Now that you have gotten your domain name, created your site, and it is up and running (perhaps with the help of a professional developer), you can just sit back and relax; NO! Having a WordPress site is similar to owning a car; it needs periodic maintenance to keep it running and prevent unexpected problems, and may need complete replacement at some point in time, hopefully after many years of good service.
What can go wrong you might ask after you have your site up and running as you want? Future issues fall into three broad categories: security problems identified in the software used on your site, changes in your hosting environment, and changes in the way visitors access your site. These first two are really near-term maintenance issues. While I’ll cover these issues for the DIYers, if you are making money from your site, you should 100% buy on-going maintenance or use managed-WordPress hosting for your site; there was a reason you used a professional to create your WordPress site and getting professional maintenance is money well-spent. Imagine if your money-making site was hacked or otherwise wasn’t working properly, wouldn’t the lost revenue have paid for on-going professional maintenance? Depending on exactly what happened, how much revenue would you loose if your site was offline for days? Any on-going maintenance can be provided in a few different ways.
If your site is running on WordPress.com (note this is not the free WordPress.org but the .com business) they provide on-going maintenance by controlling what version of WordPress you use and what add-on software (i.e., themes and plugins) are allowed. They ensure the allowed software has all the latest security patches, has been tested together, and deal with any changes to the server environment. The more they restrict the software you can run, the easer it is to provide maintenance and compatibility testing and hence the cheaper the hosting plan, even to the point they provide a free plan for non-commercial users happy with a very limited set of options.
WordPress can run on other hosting providers with fewer restrictions on add-on software and those providers can provide various types of on-going maintenance services. Often they will handle any changes to the hosting, such as when the the version of PHP is changed. Some hosting providers offer managed-WordPress where they take responsibility for making sure your site is working, leaving you to only worry about content. And finally, more and more professional WordPress developers offer on-going maintenance services. These are generic description of different types of maintenance services, so read up on what exact services you are buying.
Perhaps the most near-term and pressing concern is security issues. All the time, different pieces of software gets updated to patch security holes as they get identified to prevent hackers from accessing or defacing your site. It is truly an on-going cat-and-mouse game between hackers and security researchers; as soon as one security hole is identified and patched, hackers find another. Much as you keep your personal computer updated to prevent getting malware, your WordPress site also needs similar attention. Some people think they don’t have anything of value on their site and so need not worry about security holes. Unfortunately, that isn’t true for two reasons–most hacking is done by bots that hack-first and after successfully breaking in, the hacker then sees if there is anything of value to steal from compromised sites, and if nothing else, hackers CAN steal your site’s computer resources for their own use or for re-sell. (Yes, there is a substantial black-market for stolen computer time that is then used by others for things such as bit-coin mining or spreading malware or even attacking other sites.) In any case, your site is disrupted to varying degrees that can end up costing you money.
The WordPress community robustly responds to identified security issues but because software is written by people and people make mistakes, even the best of software (e.g., WordPress itself, plugins and themes) have security holes. Unfortunately, it is just a matter of WHEN not IF, there is a security hole, especially as WordPress, themes and plugins become ever more complex and hackers become ever more sophisticated. The best defense is to always run the latest version of software, but blindly auto-updating may not a good idea either because the update may cause compatibility problems. Before you update your WordPress, you must take a backup of your site to restore in case of problems, make sure all plugins have been tested with that version of WordPress, update the plugins first and then update WordPress, and finally do a quick functionality test to make sure there are no problems. Different hosting providers provide different types and configurations of firewalls to protect your site from brute-force attacks. And every site needs to have some sort of security plugin, since unfortunately, WordPress by itself really isn’t enough to defend against today’s hackers. As an example, this site is not very popular, clearly has nothing of real value, and yet, my security plugin notes one or two attacks every day.
Your WordPress site runs on a hosting service and there may be occasional changes that might need a response. Perhaps the most common is updating the version of PHP which executes the WordPress software. Most hosting providers will support a variety of PHP versions from very old (basically obsolete) to newest. The newer versions have security problems fixed and offer significantly better performance s ir is usually best to run the latest PHP version compatible with your site.
And over time, the way your visitors access your site will evolve and your site must keep up. These changes are usually over the course of many years, but web standards and browsers do evolve and change in ways not always backwards compatible (meaning all or parts of your site will look different or stop functioning as designed). The devices people use also change over time. For example, not long ago most visitors came from desktop/laptop computers with large screens and keyboard/mouse but now the majority come from mobile devices with touch screens. Since moving from a desktop design to a mobile-friendly design is often a feature change, maintenance contracts or using managed-WordPress typically don’t cover that. Since recently designed sites should already be mobile-friendly, this change won’t be needed; but know knows what future changes may be needed. Maybe your site will be need to be voice-activated friendly to work with Siri, Alexa, or Google. Maybe your site will want to be Virtual-Reality-ready. While you know your site might need major changes if your business changes, also know that new user technologies may also drive changes.
Web sites are not set-and-forget or one-and-done situations.