WORDPRESS CARE PLANS

What a care plan should actually deliver in 2026. The Seahawk structure, pricing tiers, and the operational cadence behind it.

What care plans are for

A WordPress site needs roughly two hours of attention per month for plugin updates, security patches, performance review, and routine monitoring. Without that attention, the site degrades over 12 to 24 months: plugin updates lag, security risks accumulate, performance regresses, backups go untested, and one day something breaks expensively.

Care plans exist to deliver that two hours of attention reliably. The honest version: most WordPress incidents we respond to at Seahawk trace back to a care plan that lapsed, not to anything inherently fragile about WordPress itself.

What a care plan should cover

Weekly: plugin and core update review, with updates applied within seven days of release, first on staging and then on production. Backup verification. Uptime monitor review. Security scan results review.

Monthly: full performance audit via PageSpeed Insights or Calibre. Database optimisation if needed. Theme update if available. Admin user audit. Backup restore drill on staging.

Quarterly: plugin diet review (which plugins still earn their place), PHP version review, hosting plan review, security posture review including 2FA enforcement audit.

Ad-hoc: incident response when something breaks, 24-hour SLA for paying clients on critical issues, content edit support within scope.

Pricing tiers

Solo brochure site: 200 to 500 USD per month covers the core cadence above plus reasonable content edit support.

WooCommerce or content-heavy site: 500 to 1,200 USD per month adds e-commerce monitoring, transaction-level alerting, faster SLA on critical issues.

Agency portfolio (5+ sites): 1,500 to 5,000 USD per month for the bundle, scales with site count, includes monthly performance and security reports per site.

Enterprise WordPress (multi-site network or high-traffic): 5,000 to 25,000 USD per month, includes dedicated support engineer, custom monitoring, incident response retainer.

What care plans should not cover

Major redesigns, new feature builds, custom development beyond minor edits. These are project work and should be priced separately, not absorbed into the retainer.

Recovery from incidents that pre-date the care plan. The first month or two of a new engagement often surfaces accumulated debt; that work should be quoted separately as a stabilisation engagement.

Hosting fees, plugin license renewals, third-party SaaS costs. These pass through with markup or are billed separately for transparency.

How to evaluate an existing care plan

Three diagnostic questions to ask your current provider:

When was the last malware scan and what did it find? (If they cannot answer immediately, the scan is not happening.)

When was the last backup restore drill, and to what staging environment? (If they have never restored a backup, the backup might not work when you need it.)

What is the current PHP version, plugin count, and Lighthouse score? (If they cannot answer, they are not monitoring.)

Care plans that cannot answer all three are not delivering care; they are billing a retainer. The right care plan provides these answers proactively in monthly reports.
