The WordPress sites we get called in to rescue almost always have one thing in common: nobody had touched them in over a year.
WordPress runs roughly 40% of the entire web. That popularity is what makes it so flexible, so well-supported, and such a sensible choice for most business websites. It’s also what makes it a permanent target. Automated bots are scanning every WordPress site on the internet right now, looking for known vulnerabilities in old plugins and out-of-date core. If your site is six months behind on updates, it’s being scanned this minute. The bots don’t care who you are.
But security is only half the story. An unmaintained WordPress site quietly costs you in other ways too — and in our experience, those slower, less-visible costs are usually what actually puts a business in trouble.
What “unmaintained” actually means
Most business owners we speak to assume their WordPress site is “fine” because it’s still loading and the contact form still works. That’s a low bar. Here’s what’s actually happening behind the scenes when a WordPress site goes a year without proper attention:
- WordPress core ships a new release every few months, with security patches, performance improvements and bug fixes. Skipping them adds up fast.
- Plugin updates are released constantly. Each one might fix a security hole, add a feature, or resolve an incompatibility with a newer version of WordPress.
- PHP versions go end-of-life on a published schedule. When your hosting provider eventually upgrades the server PHP version (and they will), incompatible plugins or themes can break the site overnight.
- Themes and page builders stop being supported. Old code keeps working, until one day it doesn’t.
- The database grows with every post revision, expired transient and abandoned plugin table. Performance suffers gradually.
None of this is dramatic. The site doesn’t collapse all at once. It just gets slower, flakier, and more expensive to deal with.
The real cost of skipping maintenance
When something does eventually go wrong on an unmaintained WordPress site, the bill is rarely small. The most common scenarios we see:
1. Security incidents
The businesses we see get hacked are almost never the ones being targeted. They’re running an out-of-date plugin from 2022 that an automated bot crawled past and noticed. Cleanup costs typically run into the hundreds or low thousands — sometimes more if customer data is involved or you need to notify the ICO. The downtime alone, especially for an e-commerce store, can dwarf the cleanup bill.
2. White-screen Mondays
A plugin auto-updates overnight. The new version isn’t compatible with another plugin, or with the theme, or with the PHP version on the server. Your site goes white. Your customers can’t reach you. Your developer is suddenly very busy on a Monday morning. None of this happens if updates are tested in a staging environment first — which is what proper maintenance does.
3. Slow, painful performance decline
This one is the most expensive in the long run because it’s invisible. Pages get slower by half a second a year. Bounce rates creep up. Conversion rates drift down. Google quietly demotes you in search results. By the time you notice the traffic loss, the rot has been compounding for two years.
4. The “I’d rather just rebuild it” trap
We’ve inherited countless WordPress sites where the right answer was a partial rebuild rather than a fix — purely because so much had drifted out of date that fixing one thing kept breaking three others. A few hundred pounds a year in maintenance would have prevented a few thousand pounds in rebuild costs.
What good WordPress maintenance actually looks like
Maintenance isn’t glamorous. There’s no big launch moment, no dramatic before-and-after. It’s the kind of work you only notice when it stops happening. But done well, it covers:
- Regular WordPress core, theme and plugin updates — applied in a staging environment first, never directly on live for anything significant.
- Automated backups — daily or weekly, kept for long enough to roll back from a problem you didn’t notice immediately.
- Security monitoring — known-vulnerability scanning, login protection, file-change detection.
- Performance checks — Core Web Vitals, server response times, database health.
- PHP and database version management — upgraded on a schedule, with compatibility tested first.
- An annual deeper review — checking that forms still work and contact details are right, plus broken links, sitemap health, and anything else that has drifted.
- A real human to call when something does go wrong, who knows your site already.
You can do most of this yourself if you’re technical and disciplined. Most business owners are neither, and that’s fine — it’s not what you should be spending your time on.
How often should WordPress be maintained?
Our rule of thumb for the sites we look after:
- Monthly for any e-commerce store (WooCommerce or otherwise) and any site that has more than basic plugins.
- Quarterly for brochure sites with a small plugin footprint.
- Annually at the absolute minimum — and if you’re at this level, expect bigger version jumps and a higher chance of compatibility issues each time.
Anything less frequent than annually is essentially “no maintenance,” and you’re betting on luck.
The bottom line
Proper WordPress maintenance is the single highest-return investment most business owners can make in their website. It costs a fraction of what a single security incident or rebuild would, and it keeps the asset you’ve already paid for actually working.
If you can’t remember the last time your WordPress site was updated, that’s the warning sign. The longer you leave it, the more expensive the catch-up.
At Red Web we’ve been maintaining WordPress sites for Cambridge businesses for over 20 years. Our managed plans cover updates, backups, performance checks and security — so the call you don’t want to make never has to happen.