Business Websites Have a Running Cost. Here's Why That's a Good Thing.
Key Takeaways
Modern CMS websites like Statamic are built on dozens of third-party packages, all of which accumulate security vulnerabilities over time
Vulnerabilities are publicly documented - anyone can look up how to exploit them once they're disclosed
A routine audit on a live client site this month identified seven vulnerabilities in one package, including one rated critical
Jack McDade, Statamic's founder, confirmed the patches and noted that security updates come from Laravel, Livewire, and other dependencies too - not just Statamic itself
Monthly maintenance is a planned, predictable cost; emergency remediation is neither
It's understandable
Once a site launches and is performing well, it can feel like the job is done. But a modern website built on a CMS like Statamic isn't a static brochure — it's a piece of software, built on top of dozens of third-party packages, all of which evolve over time.
Some of those changes are improvements. Others are security patches fixing vulnerabilities that, left unaddressed, could create real problems for your business website.
This post explains what's actually happening under the surface of your website, why regular maintenance matters, and how to think about it as a sensible running cost rather than an unwelcome extra.
What's Actually Running Your Website
A Statamic website isn't just the files a developer writes. It's built on top of a stack of open-source packages (Statamic itself, the Laravel framework beneath it, and the libraries they pull in), each maintained by its own team or community.
These packages handle everything from image processing and form handling to authentication and caching. They're what make modern websites capable without every agency building every feature from scratch.
This is a good thing
It means your website benefits from the work of hundreds of developers worldwide and can do things that would otherwise take months to build.
The trade-off is that those packages change. New features are added, bugs are fixed, and critically, security vulnerabilities are discovered and patched.
When a vulnerability is identified in a package, it's assigned a CVE identifier, and a severity rating (low, medium, high, or critical, usually derived from a CVSS score) is published alongside it. The advisory details are public, which means anyone, including attackers, can look up which versions are affected, what the vulnerability is, and often enough about it to work out how to exploit it.
What Unaddressed Vulnerabilities Look Like in Practice
As part of routine maintenance on a client site this month, a standard security audit identified seven vulnerabilities across one package. Of those seven: one was rated critical, two were rated high, and the remainder were medium severity.
The critical vulnerability (CVE-2026-27593) relates to account takeover via password reset link injection. The two high-severity issues relate to privilege escalation via stored cross-site scripting. These aren't theoretical risks: they're documented attack vectors with publicly available advisory information.
None of these are cause for panic
The site in question is on a monthly maintenance plan, so these were identified and resolved as part of normal scheduled work.
Statamic's founder Jack McDade addressed the vulnerabilities directly in a public statement, noting that "none of these issues are known to have been exploited in the wild, and most require a pretty specific set of highly unlikely circumstances" - but added that the team "take every report seriously and moved quickly to get fixes out."
That's reassuring. But his statement also contains a quieter warning worth noting: "Security patches don't just come from Statamic — Laravel, Livewire, and other dependencies in your stack get them too." In other words, Statamic itself is just one of many packages that need monitoring. The ecosystem is broader than most site owners realise.
The key point is this: vulnerabilities don't announce themselves. They accumulate quietly, and you only discover them if you're actively looking, which for a Statamic site means auditing every Composer dependency pinned in the lock file, not just checking the CMS version. A site without regular maintenance might carry these issues for months or years without anyone noticing, until something goes wrong.
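To make the "you only find them if you look" point concrete, here is an added example (not code from the original post, and not D3 Creative's or Statamic's tooling) of the check a dependency audit performs: it reads the pinned versions from a composer.lock file and matches them against a list of advisories, each with an affected version range and a severity, exactly as described above for CVE identifiers and ratings. In practice the real check is `composer audit`, which pulls the advisory feed from Packagist; this offline stand-in embeds a constructed lock excerpt and constructed advisories with placeholder package names and IDs, none of which correspond to the real vulnerabilities discussed on this page.

```python
"""Offline dependency-audit example: match a composer.lock against advisories.

All package names, versions, advisory IDs and affected ranges below are
constructed placeholders for illustration, not real advisories.
"""
import json
import re

# Constructed composer.lock excerpt (only the fields the check needs).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/cms-core", "version": "v5.40.0"},
        {"name": "vendor/form-handler", "version": "2.3.1"},
        {"name": "vendor/image-tools", "version": "1.9.4"},
    ],
    "packages-dev": [],
})

# Constructed advisory feed in a Packagist-like shape: one entry per
# advisory, with a comma-separated version constraint for affected releases.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "vendor/cms-core",
     "affected": ">=5.0.0,<5.41.1", "severity": "critical"},
    {"id": "EXAMPLE-0002", "package": "vendor/cms-core",
     "affected": ">=5.30.0,<5.40.0", "severity": "high"},   # already fixed
    {"id": "EXAMPLE-0003", "package": "vendor/form-handler",
     "affected": "<2.3.0", "severity": "medium"},           # already fixed
    {"id": "EXAMPLE-0004", "package": "vendor/image-tools",
     "affected": ">=1.9.0,<2.0.0", "severity": "high"},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
}


def parse_version(text):
    """Turn 'v5.40.0', '1.9' or '2.1.0-beta1' into a comparable 3-int tuple.

    The leading 'v' and any pre-release/build suffix are dropped; missing
    components are padded with zeros so '1.9' compares as (1, 9, 0).
    """
    core = text.strip().lstrip("vV").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_affected(version, constraint):
    """True if the installed version satisfies every clause of the constraint.

    Clauses are comma-separated (an AND), e.g. '>=5.0.0,<5.41.1'.
    """
    installed = parse_version(version)
    for clause in constraint.split(","):
        match = re.match(r"^\s*(>=|<=|>|<|==|=)?\s*(\S+)\s*$", clause)
        if not match:
            raise ValueError("unparseable constraint clause: %r" % clause)
        op = match.group(1) or "=="
        op = "==" if op == "=" else op
        if not _OPS[op](installed, parse_version(match.group(2))):
            return False
    return True


def audit(lock_json, advisories):
    """Return advisories matching the lock file, highest severity first."""
    lock = json.loads(lock_json)
    installed = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        installed[pkg["name"]] = pkg["version"]
    findings = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is None:
            continue  # package not in this site's stack
        if version_affected(version, adv["affected"]):
            findings.append({"id": adv["id"], "package": adv["package"],
                             "installed": version, "severity": adv["severity"]})
    findings.sort(key=lambda f: -SEVERITY_RANK.get(f["severity"], 0))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'none' when the audit is clean."""
    return findings[0]["severity"] if findings else "none"


if __name__ == "__main__":
    for f in audit(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print("%-8s %-20s %-8s %s" % (f["severity"], f["package"],
                                      f["installed"], f["id"]))
```

Two of the four constructed advisories do not match because the installed version is already at or past the fix boundary, which is the same comparison a real audit makes: being one patch release behind the fix is what turns a public advisory into a live issue on your site.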
The Real Cost Comparison
Reactive fixes are expensive, for straightforward reasons. When something breaks or is compromised, the work is urgent, unplanned, and often requires diagnosis before any remediation can begin.
You're paying for time under pressure, and depending on what's happened, you may also be dealing with downtime, data issues, or the reputational impact of a compromised site.
Monthly website maintenance, by contrast, is planned and predictable.
It covers package updates, security patching, server-level updates (a typical production server accumulates updates continuously — it's not unusual to see 50 to 70 outstanding system updates on a server that hasn't been touched in a few months), and a review of anything that's changed or needs attention.
The work is done methodically, in a controlled environment, before problems develop. That's a fundamentally different kind of work to emergency remediation, and the cost reflects it.
How to Think About It
The nearest analogy is a service contract on a piece of business-critical equipment. You wouldn't run a company car without servicing it or buy a commercial boiler without a maintenance agreement.
The equipment works fine right now, but that's partly because it's being looked after. Skip the maintenance and the risk profile changes quietly.
Your website is no different. It's business-critical infrastructure. If it goes down, handles a contact form badly, or is compromised in some way, there's a real business impact. A monthly website maintenance plan is the service contract that keeps it running reliably and securely.
The cost of that plan is predictable. The cost of not having it isn't.
What a Maintenance Plan Actually Covers
D3 Creative's Support and Maintenance service is structured across three tiers, designed to match different levels of business need.
The Core plan is the right starting point for most businesses. It covers quarterly Statamic CMS updates, monthly server patching, and email support. For the majority of B2B websites, this is sufficient - vulnerabilities get addressed, the server stays current, and there's a direct line to someone who already knows the site when something needs attention.
The Plus plan moves to bi-monthly CMS updates, weekly server patching, and same-day support response. It also adds proactive uptime and performance monitoring - meaning issues are flagged before they become visible problems, rather than discovered after the fact.
The Max plan is designed for mission-critical websites where any downtime has immediate business impact. It includes monthly CMS updates, daily server patching, priority incident response, and full management of third-party integrations and CDN configuration.
All three plans include a thorough testing process: every update is applied to a staging environment first, with automated and manual checks run before anything touches the live site. Backups are taken before every maintenance window as standard.
The goal is simple: your website maintenance should be something you don't have to think about. That only happens if someone is thinking about it on your behalf.
The Practical Takeaway
If you've had a website built in the last few years, the question isn't whether it needs ongoing maintenance. It does.
Every modern CMS-powered website does. The question is whether that maintenance is planned and budgeted, or whether it's waiting to become an emergency.
Planning is cheaper. It's less stressful. And it means the person maintaining your site already knows it well when something does need attention.
If you're not currently on a maintenance plan and you'd like to understand what that would involve for your site, get in touch.
Meet your website specialist
Stephen Meehan is an experienced web designer and developer who creates customer-focused websites that drive results for businesses across the UK and beyond.