Website Maintenance — Because "Finished" Software Doesn't Exist
Updates, daily backups, security monitoring and small edits, handled by the team that builds websites daily — on cancel-anytime plans that never hold your ownership hostage.
Same standards, priced for your market
Singapore pricing
The arbitrage: small monthly habit vs four-figure crisis
An unmaintained website fails on a schedule you don't control — and always on the worst available day, because that's the day anyone finally looks. The pattern is identical in both our markets: months of silent decay (updates unapplied, backups unverified, forms untested), then a coin-flip period where the site either gets hacked by industrial-scale bots or breaks in an update cascade — and the repair invoice (cleanup, blacklist remediation, lost enquiries during a campaign or tender) runs 10–20× the prevention that wasn't bought. The country pages carry the true incident stories, the 24-month neglect timeline, and the ten-minute self-diagnosis checklist you can run on your own site today.
What the plans actually industrialise is a habit across four risk layers: software decay, active attack, silent breakage, and business continuity — the boring administrative hygiene (domain renewals, credential custody, recovery contacts) that kills more SME websites than hackers do. Every check is small; all of them, every month, for years, is the product. And the boundaries are published so the relationship never disappoints by ambiguity: maintenance is not SEO, not redesign, not copywriting — each of those is its own honestly-priced decision when you want it.
The structural promise underneath: hosting and domain run under our management for operational speed — fixes at 11pm without password hunts — but itemised at real cost, documented as yours, transfer-out free anytime. Managed and captive are different words; the difference is that leaving costs nothing, which is precisely why clients stay.
What actually decays on a website (and how fast)
A website isn't static software — it's software that lives on the public internet, connected to shifting standards, dependencies and threats. Left alone, a healthy website degrades measurably within months, and catastrophically within a year or two. Understanding what decays reframes maintenance from "why am I paying this" to "why isn't this priced higher":
Core software (WordPress, WooCommerce, PHP): security patches released monthly. An unpatched CMS is the vulnerability that a bot will find within days of any published exploit.
Plugins and themes: dozens of moving parts on a typical WordPress site, each maintained by a different developer, each releasing updates on its own schedule. Compatibility conflicts, deprecated APIs and abandoned plugins compound silently.
Server-level dependencies: SSL certificates expire (Let's Encrypt every 90 days, some paid ones annually), PHP versions age out of support, hosting environments shift subtly. A working site can become a broken site during your Sunday evening off.
Content freshness signals: Google measures how often your site is updated, and stagnant sites lose ground to competitors publishing quarterly at minimum.
Security posture: yesterday's secure configuration is today's vulnerability. New exploit categories emerge (this year: prompt-injection attacks on chatbot integrations, subtle supply-chain attacks via legitimate plugin updates), and defensive posture must move with them.
Performance: Google's Core Web Vitals thresholds tighten over time. A site that passed easily in 2024 might be borderline in 2026, and borderline in 2026 becomes failing in 2028 without intervention.
Our quarterly maintenance protocol (what actually happens)
Every Care plan runs the same underlying protocol — differing across Basic, Plus and Pro in depth, not in presence. Quarterly, we execute:
Backup verification — not just running backups, but restoring one to a staging environment and confirming it works. Backups that haven't been tested aren't backups; they're wishful storage.
Update audit — every plugin, theme and core version reviewed against changelogs. Non-breaking updates applied immediately; breaking or risky updates tested on staging first, then scheduled. Abandoned plugins (no updates in 18+ months) flagged for replacement — this is where most trouble hides.
Security scan and hardening review — malware scan, login attempt review, file integrity check, admin account audit (any accounts that shouldn't exist, any weak passwords, any exposed access points). Firewall and rate-limiting rules updated against current attack patterns.
Performance re-baseline — Core Web Vitals re-measured against the same test protocol used at launch. Anything that regressed gets investigated; anything that improved gets documented (so we know what worked when the next optimization cycle comes).
SEO health check — indexation status, crawl errors from Google Search Console, broken internal links, orphaned pages, sitemap freshness. Any issues Google is reporting that aren't yet visible on the site itself get fixed before they hurt rankings.
Uptime review — analysis of the last 90 days of monitoring data. Repeated brief outages that are individually small often reveal an underlying hosting issue worth addressing.
The three Care tiers: the honest scope difference
Care Basic (RM 599 / S$ 488 per year). The essential floor: security updates, uptime monitoring, weekly backups, and 2 small content edits per month. Best fit: Starter-tier sites where content rarely changes and the owner just needs the software safe and alive.
