
The hidden risks of cheap WordPress maintenance plans

by Billy Patel

I get the same email every few months. A site has been hacked, defaced, locked out or quietly siphoning data and the owner is trying to work out how. They had a maintenance plan. Updates were running. They were paying a monthly fee. They thought they were covered.

When I look at the plan, I see the same shape every time. A few pounds a month, automated updates, a backup somewhere. No human looking at anything until the day something breaks. The plan was technically running. The work was not happening.

This piece is about the incentives that produce cheap maintenance plans, and why what they save you in pounds they cost you in risk. It is opinionated, because the market does not need another neutral take.

Why cheap plans exist

WordPress maintenance is a volume game at the bottom of the market. Sell the same low monthly fee to enough sites, automate everything, hire one or two people to handle the inevitable support tickets, profit on the spread between the fee and the cost to serve.

This works as a business model. It does not work as a maintenance service. The maths only adds up if the per-site time per month is measured in minutes. The work that prevents incidents is measured in hours.

So the cheap plans skip the slow parts. They run automated updates and call it maintenance. They take backups and never test them. They install a security plugin and never review the alerts. They generate a monthly report from a dashboard and email it to you. The brand promise is maintenance. The work is mostly automation that you could install yourself in an afternoon.

The work that gets skipped

When a real human reviews a site each month, the work has shape. Updates get sequenced, tested in staging where possible and rolled back if something breaks. Vulnerability disclosures are read by a person rather than scraped from a feed. Plugin choices get audited periodically because some plugins become risky over time without anyone noticing. Backups get restored to verify they actually work. Incident response procedures get rehearsed.

None of this is glamorous. All of it is what separates a site that survives a bad week from a site that becomes the bad week.

Updates without review

Automated updates are good. Automated updates without review are a coin flip on stability. Plugin updates regularly introduce bugs. Sometimes the bug breaks a checkout. Sometimes it breaks an admin screen. Sometimes it changes a database schema in a way that conflicts with another plugin.

A maintenance plan that runs updates at 3am and emails you a green tick has not done maintenance. It has done a coin flip and not told you the result. Real review means a person looking at the changelog, knowing the site, knowing what to test and rolling back if something feels off.

The April 2026 EssentialPlugin supply chain attack is a useful reference. A backdoor sat dormant in over thirty plugins after a quiet acquisition, then activated and began injecting malicious code on sites that had auto-updated to the compromised version. The sites that updated without review were the casualties. The sites with a staging window and a human pair of eyes had a chance to catch it before it reached production.

Incident response that does not exist

Cheap plans usually have no incident response. They have a support email and an SLA on first response. They do not have someone who has rehearsed taking a compromised WordPress site offline, identifying the entry point, restoring from a known good backup, rotating credentials, scanning for residual malware and re-deploying with the vulnerability closed.

When the day comes, this is the work that matters. It is also the work that costs the most because it cannot be automated and the people who do it well are senior. A maintenance plan that does not include incident response is a maintenance plan with the most expensive feature priced out.

For the signals that should trigger that call, see when to call an emergency WordPress developer. Most plans bury that decision until the site is already down.

Restoration drills nobody runs

A backup that has never been restored is not a backup. It is a hopeful file sitting in a bucket. The number of plans that take daily backups and never test them is uncomfortable.

Restoration is where you discover that the backup is corrupt, that it is missing the uploads directory, that the database dump was incomplete, that the host has changed the PHP version and the old code will not boot, or that the credentials in the backup are no longer valid. You want to learn all of that on a Tuesday in a staging environment, not on a Sunday with a live incident.

A maintenance plan that runs a quarterly restore drill is doing the boring expensive work. Most cheap plans do not.
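The pre-check a restore drill starts with, as an added example rather than anything from the original post: it opens a WordPress backup archive and looks for the failures the paragraph above lists (missing uploads directory, truncated database dump, no dump at all). It assumes a .tar.gz laid out with wp-config.php and wp-content/uploads/ at the root plus a mysqldump file ending in .sql; the two archives it builds are constructed here so it runs offline.

```python
import io
import os
import tarfile
import tempfile

REQUIRED_PATHS = ("wp-config.php", "wp-content/uploads/")  # assumed layout


def _add_file(tar, name, data: bytes):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_backup(path, complete=True):
    """Write a constructed backup; complete=False drops uploads and truncates the dump."""
    with tarfile.open(path, "w:gz") as tar:
        _add_file(tar, "wp-config.php", b"<?php define('DB_NAME', 'wp');\n")
        if complete:
            _add_file(tar, "wp-content/uploads/2024/01/hero.jpg", b"\xff\xd8\xff")
        dump = b"-- MySQL dump\nCREATE TABLE `wp_options` (`option_id` bigint);\n"
        if complete:
            dump += b"-- Dump completed on 2024-01-02  3:00:01\n"  # mysqldump footer
        _add_file(tar, "db.sql", dump)


def check_backup(path):
    """Return a list of findings; an empty list means the archive passed the pre-check."""
    findings = []
    with tarfile.open(path, "r:gz") as tar:
        names = tar.getnames()
        for required in REQUIRED_PATHS:
            if not any(n == required or n.startswith(required) for n in names):
                findings.append(f"missing {required}")
        dumps = [n for n in names if n.endswith(".sql")]
        if not dumps:
            findings.append("no database dump in archive")
        for name in dumps:
            data = tar.extractfile(name).read()
            # mysqldump appends this footer; if it is absent the dump was cut short
            if b"-- Dump completed" not in data:
                findings.append(f"{name}: dump footer missing, dump likely incomplete")
            if b"wp_options" not in data:
                findings.append(f"{name}: wp_options table not in dump")
    return findings


def run_drill():
    """Build a good and a broken archive in a temp dir and pre-check both."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.tar.gz"), os.path.join(d, "bad.tar.gz")
        build_sample_backup(good, complete=True)
        build_sample_backup(bad, complete=False)
        return check_backup(good), check_backup(bad)
```

This only proves the archive is worth restoring; the drill itself still has to boot the site from it in staging.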

Security feeds without subscription

There are good security feeds for WordPress. Patchstack publishes the state of WordPress security each year. WPScan and Wordfence both maintain vulnerability databases. A maintenance partner who reads these every week knows when a plugin you run has just had a vulnerability disclosed against it, days before automated scanners would catch it.

The baseline work behind those reads lives in the WordPress security hardening checklist: configuration steps, file permissions and credential hygiene that most cheap plans never touch.

Cheap plans rely on the scanner. The scanner picks up the vulnerability after it is widely known and indexed. By then it has been exploited at scale. The window between disclosure and indexing is the window where the human-reviewed plan adds value.

Plugin audits that never happen

Every WordPress site I have looked after has plugins that were a fine choice three years ago and a bad choice now. The plugin author stopped responding. The plugin changed hands. The plugin was abandoned but still works, so nobody touched it. The plugin started bundling features it should not.

A periodic plugin audit asks the question that automation cannot: should this plugin still be here? The answer is sometimes no, replace it with a maintained alternative, or no, write the functionality directly. Cheap plans never do this. The plugin list grows over time and the risk surface grows with it.
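A first pass of the audit above, as an added example that is not code from the original post: it reads the JSON that `wp plugin list --format=json` emits and flags the plugins a human needs to decide about. The plugin list and the directory metadata (last release date, tested-up-to version) are constructed inline; in a real audit the metadata would come from the wordpress.org plugin API, and the 18-month staleness threshold is an assumption.

```python
import json
from datetime import date

# Constructed sample in the shape WP-CLI's `wp plugin list --format=json` produces.
WP_PLUGIN_LIST = json.dumps([
    {"name": "woocommerce", "status": "active", "update": "none", "version": "8.5.2"},
    {"name": "old-slider", "status": "active", "update": "none", "version": "1.2.0"},
    {"name": "contact-form-7", "status": "inactive", "update": "available", "version": "5.8"},
    {"name": "custom-tweaks", "status": "active", "update": "none", "version": "0.1"},
])

# Constructed directory metadata keyed by slug; None means not listed (custom or pulled).
DIRECTORY = {
    "woocommerce": {"last_updated": "2024-01-10", "tested": "6.4"},
    "old-slider": {"last_updated": "2020-06-01", "tested": "5.4"},
    "contact-form-7": {"last_updated": "2023-12-01", "tested": "6.4"},
    "custom-tweaks": None,
}

STALE_DAYS = 540  # assumed threshold: about 18 months without a release


def audit_plugins(plugin_list_json, directory, today_iso, current_wp="6.4"):
    """Return {slug: [reasons]} for every plugin that needs a human decision."""
    today = date.fromisoformat(today_iso)
    flagged = {}
    for p in json.loads(plugin_list_json):
        reasons = []
        meta = directory.get(p["name"])
        if meta is None:
            reasons.append("not in the wordpress.org directory: no disclosures to track")
        else:
            age = (today - date.fromisoformat(meta["last_updated"])).days
            if age > STALE_DAYS:
                reasons.append(f"no release for {age} days")
            if meta["tested"] != current_wp:
                reasons.append(f"only tested up to WP {meta['tested']}")
        if p["status"] == "inactive":
            reasons.append("inactive but still installed: remove it or justify it")
        if p["update"] == "available":
            reasons.append("update pending")
        if reasons:
            flagged[p["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for slug, reasons in audit_plugins(WP_PLUGIN_LIST, DIRECTORY, "2024-03-01").items():
        print(slug, "->", "; ".join(reasons))
```

The flags are prompts, not verdicts; the value of the audit is the note a person writes next to each one explaining why it stays or goes.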

What you save and what you pay

A cheap plan saves you tens of pounds a month. The bill arrives when the site goes down, gets defaced, leaks data or gets used to send phishing in your name. The cost of a serious incident is rarely under four figures by the time you have paid for emergency response, downtime, customer trust and the regulatory questions that follow if personal data was involved.

The maths is not complicated. A maintenance plan priced like a magazine subscription is a magazine. A maintenance plan priced like a junior developer day per quarter, plus a small monthly retainer, is closer to actual maintenance.

I am not saying everyone needs the senior end of the market. I am saying the cheapest end of the market is usually false economy for any site that earns money or carries brand weight.

What to look for instead

A plan worth paying for tells you who reviews your updates and when. It includes incident response in writing, with a response time you can hold them to. It runs restoration drills and shows you the results. It maintains a current plugin inventory with notes on why each one is there. It subscribes to security feeds rather than scanners alone. And it gives you a named contact, not a ticket queue.

If the plan brochure does not mention any of this, ask. If the answer is vague, you have your answer about the work.

For a fuller breakdown of what your monthly fee should be buying, see what you are actually paying for when you buy WordPress maintenance. For the hardening side of the picture, see the WordPress security hardening checklist. For how I structure ongoing work, see WordPress support and maintenance.

Frequently asked questions

What does a cheap WordPress maintenance plan typically skip?

Human review of updates, plugin audits, restoration drills, incident response and active security feed monitoring. The work that prevents incidents is also the work that cannot be automated, so it is the first thing dropped to make low monthly fees viable.

Are automated WordPress updates safe to leave running?

On a low-stakes brochure site, mostly fine. On any site that earns money or carries brand weight, no. Plugin updates regularly introduce bugs and supply chain attacks like the April 2026 EssentialPlugin incident show how dangerous unreviewed auto-updates can be. A staging window with a human reviewing the changelog catches most of the risk.

What is the difference between a backup and a tested backup?

A backup is a file. A tested backup is a file you have actually restored to a working environment. Until you have done that, you do not know whether the backup is complete, current or even usable. Restoration drills are the difference between a plan that protects you and a plan that hopes for the best.

How can I tell if my maintenance plan is doing real work?

Ask who reviews your updates and when, ask for the most recent plugin audit notes, ask for the last restoration drill result and ask what the incident response procedure is in writing. If the answers are vague or the documents do not exist, the plan is mostly automation with a monthly invoice attached.

Is your current WordPress maintenance plan doing real work?

If you want a senior developer to audit what you are actually getting for your monthly fee, get in touch.
