Short answer: websites are not “set and forget”. The minimum adult standard is tested backups, timely updates for your stack, and controlled admin access.
Maintenance is often framed as a cost. The better framing is risk reduction: fewer emergency weekends, fewer embarrassed emails to customers, and less chance of SEO damage from a hacked site serving spam.
What should every SME website have on day one?
- Backups: automated + a restore test at least once.
- Updates: CMS, plugins, themes, PHP—on a schedule.
- Monitoring: uptime alerts and a known support path.
- Access hygiene: unique passwords, MFA where possible, least-privilege accounts.
What does a reasonable update workflow look like for WordPress?
Stage changes when possible, update in batches, verify checkout/contact forms after updates, and keep a rollback path. If you cannot do that internally, buy a maintenance retainer—cheap hosting without care is expensive eventually.
What are early signs you have been compromised?
- Unexpected admin users or login failures spikes.
- New pages you did not create, weird JavaScript, or search console “hacked content” warnings.
- Email blacklisting or spam complaints tied to your domain.
How do you balance security with convenience?
Use MFA for email and hosting, limit plugin installs, and avoid sharing one “master password” across staff. Document who owns DNS, registrar, and hosting—so you can respond fast.
Need professional maintenance support?
See website maintenance and security on NZDH if you want a NZ team involved—this guide defines what “good” looks like.
Frequently asked questions
How often should backups be tested?
At least quarterly for most SMEs; monthly if you change the site frequently.
Is free security scanning enough?
It helps, but it is not a substitute for updates and good hosting isolation.
What is the #1 password mistake?
Reusing the same password across registrar, hosting, and email—one breach becomes total loss.