The Build-and-Forget Business Model
Here is something that most web agencies will never tell you: the moment they hand over your finished website, they stop thinking about it. The invoice is paid, the project is closed, the team moves on to the next client. Your site sits on a server somewhere, running the same code it launched with, slowly becoming more vulnerable with every passing week.
This is not a niche problem. It is the default state of the web industry, particularly in Ticino and across Switzerland. I have audited hundreds of SME websites over the years, and the pattern is depressingly consistent: a site built two or three years ago, running an outdated CMS, with plugins that have not been touched since launch day. The agency that built it? They moved on. They may not even exist anymore.
The consequences are real. An outdated website is an open door for attackers. If you want to understand the specific risks, we have covered them in detail in our article on the risks of an outdated website. But today, I want to focus on why this happens and what you, as a business owner, can do about it.
Why Agencies Don't Update Your Site
There Is No Maintenance Contract
The most common reason is the simplest: nobody agreed to maintain the site. The agency quoted you for design, development, and launch. Maintenance was never part of the scope, never discussed, never priced. Once the site goes live, the agency has no contractual obligation to touch it again.
From the agency's perspective, this makes perfect financial sense. Maintenance is low-margin work. It requires keeping track of dozens or hundreds of client sites, each running different CMS versions, different plugins, different hosting environments. It means dealing with update failures, broken layouts, and compatibility issues, all for a monthly fee that barely covers the time involved.
So most agencies simply do not offer it. Or they offer it as an afterthought, a line item in the proposal that the client crosses out to keep the budget down.
The "Don't Touch It If It Works" Culture
There is a deeply ingrained attitude in many agencies, especially smaller ones: if the site is running, leave it alone. Updating WordPress core, or Joomla, or whatever CMS was used, means risking breakage. A plugin update might conflict with the theme. A PHP version upgrade might cause fatal errors. And if something breaks, the client calls, and the agency has to fix it for free (or for a fee that creates friction).
So the calculus becomes: do nothing and nothing breaks. Update and something might break. For an agency with no maintenance revenue, the rational choice is clear. Do nothing.
The problem, of course, is that "nothing breaks" only appears true on the surface. Under the hood, known vulnerabilities accumulate. Attackers scan for exactly these outdated installations. The site may look fine for years until the day it gets compromised, defaced, or used to distribute malware. By then, the agency is long gone.
No Staging Environment
A staging environment is a copy of your website where updates can be tested before being applied to the live site. It is standard practice in professional web development. It is also something that most SME website projects never include.
Without a staging environment, every update is applied directly to production. If something goes wrong, your live site goes down. This is why many agencies and their clients avoid updates entirely. The risk of visible breakage feels worse than the invisible risk of a security vulnerability.
Setting up a staging environment is not expensive or complicated. Most quality hosting providers offer one-click staging. But it has to be part of the workflow from the start, and someone has to be responsible for using it.
Fear of Breaking Things
This is closely related to the staging problem, but it goes deeper. Many agencies, particularly the smaller ones that serve the SME market in Ticino, do not have deep technical expertise in the CMS they deploy. They know how to install WordPress, pick a theme, configure some plugins, and deliver a site that looks good. But they do not have the experience to confidently apply updates, debug compatibility issues, or recover from failed upgrades.
When you are not confident in your ability to fix what an update might break, you avoid updating. It is human nature. But the result is that thousands of business websites sit unpatched for years, accumulating known vulnerabilities that any script kiddie can exploit.
The Client-Agency Responsibility Gap
Ask a business owner: who is responsible for keeping your website secure? Most will say "my web agency." Ask the web agency: who is responsible for keeping the client's website secure? Most will say "the client, unless we have a maintenance contract."
This gap is where security goes to die. Neither party believes it is their job, so nobody does it. The business owner assumes the agency is handling things. The agency assumes the client knows they need to request (and pay for) ongoing maintenance. Both assumptions are wrong, and the website sits exposed.
In Switzerland, the legal situation adds another layer. Under the revised Federal Act on Data Protection (nDSG/revDSG), the data controller (that is, the business that collects personal data through the website) is responsible for adequate technical measures. "My agency did not update the site" is not a defense if customer data is compromised through a known vulnerability.
Warning Signs Your Agency Is Neglecting Security
How do you know if your web agency is leaving your site exposed? Here are concrete indicators:
- You have never received a maintenance report. If no one has ever told you what was updated and when, nothing was updated.
- You do not know what CMS version your site runs. If your agency has never mentioned a version number, they are not tracking it.
- You have no staging environment. If you cannot test changes before they go live, updates are either risky or nonexistent.
- Your agency responds to security questions with vague reassurances. "Don't worry, the hosting takes care of that" is not an answer. Hosting providers manage server-level security. Application-level security (your CMS, plugins, themes) is your responsibility.
- You have never been asked to approve or schedule updates. A responsible maintenance partner communicates about planned updates, especially major version upgrades.
- The agency has no documented security process. Ask them: what happens when a critical vulnerability is disclosed in a plugin we use? If they cannot describe their process, they do not have one.
- Your plugins include abandoned or removed items. Check your CMS admin panel. If plugins show "This plugin has been closed" or have not been updated in over a year, you have a problem. Our article on plugin vulnerabilities in CMS platforms explains why this matters.
Questions Every Business Owner Should Ask Their Agency
If you currently have a web agency managing your site, schedule a call and ask these questions. Their answers will tell you everything you need to know:
- What CMS version is my site running, and is it the latest? They should be able to answer immediately. If they need to "check and get back to you," that is a red flag.
- How many plugins/extensions are installed, and are all of them up to date? They should know. They should also be able to tell you which plugins have been abandoned by their developers.
- What PHP version is my site running? If it is anything below 8.2 (as of 2025), you need an upgrade plan.
- Do you have a staging environment for my site? If the answer is no, ask why not and what it would take to set one up.
- What is your process when a critical vulnerability is disclosed? The correct answer involves monitoring vulnerability databases, assessing impact, testing the patch on staging, and deploying promptly. Anything less specific than that is a non-answer.
- Who is responsible for security updates? Is this in our contract? Get clarity in writing. Verbal agreements are worth the paper they are printed on.
- What happens if my site gets hacked? Do you have an incident response plan? A professional partner has a documented process: isolate, investigate, restore from backup, patch the vulnerability, monitor for re-compromise.
- Can you show me a log of all updates applied in the last 12 months? If no log exists, no updates were applied.
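The warning signs above and the questions in this list boil down to a handful of checks that can be written down once and run against a site inventory. The script below is an added example, not the article's own tooling: it uses a constructed inventory (the field names are the example's own, not a CMS export format) and applies the thresholds the article names, PHP below 8.2, plugins with no release in over a year, and an update log that is missing or frozen at launch.

```python
from datetime import date

# Thresholds the article names: PHP below 8.2 needs an upgrade plan,
# a plugin with no release in over a year is a warning sign, and an
# update log that is missing or frozen at launch means nothing was applied.
MIN_PHP = (8, 2)
STALE_DAYS = 365

# Constructed inventory for a hypothetical site; the field names are this
# example's own, not a CMS admin panel or WP-CLI export format.
SITE = {
    "cms": "WordPress", "cms_version": "5.9.3", "cms_latest": "6.6.2",
    "php_version": "7.4.33",
    "plugins": [
        {"name": "seo-helper", "version": "3.1", "latest": "3.1", "last_release": "2025-02-10"},
        {"name": "contact-form", "version": "5.0", "latest": "5.4", "last_release": "2025-06-01"},
        {"name": "old-slider", "version": "1.2", "latest": "1.2", "last_release": "2022-11-03"},
    ],
    "update_log": ["2021-09-15"],  # dates on which an update cycle was applied
}


def parse_version(text):
    """Turn '7.4.33' into (7, 4, 33) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def check_site(site, today_iso):
    """Return the findings a maintenance report should raise, as of today_iso."""
    today = date.fromisoformat(today_iso)
    findings = []
    if parse_version(site["php_version"])[:2] < MIN_PHP:
        findings.append(f"PHP {site['php_version']} is below 8.2: plan an upgrade")
    if parse_version(site["cms_version"]) < parse_version(site["cms_latest"]):
        findings.append(f"{site['cms']} {site['cms_version']} is behind {site['cms_latest']}")
    for plugin in site["plugins"]:
        if parse_version(plugin["version"]) < parse_version(plugin["latest"]):
            findings.append(f"plugin {plugin['name']}: update {plugin['version']} -> {plugin['latest']} pending")
        age = (today - date.fromisoformat(plugin["last_release"])).days
        if age > STALE_DAYS:
            findings.append(f"plugin {plugin['name']}: no release for {age} days, possibly abandoned")
    log = site["update_log"]
    if not log:
        findings.append("no update log exists: assume nothing was ever updated")
    elif (today - date.fromisoformat(max(log))).days > STALE_DAYS:
        findings.append(f"last logged update cycle was {max(log)}: over a year ago")
    return findings


if __name__ == "__main__":
    for line in check_site(SITE, "2025-10-01"):
        print("-", line)
```

Run against a real inventory, the output is the skeleton of the monthly report the article asks for; an agency that cannot produce these numbers on request is not tracking them.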
What a Proper Maintenance Agreement Looks Like
If your agency does not offer maintenance, or if their offering is vague ("we keep an eye on things"), here is what a real maintenance agreement should include:
Scope and Responsibilities
- Clear definition of what is covered: CMS core updates, plugin updates, theme updates, PHP version management, security monitoring.
- Clear definition of response times: how quickly will critical security patches be applied? (Acceptable: within 48 hours of disclosure for critical CVEs. Not acceptable: "at the next scheduled maintenance window, which is quarterly.")
- Clear definition of what is not covered: new feature development, content changes, design modifications. These should be scoped and billed separately.
Update Process
- All updates tested on a staging environment before production deployment.
- Automated backups taken before every update cycle.
- Rollback procedure documented and tested.
- Client notified of major updates (e.g., CMS major version upgrades) before they are applied.
Reporting
- Monthly maintenance report showing: what was updated, what vulnerabilities were addressed, any issues encountered, current status of all components.
- Annual security review summarizing the year's maintenance, any incidents, and recommendations.
Pricing
What should you expect to pay? For a standard WordPress or Joomla site with 10-20 plugins, a reasonable maintenance contract in Switzerland runs between CHF 150 and CHF 400 per month, depending on the complexity of the site and the response time guarantees. This covers regular update cycles, security monitoring, backups, and basic incident response.
If that sounds expensive, compare it to the cost of a compromised website: business downtime, data breach notification requirements under Swiss law, reputational damage, and the cost of emergency remediation (which typically runs CHF 2,000 to CHF 10,000 for a serious compromise).
Monthly vs. Quarterly Update Cycles
How often should updates be applied? The answer depends on the risk profile, but here is a general framework:
| Update Type | Recommended Frequency | Notes |
|---|---|---|
| Critical security patches | Within 48 hours | For CVEs with CVSS 7.0+, waiting is not acceptable |
| Regular security updates | Weekly to biweekly | Minor security fixes, plugin patches |
| Feature updates | Monthly | New functionality in plugins/themes, test thoroughly |
| Major version upgrades | Within 30 days of stable release | CMS core major versions, PHP upgrades, require staging testing |
| Full security audit | Annually | Review all components, remove unused plugins, audit access |
Quarterly update cycles are too slow for anything security-related. In the three months between updates, dozens of new vulnerabilities may be disclosed in your CMS and plugins. Automated exploit tools are updated within days or hours of a CVE publication. A quarterly cycle means you are potentially exposed for months.
Monthly is the minimum acceptable frequency for non-critical updates. Weekly is better. Critical patches should always be applied as soon as they are available and tested.
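The frequency table is easier to hold an agency to when it is written as policy code. The example below is added here and is not part of the article: it maps each pending update to a class using the table's rules (CVSS 7.0+ is critical, 48 hours; security fixes weekly; feature and major upgrades 30 days), then lists which updates are past their deadline. Where the table gives a range ("weekly to biweekly") the stricter end is used; the sample updates and the check date are constructed.

```python
from datetime import datetime, timedelta

# Deadlines taken from the article's frequency table. Where the table gives
# a range ("weekly to biweekly") the stricter end is assumed.
POLICY = {
    "critical": timedelta(hours=48),  # CVSS 7.0+: waiting is not acceptable
    "security": timedelta(days=7),    # minor security fixes, plugin patches
    "feature":  timedelta(days=30),   # new functionality in plugins/themes
    "major":    timedelta(days=30),   # CMS core / PHP major version upgrades
}
CRITICAL_CVSS = 7.0


def classify(update):
    """Map a pending update to a policy class using the table's rules."""
    cvss = update.get("cvss")
    if cvss is not None and cvss >= CRITICAL_CVSS:
        return "critical"
    if update.get("security"):
        return "security"
    if update.get("major"):
        return "major"
    return "feature"


def deadline(update):
    """Latest acceptable application time for this update."""
    return update["released"] + POLICY[classify(update)]


def audit(updates, now):
    """Return (component, class, hours late) for every update that missed its deadline.

    An update counts as late if it is still unapplied past the deadline, or was
    applied after it (the log should show the date it actually went in)."""
    report = []
    for update in updates:
        due = deadline(update)
        finished = update.get("applied")
        reference = now if finished is None else finished
        if reference > due:
            hours = round((reference - due).total_seconds() / 3600)
            report.append((update["component"], classify(update), hours))
    return report


# Constructed sample: a site on a quarterly cycle, checked on 1 October 2025.
SAMPLE = [
    {"component": "contact-form plugin", "released": datetime(2025, 9, 1), "cvss": 8.8},
    {"component": "gallery plugin", "released": datetime(2025, 9, 20), "security": True},
    {"component": "theme", "released": datetime(2025, 9, 25)},
    {"component": "PHP 8.2", "released": datetime(2025, 8, 1), "major": True,
     "applied": datetime(2025, 8, 20)},
]
NOW = datetime(2025, 10, 1)

if __name__ == "__main__":
    for component, kind, hours in audit(SAMPLE, NOW):
        print(f"{component}: {kind} update missed its deadline by {hours} hours")
```

The critical plugin patch released on 1 September is already four weeks past its 48-hour window on the check date, which is exactly the exposure a quarterly cycle produces.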
In-House Control vs. Agency Dependence
Some business owners, frustrated by agency neglect, consider bringing website management in-house. This is worth thinking through carefully.
Arguments for In-House Management
- Direct control: You decide when updates happen, not an agency that may deprioritize your site.
- Faster response: When a critical vulnerability drops, you can act immediately instead of waiting for your agency to get to it.
- Better awareness: You understand your own attack surface because you manage it directly.
- Cost efficiency at scale: If you have multiple sites or a complex web presence, an in-house person can be more cost-effective than multiple agency contracts.
Arguments for Agency Management
- Expertise: A good agency has seen hundreds of CMS installations and knows the common failure patterns.
- Tooling: Agencies that take maintenance seriously use monitoring tools, automated update systems, and vulnerability scanners that would be expensive for a single business to license.
- Availability: If your one in-house person is on vacation when a critical CVE drops, who patches the site?
The Middle Ground
For most SMEs, the best approach is a hybrid model:
- Own your hosting account. Never let the agency own your hosting. You should have direct access to the server, the CMS admin panel, and the domain registrar. If the agency disappears, you can still access everything.
- Own your code repository. If custom development was done, the source code should be in a repository you control (GitHub, GitLab, Bitbucket). The agency can have contributor access, but you own the repository.
- Contract maintenance separately. Your maintenance provider does not have to be the same agency that built the site. In fact, having a different party audit and maintain the site can surface issues that the original developer overlooked.
- Get admin access and training. You should be able to log in to your CMS and see the dashboard. You should know how to check plugin versions. You should know what a security warning looks like.
- Have a backup you control. Automated backups should go to a storage location you own, not just the agency's server. If the agency goes bankrupt, your backups should still be accessible.
What Happens When Maintenance Is Neglected
Let me describe a scenario we see regularly. A Ticino-based SME had their website built four years ago by a local agency. It runs WordPress 5.9 with 22 plugins on PHP 7.4. The agency that built it no longer offers maintenance. The business owner logs in to update content occasionally but ignores the "updates available" badges in the dashboard because "last time I tried, something broke."
One Monday morning, their customers start reporting that the website redirects to a pharmaceutical spam site. Google has already flagged the domain with a "This site may be hacked" warning. Their search rankings have evaporated. The contact form has been sending spam to their entire customer database.
The cleanup took three weeks and cost CHF 8,500. The reputation damage took much longer to recover from. All because a known vulnerability in a plugin, patched by the developer eight months earlier, was never applied.
This is not a horror story I invented. It is a composite of real cases we have handled. The details change (sometimes it is a defaced homepage, sometimes it is a cryptocurrency miner running on the server, sometimes it is stolen customer data), but the root cause is always the same: no one was maintaining the site.
The Static Site Alternative
There is a different approach that eliminates many of these maintenance headaches: static site generators and modern JAMstack architecture. Sites built with tools like Astro, Next.js, or Hugo do not have a traditional CMS running on the server. There is no PHP, no database, no plugin ecosystem to patch. The attack surface is dramatically smaller.
This does not mean static sites are maintenance-free. Dependencies still need updating, hosting configurations still matter, and any dynamic functionality (contact forms, search, e-commerce) introduces its own attack surface. But the baseline security posture is far better than a traditional CMS installation.
If you are considering a website rebuild or a new site, it is worth exploring whether a modern architecture could reduce your ongoing maintenance burden. We have written more about this in our comparison of WordPress vs. JAMstack.
Taking Action
If you have read this far, you probably recognize some of these patterns in your own situation. Here is what to do next:
- Find out what your site runs. Log in to your CMS admin panel and note the CMS version, PHP version, and number of plugins/extensions. If you do not have admin access, that is problem number one.
- Check when things were last updated. Most CMS platforms show the last update date for each plugin. If everything was last updated on the original launch date, you have your answer.
- Talk to your agency. Use the questions listed above. Get clear answers in writing. If they cannot or will not answer, start looking for a new maintenance partner.
- Get a security assessment. An independent security audit of your website will show you exactly where you stand. This is not about blaming your agency; it is about understanding your risk.
- Set up a maintenance plan. Whether in-house, through your agency, or through a specialized partner, get ongoing maintenance in place with clear responsibilities and schedules.
Your website is not a one-time project. It is a living piece of infrastructure that requires ongoing attention, the same as your office network, your accounting software, or your physical premises. The agencies that build and forget are not malicious; they are just optimizing for their own business model. It is your job to make sure someone is optimizing for your security.
If you need help assessing your current situation or setting up a proper maintenance plan, get in touch with us. We work with SMEs across Ticino and Switzerland to close the maintenance gap and keep websites secure.