WordPress care plans - your site properly looked after
In 2024, 7,966 new WordPress vulnerabilities were discovered - 22 every day. The average cost of recovering a hacked site is £2,000 and takes nearly eight days. A care plan is not a luxury; it is the difference between your site working reliably and the call you never want to make. I handle the maintenance so you do not have to think about it.
What's included
- Daily offsite backups
- WordPress core & plugin updates
- Security monitoring & malware scanning
- Uptime monitoring with instant alerts
- Managed VPS hosting
- Monthly plain-English report
- Domain renewal management
Why this is different
What a WordPress care plan actually covers
The phrase "care plan" is used loosely by a lot of providers. Some mean little more than automatic hosting backups and the occasional plugin update email. What I offer is active maintenance - the kind of work that requires a person to check compatibility, test updates before they go live, review security scan results, and make decisions rather than just run a cron job.
Most WordPress sites run between 20 and 30 plugins. With 7,966 new vulnerabilities discovered across the WordPress plugin ecosystem in 2024 - a 34% increase on the year before - the chance of at least one of your installed plugins developing a critical security issue over a 12-month period is not theoretical. It is near-certain. The question is whether those patches get applied promptly, correctly, and without breaking something else on your site.
Care plan tiers
Essential
For established business sites that need reliable, proactive maintenance without complexity.
- Managed VPS hosting with SSL
- Daily encrypted offsite backups
- WordPress core, plugin & theme updates
- Malware & security scanning
- Uptime monitoring with email/SMS alerts
- Domain renewal management
- Monthly maintenance report
No contract - cancel any time
Professional
For active sites that need staging-tested updates and routine content maintenance.
- Everything in Essential
- Staging environment - updates tested before going live
- Pre-update snapshots with instant rollback
- Monthly database optimisation
- 30 minutes of content changes per month
- Monthly Lighthouse performance check
- Google Search Console monitoring
No contract - cancel any time
Growth
For WooCommerce stores, booking-enabled sites, or businesses that need development hours on tap.
- Everything in Professional
- 2 hours development time per month
- WooCommerce order & product support
- Priority same-day response on weekdays
- Security hardening review every 6 months
- CDN configuration & management
No contract - cancel any time
The real cost of not maintaining a WordPress site
The objection I hear most often is: "I'll just do the updates myself." This works fine - until a plugin update conflicts with another plugin, or a major WooCommerce version breaks the checkout process, or a security patch for a plugin you have never heard of turns out to be critical. The issue is not applying the update; it is knowing what to do when something breaks afterwards. Most business owners do not have that knowledge, and the update that looked harmless at 9am on a Tuesday can mean a non-functional contact form or a broken product page by lunchtime.
The second objection is cost: "It seems expensive for what it is." This framing disappears after one incident. Wordfence data puts the average WordPress hack recovery at around £2,000 - and that figure assumes you detect the breach quickly. The average time from infection to discovery is considerably longer than most business owners expect. During that period, your site may be redirecting visitors to other sites, running spam email campaigns using your server resources, serving malicious code to anyone who visits, or all three simultaneously. Then there is the Google Safe Browsing flag, which triggers browser-level security warnings and - in 45% of cases - a drop in organic traffic that the site never fully recovers from.
Against that, £45 a month looks like reasonable insurance.
What maintenance actually involves - specifically
Updates are not click-and-forget
The average WordPress site runs 20 to 30 plugins. In 2024, 96% of WordPress vulnerabilities were in plugins - not the core platform. When a security patch drops for a plugin you have installed, applying it is the right thing to do, but applying it and then walking away is a risk. A new plugin version can conflict with another plugin, break a custom function written into your theme, or interact badly with a particular PHP version. On the Professional plan, updates are applied to a staging copy of your site first. I verify the site works as expected before pushing anything to the live environment. On the Essential plan, a full backup is taken immediately before every update run, giving an instant rollback if anything goes wrong.
Database optimisation is not optional for older sites
WordPress stores a revision in the database every time you save a post or page. On a site that has been running for two or three years with regular content updates, this can accumulate to tens of thousands of redundant database entries. Add expired transient data (temporary records left behind by plugins that often never get cleared), deleted posts still sitting in the trash, and spam comments in the comment queue, and the database bloat becomes meaningful. In a documented example, removing 13,779 revisions from one site reduced the database from 297MB to 65MB - a direct improvement in server-side query speed and a measurable impact on Time to First Byte, which feeds into Core Web Vitals and Google rankings. This is included in the Professional plan as a monthly task.
Security monitoring is active, not passive
A malware scanner that runs once a week and emails a green tick is not security monitoring. Real monitoring involves file integrity checking - watching for unexpected changes to core WordPress files that indicate unauthorised code injection - alongside login protection (rate limiting and brute-force blocking), SSL certificate validity tracking, and cross-checking your domain against Google Safe Browsing and major email spam blacklists. A site that appears to load normally can still be serving malicious code to visitors while the file integrity monitor has flagged a change that nobody has looked at. Monitoring is only useful if someone acts on what it finds.
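The file integrity check described above can be sketched as follows. This is an added example, not the tooling used for these care plans: the function names, the severity rule and the sample site tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin/", "wp-includes/")  # WordPress core directories


def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as handle:
                digests[rel] = hashlib.sha256(handle.read()).hexdigest()
    return digests


def compare(baseline, current):
    """List (severity, kind, path). Core changes and PHP in uploads are high."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        php_upload = path.startswith("wp-content/uploads/") and path.endswith(".php")
        risky = path.startswith(CORE_DIRS) or (php_upload and kind != "removed")
        findings.append(("high" if risky else "review", kind, path))
    return findings


def put(root, rel, body):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as handle:
        handle.write(body)


def demo():
    """Constructed sample tree: take a baseline, then simulate three changes."""
    with tempfile.TemporaryDirectory() as root:
        put(root, "wp-includes/version.php", "<?php // constructed sample")
        put(root, "wp-content/uploads/2024/logo.png", "constructed image bytes")
        put(root, "wp-content/plugins/forms/forms.php", "<?php // constructed")
        baseline = snapshot(root)
        put(root, "wp-includes/version.php", "<?php // constructed, altered")
        put(root, "wp-content/uploads/2024/img.php", "<?php // constructed")
        os.remove(os.path.join(root, "wp-content/plugins/forms/forms.php"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The baseline is only trustworthy if it is taken from a known-clean state and refreshed after each legitimate update run; otherwise every update shows up as a finding.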
Uptime monitoring catches server failures - not application failures
A 99.9% uptime guarantee sounds reassuring. That figure translates to roughly 44 minutes of downtime per month or 8.7 hours per year. Uptime monitoring checks whether your site responds at all - but a site that loads its homepage while serving a broken contact form, a non-functional WooCommerce checkout, or a blank page on the portfolio section is technically "up" and will pass an uptime check. Both layers need attention: the hosting infrastructure and the WordPress application running on it.
Is managed hosting the same thing as a care plan?
No - and conflating the two is a common source of confusion. Managed hosting services like WP Engine, Kinsta, or Cloudways manage the server infrastructure: the hardware, network, caching layers, and in some cases automatic WordPress core updates applied at the server level. They do this well and it is a reasonable choice for the hosting layer.
What managed hosting does not cover is the WordPress application layer. It does not test whether your 27 plugins all still work together after an update. It does not clean your database. It does not run security scans specific to your site's configuration. It does not check whether your contact form is functioning, whether your WooCommerce checkout is processing correctly, or whether the booking plugin you rely on for appointments has a newly disclosed critical vulnerability that needs patching this week. And when something does break, the support team you reach is dealing with thousands of customers - not one developer who knows your site personally.
WP Engine's entry plan costs around £20-25 per month and handles the server layer. A care plan at £45 per month handles both layers. For most small business sites, that comparison is straightforward.
WordPress, UK GDPR, and what a breach actually costs
Most UK business owners are aware of GDPR in general terms but less aware of the specific obligations that apply when a website is hacked. If a WordPress site stores personal data - contact form submissions, customer names and email addresses, order histories, booking records - and that data is exposed in a breach, UK GDPR requires notification to the ICO within 72 hours of becoming aware of the breach. Not 72 hours from when you eventually get around to calling your developer - 72 hours from discovery.
The ICO actively enforces this. In 2025, DPP Law received a £60,000 fine partly for failing to notify the ICO within the required window. Central YMCA was fined £7,500 for a comparatively minor breach. The maximum fine is £8.7 million or 2% of global turnover. For a small business, even a fine at the lower end of the scale - combined with the reputational consequences of notifying customers that their data may have been accessed - is a significant event.
Proactive maintenance does not guarantee a site will never be compromised. It does reduce the attack surface substantially, ensures known vulnerabilities are patched quickly, and means that if something does go wrong, there is a recent clean backup and a clear record of what the site's state was before the incident.
What "you deal with me directly" actually means in practice
The alternative to a freelance care plan is an agency maintenance contract or a managed service with a support queue. Agency contracts are priced to include account managers, project managers, and the overhead of a physical office. The person who understands your site is rarely the person you can contact when something needs attention. You submit a ticket, it gets a reference number, it enters a queue, and it reaches the right person eventually.
With a care plan through me, there is one developer who has either built your site or carried out a full audit before taking it on. That person knows why your contact form works the way it does, why a specific plugin is installed rather than a more obvious alternative, and what the quirks of your setup are. When you send a message about something behaving oddly, you get a direct response from that person - not a boilerplate reply asking you to describe the issue in more detail and attach a screenshot.
This is a genuine practical difference. It is not a marketing claim - it is a consequence of working with one person rather than a service desk.
Transferring an existing site onto a care plan
If your site is currently hosted elsewhere, moving it onto a care plan involves a pre-migration audit, a full server migration, DNS cutover, and SSL configuration. I handle all of this at no extra charge. Most migrations complete within a working day with no downtime - the site stays live on the old host until the new environment is verified, then DNS is updated.
The pre-migration audit covers current PHP version compatibility, plugin vulnerability status, database size and condition, and whether the site has any existing security issues that need addressing before migration. If there are problems, I flag them with a clear description of what they are and what fixing them involves, before anything moves.
I serve businesses across Surrey and West Sussex - including Caterham, Croydon, Reigate and Redhill, East Grinstead, Haywards Heath, Burgess Hill, Horsham, Oxted, Epsom, Dorking, Woking, Guildford, and Camberley. Location does not affect the service; everything is managed remotely.
WordPress care plans by location
If you want more detail about how a care plan applies to your specific area - including local business context, common sectors, and any area-specific considerations - the location pages below go into more depth.
WordPress care plan Surrey
The full Surrey overview - east and west Surrey, professional services, aerospace, and the county's 110,000 registered businesses.
WordPress care plan Caterham
3,000 VAT-registered businesses, legal and financial practitioners in the Valley, healthcare booking systems in the Hill.
WordPress care plan Reigate
FCA-regulated firms, Canon and AXA presence, professional services on the High Street, and three active business guilds.
WordPress care plan Redhill
East Surrey's largest town - the Belfry, major insurers, WooCommerce retailers along Brighton Road.
WordPress care plan Croydon
2,000+ tech firms, health and social care GDPR obligations, and new businesses launching around the Westfield development.
WordPress care plan East Grinstead
QVH medical cluster, seasonal Ashdown Forest visitor economy, and commuter business owners with no time for maintenance.
WordPress care plan Camberley
Watchmoor Park, Blackwater Valley defence and technology corridor, and 4,460 Surrey Heath businesses.
Frequently asked questions
What does a WordPress care plan include?
The Essential plan at £45/month covers managed VPS hosting, daily offsite backups, WordPress core and plugin updates, security monitoring, uptime alerting, and monthly reporting. The Professional plan at £75/month adds a staging environment where updates are tested before going live, pre-update snapshots for instant rollback, monthly database optimisation, 30 minutes of content changes, and a monthly Lighthouse performance check.
Is this the same as managed WordPress hosting?
No. Managed hosting (WP Engine, Kinsta, etc.) handles server infrastructure - hardware, caching layers, and server-level core updates. It does not handle plugin compatibility testing, application-layer security for your specific site, database cleaning, or any hands-on support when something breaks on the WordPress application itself. A care plan covers both layers - the hosting infrastructure and the WordPress application running on it - with a named developer who knows your setup.
What happens if an update breaks something on my site?
On the Professional and Growth plans, updates are applied to a staging copy of your site first. I check that everything functions correctly before pushing to the live site. On any plan, a full backup is taken immediately before every update run, giving an instant rollback point. If something does break on the live site, fixing it is covered - it is not an extra charge.
How much does it cost if I don't have a care plan and my site gets hacked?
Wordfence data puts the average WordPress hack recovery at around £2,000, with an average recovery time of 7.49 days. On top of that, 45% of hacked sites see a 25-75% drop in organic traffic after Google flags them, and only 45% ever fully recover their pre-hack rankings. Add potential GDPR notification obligations to the ICO and a single incident typically costs more than three to five years of a basic care plan.
Do I need a care plan if my site was only recently built?
Yes - because 7,966 new WordPress vulnerabilities were discovered in 2024, which is 22 per day, and 96% of these are in plugins. The age of your site is not the relevant factor; the vulnerability status of the plugins installed on it is. A newly built site will have plugins that develop security issues over the next 12 months regardless of when the site launched.
Is there a minimum contract?
No. All plans are month-to-month. You can cancel with a month's notice at any time. There is no setup fee, no annual lock-in, and no exit penalty.
Can I move my existing site onto your care plan?
Yes. I run a pre-migration audit to assess current PHP compatibility, plugin vulnerability status, database condition, and any existing security issues. Then I handle the full hosting migration at no extra charge. Most migrations complete within a working day with no downtime. If the audit reveals problems that need addressing first, I explain them clearly before anything moves.
What do I get in the monthly report?
A plain-English summary: which updates were applied (core, plugins, theme), backup status and storage confirmation, uptime percentage for the month, any security events and how they were resolved, current Lighthouse performance score, and anything approaching that needs attention - plugin end-of-life dates, upcoming SSL renewal, or hosting resource trends worth watching.
My site is on WordPress.com - is that the same as self-hosted WordPress?
No. WordPress.com is a hosted service run by Automattic where you rent space on their platform. Self-hosted WordPress (WordPress.org) means you own the installation, the database, and the files on a server you control. Care plans apply to self-hosted WordPress. If your site is on WordPress.com, you are limited to what Automattic provides and cannot use third-party plugins or custom themes. Most business sites should be self-hosted - if you are not sure which you are on, the easiest check is whether you have access to a cPanel or server control panel.
Need speed as well as maintenance?
A care plan keeps your WordPress site maintained and secure. If your site is also slow - poor Lighthouse scores, failing Core Web Vitals, high bounce rates - that requires a separate WordPress speed optimisation project: a full audit covering server-side caching, image optimisation, render-blocking resources, and database cleanup, with a before-and-after report. Speed optimisation and ongoing care plans work well together - the care plan keeps the gains in place after the work is done.
Ready to get your site properly looked after?
Tell me about your site - what platform it is on, roughly how old it is, and what your current maintenance setup looks like. I will come back with a recommendation and a clear price. No sales process, no discovery calls - just a direct answer.