Zum Inhalt springen
Personal, from the Hildesheim region
Website-Sicherheit

Website Maintenance 2026: Secure Against Attacks

The BSI reports around 119 new vulnerabilities per day (up 24 percent). Why local businesses must regularly maintain their website and what upkeep covers.

12 min read Website-WartungSicherheitUpdatesDSGVOHosting

A website gets built, goes live, works - and then nobody looks at it again for years. That is exactly where the risk begins. While your business serves customers, works on site or writes invoices, automated programs probe the web around the clock for vulnerable sites - regardless of size, sector or reputation. The German Federal Office for Information Security records an average of 119 new vulnerabilities per day in its current reporting period, an increase of around 24 percent on the previous year (BSI). Of the ransomware attacks recorded in the same period, 80 percent targeted small and medium-sized enterprises (BSI). A website that has been built once but is never maintained is therefore not a finished project but an open door that keeps opening wider over time. This article shows local businesses why ongoing maintenance is now basic equipment, what it covers in concrete terms - updates, backups, monitoring, SSL and load time - and how it simultaneously covers part of your obligations under the General Data Protection Regulation.

Website Maintenance 2026: Secure Against AttacksSecurity Status56%IT basics met(BSI)Maintenance closes the security gapOngoing maintenance coversUpdatesCMS & plugins currentBackupsbacked up dailyMonitoringchecked around the clockSSL certificatevalid & renewedLoad timefast & stableHardeninglogins protected119new vulnerabilities / day (BSI)80%of ransomware hits SMEs (BSI)202 bneuro cyber damage / year (Bitkom)A website built once still needs care - planned updates, not emergencies

Key takeaways

  • The BSI counts around 119 new vulnerabilities per day, up about 24 percent year on year - the supply of attack points does not run dry (BSI).
  • Attacks are automated: 80 percent of recorded ransomware cases hit small and medium-sized enterprises, not just large corporations (BSI).
  • The typical entry points are home-made: outdated CMS and plugin versions, weak passwords, missing backups and expired certificates.
  • Regular maintenance bundles updates, backups, monitoring, SSL upkeep, load time and basic hardening - planned instead of in an emergency.
  • Maintenance is also legal protection: it feeds directly into the technical measures required under Article 32 of the GDPR.

Why an Unmaintained Website Becomes a Risk

The threat landscape is not an abstract bogeyman from the IT press but something measurable. The BSI documents a continuous rise in newly disclosed security gaps: from around 68 per day in 2022, through 78 and 96, to most recently 119 per day in the reporting period (BSI). Each of these gaps can affect software that also runs on your website or server - from the content management system through individual extensions to the database. Anyone who does not update promptly leaves open exactly those doors whose locks are publicly known and therefore conveniently findable for attackers.

The economic consequence is quantified in the Wirtschaftsschutz report by the digital association Bitkom. The total damage to the German economy from theft, espionage and sabotage stands at around 289 billion euro a year, of which roughly 70 percent - about 202 billion euro - is caused by cyberattacks alone (Bitkom). 87 percent of the companies surveyed were affected in the past twelve months (Bitkom). These figures do not only arise in large data centres; they add up from many small incidents: hijacked contact forms, home pages injected with malicious code, encrypted servers, leaked customer data.

The Myth of Being Too Small a Target

Many owners think: my site is too small to be interesting. But for automated attacks what counts is not your revenue but whether the effort of the attack is in a favourable ratio to the benefit. That is exactly why 80 percent of recorded ransomware attacks hit small and medium-sized enterprises (BSI), which on average meet only around 56 percent of the basic IT security requirements (BSI). It is not prominence that makes you vulnerable, but neglect.

How Attackers Target Local Websites

Attacks on small websites are rarely the work of a determined hacker who personally targets your business. The normal case is more mundane and precisely for that reason so effective: programs automatically search millions of addresses for known weaknesses and strike wherever they find them. The most common entry points are remarkably always the same - and almost all of them could be closed by ongoing upkeep.

Outdated Systems

Around 43 percent of all websites worldwide run on the most widely used content management system (Statista). Known gaps in outdated CMS and plugin versions are by far the most common entry point, because their locks are publicly documented.

Weak Passwords

Short, reused or never-changed credentials can be guessed automatically. Without two-factor protection, a single guessed admin password is enough to take over the entire site.