Care Pro (RM 1,599 / S$ 1,288 per year). The top tier for stores and active businesses: weekly updates, daily off-site backups, 10 edits plus one big change monthly, yearly design refresh, and same-day response. Best fit: E-commerce and high-activity sites that behave like they have an in-house IT department.
Care Plus (RM 1,199 / S$ 888 per year). Everything in Basic, plus: two hours of content edits monthly (add pages, update blog posts, edit product listings), monthly performance report, quarterly proactive audit rather than reactive fixes, and priority response window (12 hours vs 48). Best fit: active businesses where the website is a moving asset — new services, new products, new stories to add. Also best fit for stores, because stores have more moving parts than static sites.
Neither? Some clients — technically-inclined founders, larger companies with in-house dev support — genuinely don't need us. We say so at handover. The Care plan is opt-in and cancellable monthly; the website is never held hostage to it.
What crises actually cost — documented numbers
From our own incident log and rescue projects inherited from other providers, the typical crisis invoices we've documented (across our own incident log and rescue projects from other providers):
- Malware cleanup after security compromise: RM 2,500–8,000 / S$ 1,500–5,000, plus 3–7 days of Google's "this site may be hacked" warning to visitors, plus recovery of any lost trust or transactions during the incident. Prevention cost with Care Basic: RM 599/year total.
- Full rebuild after abandonment (site so out of date that update path is broken): RM 3,000–8,000 / S$ 2,000–5,000, effectively rebuilding from scratch. Prevention cost: two years of Care Basic at RM 1,198 total, and the rebuild never happens.
- Downtime during peak sales: for ecommerce, a Black Friday day of downtime often exceeds the annual maintenance budget several times over. Prevention: monitoring + rapid response, both included in Care.
- Google penalty recovery after neglected SEO health: 3–6 months of ranking damage while the site rebuilds trust. Prevention: the quarterly health check catches problems while they're still page-level.
The math is uncomfortable for the "I'll do it myself" or "I'll deal with it if something breaks" approach — because "something breaking" usually costs 10–20x what prevention would have. But we won't force this conversation — you're an adult, and the Care plan is a genuine opt-in.
Common questions about the maintenance side
Can we cancel the care plan later? Any month. No fee, no argument, no guilt. The credentials remain yours; the website continues to work (until it doesn't, at which point you have every option to re-engage or engage someone else).
What if we want to make our own edits? Encouraged, actually. Every Care client gets admin access to their site and a Loom walkthrough of the CMS. We cover the technical layer; you cover the day-to-day content. Care Plus adds our editing hours on top for when you need help.
Can you maintain a website you didn't build? Usually yes, sometimes no. If the site was built responsibly (standard WordPress or Shopify, not an abandoned custom framework or a proprietary platform we can't access), we take it on after a paid audit (RM 300 / S$ 200) that surfaces any structural issues. If the site was built on something we can't safely maintain (rare but real), we say so and recommend rebuild rather than pretending we can nurse a dying architecture.
What about the domain and hosting? Included in your ownership at the start (registered under your name, hosting purchased under your account). We recommend and handle renewal but the bill always goes to you, at the actual real price. When you leave, both stay with you unless you specifically want to transfer them elsewhere.
Emergency response (the escalation path if something goes wrong)
Sites break sometimes; the question is what happens next. For Care clients we operate a documented escalation:
Detection. Uptime monitoring alerts us within minutes of a site going down. For non-Care clients, alerting requires you noticing and reaching out — usually much slower.
Diagnosis. Care Basic: within 3 working days. Care Plus: within 1 working day. Care Pro: same day. Non-Care: quoted per incident.
Fix. Standard incidents (plugin conflict, hosting hiccup, SSL expiry) resolved in the response window. Complex incidents (malware infection, database corruption, major hosting failure) may take 24–72 hours and are managed with hourly status updates to you throughout.
Post-incident report. After every incident, a written summary: what happened, what fixed it, what prevention is being added to prevent recurrence. Incidents that reveal systemic issues generate a permanent process change. The incident log is how the service gets better over time.
Security posture — the specifics of what we do
"Security is important" is easy to claim; specific security work is what actually protects sites. Every Care plan includes:
Login protection. Custom login URL (not /wp-admin/, which is bot-attacked constantly), rate limiting on login attempts, IP-based blocking for repeated failures, two-factor authentication available for admins, and — for higher-risk sites — restricted admin access by IP whitelist.
