A website gets built, goes live, works - and then nobody looks at it again for years. That is exactly where the risk begins. While your business serves customers, works on site or writes invoices, automated programs probe the web around the clock for vulnerable sites - regardless of size, sector or reputation. The German Federal Office for Information Security records an average of 119 new vulnerabilities per day in its current reporting period, an increase of around 24 percent on the previous year (BSI). Of the ransomware attacks recorded in the same period, 80 percent targeted small and medium-sized enterprises (BSI). A website that has been built once but is never maintained is therefore not a finished project but an open door that keeps opening wider over time. This article shows local businesses why ongoing maintenance is now basic equipment, what it covers in concrete terms - updates, backups, monitoring, SSL and load time - and how it simultaneously covers part of your obligations under the General Data Protection Regulation.
Key takeaways
- The BSI counts around 119 new vulnerabilities per day, up about 24 percent year on year - the supply of attack points does not run dry (BSI).
- Attacks are automated: 80 percent of recorded ransomware cases hit small and medium-sized enterprises, not just large corporations (BSI).
- The typical entry points are home-made: outdated CMS and plugin versions, weak passwords, missing backups and expired certificates.
- Regular maintenance bundles updates, backups, monitoring, SSL upkeep, load time and basic hardening - planned instead of in an emergency.
- Maintenance is also legal protection: it feeds directly into the technical measures required under Article 32 of the GDPR.
Why an Unmaintained Website Becomes a Risk
The threat landscape is not an abstract bogeyman from the IT press but something measurable. The BSI documents a continuous rise in newly disclosed security gaps: from around 68 per day in 2022, through 78 and 96, to most recently 119 per day in the reporting period (BSI). Each of these gaps can affect software that also runs on your website or server - from the content management system through individual extensions to the database. Anyone who does not update promptly leaves open exactly those doors whose locks are publicly known and therefore conveniently findable for attackers.
The economic consequence is quantified in the Wirtschaftsschutz report by the digital association Bitkom. The total damage to the German economy from theft, espionage and sabotage stands at around 289 billion euro a year, of which roughly 70 percent - about 202 billion euro - is caused by cyberattacks alone (Bitkom). 87 percent of the companies surveyed were affected in the past twelve months (Bitkom). These figures do not only arise in large data centres; they add up from many small incidents: hijacked contact forms, home pages injected with malicious code, encrypted servers, leaked customer data.
The Myth of Being Too Small a Target
How Attackers Target Local Websites
Attacks on small websites are rarely the work of a determined hacker who personally targets your business. The normal case is more mundane and precisely for that reason so effective: programs automatically search millions of addresses for known weaknesses and strike wherever they find them. The most common entry points are remarkably always the same - and almost all of them could be closed by ongoing upkeep.
Outdated Systems
Around 43 percent of all websites worldwide run on the most widely used content management system (Statista). Known gaps in outdated CMS and plugin versions are by far the most common entry point, because their locks are publicly documented.
Weak Passwords
Short, reused or never-changed credentials can be guessed automatically. Without two-factor protection, a single guessed admin password is enough to take over the entire site.
Missing Backups
Without a current, tested backup, an incident quickly becomes a total loss. Anyone who cannot restore a clean state after an attack faces rebuilding from scratch.
Expired Certificates
When the SSL certificate expires, browsers warn visitors with a red error page. That instantly costs trust and enquiries - and is a visible sign of missing upkeep.
Unpatched Servers
Not just the website itself, but the underlying server and database software needs updates too. An outdated web server or an old PHP version opens attack paths beneath the visible surface.
No Monitoring
Without oversight, a breach is often noticed only when Google has already flagged the site as dangerous or customers complain. Detected early, an incident can usually be kept small.
What is striking about this list is that not a single point describes an exotic attack technique. They are all failures in ongoing operation. That is the good news: anyone who systematically covers these six areas removes the basis for the large majority of automated attacks. None of it is magic, but all of it needs doing regularly - and that very regularity is the core of any serious website maintenance.
What Regular Maintenance Really Covers
Maintenance sounds like a single task but is an interplay of several coordinated building blocks. Only together do they produce a robust level of protection. If one block is missing, a deceptive sense of security quickly arises - for instance when updates are installed but no backups are run. The following six areas form the foundation of solid upkeep.
Updates
The content management system, all extensions and the server software are updated promptly and in a controlled way. Security updates first, functional updates planned - each with a prior backup as a fallback.
Backups
Regular, automated backups of files and database, stored separately from the server and spot-checked for restorability. A backup that cannot be restored is not a backup.
Monitoring
Availability, certificate status and unusual changes are monitored continuously. That way an outage or a breach is noticed before customers or search engines notice it.
SSL and HTTPS
The certificate is renewed in good time, the encryption cleanly configured and consistent HTTPS delivery ensured. This protects form data and is at the same time a ranking factor.
Load Time
Images, caching and code are kept in view so the site stays fast. Performance is not a one-off result but degrades gradually with every new piece of content.
Hardening
Login areas are secured, unnecessary access is closed, permissions granted sparingly and two-factor protection set up. Basic hardening removes the easiest paths for automated attacks.
