TLDR: A WordPress maintenance plan should cover updates, backups, and basic security hardening. It should not be expected to cover custom development, SEO, content changes, or emergency recovery from neglect. Knowing the difference protects your budget and your expectations.

Why This Conversation Matters

WordPress powers a significant portion of the web, and the businesses that rely on it range from solo tradespeople to mid-sized organizations managing complex sites. Most of them share something in common: they signed up for a maintenance plan without fully understanding what it covers.

That gap in understanding leads to frustration on both sides. A business owner expects something to be handled, the provider says it is out of scope, and trust erodes quickly. The solution is not a better contract. It is a clearer conversation before the agreement is signed.

This post explains what a reasonable WordPress maintenance plan should include, what it reasonably should not, and how to think about the difference. It is written for business owners making decisions, not for developers negotiating deliverables.

What a WordPress Maintenance Plan Should Include

A well-structured plan addresses the ongoing technical health of your WordPress site. These are not one-time tasks. They are recurring activities that keep your site stable, secure, and functional over time.

Core Software Updates

WordPress releases regular updates to its core software. Themes and plugins do the same. These updates often include security patches, bug fixes, and compatibility improvements. Letting them stack up creates risk.

A maintenance plan should include scheduled updates to WordPress core, your active theme, and all installed plugins. This should happen on a predictable schedule, not just when something breaks. Some providers update weekly, others monthly. What matters is that it happens consistently and that someone is checking for conflicts after updates are applied.

Compatibility conflicts after updates are a real concern. A plan that includes updates should also include a basic check that the site is still functioning properly afterward. If the provider only pushes updates without verifying the result, that is not a complete service.

Automated and Verified Backups

Backups are one of the most important and most misunderstood parts of maintenance. Many hosting environments include some form of automated backup, but hosting backups and maintenance backups are not the same thing.

A maintenance plan should include independent, regularly scheduled backups that are stored off-site or in a separate environment from your hosting account. If your hosting account is compromised, a backup stored in the same account may be compromised too.

The plan should also specify how long backups are retained and whether they are tested. A backup that has never been restored is an untested assumption. At minimum, your provider should be able to confirm backups are completing successfully and that restoration has been verified at some point.

Security Monitoring and Basic Hardening

WordPress sites are frequent targets for automated attacks. Bots scan for outdated plugins, weak login credentials, exposed configuration files, and known vulnerabilities. Security monitoring means that someone, or something, is watching for these threats on an ongoing basis.

A maintenance plan should include malware scanning, login protection such as limiting failed login attempts and enabling two-factor authentication where possible, and basic hardening steps such as removing unused plugins and themes and keeping file permissions in order.

This is not the same as a full security audit. It is the routine hygiene that keeps your site from becoming an easy target. The distinction matters because a security audit is typically a one-time engagement with a specific deliverable, while security monitoring is an ongoing, lower-intensity activity built into the maintenance rhythm.

A Basic Performance Check

Site speed and performance affect how visitors experience your website. A maintenance plan may include periodic performance checks to identify obvious issues such as large unoptimized images, caching problems, or plugin conflicts that are slowing load times.

This is not the same as a full performance optimization engagement. It is a monitoring function, not a redesign. If your site has structural performance problems, those are typically addressed through a separate optimization or rebuild project.

Reporting

You should receive a regular summary of what was done. A simple monthly report showing what was updated, whether backups completed, and whether any issues were flagged is a reasonable expectation. It does not need to be lengthy. It needs to be consistent and honest.

If a provider cannot tell you what they did last month, that is a problem.

What a WordPress Maintenance Plan Should Not Be Expected to Cover

This section may be more useful than the one above. Scope creep is one of the most common sources of conflict between business owners and maintenance providers, and it usually begins with an assumption, not a request.

Custom Development Work

Adding new features, building out new pages, integrating third-party tools, or modifying how your theme functions are all development tasks. They require planning, scoping, testing, and often significant time. None of these belong inside a maintenance plan at a flat monthly rate.

If you need something built or changed, that is a project. It should be scoped and quoted separately. A maintenance plan keeps your existing site healthy. It does not build new things.

Content Updates and Copywriting

Updating the text on your service pages, writing blog posts, adding new photos, or changing pricing information are content tasks. These are editorial decisions that require your input and approval. They are not maintenance tasks.

Some providers offer content update packages as an add-on. That is a separate service with its own scope. Do not assume your maintenance plan includes content changes unless it is explicitly stated and priced accordingly.

SEO Management

Search engine optimization is a strategic discipline that involves keyword research, content planning, link building, technical analysis, and ongoing measurement. It is not a function of maintaining a website's technical health.