File integrity monitoring. Automated scanning that alerts when core WordPress files or theme files change unexpectedly (a strong indicator of compromise). Alerts investigated within 12-48 hours depending on plan tier.
Malware scanning. Regular scans against known malware signatures. Positive matches trigger immediate investigation.
Database security. Regular password rotation for database credentials (not the WP admin — the underlying database), read-only replicas for reporting where warranted, and hardened database configuration that blocks common attack vectors.
Backup diversity. Backups stored in two locations (on-server and off-server), rotated on schedule (daily for 7 days, weekly for 4 weeks, monthly for 6 months), and restoration tested quarterly. Backup files themselves are encrypted so a compromised server doesn't leak historical data.
Access log review. Suspicious access patterns (multiple failed logins from different IPs, admin access from unusual geographies, sudden spike in API calls) trigger investigation. Log data itself is retained 90 days.
The updates conversation nobody wants to have honestly
WordPress core, plugins, themes: updates happen constantly, and updating everything blindly is how sites break. Not updating anything is how sites get hacked. The judgment call is what to update when, and it's where inexperienced maintenance work goes wrong.
Security updates: immediate, always. WordPress security releases, plugin security patches — applied within 24 hours (Care Plus) or 72 hours (Care Basic). Delay here is negligence.
Minor version updates: within a week, tested on staging first. Point releases usually add refinement without breaking changes, but "usually" isn't "always." Test on staging, then apply.
Major version updates: monthly cadence with real testing. Major WordPress version releases (5.x → 6.x) or major plugin releases warrant staging deployment, functional testing of critical flows (forms, checkout, admin operations), then production deployment during a low-traffic window.
Plugin updates from abandoned plugins: never — plugin gets replaced instead. A plugin with no updates in 18+ months is a security time-bomb; we identify these and migrate to actively-maintained alternatives before they cause incidents.
The theme update trap. Custom-modified themes require special care — automatic updates would overwrite customisations. We use child themes as standard practice so customisations survive updates, and we test theme updates on staging before applying.
Website maintenance sits at the unglamorous intersection of software engineering, cybersecurity, and operational discipline — and it's precisely the discipline that most SME websites lack. The result is the pattern we see repeatedly: sites built with initial enthusiasm, then neglected until they break, then rebuilt from scratch when the accumulated technical debt exceeds the cost of starting over. Every rebuild cycle wastes months of momentum and thousands in fees. The Care plans we offer are the interruption of that cycle — small monthly cost that prevents big episodic cost, executed with the same operational discipline as the initial build. If that framing resonates with how you'd want to protect a business asset, we're built for it.
The economics of maintenance are counterintuitive because the benefits are the incidents that don't happen. It's hard to point to a specific ROI on prevention; it's easy to point to specific costs from neglect. But across a portfolio of client sites over years, the pattern is unambiguous — sites on care plans stay healthy, sites off care plans have expensive episodes eventually. This isn't unique to us; every professional-quality web operation reaches the same conclusion. The question is just whether the maintenance discipline is built into your monthly workflow or postponed until it's forced by an incident.
Maintenance questions
Can you maintain a website someone else built?
Yes — rescue and adoption is half our maintenance work. Free preliminary look, then a first-month sequence: access recovery if needed, a plain-language audit with a salvage-or-rebuild verdict, backups established first, the update backlog cleared in stages, hardening to our 8-point standard, and your credentials documented so orphaning can never structurally repeat.
What does the monthly fee actually cover?
The habit, industrialised: daily off-site backups, uptime + SSL + domain-expiry monitoring, firewall against the automated attacks every SME site receives, monthly updates applied after changelog review, an actual test submission through your forms (silent form death is the costliest failure in this industry), and your content-edits window. Emergency lane included — site-down jumps every queue.
Why cancel-anytime — isn't that risky for you?
It’s the product working as designed. Locked contracts subsidise vendor complacency; a cancellable plan means every month must feel worth it on its own merits. Our retention is a scoreboard, not a clause — and your ownership never depends on subscribing, which is the whole philosophy in one sentence.
Ten minutes. Zero obligation. Real findings.
Send your URL — you'll get a plain-language health report: what's fine, what's risky, what's urgent. The diagnosis is free even when the patient chooses another doctor.