Most business owners think about website maintenance when something breaks. That's the wrong time to think about it.
By then, the site may have been serving broken pages to visitors for days. An unpatched security vulnerability may have already been exploited. A dependency update may have silently broken a contact form that nobody checked. Reactive maintenance costs more and causes more damage than planned maintenance — in every field, and websites are no different.
What Website Maintenance Actually Includes
Security Updates
Security is the most urgent maintenance category, and the most neglected.
WordPress-based sites are the highest-risk category. WordPress core, themes, and plugins release security patches regularly because the platform is a constant target. A WordPress site that hasn't been updated in six months has known vulnerabilities. Not theoretical ones — known, published, actively exploited ones. Attackers run automated scans across the internet looking for outdated installations. Your site will be found.
Even for sites not built on WordPress, underlying server software, runtime environments, and third-party packages need regular patching. Security maintenance isn't a one-time task. It's a standing responsibility.
Framework and Dependency Updates
Software has dependencies — packages and libraries that other packages are built on. These update frequently: to fix bugs, close security holes, or improve performance. A site built in 2022 that hasn't had its dependencies updated is running on software that may be years behind the current state.
Dependency updates don't always go smoothly. Sometimes a major version update breaks something. That's why maintenance includes testing after updates, not just running the update command and closing the ticket.
Hosting and Uptime Monitoring
If your site goes down at 11pm, how do you find out? For most businesses, the answer is "when a client calls to say they can't find us" or "when someone from the team tries to access it the next morning."
Uptime monitoring tools check your site every minute and alert you when it goes down. Response time monitoring catches degraded performance before it becomes a full outage. These are basic tools that should be part of any maintenance arrangement.
In Indonesia, sites hosted on cheap shared hosting plans experience reliability issues more frequently than businesses assume. Shared hosting means your site shares server resources with hundreds or thousands of other sites — if one site on the server gets a spike in traffic or runs a poorly-written script, every other site on the server slows down or goes offline. Monitoring won't fix this, but it will tell you it's happening and give you the data to justify a hosting upgrade.
Performance Monitoring
Sites slow down over time. Images accumulate without being optimized. Third-party scripts get added — chat widgets, analytics tools, advertising pixels — and each one adds load time. Content management systems accumulate database bloat.
Performance monitoring tracks your page load times over time and alerts when they degrade beyond a threshold. A site that started loading in 1.8 seconds and now takes 4.2 seconds has lost a measurable number of visitors — and the business owner usually has no idea it happened.
Content Updates
Service descriptions change. Team members join and leave. Business hours, pricing, and contact details need to stay current. An outdated website that still references a product you no longer offer, or a team member who left 18 months ago, erodes trust.
Content updates are part of maintenance — not a separate project every time a detail changes.
Bug Fixes from Real-World Usage
Testing catches most bugs before a site launches. It doesn't catch all of them. Real-world usage surfaces edge cases that test environments miss: a contact form that fails on certain mobile keyboards, a page that breaks when the content is a certain length, a checkout flow that fails with a specific combination of products.
These need to be fixed when they're found, not queued for the next theoretical redesign.
What Happens Without Maintenance
The consequences aren't always dramatic. Sometimes a site just quietly gets slower and less secure over years until it's clearly broken and needs rebuilding from scratch — at far more cost than the maintenance would have been.
More dramatically: exploited security vulnerabilities result in sites being defaced, used to send spam, or having visitor data stolen. Hosting migrations — when a server is moved or upgraded — can break sites that depend on specific server configurations that were never documented. Plugin updates cascade into visual breakage that makes the site unprofessional when clients try to view it.
A site that worked fine in 2023 and hasn't been touched since is not a site that's "fine." It's a site that's accumulating risk.
What a Monthly Maintenance Contract Should Cover
A reasonable maintenance retainer for a business website covers:
- Monthly security and dependency updates with post-update testing
- Uptime and performance monitoring with alert response
- Minor content updates (changing text, swapping images, updating contact info)
- A defined number of hours for bug fixes per month
- Monthly reporting on uptime, performance, and changes made
What it typically doesn't include: new pages, new features, or redesign work. Those are separate projects with their own scope and cost.
The cost of maintenance is consistently less than the cost of a crisis. Building it into the budget from day one — rather than treating it as optional — is simply the correct way to manage a website as a business asset. For a full picture of what a website costs beyond the initial build, including maintenance, the true cost of a business website breaks it down over a realistic time horizon.
CERIS offers maintenance contracts for websites we build and for sites built by others. See our web development service or get in touch and we'll assess what it needs.