Missing Backups

Without a current, tested backup, an incident quickly becomes a total loss. Anyone who cannot restore a clean state after an attack faces rebuilding from scratch.

Expired Certificates

When the SSL certificate expires, browsers warn visitors with a red error page. That instantly costs trust and enquiries - and is a visible sign of missing upkeep.

Unpatched Servers

Not just the website itself, but the underlying server and database software needs updates too. An outdated web server or an old PHP version opens attack paths beneath the visible surface.

No Monitoring

Without oversight, a breach is often noticed only when Google has already flagged the site as dangerous or customers complain. Detected early, an incident can usually be kept small.

What is striking about this list is that not a single point describes an exotic attack technique. They are all failures in ongoing operation. That is the good news: anyone who systematically covers these six areas removes the basis for the large majority of automated attacks. None of it is magic, but all of it needs doing regularly - and that very regularity is the core of any serious website maintenance.

What Regular Maintenance Really Covers

Maintenance sounds like a single task but is an interplay of several coordinated building blocks. Only together do they produce a robust level of protection. If one block is missing, a deceptive sense of security quickly arises - for instance when updates are installed but no backups are run. The following six areas form the foundation of solid upkeep.

Updates

The content management system, all extensions and the server software are updated promptly and in a controlled way. Security updates first, functional updates planned - each with a prior backup as a fallback.

Backups

Regular, automated backups of files and database, stored separately from the server and spot-checked for restorability. A backup that cannot be restored is not a backup.

Monitoring

Availability, certificate status and unusual changes are monitored continuously. That way an outage or a breach is noticed before customers or search engines notice it.

SSL and HTTPS

The certificate is renewed in good time, the encryption cleanly configured and consistent HTTPS delivery ensured. This protects form data and is at the same time a ranking factor.

Load Time

Images, caching and code are kept in view so the site stays fast. Performance is not a one-off result but degrades gradually with every new piece of content.

Hardening

Login areas are secured, unnecessary access is closed, permissions granted sparingly and two-factor protection set up. Basic hardening removes the easiest paths for automated attacks.

So that these building blocks are not forgotten, good maintenance follows a fixed rhythm rather than chance. A proven approach uses short, regular intervals for security-critical tasks and longer ones for the fine work. That keeps the effort per session manageable and the site permanently at a reliable level.

  • Weekly: check availability and certificate status, install security-critical updates
  • Monthly: apply all updates in a controlled way, test backups for restorability, measure load time
  • Quarterly: review access rights and user accounts, remove extensions no longer in use
  • Ongoing: evaluate monitoring alerts and check anomalies promptly
  • After every major update: verify core functions such as forms, booking and payment

Security is not a state you establish once but a habit you maintain. A website ages exactly as fast as the software around it changes.

Web Agency Hildesheim

What a Successful Attack Costs: Revenue, Visibility, Trust

An attack rarely hits in just one place. If the site goes down or is blocked, revenue through digital channels dries up first: no enquiries via the contact form, no bookings, no orders. Because around 60 percent of visits in Germany come via mobile devices (Statista), an outage hits precisely those visitors who want to get in touch spontaneously and on the go. Every hour of standstill is a lost opportunity - and cannot be made up afterwards.

The second, often underestimated damage hits visibility. If Google detects malicious code or a compromise, the site can be flagged with a warning in the search results or downgraded. What was built up over years of visibility on Google is then damaged in days and needs weeks to months to recover. A slow site that has been unstable since an incident additionally loses ground on the Core Web Vitals - the topic we explore in our article on website load time.

The heaviest cost is the loss of trust. Anyone who sees a browser warning when opening a site, or reads about a data breach, rarely comes back a second time. For local businesses in particular, which live on recommendation and a good reputation, this damage is hard to quantify and even harder to repair. The composition of the damage shows how real this is: ransomware accounts for around 34 percent, denial-of-service attacks for 25 percent and malware for 24 percent of the losses (Bitkom). The share of cyberattacks in the total damage recently rose from 67 to 70 percent (Bitkom) - the direction is unambiguous.

Prevention Is Plannable, Cleaning Up Is Not

The cost of ongoing maintenance is calculable and spread across the year. The cost of an incident arrives unannounced, often at the worst possible moment, and involves more than the pure recovery: lost revenue, ranking loss, notification obligations and the effort of winning back lost trust. Upkeep is the cheaper of the two bills.

