Uptime + security baseline.
- Uptime monitoring (24/7)
- Weekly security patches
- Daily off-site backups
- Monthly CWV snapshot
- 2 dev hours included
- 48-hour response SLA
Monthly retainer for uptime monitoring, security patches, plugin and theme updates, daily backups, and same-day emergency fixes. Shopify, WordPress, Webflow, Next.js; no setup fee.
A website is a live system. CMS versions drift out of date, plugins ship security patches on Tuesday and exploits for the unpatched versions follow on Wednesday, Core Web Vitals degrade as content piles up, and checkout flows break after a third-party tag update. The cost of preventive maintenance is small and predictable; the cost of reactive incident response is large, unpredictable, and usually strikes at the worst possible moment. A monthly retainer trades that uncertainty for certainty.
Platform coverage is part of the retainer scope. Shopify + Plus engagements pull from our shopify-maintenance playbook. WordPress + WooCommerce uses Yoast + Rank Math + ACF. Webflow + custom static sites pull from the speed-first stack.
Every major platform we build on, we maintain. Shopify clients get the specialized Shopify Maintenance service (same underlying team, Shopify-specific SLAs around apps and checkout extensions). WordPress clients get plugin-audit, theme-update, and security-hardening with Wordfence or equivalent. Webflow and Next.js sites get deploy-pipeline monitoring, dependency audits, and performance regression alerts. If your site is on a platform not listed here, the 2-week inheritance audit determines whether we can maintain it.
Every failure class has a runbook entry. Plugin update conflicts, theme upgrades that break custom code, third-party tag failures, payment gateway timeouts, backup restoration tests, DNS / SSL cert expiry, search index drift, accessibility regression. Each one has a documented response window and an escalation path.
A live website fails in patterns. Eight recur on every platform we maintain. Each has a runbook the on-call team executes when the alert fires — restoration time, escalation path, and post-mortem template are predefined, not invented in the moment.
An app update introduces a JavaScript error or breaks checkout. Detection: Sentry alert + uptime monitor. Fix: rollback or app-vendor escalation. Mean time to restore: under 1 hour at Premium tier.
CMS core or plugin ships a CVE patch. Detection: vendor security feed + NVD watch. Fix: patch within SLA window, regression test on staging, deploy.
CWV LCP slips above 2.5s mobile. Detection: weekly PageSpeed Insights + GSC alert. Fix: image audit, third-party script audit, render-path optimization.
Quarterly restore-from-backup drill on a staging environment. Validates the backup actually works, not just that the file was written.
Expired cert = browser red screen + 30-50% bounce. Auto-renewal monitored; manual fallback if Let's Encrypt or Cloudflare hits an edge case.
Form submission silently failing or checkout error rate spike. Detection: synthetic checkout test every 15 minutes + analytics conversion-funnel alert. Fix: same-day at Premium.
Login brute-force, comment spam, fake account signups. Detection: Cloudflare bot analytics. Fix: WAF rules, rate limits, CAPTCHA tuning.
Theme or app on an unsupported version. Detection: monthly dependency audit. Fix: upgrade in staging, regression test, deploy. Catches the “works on my machine until it doesn't” pattern early.
The stack you pay for runs in your accounts, not ours. We set it up, configure it, monitor it, and hand over admin on day one. Nothing is opaque; you can audit every tool yourself.
The questions clients ask most before starting a maintenance retainer: pricing tiers, what's covered, how incidents work, backup discipline, security patches, and 30-day cancellation.
Five recurring activities. One, uptime monitoring (24/7 external pings with SLA-backed alerts). Two, security patches (CMS core, plugins, themes, dependencies) applied weekly, or sooner when urgent. Three, daily off-site backups with quarterly restore tests. Four, performance monitoring (Core Web Vitals, server response time) with regression alerts. Five, allocated development hours for fixes, small features, and content updates. Emergency response (broken page, failed checkout, security incident) is included at higher tiers with a same-day SLA.
Hosting support covers the server and the platform: disk, memory, network, CMS core. It does not cover your plugins, your theme, your JavaScript, or your specific customizations. A typical Shopify or WordPress site has 8 to 20 installed plugins or apps; when one of them breaks checkout or introduces a JavaScript error, hosting support points to the plugin vendor and the plugin vendor points back. Website maintenance covers the gap: someone who knows your site, your plugins, and your business, on contract to fix whatever breaks.
Yes, with a 2-week inheritance audit first. The audit covers: platform version and update status, plugin and theme inventory with known-vulnerability check, backup and recovery setup verification, performance baseline (Core Web Vitals, time-to-first-byte), security posture (HTTPS, security headers, admin access), and a risk register. We then onboard onto the retainer; urgent issues the audit surfaces go in the first-month dev-hour allocation so you do not pay extra.
Essential tier: 48-hour business-hour response for non-critical items, best-effort same-day for emergencies (broken checkout, down page). Standard tier: 24-hour response for non-critical, 4-hour business-hour response for emergencies. Premium tier: 4-hour business-hour response for non-critical, same-day written SLA for emergencies including evenings and weekends. Every response-time commitment is in writing in the contract, not a marketing claim.
Yes. Every tier runs month-to-month after the first month. 30-day written notice to cancel. On cancellation we hand over all access credentials, current backup, a written status of every in-progress item, and a 2-week grace period for emergency issues. No long-term contracts, no automatic renewals past the opt-out window, no data hostage situations. The easiest way to earn the next 12 months of retainer is to make leaving easy.
Defined emergency runbook. Trigger: pageviews drop, error-rate spike, defacement, exfiltration alert, ransomware indicator. Step one: site goes into a maintenance-mode page with a clear message; the affected service stops accepting traffic. Step two: forensic snapshot taken before any remediation. Step three: lateral exposure check (other sites on shared hosting, related accounts). Step four: clean restore from the most recent uncompromised backup. Step five: written post-mortem within 5 business days. Premium tier includes evening + weekend coverage; Standard is business-hours best-effort.
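Step four above, together with the restore-drill point that a backup must actually work and not merely exist, as an added example (not the provider's own tooling): choose the newest backup that predates the earliest indicator of compromise and whose recorded checksum still verifies. The catalogue layout, field names, the 24-hour safety margin and all sample data are assumptions constructed for this sketch.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Backup:
    name: str
    taken_at: datetime   # when the snapshot was written
    sha256: str          # digest recorded in the catalogue at backup time
    payload: bytes       # archive bytes (inline here; a file on disk in practice)

def verifies(b):
    """True if the archive still matches the digest recorded when it was taken."""
    return hashlib.sha256(b.payload).hexdigest() == b.sha256

def pick_restore_point(backups, earliest_indicator, margin=timedelta(hours=24)):
    """Newest backup older than (earliest indicator - margin) that verifies.

    The margin is an assumption of this example: the first alert usually lags
    the intrusion, so a backup taken shortly before it may already be tainted.
    """
    cutoff = earliest_indicator - margin
    older = [b for b in backups if b.taken_at < cutoff]
    for b in sorted(older, key=lambda b: b.taken_at, reverse=True):
        if verifies(b):
            return b
    return None  # nothing trustworthy: escalate rather than restore blindly

def _mk(name, day, data, corrupt=False):
    # Helper for the constructed catalogue below; 'corrupt' simulates bit rot.
    taken = datetime(2024, 5, day, 2, 0, tzinfo=timezone.utc)
    stored = data + b"\x00" if corrupt else data
    return Backup(name, taken, hashlib.sha256(data).hexdigest(), stored)

# Constructed sample data: daily 02:00 UTC backups, first indicator 5 May 14:00 UTC.
CATALOGUE = [
    _mk("site-05-01", 1, b"db+files v1"),
    _mk("site-05-02", 2, b"db+files v2"),
    _mk("site-05-03", 3, b"db+files v3"),
    _mk("site-05-04", 4, b"db+files v4", corrupt=True),  # fails its checksum
    _mk("site-05-05", 5, b"db+files v5"),  # 12 h before the alert: inside margin
]
FIRST_INDICATOR = datetime(2024, 5, 5, 14, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    chosen = pick_restore_point(CATALOGUE, FIRST_INDICATOR)
    print(chosen.name if chosen else "no verified pre-incident backup")
```

The forensic snapshot from step two is what establishes the earliest indicator time; if later analysis moves that time back, rerun the selection before restoring.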
30-day cancellation, no annual lock-in. 30-minute scoping call to set retainer tier and starting runbook. Written scope and monthly retainer quote in 48 hours.