So that these building blocks are not forgotten, good maintenance follows a fixed rhythm rather than chance. A proven approach uses short, regular intervals for security-critical tasks and longer ones for the fine work. That keeps the effort per session manageable and the site permanently at a reliable level.
- Weekly: check availability and certificate status, install security-critical updates
- Monthly: apply all updates in a controlled way, test backups for restorability, measure load time
- Quarterly: review access rights and user accounts, remove extensions no longer in use
- Ongoing: evaluate monitoring alerts and check anomalies promptly
- After every major update: verify core functions such as forms, booking and payment
Security is not a state you establish once but a habit you maintain. A website ages exactly as fast as the software around it changes.
What a Successful Attack Costs: Revenue, Visibility, Trust
An attack rarely hits in just one place. If the site goes down or is blocked, revenue through digital channels dries up first: no enquiries via the contact form, no bookings, no orders. Because around 60 percent of visits in Germany come via mobile devices (Statista), an outage hits precisely those visitors who want to get in touch spontaneously and on the go. Every hour of standstill is a lost opportunity - and cannot be made up afterwards.
The second, often underestimated damage hits visibility. If Google detects malicious code or a compromise, the site can be flagged with a warning in the search results or downgraded. What was built up over years of visibility on Google is then damaged in days and needs weeks to months to recover. A slow site that has been unstable since an incident additionally loses ground on the Core Web Vitals - the topic we explore in our article on website load time.
The heaviest cost is the loss of trust. Anyone who sees a browser warning when opening a site, or reads about a data breach, rarely comes back a second time. For local businesses in particular, which live on recommendation and a good reputation, this damage is hard to quantify and even harder to repair. The composition of the damage shows how real this is: ransomware accounts for around 34 percent, denial-of-service attacks for 25 percent and malware for 24 percent of the losses (Bitkom). The share of cyberattacks in the total damage recently rose from 67 to 70 percent (Bitkom) - the direction is unambiguous.
Prevention Is Plannable, Cleaning Up Is Not
Maintenance Also Meets Your GDPR Duties
As soon as personal data is processed through your website - and even a contact form counts - the General Data Protection Regulation applies. Article 32 requires appropriate technical and organisational measures to protect this data according to the state of the art. This is not a one-off declaration but an ongoing obligation: what was state of the art yesterday can be a known gap today. It is precisely this continuity that means data protection and maintenance cannot be separated.
In concrete terms, the classic maintenance tasks feed directly into Article 32: current software closes known gaps, HTTPS encryption protects transmission, access restrictions and two-factor protection safeguard confidentiality, and regular backups ensure recoverability after an incident. Should a data breach occur nonetheless, documented diligence is also decisive - anyone who can demonstrate that they have maintained their systems is in a considerably better position than someone running a site that has been unchanged for years.
Maintenance and Data Protection Interlock
Maintain It Yourself or Have It Maintained?
In principle, many maintenance tasks can be done yourself. The question is less whether it works than whether it happens reliably and permanently. Installing updates is quickly explained, but in day-to-day business that is exactly what gets postponed - until a gap is exploited or an update breaks another function. The comparison below places the three usual routes in context.
| Aspect | No Maintenance | Occasionally Yourself | Maintenance Plan |
|---|---|---|---|
| Updates | Left undone, gaps open | Irregular, often postponed | Plannable and controlled |
| Backups | Usually none or untested | Present, rarely checked | Automated and tested |
| Response to incident | Noticed late | Depends on presence | Detected early via monitoring |
| Time cost for you | Zero - until the emergency | Ongoing and hard to plan | Outsourced, fixed rhythm |
| Responsibility | Unclear | With you | Fixed point of contact |
| Cost profile | Low, then emergency costs | Fluctuating | Plannable across the year |
From over 50 web and maintenance projects we have supported (project experience), a pattern emerges: it is not the individual technical step that overwhelms small businesses, but the continuity. An outsourced maintenance plan takes over exactly this continuity - not because you could not do it yourself, but because a plannable routine is more reliable in everyday operation than good intentions. How such ongoing costs fit into the overall budget of a website is shown in the article what a website costs in 2026.
A Plannable Maintenance Plan from the Region
A good maintenance plan is more than a technical service - it is a reliable counterpart. Instead of searching for an anonymous hotline in an emergency, you have a fixed point of contact from the Hildesheim region who knows your site. This includes hosting in Germany that meets the requirements of the General Data Protection Regulation, short paths for questions and an operation that fits the workflows of a local company.
- Fixed, controlled update sessions with a backup as fallback
- Automated, off-site backups with restore testing
- Ongoing monitoring of availability, certificate and anomalies
- SSL upkeep and consistent HTTPS delivery
- Regular attention to load time and Core Web Vitals
- A fixed point of contact instead of changing responsibilities
Maintenance works best when it starts with a solid modern website and then never quite stops. Anyone building anew or migrating lays the foundation most sensibly to be maintainable from the outset - this applies to ongoing operation as much as to a website relaunch, which is about rebuilding, not upkeep. And security is not an end in itself: a maintained, fast and trustworthy site is the prerequisite for features such as online appointment booking or a convincing careers page for the trades to reliably bring in enquiries at all. Legal topics such as accessibility under the BFSG are also easier to carry along in ongoing operation than to retrofit.
Built Once Becomes Reliable for the Long Term