
What you should actually pay for monthly website maintenance


The honest answer to “how much should monthly website maintenance cost” sits somewhere between £75 / $95 and £3,000 / $3,800 per month, and the gap is mostly explained by the platform you’re on and what the retainer actually does.

The lower figure is a fair floor for a small WordPress brochure site on managed hosting with a handful of plugins. The upper figure is a fair ceiling for a bespoke headless build running across multiple applications with a couple of hours of development included each month. Every price in between maps to a specific shape of site and a specific shape of work.

The reason buyers consistently overpay (or, more often, underpay and then discover they aren’t getting what they thought they were) is that “maintenance” is one of the most loosely defined services any digital agency sells. One agency’s £79 / $100 monthly plan covers automated plugin updates, weekly backups and a monthly uptime report. Another agency’s £79 / $100 plan does most of the same and charges separately for anything that takes more than ten minutes. A third charges £350 / $440 a month for the same site and includes nothing the £79 plan didn’t.

What follows is what a fair retainer should cover at each tier, what gets quietly excluded, and how to read a maintenance proposal without trusting it.

The fair-price range, at a glance

Site type                                                     Fair monthly retainer range
Hosted platform (Squarespace, Webflow, Wix)                   £50 – £250 / $65 – $315
WordPress brochure, pure maintenance                          £75 – £200 / $95 – $250
WordPress brochure with allocated support hours               £200 – £400 / $250 – $500
Standard ecommerce (WooCommerce, Shopify)                     £100 – £500 / $125 – $635
Complex ecommerce (SLAs, integrations, subscription billing)  £500 – £1,200 / $635 – $1,500
Bespoke or headless, multi-application                        £1,500 – £3,000+ / $1,900 – $3,800+

The numbers above are the cost of having someone maintain the site competently. Hosting spend, platform subscriptions and plugin licences are usually separate; the section on excluded items further down covers what tends to live outside the retainer.

What “maintenance” actually means

Strip out the brochure language and a maintenance retainer covers four things. Software updates. Security. Backups and recovery. Visibility, in the form of monitoring and reporting.

That’s it on the technical side. Everything else (content edits, small design tweaks, copy changes, adding a new page, fixing a broken form) sits in a slightly different bucket called “support” or “production hours”. Most agencies bundle the two into one monthly fee. Some don’t. The first thing to clarify on any proposal is whether your retainer is pure maintenance or maintenance plus support, and how the support hours are tracked.

The labour cost of support hours matters here, because it sets a floor on what any retainer claiming “included support” can realistically cost. A single hour of agency time at sensible UK rates sits somewhere between £75 / $95 and £125 / $160, depending on seniority and overhead. That means a £79 / $100 monthly retainer that claims to include two hours of support is either a loss-leader, a misrepresentation, or an agency pricing its own time at a rate that suggests the work won’t be done by a senior. When a low-end plan promises “support”, read it as “we’ll reply to your email if something is wrong, within reason.” Allocated hours don’t exist at the bottom of the market.

Updates are platform-specific. WordPress sites have core, theme and plugin updates landing weekly. WooCommerce sites add the WooCommerce core itself plus payment gateway and extension updates. Webflow and Squarespace handle their own platform updates and most security patching, which is why the agency layer on top of them is thinner. Bespoke builds have whatever dependencies the agency wrote in (Composer packages for CraftCMS, npm packages for the frontend, Laravel updates for any custom app) and those need someone competent to apply, not a junior running an automated update script.

Security is where the gap between cheap and expensive retainers shows fastest. At the cheap end, you get a security plugin (Wordfence, or Solid Security, formerly iThemes Security) running with default settings, an SSL certificate, and a malware scan that triggers an email if something looks wrong, and it’s on you to read that email. At the higher end, you get active monitoring against a vulnerability database like Patchstack’s, file integrity checks (a stored baseline of hashes for the web root, with anything added, removed or changed outside an update window flagged for a human), and someone who reads the alerts before you do. The hosting layer matters too: Cloudflare WAF in front of the site, server-level rate limiting, fail2ban on the SSH layer.
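As an added illustration of what “file integrity checks” means in practice (this is example code written for this article, not code from the page or from any of the plugins it names): baseline every file under the web root, store the hashes off the server, and on each run report what was added, removed or modified. The directory list, the rule that only PHP files are tracked inside upload and cache directories, and the constructed site layout in demo() are assumptions made for the example.

```python
"""File integrity check: baseline the web root, then flag what changed.

Added example, not code from the page or from any security plugin it
names. Paths, the noisy-directory list and the demo site layout are
assumptions made for the example.
"""
import hashlib
import json
import os
import tempfile

# Directories whose non-code contents change every day. In these we track
# only executable files: a PHP file appearing under uploads/ is exactly what
# a dropped webshell looks like, so it must not be filtered out as noise.
# (Assumption: tune the list to the site.)
NOISY_DIRS = ("wp-content/uploads/", "wp-content/cache/")


def is_tracked(rel_path: str) -> bool:
    if rel_path.startswith(NOISY_DIRS):
        return rel_path.endswith(".php")
    return True


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files don't sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map of relative path -> SHA-256 for every tracked file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if is_tracked(rel):
                baseline[rel] = hash_file(full)
    return baseline


def save_baseline(baseline: dict, path: str) -> None:
    # Keep the baseline off the web server: a baseline the attacker can
    # rewrite is no baseline at all.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def compare(baseline: dict, current: dict) -> dict:
    """Everything added, removed or modified since the baseline was taken.
    Outside an update window, every entry here deserves a human's eyes."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed web root: baseline it, simulate a compromise, compare."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(rel, text):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(text)

        write("wp-config.php", "<?php define('DB_NAME', 'shop');\n")
        write("readme.html", "<html>WordPress</html>\n")
        write("wp-content/plugins/forms/forms.php", "<?php // forms plugin v1.2\n")
        write("wp-content/uploads/2025/logo.png", "not really a png\n")
        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_file)

        # Between two checks: a plugin file is edited in place, a PHP dropper
        # lands in uploads/, a harmless image is uploaded, readme.html is removed.
        write("wp-content/plugins/forms/forms.php",
              "<?php // forms plugin v1.2\neval(base64_decode($_POST['c']));\n")
        write("wp-content/uploads/2025/wp-cache.php", "<?php // dropper\n")
        write("wp-content/uploads/2025/photo.jpg", "jpeg bytes\n")
        os.remove(os.path.join(root, "readme.html"))

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The uploaded image is ignored as expected noise, but the PHP file dropped into the same uploads directory is reported, because the filter is on file type rather than on the whole directory. Run from cron after each update window, the “modified” list should be empty; a non-empty list is the alert someone needs to read.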

Backups are simpler. Hourly, daily or weekly, depending on how much data changes. Stored offsite, with a provider and credentials separate from the hosting account, so that whatever takes out the hosting account (a compromise, a billing lapse, an accidental deletion) doesn’t take the backups with it. Tested for restore at least once a year. The line to watch on a proposal is “we take backups” without specifying retention or restore time. If you can’t restore from a backup inside four hours when the site is down, you have a log file, not a backup.
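Most of what goes wrong with backups is visible without restoring anything: the newest file is days old, a night is missing, or last night’s dump was killed halfway and nobody noticed. The script below is an added example (not code from the page) that checks those things for a directory of nightly database dumps. It assumes dumps are gzipped mysqldump output named db-YYYY-MM-DD.sql.gz, that the date in the name is the night the dump was taken, and it relies on the fact that mysqldump ends a complete dump with a “-- Dump completed” line. The backup set in demo() is constructed.

```python
"""Check a directory of nightly database dumps before anyone trusts them.

Added example, not code from the page. Assumptions: dumps are mysqldump
output gzipped as db-YYYY-MM-DD.sql.gz; the date in the name is the date
the dump was taken. mysqldump ends a complete dump with a
'-- Dump completed' line, so a dump without that footer was cut short.
"""
import gzip
import os
import re
import tempfile
import zlib
from datetime import datetime, timedelta, timezone

NAME_RE = re.compile(r"db-(\d{4}-\d{2}-\d{2})\.sql\.gz$")


def dump_is_complete(path: str) -> bool:
    """Decompress the whole file (catches gzip corruption) keeping only the
    tail, then look for mysqldump's completion footer."""
    tail = b""
    try:
        with gzip.open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                tail = (tail + chunk)[-256:]
    except (OSError, EOFError, zlib.error):
        return False
    return b"-- Dump completed" in tail


def check_backups(backup_dir: str, now: datetime,
                  max_age_hours: int = 24, retention_days: int = 30) -> dict:
    """Freshness, retention depth, daily-cadence gaps and dump completeness."""
    findings, dated = [], []
    for name in sorted(os.listdir(backup_dir)):
        m = NAME_RE.search(name)
        if not m:
            continue
        taken = datetime.strptime(m.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)
        dated.append((taken, name))
        if not dump_is_complete(os.path.join(backup_dir, name)):
            findings.append(f"{name}: incomplete or unreadable (no 'Dump completed' footer)")
    if not dated:
        return {"ok": False, "count": 0, "findings": ["no backups found"]}

    dated.sort()
    newest, newest_name = dated[-1]
    if now - newest > timedelta(hours=max_age_hours):
        findings.append(f"newest backup {newest_name} is older than {max_age_hours}h")
    covered = (now - dated[0][0]).days
    if covered < retention_days:
        findings.append(f"retention covers {covered} days, policy says {retention_days}")
    for (prev, _), (cur, cur_name) in zip(dated, dated[1:]):
        if cur - prev > timedelta(days=1):
            findings.append(f"gap of {(cur - prev).days} days before {cur_name}")
    return {"ok": not findings, "count": len(dated), "findings": findings}


def demo() -> dict:
    """Constructed backup set: a month of nightly dumps, one night missing,
    and last night's dump killed before it finished."""
    header = "-- MySQL dump 10.13\nCREATE TABLE `wp_options` (`option_id` bigint);\n"
    footer = "-- Dump completed on 2025-03-15  2:00:01\n"
    now = datetime(2025, 3, 15, 9, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as d:
        day = datetime(2025, 2, 13, tzinfo=timezone.utc)
        while day <= now:
            if day.date() != datetime(2025, 3, 5).date():        # the missing night
                body = header if day.date() == now.date() else header + footer
                with gzip.open(os.path.join(d, f"db-{day:%Y-%m-%d}.sql.gz"), "wb") as f:
                    f.write(body.encode())
            day += timedelta(days=1)
        return check_backups(d, now)


if __name__ == "__main__":
    result = demo()
    print("ok" if result["ok"] else "problems", result["count"], "dumps")
    for line in result["findings"]:
        print(" -", line)
```

This verifies what can be verified without a database server; the annual restore test the text calls for still has to be done against a real scratch database and timed, because a dump that decompresses cleanly can still fail to import. Wired to cron with an alert on any finding, it turns “we take backups” into something the monthly report can actually confirm.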

Visibility is the part agencies underdeliver most often. A real monthly report shows what was updated, what was blocked at the security layer, what the uptime actually was (with the dates of any incidents), and how long a restore would take if it were needed today. The fake version is a one-page PDF that says “your site is fine” and lists three plugin update timestamps.
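The difference between “your site is fine” and a real uptime figure is the incident list behind it. As an added example (not code from the page or from any monitoring product), the script below takes raw probe results and produces that list with dates and durations. The input format is an assumption: one line per probe, “<ISO-8601 UTC timestamp> <HTTP status or timeout> <response seconds>”, probed every five minutes. The day of probe data in demo() is constructed, with two invented outages.

```python
"""Turn raw uptime-probe results into the incident list a real report shows.

Added example, not code from the page or from any monitoring product.
Assumed input: one line per probe, "<ISO-8601 UTC timestamp> <HTTP status
or 'timeout'> <response seconds>", probed every five minutes. The day of
probe data used in demo() is constructed, with two invented outages.
"""
from datetime import datetime, timedelta, timezone

INTERVAL = timedelta(minutes=5)   # the five-minute probe cadence assumed above
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str):
    """Return (timestamp, is_up). Only a 2xx counts as up: timeouts, 5xx and
    a 403 from an over-eager WAF all look the same from the visitor's side."""
    ts, status, _latency = line.split()
    when = datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)
    return when, status.isdigit() and 200 <= int(status) < 300


def incident_report(lines, interval: timedelta = INTERVAL) -> dict:
    """Uptime percentage plus every outage with start, end and duration.
    An incident ends at the probe slot after its last failure, so durations
    are multiples of the probe interval."""
    probes = [parse_line(line) for line in lines if line.strip()]
    incidents, current = [], None
    for when, is_up in probes:
        if is_up:
            if current is not None:
                incidents.append(current)
                current = None
        elif current is None:
            current = {"start": when, "end": when + interval, "probes": 1}
        else:
            current["end"] = when + interval
            current["probes"] += 1
    if current is not None:          # still down at the end of the window
        incidents.append(current)

    down = sum(i["probes"] for i in incidents)
    return {
        "probes": len(probes),
        "down_probes": down,
        "uptime_pct": round(100 * (len(probes) - down) / len(probes), 2),
        "incidents": [
            {"start": i["start"].strftime(TS_FORMAT),
             "end": i["end"].strftime(TS_FORMAT),
             "minutes": int(i["probes"] * interval.total_seconds()) // 60}
            for i in incidents
        ],
    }


def constructed_probes(day: str = "2025-03-01") -> list:
    """One day of five-minute probes (288 lines) with two constructed outages:
    a 30-minute run of 503s and a 10-minute run of timeouts."""
    start = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    outages = [(range(50, 56), ("503", "1.902")), (range(200, 202), ("timeout", "-"))]
    lines = []
    for i in range(288):
        status, latency = "200", "0.412"
        for window, result in outages:
            if i in window:
                status, latency = result
        lines.append(f"{(start + i * INTERVAL).strftime(TS_FORMAT)} {status} {latency}")
    return lines


def demo() -> dict:
    return incident_report(constructed_probes())


if __name__ == "__main__":
    report = demo()
    print(f"uptime {report['uptime_pct']}% over {report['probes']} probes")
    for inc in report["incidents"]:
        print(f"  down {inc['start']} to {inc['end']} ({inc['minutes']} min)")
```

On the constructed day the headline is 97.22% uptime, which sounds tolerable on a one-page PDF; as two dated incidents totalling 40 minutes, one of them a run of timeouts, it is a conversation with the agency. The same function over a month of probe lines gives the incident dates a real report should carry.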

Hosted platforms: Squarespace and Webflow

Hosted platforms do most of the technical work themselves. Squarespace handles the platform, the hosting, the SSL and the security patches. Webflow does the same, and lists hosted-site features including SSL, CDN, automatic backups, vulnerability scanning and DDoS/bot protection. Wix works similarly. There is, by design, no plugin layer to update.

The agency retainer on top of a hosted platform mostly covers support, not maintenance. Content edits, small layout changes, integrations with marketing tools, occasional troubleshooting when something behaves oddly. Fair monthly pricing sits between £50 / $65 and £250 / $315, depending on how much actual work happens each month.

Agencies that charge significantly more than this for a Squarespace or Webflow site are usually one of three things: charging for time you’re not using, bundling the platform subscription itself into the retainer (which inflates the headline figure), or operating on the assumption that you don’t know how little technical work the platform actually requires.

The honest pitch from an agency on these platforms looks like this: “Your Squarespace Core subscription is around £17 / $23 a month when billed annually, paid direct to Squarespace. We charge £120 / $150 a month for two hours of content and design support, plus a quarterly review of analytics and forms. We’re not patching the platform or a plugin stack, so there’s no maintenance layer to manage.” If a retainer for one of these platforms is more than £250 / $315 a month and isn’t bundling significant production hours, ask what the money is doing.

One specific watch: agencies sometimes charge a “performance” or “optimisation” fee on Webflow or Squarespace sites where the optimisation work is structurally limited by the platform. After images, fonts, third-party scripts and embeds have been cleaned up, ongoing speed work on a closed platform is mostly constrained by what the platform allows. Paying every month for vague “performance optimisation” after that point is paying for theatre.

WordPress brochure sites

This is where most agencies do their maintenance volume, and where pricing is most variable.

A typical WordPress brochure site has core WordPress, a theme (or page builder like Elementor, Divi, Beaver Builder), and somewhere between 10 and 30 active plugins. Each is a potential update. Each is a potential security vulnerability. Patchstack’s 2026 State of WordPress Security report found 11,334 new WordPress ecosystem vulnerabilities in 2025, a 42% increase on 2024. 91% were in plugins, 9% in themes, and only six were in WordPress core itself. The maintenance bill on a WordPress site is, in practice, the plugin maintenance bill.

A fair pure-maintenance retainer for a site like this sits between £75 / $95 and £200 / $250 a month. That covers updates, backups, monitoring and reporting. It does not include allocated support hours, beyond best-effort responses to email when something specific needs looking at.

At the lower end (around £75 / $95 a month), expect weekly automated plugin and core updates, daily offsite backups with a 30-day retention, an uptime monitor pinging every five minutes, a monthly report covering the update log and backup confirmations, and an email response inside a working day.

At the £150 / $190 to £200 / $250 end, you should be getting everything above plus active security monitoring against a vulnerability database, a staging environment for testing updates before they hit live, faster response (same business day, often within hours), and a quarterly performance and accessibility check.

Once you want one or two genuinely allocated support hours every month for content edits, small design tweaks or troubleshooting, the realistic band moves up to £200 / $250 to £400 / $500 a month. That’s not a price hike; that’s the labour cost showing up in the proposal. An agency promising allocated hours below that band is either operating at margins it can’t sustain or quietly redefining “an hour” to mean something shorter.

Above £400 / $500 a month for a brochure WordPress site, the question to ask is “what am I getting that the £300 plan doesn’t have.” If the answer is “more support hours” or “faster SLAs”, fine. If the answer is hand-waving about “comprehensive monitoring”, that’s a thin retainer wearing a premium price.

Where this tier gets ugly is the bundled hosting. Some agencies sell £200 / $250 monthly retainers where the underlying shared hosting costs less than £20 / $25 a month from GoDaddy, SiteGround, or a similar provider, and the rest is pure margin on minimal labour. Other agencies sell £200 / $250 monthly retainers where the hosting is properly managed on AWS with Cloudflare CDN & WAF, page caching and image optimisation included. These look identical on a proposal. Ask what’s actually running, and where.

Standard ecommerce: WooCommerce and Shopify

Add an ecommerce layer and the retainer gets more expensive, because what’s being protected gets more expensive when it breaks.

A WooCommerce site with a few hundred to a few thousand orders a month, a couple of payment gateways, and maybe a subscription plugin or two has roughly twice the surface area of an equivalent brochure site. The plugins are more critical (a failed checkout costs real money), the updates are more disruptive (WooCommerce minor versions occasionally break extensions), and the recovery time matters more (every hour the site is down is lost revenue, not lost vanity).

Fair pricing for sites at this tier sits between £100 / $125 and £500 / $635 a month for pure maintenance, with no allocated development time or guaranteed SLAs. The lower end of that band suits a small WooCommerce shop with a handful of plugins and modest order volume. The upper end suits a larger WooCommerce site doing real transaction volume across more extensions, where the agency is doing more update testing, watching more closely, and absorbing more risk. Either way, what the retainer buys is:

  • Updates with staging-environment testing
  • Daily backups (preferably twice-daily for the database, with at least 14 days of retention)
  • Active security monitoring, including payment-flow specific checks
  • An uptime monitor and a basic transaction monitor (does checkout still work?)
  • A monthly report with update log, security events and backup confirmations
  • Best-effort response when something specific needs looking at

What this tier does not buy, at fair pricing, is allocated dev hours or two-hour site-down SLAs. Two hours of dev a month is roughly £200 / $250 of agency labour at sensible rates; a guaranteed two-hour response capacity costs the agency real money to provision. If a £250 / $315 retainer promises both, somebody is going to be unhappy.

The logic carries over to small Shopify stores, with one important difference. Shopify handles platform updates and the PCI DSS compliance of the hosted platform and checkout itself, so the agency layer is lighter on the security side. Themes are the exception: Shopify themes break on theme updates the same way WordPress plugins do, and a basic Shopify retainer usually covers theme maintenance, app monitoring and content edits. Fair pricing sits between £100 / $125 and £200 / $250 a month, with anything above that requiring named work.

Complex ecommerce: integrations, SLAs, dedicated management

When the WooCommerce site has thousands of orders a month, a complex payment setup, subscription billing through Chargebee or Stripe Billing, custom shipping rules, and integrations with a CRM or ERP, the retainer changes shape. So does the price.

Fair pricing at this tier sits between £500 / $635 and £1,200 / $1,500 a month, often higher if the integration count is significant or the SLA is tight. The work isn’t fundamentally different from the standard ecommerce tier. The volume, stakes and provisioned capacity are. An agency promising a two-hour site-down response has to keep someone on call or near a screen for that window; that’s a cost that lives in the retainer.

What that should buy:

  • Weekly updates with careful staging testing, because the cost of a broken checkout is now meaningful
  • A subscription-billing audit, if billing runs through Chargebee or similar (subscription lifecycles fail in quiet, expensive ways: renewals that don’t trigger, dunning emails that never send, tax rates that quietly stop applying)
  • Active monitoring of the integration layer (CRM sync failures, ERP stock updates, tax provider outages)
  • Daily backups, twice-daily for the database, with point-in-time recovery on the database itself where the platform supports it
  • A dedicated point of contact, not a shared inbox
  • Defined SLAs: same-business-day response for non-critical issues, two-hour response for site-down events
  • A monthly report that’s a real report, not a screenshot of a dashboard

Some of these retainers include a small allocation of dev hours (typically two to four a month) for the small fixes that always come up. Some don’t. The honest distinction in a proposal is whether dev hours are quoted separately or bundled, and what happens to unused hours.

The trap at this tier is Shopify Plus pricing creep. Shopify Plus starts at $2,300 / £1,800 a month on a three-year term, or $2,500 / £1,950 on a one-year term, before any agency retainer, apps or implementation work. Higher-volume merchants can move onto variable platform pricing, but Shopify’s public pricing page doesn’t publish a clear threshold-and-rate formula. Agencies often quote a “Plus support retainer” on top. That can be fair: a Shopify Plus store with a custom checkout and several apps does need active management. But the line between “we’re managing your Plus store” and “we’re charging for things Shopify already does” gets thin. Ask what specifically the agency does that Plus doesn’t.

Bespoke and headless builds

Bespoke and headless builds are where maintenance pricing genuinely earns its number, and where the cheap option doesn’t exist for a reason.

A site built on CraftCMS with a Laravel companion app, a separate frontend (Next.js, Nuxt or similar), and a few middleware services for things like search or content sync has at least four moving applications. Each has its own dependency tree. Each is capable of breaking in different ways. The agency that built it is often the only team that knows where the bodies are buried.

Fair pricing at this tier sits between £1,500 / $1,900 and £3,000 / $3,800+ a month, and the variation maps to how many applications are in the stack and how much active development is included.

What’s typically in scope:

  • Updates across the whole stack (CraftCMS plugins, Composer dependencies, Laravel core, npm packages on the frontend, Node version upgrades when required)
  • Security patches across all applications, often with same-day deployment for critical CVEs
  • Infrastructure management (the Hetzner or AWS account configuration, the Cloudflare setup, the SSL automation, the DNS records, the queue workers, the cron jobs). The infrastructure spend itself, server, CDN, database, object storage, is usually billed separately and varies with traffic.
  • A staging environment per application, plus a process for testing changes that cross applications
  • Performance monitoring at the application layer (response times per endpoint, queue health, cache hit rates, error rates)
  • A monthly or fortnightly retainer call with the lead developer
  • Two to ten hours of development included as standard, for small features and improvements that don’t warrant a separate project

The reason this tier is so different from the WordPress tier is that the agency isn’t running plugin updates against a known platform. They’re running updates against a system they built, which means update breakages need a developer to fix, not a support agent to log. That’s why headless retainers tend to include dev time as standard, and why retainers without dev time at this tier are usually trouble.

Where buyers go wrong is in trying to negotiate this retainer down by treating bespoke maintenance as if it were brochure-site maintenance. A £400 / $500 monthly retainer on a £80,000 / $100,000 headless build looks like a saving until something breaks. What it actually guarantees is that nobody is actively looking after the site, and the next bill arrives in project-fee form at the worst possible moment.

If you’re paying significantly less than £1,500 / $1,900 a month on a multi-application bespoke build, stop asking whether you can negotiate a better price. Start asking what isn’t being done.

What’s quietly excluded from most retainers

Almost every maintenance proposal has a list of exclusions buried in the small print. The honest agencies put it on page one. The dishonest ones put it in clause 14 and use it as a billing lever later.

The most commonly excluded items, across every tier:

  • Plugin and theme licence renewals. Wordfence Premium, Yoast Premium, Gravity Forms, ACF Pro, Elementor Pro, the WooCommerce extensions you actually use. These add up. A mid-size WooCommerce site can easily carry £300 / $380 to £800 / $1,000 a year in licence costs. Whether the agency or the client pays for them, and in whose account, needs to be explicit.
  • SSL certificate management beyond Let’s Encrypt. Free certificates renew automatically as long as the ACME client keeps running; a renewal that fails silently is a classic self-inflicted outage, so someone should be watching expiry dates. Paid wildcard or EV certificates need someone to handle the renewal and re-deployment. Often “out of scope”.
  • DNS changes. Adding a new subdomain, pointing email to a new provider, setting up SPF/DKIM/DMARC for deliverability. Some retainers cover this; many don’t.
  • “Emergency” out-of-hours work. Defined differently by every agency. Some count 5pm Friday onwards as emergency rates. Some only weekends. Some only between 11pm and 7am. Worth pinning down.
  • Anything that touches accessibility, SEO or analytics. These are almost always separate work, even when the agency offers them. Don’t assume a maintenance retainer includes an annual accessibility check unless it specifically says so.
  • Content creation. Edits to existing content are usually in scope. Writing new content, sourcing images, or building out new pages from scratch usually isn’t.
  • Storage and bandwidth costs above a baseline. Particularly relevant on AWS or Google Cloud builds, where a sudden traffic spike or a backup retention change can push the bill up significantly.

The proposal that says “comprehensive monthly maintenance” without itemising exclusions is the proposal that will surprise you in month three. A proposal listing exclusions on page one is selling honest work.

How to read a maintenance proposal

A maintenance proposal is worth ten minutes of forensic reading before signing. The things to look for:

Defined response and resolution times, separately. “We respond within four hours” is meaningless if resolution takes three weeks. A real SLA distinguishes between acknowledgement (we’ve seen it), response (we’ve started looking), and resolution (it’s fixed or escalated). For ecommerce or high-value sites, look for tighter response times on site-down events specifically.

Scope, in clauses, not adjectives. A scope written as “ongoing maintenance and support” is a scope that doesn’t exist. A scope written as “weekly plugin updates with staging deployment, daily off-site backups with 30-day retention, security monitoring via [named tool], up to two hours of editorial support per month” is a real scope.

The update process. Manual or automated? Are updates tested on staging first? What’s the rollback procedure if something breaks? On critical sites, ask to see the update process documented. If the agency can’t show you, they don’t have one.

Plugin and tool ownership. Whose account are the premium licences in? If the agency walks away, do the licences walk away too? This is the same question as who owns your hosting account, applied to the software stack. The wrong answer to this question is how you end up locked in.

Reporting cadence and content. Monthly is standard. A real report shows: updates applied (with dates), security events (with severity), uptime percentage (with incident dates), backup confirmations (with restore-test date), and performance trend. If the proposal doesn’t specify what’s in the report, the report will be a screenshot.

Exit terms. What happens to the backups, the credentials and the documentation if the relationship ends? Notice period? Handover process? These are easier to negotiate before signing than after. Our agency handover checklist covers the broader question, but the maintenance contract is where it gets specific.

Escalation path. When the main contact is on holiday and the site is down, who picks up? An agency with a real escalation path will name it on the proposal. An agency without one will say “we always respond quickly”.

Published by the editorial team at Commissioning Desk, an independent publication covering digital project commissioning, agency selection, and technology decisions for non-technical buyers. Commissioning Desk is founded by Kasper Polanski and draws on input from agency practitioners, in-house digital leads, and the buyers who've sat on both sides of the table. Every article published under this byline is written and reviewed by practitioners with direct experience of the subject matter.