult and help you decide whether your current setup is the kind of risk your counsel needs to look at.
What Maintenance Looks Like at Southern Digital Consulting
Our maintenance engagements are monthly and tied to the specific technical profile of the site.
Standard cadence. Weekly automated checks (uptime, broken links, security), monthly human review of performance and compliance drift, quarterly deep review of accessibility and regulatory fit, and on-demand handling of client-initiated updates and incidents.
Deliverables. Monthly report covering site uptime, any patches applied, any performance changes, any compliance items flagged, and any upcoming concerns. The report reads as a status document, not as a marketing piece.
Client communication. Direct access to the maintenance team for urgent issues. Ticketed handling for routine updates. Quarterly review call for the broader picture.
Escalation paths. Security incidents, compliance letters, and performance emergencies escalate to senior review with defined response times.
For clients on maintenance retainer, the work is continuous. The monthly fee buys ongoing attention, not a periodic inspection. Sites come off maintenance rarely, and usually because the business is moving to a different technology stack.
For a deeper look at the infrastructure side that pairs with maintenance, see our secure web and email hosting page.
When Maintenance Is NOT Worth It
This is the honest section. Not every site benefits from ongoing maintenance.
The decision is rarely a feeling. There are quantifiable signals that suggest the right answer is rebuild rather than maintenance: a site running PHP 8.1 or below, a plugin count above forty, a theme that has not seen a vendor update in more than two years, three or more security incidents in the last twelve months, mobile Core Web Vitals failing more than 25 percent of URLs, or an underlying CMS that the original vendor has stopped actively supporting. When two or more of these stack together, maintenance becomes the wrong tool. The cost of monthly patching does not produce durable improvement on a foundation that needs replacing.
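The signals above, together with the twelve-month plugin staleness rule from the plugin inventory discussion earlier, can be run as a repeatable check. This is an added example, not our production tooling; the inventory is constructed and its field names are hypothetical.

```python
from datetime import date

# Constructed sample inventory; the field names are hypothetical.
SITE = {
    "php_version": "8.1.27",
    "cms_vendor_supported": True,
    "theme_last_update": date(2023, 11, 2),
    "security_incidents_12mo": 1,
    "mobile_cwv_failing_urls": 31,
    "total_urls": 100,
    "plugins": [
        {"name": "forms-legacy", "last_update": date(2024, 1, 15)},
        {"name": "cache-old", "last_update": date(2025, 3, 30)},
        {"name": "seo-suite", "last_update": date(2026, 3, 1)},
    ],
}


def years_ago(today, years):
    try:
        return today.replace(year=today.year - years)
    except ValueError:  # 29 February mapped onto a non-leap year
        return today.replace(year=today.year - years, day=28)


def php_major_minor(version):
    major, minor = (version.split(".") + ["0"])[:2]
    return int(major), int(minor)


def stale_plugins(site, today):
    """Plugins with no update in more than twelve months (cull candidates)."""
    cutoff = years_ago(today, 1)
    return [p["name"] for p in site["plugins"] if p["last_update"] < cutoff]


def rebuild_signals(site, today):
    failing_share = site["mobile_cwv_failing_urls"] / max(site["total_urls"], 1)
    checks = {
        "php_8.1_or_below": php_major_minor(site["php_version"]) <= (8, 1),
        "plugin_count_above_40": len(site["plugins"]) > 40,
        "theme_no_update_2y": site["theme_last_update"] < years_ago(today, 2),
        "3_or_more_incidents_12mo": site["security_incidents_12mo"] >= 3,
        "mobile_cwv_failing_over_25pct": failing_share > 0.25,
        "cms_unsupported": not site["cms_vendor_supported"],
    }
    return [name for name, hit in checks.items() if hit]


def recommend(site, today):
    """Two or more stacked signals point to a rebuild, per the text above."""
    signals = rebuild_signals(site, today)
    return ("rebuild" if len(signals) >= 2 else "maintain"), signals
```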
Sites planning a redesign in the next six months also fall on the rebuild side of the line. Interim maintenance can be reduced to security-only patching while the rebuild project runs in parallel. The maintenance budget is better spent on the rebuild scope.
A static informational page that has not been updated in five years and generates no inquiries does not need the same maintenance envelope as an active lead-generating site. The question is whether maintenance preserves or grows the commercial value of the site. If the page is not commercially active, security patching at a minimum scope is enough.
Sites on managed e-commerce platforms that handle core updates already have a narrower maintenance scope than custom WordPress installs. Do not pay for layers the platform already covers. The maintenance scope on a Shopify Plus site is mostly app management, theme updates, and conversion optimization, not core platform patching.
If a rebuild is the right answer, we will say so. We point clients in that position to our Atlanta website design work or our technical SEO services page for the diagnostic side, rather than selling a maintenance retainer that cannot fix the underlying problem.
Pricing Ranges and What Drives Them
Pricing scales with the site. Fitting a single number to every WordPress install would be dishonest, so the realistic framing is by site profile.
A brochure site running fewer than fifteen plugins on a current PHP version, with no e-commerce and a standard compliance profile, sits in the low-to-mid three figures per month for full-scope maintenance. Most small business sites fit this category.
A site with e-commerce or membership functionality, integration with a CRM, payment gateway under PCI scope, or a higher transaction volume sits in higher three figures to low four figures per month, depending on transaction count and integration complexity.
A site with high traffic, complex integrations, or regulated-industry compliance scope (HIPAA, finance, legal services with bar oversight) sits in low-to-mid four figures per month. The scope at this tier includes dedicated compliance audit time, integration monitoring, and higher-frequency attention with shorter response windows.
What pushes price up: site complexity, traffic volume, e-commerce, compliance scope, integration count, uptime requirements, response-time commitments, plugin count above thirty, and any regulated-industry layer. What keeps price in line: clear scope, single-platform stack, standard compliance profile, predictable update cadence, and a well-maintained plugin inventory.
See our website maintenance and support service page for scope detail.
FAQ
What happens if my site breaks outside business hours? Incident response protocols define who handles what and when. For maintenance clients, urgent issues (site down, security incident) have defined response times rather than waiting for business hours.
Do you handle accessibility remediation or just review? Both. The scope depends on the engagement. Review and prioritization is the baseline. Remediation work on identified issues is typically scoped separately for larger projects and included in standard cadence for smaller fixes.
What about performance issues that are really content issues? Maintenance addresses the technical side. If the performance issue is an overweight image library or a content structure that is slow by design, we flag the content-side fix. Content-side rework is separate from maintenance scope.
Does an accessibility overlay (the widget that adds an icon to the corner of a site) replace this work? No. Overlays became a category of their own concern in 2025 when the Federal Trade Commission settled with a major overlay vendor for $1 million over compliance claims that did not hold up. Plaintiff firms also actively target sites with overlays installed. Real accessibility work happens at the source code and content level, not in a widget loaded on top of an inaccessible page.
Can we do maintenance ourselves? You can. For small sites with stable stacks and a technical owner on the team, in-house maintenance works. Most of our clients do not have a technical owner with the bandwidth to stay ahead of the 2026 compliance and security surface. That is the specific gap maintenance retainers fill.
If you are deciding between maintenance and rebuild, or your current maintenance arrangement does not cover the compliance scope above, start with a free digital consult. We will look at your stack and tell you honestly which side you are on.
Informational only. This post describes operational obligations created by specified laws as we understand them. It is not legal advice. Consult a privacy attorney or ADA counsel for compliance questions specific to your business.