What Is Included in a Website Maintenance Package
What Is Included in a Website Maintenance Package
Most businesses buying a website maintenance package have a vague sense that it covers “updates and backups.” The reality is more detailed, and the details matter. What’s included determines how much protection you actually get.
This guide breaks down every service that belongs in a complete maintenance package, what good execution looks like for each one, and how to spot plans that cut corners.
Plugin and Theme Updates
Plugin and theme updates are the most frequent maintenance task and the most important security measure for most CMS-based sites. WordPress alone processes thousands of plugin vulnerability patches per year. Staying current is the primary defense.
Good execution: updates are run on a staging copy of your site first. The provider verifies that the site loads correctly, key pages render, and critical functions (contact forms, checkout, login) work before pushing changes to your live site. Update results are logged and included in your monthly report.
Cut-corner execution: updates are applied directly to the live site with no testing. Sometimes an automated tool runs them overnight with no human review.
Core CMS Updates
WordPress, Drupal, Joomla, and other CMS platforms release regular updates. WordPress releases minor security patches frequently and major versions two to three times per year. Each requires a different approach.
Minor security releases can often be auto-applied safely. Major version updates require testing because they sometimes introduce breaking changes with specific themes or plugins. A maintenance provider should test major core updates on staging and verify compatibility before the live push.
PHP version management also falls here. As PHP versions reach end-of-life, hosting providers phase them out. Running outdated PHP means running unsupported, vulnerable software. Your provider should proactively test and manage PHP version transitions before they become forced upgrades.
Daily Backups
Backups are your recovery plan. For an active site, daily backups are the minimum. A weekly backup schedule leaves you exposed to losing up to six days of content, orders, or form submissions if something goes wrong on day seven.
A complete backup covers both your database (posts, pages, settings, orders, customer data) and your files (theme files, plugin files, uploads directory). Both halves are needed to fully restore a site. Plans that back up only the database or only the files are only half protected.
Off-site storage is non-negotiable. Backups stored on the same server as your site don’t protect you if the server itself fails or gets compromised. Reputable providers store backups on Amazon S3, Google Cloud, Dropbox, or another independent location. Retention of 30 days or more gives you a realistic window to discover and recover from a problem that wasn’t caught immediately.
Security Scanning
Security scans check your site’s files and database against known malware signatures, verify that WordPress core files haven’t been tampered with, look for unauthorized admin accounts, and check for known-vulnerable software versions.
Most plans run security scans weekly. Premium plans run them daily. Tools like Wordfence, Sucuri, MalCare, and iThemes Security cover these checks well.
Critical distinction: confirm whether malware removal is included if something is detected. Many entry-level plans include scanning but not remediation. Finding the problem and not fixing it isn’t protection. Get explicit confirmation that removal is covered before you sign a plan.
Uptime Monitoring
Uptime monitoring pings your site from external servers every one to five minutes. If the site returns an error code or goes offline, you and your provider receive immediate notification. Without monitoring, you could have a site that’s been down for hours before anyone notices.
Basic plans include monitoring with email alerts. Premium plans include response protocols: when the alert fires, the provider investigates the cause and works to resolve it, not just forwards you an email.
Check whether the monitoring covers just your homepage or multiple pages including key transactional pages (checkout, contact form, booking). A homepage that loads while checkout is broken is a problem that basic monitoring might miss.
Database Optimization
WordPress databases accumulate overhead over time. Post revisions pile up (WordPress saves a revision every time you save a draft), spam comments queue, expired transient data accumulates, and unused metadata builds up from deleted plugins.
Monthly database optimization removes this overhead: clearing post revisions beyond a sensible limit (typically 3 to 5 per post), purging spam and trash, removing orphaned metadata, and clearing expired transients. The result is smaller, faster database queries.
For high-volume ecommerce sites, database optimization frequency should increase to weekly because order and customer data accumulate faster.
Spam Cleanup
Comment spam and form spam are ongoing realities for any active site. Comment spam that isn’t cleared bloats your database and creates a low-quality content footprint. Spam form submissions fill inboxes and make it harder to identify real inquiries.
Maintenance plans should include regular spam comment cleanup, spam filter configuration, and protection measures for contact forms (CAPTCHA, honeypot fields). This is a minor task individually but compounds into real overhead if ignored for months.
Speed and Performance Checks
Site speed isn’t a one-time optimization. Plugin updates can introduce performance regressions. New image uploads that aren’t optimized slow page loads. Cache configurations that worked at launch sometimes need adjustment as the site grows.
Premium maintenance plans include periodic performance reviews: checking Core Web Vitals scores, reviewing page load times, verifying caching is working correctly, and identifying new bottlenecks introduced by recent changes. This is separate from a full site speed optimization project but catches degradation before it compounds.
Content Edits and Support Hours
Support hours are included in most plans above the basic tier. Standard plans include one to two hours per month. Premium plans include four to eight hours. These hours cover small but necessary tasks: updating phone numbers, fixing broken links, adjusting page content, replacing outdated images, tweaking form logic.
Get clear on what counts toward a support hour. Updating a line of text takes five minutes. Adding a new page section takes an hour or more. Some providers count all tasks in 15-minute increments; others use a minimum billing unit of 30 minutes. These distinctions matter when your monthly allowance is small.
Monthly Activity Reports
A monthly report should tell you exactly what was done during the period: which plugins were updated, when backups ran and verified successfully, security scan results, uptime percentage, and support hours used. This documentation serves two purposes: it holds your provider accountable, and it gives you a record if something goes wrong and you need to trace back what changed.
If a provider can’t or won’t provide documented monthly reporting, walk away. The absence of reporting is often a signal that the work isn’t actually being done.
SSL Certificate Management
SSL certificates expire. When they do, browsers display security warnings that scare visitors away and hurt your search visibility. Certificate management means monitoring expiry dates and renewing before the warning triggers.
Most managed hosting platforms handle this automatically. On standard shared hosting, it sometimes requires manual renewal. Maintenance plans should include SSL monitoring and renewal as a baseline service.
Full Checklist: What a Complete Maintenance Package Includes
- Weekly plugin updates tested on staging, verified on live
- Weekly theme updates with compatibility check
- WordPress core updates tested on staging for major versions
- PHP version monitoring and transition management
- Daily database and file backups stored off-site, 30-day retention
- Weekly malware and security scans
- Malware removal included if detected
- Uptime monitoring every 1-5 minutes with alerts
- Monthly database optimization
- Spam comment and form cleanup
- SSL certificate monitoring and renewal
- Support hours for content changes and bug fixes
- Monthly activity report with all tasks documented
Redefine Web Website Maintenance Packages
Redefine Web’s maintenance plans cover every service on the list above at appropriate tier levels. Every plan includes monthly reporting so you can see exactly what was done. Support hours are included at every level, and malware remediation is part of our coverage, not an add-on.
For a full breakdown of what’s included at each tier, visit our website maintenance packages page.
Book your free 30-minute strategy call.
No spam, no sales rep. We use your email to schedule your call with a senior strategist. That is it.