“Website maintenance” is one of those phrases that gets used to mean almost anything. Some providers use it to describe little more than keeping a server running. Others include a comprehensive layer of security, performance, and technical care that makes a genuine difference to how well your site performs and how safe your business data is.
If you’re paying for maintenance – or considering it – this guide is designed to help you understand what a professional service should actually cover, and how to tell the difference between something substantive and something that’s mostly just a label.
I’m Ed. I run EJK Web Solutions and look after WordPress websites for small businesses across the UK. I’ll be clear about what we include and why, but the goal here is to give you a framework for evaluating any provider, not just us.
The baseline - what every maintenance plan should include
Before we get into the detail, it’s worth establishing a floor. There are things that should be present in any maintenance plan worth paying for, regardless of price point. If a provider can’t confirm these, you’re not really buying maintenance.
Plugin and theme updates, reviewed before going live. WordPress plugins are the primary attack vector for the overwhelming majority of hacks. Keeping them updated is essential – but the updates need to be checked for compatibility before they’re applied to your live site. Auto-updates that push changes overnight without review are a shortcut that occasionally breaks things badly.
Daily backups stored off site. Not weekly. Not on the same server as your site. Daily, and stored somewhere completely separate so that if your hosting environment is compromised, your backup isn’t affected too.
Uptime monitoring. If your site goes down, your provider should know about it before you do. Uptime monitoring sends an alert the moment a site becomes unreachable – without it, downtime only gets noticed when a customer mentions it.
SSL monitoring. An expired SSL certificate turns your site’s address bar from a padlock to a warning. It’s an entirely avoidable problem but it happens more often than it should to unmaintained sites.
Security scanning. Active malware scanning to catch problems before they become incidents. This is different from having a security plugin installed – it means someone is actually reviewing the results.
What separates a basic plan from a professional one
Once you’re satisfied the baseline is covered, the next question is what else is included – because this is where providers diverge significantly.
Performance monitoring. Core Web Vitals – Google’s measurements of page load speed, layout stability and interactivity – are a ranking factor. A professional maintenance service keeps an eye on these and acts when they start to deteriorate, rather than waiting for rankings to slide before investigating.
Technical SEO housekeeping. This is the layer most people don’t realise maintenance should be covering. Broken links, redirect chains, crawlability issues, duplicate pages created accidentally by plugin updates – these accumulate quietly and erode search visibility over time. Catching them early is far easier than fixing months of compounded problems.
Google Search Console monitoring. Google tells you a lot about how it sees your site – crawl errors, manual actions, coverage issues – but only if someone is actually checking. On a managed plan this should be covered as a matter of course.
Google Business Profile management. For local businesses, your GBP listing is often the first thing a potential customer sees. Keeping it accurate, responding to reviews, and ensuring it reflects your current services is maintenance in a broader sense – and it matters for local search visibility.
Reporting. A professional provider should be able to tell you what they did last month, what they found, and what they’re watching. If you’re never told what’s happening, there’s a reasonable question of whether anything is.
Security in depth - what it actually looks like
Security deserves more than a line item on a features list. For context, here’s what a properly secured WordPress site should have in place.
An application-level firewall. Not just a server firewall – a web application firewall that sits in front of WordPress itself and filters malicious requests before they reach your site. We use NinjaFirewall across all managed sites, which operates at the application level rather than as a plugin, making it significantly harder to bypass.
Vulnerability scanning. Separate from malware scanning, vulnerability scanning checks whether any installed plugins or themes have known security issues that need addressing. We run this through Jetpack Protect alongside NinjaFirewall.
Security headers. HTTP security headers tell browsers how to handle your site’s content and protect against common attack vectors like cross-site scripting and clickjacking. A properly configured set of headers will score an A+ rating on securityheaders.com. Most WordPress sites have none of these configured at all.
Two-factor authentication. Enforced on all wp-admin logins. Brute-force attacks against WordPress login pages are relentless – 2FA stops them cold even if a password is compromised.
Most budget maintenance plans cover none of this in any meaningful depth. It’s worth asking specifically what security measures are in place, not just whether “security” is listed as a feature.
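To make the security headers point concrete, here is an added example (not code from EJK Web Solutions or from securityheaders.com) that audits a set of response headers for the ones that address cross-site scripting and clickjacking. The header samples are constructed, and the 180-day HSTS threshold and the finding messages are assumptions of this sketch, not securityheaders.com's grading rules.

```python
import re

MIN_HSTS_SECONDS = 15552000  # 180 days; threshold assumed for this example

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}, lower-cased for comparison."""
    policy = {}
    for part in value.split(";"):
        tokens = part.lower().split()
        if tokens:
            policy.setdefault(tokens[0], tokens[1:])  # first duplicate wins
    return policy

def audit_security_headers(headers):
    """Return {header: problem} for missing or weak security headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = {}
    hsts = h.get("strict-transport-security")
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts or "", re.I)
    if hsts is None:
        findings["strict-transport-security"] = "missing"
    elif not m or int(m.group(1)) < MIN_HSTS_SECONDS:
        findings["strict-transport-security"] = "max-age too short"
    csp = parse_csp(h.get("content-security-policy", ""))
    scripts = csp.get("script-src", csp.get("default-src"))
    if not csp:
        findings["content-security-policy"] = "missing"
    elif scripts is None or ("'unsafe-inline'" in scripts and not any(
            s.startswith(("'nonce-", "'sha")) for s in scripts)):
        findings["content-security-policy"] = "inline scripts not restricted"
    # Clickjacking: CSP frame-ancestors or X-Frame-Options must restrict framing.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings["x-frame-options"] = "framing not restricted"
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings["x-content-type-options"] = "missing or not 'nosniff'"
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings[name] = "missing"
    return findings

# Constructed sample responses, not captured from any real site.
UNCONFIGURED = {"Content-Type": "text/html; charset=UTF-8"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=()",
}
WEAK = {**HARDENED, "Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}
```

`audit_security_headers(UNCONFIGURED)` reports all six headers, while `WEAK` shows that headers being present is not enough: the short HSTS lifetime, the inline-script allowance and the missing framing restriction are each still flagged.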
Hosting - why it matters who's running it
Not all maintenance plans include hosting, and not all hosting is equal. If hosting is bundled into your maintenance package, it’s worth understanding what you’re actually getting.
Server location matters for GDPR. UK-based hosting means your data is processed and stored under UK law. This matters for compliance and for the peace of mind of your customers.
Performance matters for rankings. Server response time is a component of Core Web Vitals. Cheap shared hosting on overcrowded servers will undermine the performance work happening at the application level.
Uptime guarantees matter for reliability. 99.9% uptime sounds good until you work out that it allows for around 8 hours of downtime per year. 99.99% allows for less than an hour. The difference is meaningful for a business-critical site.
We host all managed sites on Fasthosts Pro – UK-based, 99.99% uptime, 100% renewable energy. It’s not the cheapest option and it’s not meant to be.
- UK-based servers
- 99.99% uptime
- 100% renewable energy
- every 24 hours
- Encrypted in transit
- Encrypted transfer
- Swiss data protection law
What good maintenance looks like month to month
It’s easy to describe a list of features. It’s worth also being concrete about what this actually looks like in practice.
Every site I manage is monitored through a MainWP dashboard that gives me live visibility across all clients simultaneously. When a vulnerability is disclosed publicly – and in 2025 there were over 11,000 new vulnerabilities in the WordPress ecosystem according to Patchstack – I can see immediately which sites are affected and act accordingly. I don’t wait for a client to notice something’s wrong.
Updates go through a review process before they’re applied. For major version updates I test on a staging environment first. Minor updates get a compatibility check and a post-update review. If something breaks, fixing it is my responsibility – it doesn’t come back to the client as an extra charge.
Every month, Growth and Professional plan clients get a report covering what was updated, what was found, and what’s being monitored. It’s not a long document – it’s a clear summary that keeps you informed without requiring you to understand the technical detail.
The standard you should hold any provider to
If you take one thing from this guide, let it be this: maintenance is not a passive service. It requires someone who is actively watching your site, not just running automated processes and billing you monthly.
The questions to ask any provider are straightforward – what exactly is included, are updates manual or automated, where are backups stored, what are the response times, and who specifically will be looking after your site. A provider who can answer all of these clearly and in writing is one worth considering. One who can’t usually has a reason for that.
If you want a structured checklist for evaluating providers, the choosing a maintenance provider guide has eight specific questions to ask before signing anything.
Every site we maintain is manually monitored via our MainWP dashboard - no automated updates that break things overnight. Just careful, hands-on care that keeps your site secure, fast and working properly.
- UK SSD hosting (Fasthosts Pro)
- Manually reviewed plugin & theme updates
- Daily backups
- Malware scanning
- SSL & uptime monitoring
- Image optimisation
- Minor content changes included
- Next business day response
- Active PageSpeed & Core Web Vitals fixes
- Technical issue scanning
- Google Search Console monitoring
- Google Business Profile management
- Monthly performance report
- Quarterly check-in call
- Priority same-day response
- Already on an SEO package? Ask us about bundling
- Advanced malware protection & clean-up
- 4-hour emergency response
- Monthly strategy call
- SEO monitoring
- Enhanced GBP optimisation
- Monthly analytics review
10% Off Annual Payment
Pay annually and save 10% on any maintenance package.
10% Off Your Website Build
Taking out a 12 month maintenance package at the same time as your new website? We'll take 10% off your website build cost too.
All plans include UK-based hosting on Fasthosts Pro - 99.99% uptime, 100% renewable energy, daily site backups with encrypted storage.
EJK Web Solutions provides WordPress website maintenance, design and SEO services to small businesses across the UK.
Sources:
- Patchstack State of WordPress Security 2026 – patchstack.com
- securityheaders.com – for HTTP security header grading