Maintenance Also Meets Your GDPR Duties

As soon as personal data is processed through your website - and even a contact form counts - the General Data Protection Regulation applies. Article 32 requires appropriate technical and organisational measures to protect this data according to the state of the art. This is not a one-off declaration but an ongoing obligation: what was state of the art yesterday can be a known gap today. It is precisely this continuity that means data protection and maintenance cannot be separated.

In concrete terms, the classic maintenance tasks feed directly into Article 32: current software closes known gaps, HTTPS encryption protects transmission, access restrictions and two-factor protection safeguard confidentiality, and regular backups ensure recoverability after an incident. Should a data breach occur nonetheless, documented diligence is also decisive - anyone who can demonstrate that they have maintained their systems is in a considerably better position than someone running a site that has been unchanged for years.

Maintenance and Data Protection Interlock

Updates, encryption, access protection and backups are at the same time data protection measures within the meaning of Article 32 GDPR. Whether and to what extent additional duties - such as notifying the supervisory authority - apply in your case depends on the individual situation and should be checked legally. The best time to think technical and legal requirements together is ongoing operation, not the emergency.

Maintain It Yourself or Have It Maintained?

In principle, many maintenance tasks can be done yourself. The question is less whether it works than whether it happens reliably and permanently. Installing updates is quickly explained, but in day-to-day business that is exactly what gets postponed - until a gap is exploited or an update breaks another function. The comparison below places the three usual routes in context.

AspectNo MaintenanceOccasionally YourselfMaintenance Plan
UpdatesLeft undone, gaps openIrregular, often postponedPlannable and controlled
BackupsUsually none or untestedPresent, rarely checkedAutomated and tested
Response to incidentNoticed lateDepends on presenceDetected early via monitoring
Time cost for youZero - until the emergencyOngoing and hard to planOutsourced, fixed rhythm
ResponsibilityUnclearWith youFixed point of contact
Cost profileLow, then emergency costsFluctuatingPlannable across the year

From over 50 web and maintenance projects we have supported (project experience), a pattern emerges: it is not the individual technical step that overwhelms small businesses, but the continuity. An outsourced maintenance plan takes over exactly this continuity - not because you could not do it yourself, but because a plannable routine is more reliable in everyday operation than good intentions. How such ongoing costs fit into the overall budget of a website is shown in the article what a website costs in 2026.

A Plannable Maintenance Plan from the Region

A good maintenance plan is more than a technical service - it is a reliable counterpart. Instead of searching for an anonymous hotline in an emergency, you have a fixed point of contact from the Hildesheim region who knows your site. This includes hosting in Germany that meets the requirements of the General Data Protection Regulation, short paths for questions and an operation that fits the workflows of a local company.

  • Fixed, controlled update sessions with a backup as fallback
  • Automated, off-site backups with restore testing
  • Ongoing monitoring of availability, certificate and anomalies
  • SSL upkeep and consistent HTTPS delivery
  • Regular attention to load time and Core Web Vitals
  • A fixed point of contact instead of changing responsibilities

Maintenance works best when it starts with a solid modern website and then never quite stops. Anyone building anew or migrating lays the foundation most sensibly to be maintainable from the outset - this applies to ongoing operation as much as to a website relaunch, which is about rebuilding, not upkeep. And security is not an end in itself: a maintained, fast and trustworthy site is the prerequisite for features such as online appointment booking or a convincing careers page for the trades to reliably bring in enquiries at all. Legal topics such as accessibility under the BFSG are also easier to carry along in ongoing operation than to retrofit.

Built Once Becomes Reliable for the Long Term

A website is like a vehicle: the purchase is the beginning, not the end. Whoever goes for regular servicing drives more safely and for longer. Transferred to the digital world that means: planned updates instead of emergencies, a fixed point of contact instead of helplessness in a crisis - and a site that is still fast, secure and trustworthy in three years.
This article is based on data from: the German Federal Office for Information Security (BSI, The State of IT Security in Germany 2025), Bitkom (Wirtschaftsschutz 2025) and Statista (content management systems and mobile internet use). Legal reference: Article 32 of the General Data Protection Regulation (GDPR). The figures cited are averages and reference values and may vary by sector, size and starting point; entries marked (project experience) are based on our own web and maintenance projects.