A maintenance plan may include keeping your sitemap functional, ensuring your site is indexable, and flagging obvious technical issues that could affect crawling. That is as far as it goes. If you want active SEO work, that is a separate engagement with its own scope and expectations.

Design Changes

Changing your layout, updating your branding, redesigning your homepage, or adjusting how your navigation works are design tasks. These belong in a design or rebuild project, not a maintenance plan.

If you want to refresh the look of your site, speak to your provider about a separate design engagement. Trying to accomplish design changes through a maintenance plan will lead to either unmet expectations or work being done outside the agreed scope.

Recovery from Years of Neglect

This one is worth naming directly. If a site has not been updated in two or three years, has dozens of outdated plugins, a deprecated theme, and accumulated security issues, bringing it into a stable state is not a maintenance task. It is a remediation project.

A provider should be able to take on ongoing maintenance for a site in reasonable health. A site that requires significant cleanup before it can be maintained properly may need a one-time stabilization engagement first. That work should be scoped separately and completed before a maintenance plan begins.

Providers who accept any site into a maintenance plan without assessing its condition are either not doing thorough work or are setting themselves up to absorb costs they have not planned for. Neither outcome serves you well.

Emergency Response Outside Agreed Terms

If your site is hacked, goes down due to a hosting failure, or is broken by a plugin conflict at midnight on a Saturday, the response to that situation depends entirely on what your plan specifies.

Emergency response is a specific service with specific terms around response times, hours of availability, and what actions are included. A standard maintenance plan may not guarantee after-hours response. It may not include full malware cleanup as part of the flat rate. Read the terms carefully and ask directly what happens in an emergency before you are in one.

Special Considerations for Certain Organizations

Some organizations have needs that go beyond the typical scope of a maintenance plan but that are worth thinking through at the outset.

First Nations organizations managing websites for band administration, program delivery, or community services often need particular attention to content accuracy, governance transparency, and community access. A maintenance plan does not address these directly, but the provider you work with should understand that changes to program information, governance documents, or community-facing content carry weight beyond what a standard content update request implies. Clear communication protocols and defined approval processes matter here.

Trades businesses, medical practices, and other regulated sectors may have specific requirements around how contact forms handle data, how long certain records are retained, or what third-party tools are permitted on their sites. A maintenance provider should be able to work within those constraints, but the business owner is ultimately responsible for knowing what those requirements are.

How to Evaluate a Maintenance Plan Before You Sign

Ask these questions before committing to any WordPress maintenance plan:

  • What is updated, and how often?
  • Where are backups stored, and how long are they retained?
  • Are backups tested?
  • What security monitoring is included?
  • What happens if my site goes down?
  • What happens if my site is hacked?
  • What is not included?
  • Will I receive a monthly report?
  • What does a content change or development request cost outside the plan?

A provider who can answer these clearly and without hedging is a provider who understands their own service. Vague answers to these questions are a signal worth taking seriously.

Matching the Plan to the Site

Not every site needs the same level of maintenance. A simple five-page brochure site for a local trades business has different needs than an e-commerce site processing daily transactions or a membership site with active user accounts.

A reasonable provider will offer tiered options or at least have a conversation about what your site actually requires. A single flat-rate plan presented to every client regardless of site complexity is a sign that the service has not been designed with your situation in mind.

Think about your site's purpose, its traffic level, how frequently you update it, and what the cost of downtime would be to your business. Those factors should guide the level of maintenance you invest in.

For businesses that rely on their website for lead generation, bookings, or transactions, the cost of an appropriate maintenance plan is modest compared to the cost of an outage or a security incident during a busy period.

A Word on Hosting and Maintenance

Hosting and maintenance are related but separate services. Your hosting environment provides the infrastructure your site runs on. Your maintenance plan manages the software and health of the site itself.

Some providers bundle both. That can be convenient, but it also means that if you are unhappy with one, you may need to address both at the same time. It is worth understanding which parts of your setup are tied to which provider and what migration would involve if you needed to make a change.

If you are evaluating a bundled hosting and maintenance arrangement, ask how each component is priced, what happens to your site if you cancel, and whether you retain full ownership of and access to your files and database at all times.

The Bottom Line

A WordPress maintenance plan is not a catch-all service contract. It is a defined set of recurring technical tasks designed to keep your site stable, secure, and up to date. When the scope is clear on both sides, it works well. When it is not, it becomes a source of ongoing friction.

Understanding what is and is not included protects your investment and makes the relationship with your provider more productive. The best time to have this conversation is before you sign, not after something goes wrong.

If you would like to talk through what a maintenance plan might look like for your website, contact ALPHA+V3 to discuss the options that may fit your situation.
