Shopping for a WordPress care plan feels a lot like buying insurance. You’re comparing things you hope you never need, using terms you’re not sure mean what you think they mean, from companies whose prices range from $15 a month to $300 a month with no obvious explanation for the difference.
I’m going to try to fix that. This is a plain-English breakdown of what a WordPress care plan is, what it should include, what most discount plans skip, and what we actually do for the businesses on ours.
Why “WordPress maintenance” is such a vague term
Ask five WordPress agencies what maintenance means and you’ll get five different answers. Some mean “we update plugins once a month.” Others mean “we have a dashboard that shows your site is up.” Others mean a full-time person watching your site, testing updates before applying them, and calling you when something looks wrong.
All of them are sold under the same label. This makes comparison shopping genuinely difficult. The $15 plan and the $150 plan can both claim to include “updates and monitoring” while covering completely different things.
The way to cut through it: ask exactly what happens when something goes wrong. That’s where most cheap plans reveal themselves.
What should a WordPress care plan include? The non-negotiables
These are the minimum. A plan that doesn’t cover all of these is not a maintenance plan. It’s a dashboard subscription.
Daily backups with off-server storage
Backups stored on the same server as your site are not backups. If the server is compromised, the backups go with it. Backups need to be stored separately, on Amazon S3, Google Drive, or a similar off-server location, and they need to be recent enough to matter. Daily is the minimum for most business sites. Weekly is not acceptable.
Equally important: backups should be tested periodically to confirm they actually restore. A backup file that can’t be restored isn’t a safety net.
Plugin, theme, and core updates
This is the most important maintenance task and the one most often done badly. WordPress core, themes, and plugins should be updated regularly, not “when we get to it.” Outdated plugins are the leading cause of hacked WordPress sites. The vulnerability exists; attackers scan for it.
What separates good maintenance from checkbox maintenance here is testing. Major version updates (going from WooCommerce 8 to WooCommerce 9, for example) can break things. A good care plan applies major updates in a staging environment first and tests the site before pushing to production.
Uptime monitoring
Your site should be monitored for downtime every few minutes. When it goes down, someone should know immediately, not when you happen to check it or when a client calls you. Uptime monitoring with alerting is a basic requirement. Tools like Uptime Robot or Better Uptime ping your site every 5 minutes and send an alert the moment it stops responding.
Security scanning
Malware doesn’t always take a site down visibly. Often it runs quietly, redirecting specific visitors, harvesting form data, or using your server to send spam, while the site looks normal to you. Daily malware scanning catches infections in hours rather than weeks. Without scanning, you may not know your site is infected until Google flags it.
What most cheap WordPress maintenance plans don’t include
Here’s where the $15-per-month plans typically cut corners:
Testing updates before applying them
Applying every update automatically without testing is faster and cheaper to operate. It’s also how sites break. If a plugin update conflicts with your theme and nobody tests it, visitors see a broken page. Most discount plans apply updates automatically and reactively fix breakage, which means your site may be broken for hours or days before anyone notices.
Malware removal when something goes wrong
Many basic plans include malware scanning but charge extra (often significantly) for actual cleanup if something is found. Check whether malware removal is included or quoted separately. A plan that alerts you to malware but bills you to remove it has a different value proposition than one that handles it as part of the service.
A real person to contact
This one matters more than most people expect until something goes wrong. When your site is down at 8am before a big presentation, you want to call or text someone who knows your site. Not submit a ticket to a support queue for a service handling 10,000 clients.
Small agency care plans usually include direct access to the people maintaining your site. Big discount plans usually don’t.
What Team 218’s care plan actually includes
I’ll be direct here. Our WordPress care plan is $60/month and covers:
- Daily off-server backups
- Weekly plugin, theme, and WordPress core updates (major updates tested in staging)
- Daily malware scanning with cleanup included if anything is found
- Uptime monitoring with immediate alerts
- Content changes (small text and image updates, no extra charge)
- Direct access to Kim or Chuck: phone or text
We don’t charge extra for malware removal on care plan clients. If your site is hacked while it’s on our watch, we fix it. That’s what “care” means.
The 12-months-free-with-every-build model
Every site we build comes with 12 months of care at no additional cost. We do this because the maintenance period is when most of the learning about a site happens: what it needs, how it performs, what the client calls about. It’s also when sites are most vulnerable: brand new, not yet indexed, plugins not yet settled in.
After 12 months, care continues at $60/month. That’s our only plan. We don’t have a tiered structure because we don’t think the things in the tier above yours should be optional.
Questions to ask any WordPress care provider before signing up
Before committing to any plan, ask these directly:
- Where are backups stored: on the same server as my site, or off-server?
- How often are backups taken?
- Do you test major plugin updates before applying them?
- Is malware removal included, or is it an additional cost?
- Who do I contact when something is wrong: a ticket system or a direct person?
- What’s the SLA for responding to a site-down situation?
The answers tell you what you’re actually buying.
Frequently asked questions
Do I need a care plan if my site doesn’t change often?
Yes. Maintenance need isn’t driven by how often your content changes. It’s driven by how often WordPress, your plugins, and the threat landscape change. A static site with outdated plugins is just as vulnerable as a frequently updated one. The risk doesn’t pause because you’re not posting.
What happens if I cancel a care plan?
Nothing immediate. Your site keeps running. But without ongoing updates and monitoring, it will gradually accumulate security risk and performance debt. Most clients who cancel and then come back do so after something breaks. We’re happy to restart a plan at any time.
Can I do WordPress maintenance myself?
Some of it. Plugin updates, basic backups via your hosting dashboard, and uptime monitoring via free tools are all manageable for a non-developer. The parts that require judgment, knowing which major updates to test first, recognizing when a plugin conflict caused a breakage, or reading a malware scan report, are where most non-developers get stuck.
Is your care plan right for sites you didn’t build?
We take on care plan clients for sites we didn’t build, but we always do a site audit first. We need to understand what’s there before we commit to maintaining it. Some sites have technical debt that would make ongoing maintenance difficult to price at our standard rate.
If you’re thinking about a new site altogether, or your current site has accumulated enough problems that maintenance alone won’t solve them, take a look at our WordPress services for Iowa businesses.
More from this series
When your site feels broken
Why is my WordPress site slow? A plain-English guide for business owners
Security emergency
Your WordPress site got hacked. Here's exactly what to do.
Understand your options
WordPress care plans explained: what's actually included (and what isn't)
The pattern Coming Soon
Why most WordPress sites fail within 3 years (and what the ones that don't have in common)







