Cost

What's Actually on a WordPress Maintenance Invoice

PressFixer April 27, 2026 7 min read

A Real Invoice, Line by Line

A client shared their monthly WordPress maintenance invoice with us before migrating. $400 per month, paid consistently for three years. Total spend: $14,400. Here's what was on it.

Plugin updates — 2 hours at $85/hr: $170. Running updates on the active plugin stack, checking that nothing breaks after each update, and rolling back the two or three that do break something every month. This is real work, but it exists entirely because WordPress plugins are maintained by third parties who update on their own schedule, often introducing breaking changes.

Security scan and malware check — 1 hour at $85/hr: $85. Running Wordfence or Sucuri, reviewing the log, clearing flagged files. Again: real work, but work that exists because WordPress is the most attacked CMS on the internet. A static HTML site has no attack surface that requires weekly scanning.

Backup verification — 0.5 hours at $85/hr: $42.50. Checking that the automated backup completed and is restorable. The backup itself is handled by a plugin ($10/month). The labour to confirm it worked is billed on top.

Uptime monitoring review — included. A $15/month tool that pings the site every five minutes. Included in the retainer. Alerts go to the developer, not the client.

Performance check — 0.5 hours at $85/hr: $42.50. Running a PageSpeed Insights test, noting any degradation, not necessarily fixing anything unless it's billable as a separate project.

Monthly report — 0.5 hours at $85/hr: $42.50. A PDF summarising the above. Sent to the client. Rarely read.

Total labour: 4.5 hours at $85/hr = $382.50. Rounded to $400 plus the $25/month in tools. Reasonable hourly rate, reasonable scope. The question isn't whether the work is being done. It's whether the work needs to exist.

What All of This Work Is Actually For

Every line item on that invoice exists to manage risk that is inherent to WordPress, not inherent to having a website.

Plugin updates exist because WordPress's architecture depends on third-party code maintained by thousands of independent developers. That code changes, conflicts, and breaks — constantly. The maintenance retainer is the cost of managing that fragility.

Security scanning exists because WordPress runs PHP on a server, queries a database, and processes user input — all of which create attack vectors. A static HTML file served from a CDN has none of these. There's nothing to scan because there's nothing to exploit.

Backup verification exists because WordPress sites are known to fail in ways that make the backup the last line of defence. A static HTML site's backup is a folder of files you already have a copy of.

"You're not paying for maintenance. You're paying for the ongoing cost of a platform that was never designed to be low-maintenance."

Three years. $14,400. The client's site had not changed materially in that time. No new pages. No new features. Just the ongoing cost of keeping a complex system from falling apart.

What the Alternative Looks Like

A static HTML site on Cloudflare Pages has no plugin ecosystem to update, no PHP runtime to patch, no database to secure, and no server-side attack surface. The security scan line item is zero because there's nothing to scan. The backup verification line item is zero because the files are in a Git repository you already own. The performance check is simpler because static files on a global CDN are fast by default.

The remaining cost is domain renewal ($15–20 per year) and, if you want to update the site yourself without a developer, an optional AI agent subscription ($990/year). That's the full cost structure.

$990 per year versus $4,800 per year. For a site that stopped changing in 2022 anyway.

The maintenance retainer is not a scam. It's legitimate work for a genuinely high-maintenance platform. The question is whether you should be on that platform at all.

Frequently Asked Questions

Is a WordPress maintenance plan worth the cost?

It depends entirely on what your site is doing. For an ecommerce store with active transactions, a membership site with regular user activity, or a publication updating daily, ongoing maintenance is necessary and the cost is justified. For a stable brochure site with five to ten pages that changes a few times a year, the maintenance cost typically exceeds the value of what's being maintained.

Can I maintain a WordPress site myself without paying a developer?

Yes, with caveats. Running plugin updates yourself is straightforward until something breaks — at which point you need to know how to roll back changes, debug conflicts, and restore from backup. Security monitoring requires understanding what the alerts mean and how to respond. Most small business owners can handle simple updates but benefit from professional help when things go wrong, which happens more frequently than the hosting companies advertise.

What does a WordPress site actually cost per year all-in?

For a typical small business brochure site: hosting $150–240, domain $15–20, premium theme $50–80 annually, essential plugins (security, backup, SEO, forms) $150–300, and maintenance labour if you're not doing it yourself $2,400–6,000. A realistic annual total sits between $2,800 and $6,600 — not the $200–300 that introductory hosting prices suggest.

See What WordPress Is Costing You

Use our free calculator — enter your real numbers and see the 3-year comparison.

Do the Math →