Published: 28th May 2026

What’s included in a website maintenance retainer? (UK, 2026)

A website maintenance retainer is a fixed monthly fee that covers the work needed to keep a live site secure, up to date, monitored, and supported. Most include software updates, security patching, backups, uptime monitoring, and an allocation of developer time; many also bundle managed hosting in, though some sit alongside a separate hosting contract.

UK retainers in 2026 run from roughly £80 a month for a small brochure site to £2,500 a month and up for high-traffic ecommerce or mission-critical platforms. The headline price tells you almost nothing on its own: what sits inside the fee, and what gets billed as an extra, varies enough between suppliers that two retainers at identical prices can be very different contracts.

What does a website maintenance retainer cover?

A retainer is the contract that keeps your live site working between projects. The core inclusions are reasonably consistent across the UK agency market in 2026:

  • Managed hosting: server, CDN, SSL, DNS, with proactive performance tuning
  • Software updates: CMS core, plugins, themes, and any custom dependencies
  • Security: malware scanning, web application firewall, login protection, vulnerability patching
  • Backups: daily off-site backups, defined retention policy, periodic restore testing
  • Uptime monitoring: automated alerts with a routed escalation path
  • Support time: a monthly allocation of developer or support hours
  • Monthly reporting: uptime, performance, what was done, what’s coming
  • An SLA: defined response and resolution times by severity

That’s the floor. Better retainers also include performance optimisation, accessibility audits, SEO health checks, content updates within the monthly allocation, security incident response, and on the higher tiers, a named technical contact who knows the codebase.

A retainer that excludes any of the items in the first list is not a maintenance retainer in the proper sense. It’s a hosting plan, or a support arrangement, or something the agency is calling a retainer for billing reasons. Ask which it is before signing.

How much does a maintenance retainer cost in the UK in 2026?

UK retainer pricing in 2026 falls into rough bands by site type and risk profile. The numbers below are based on the retainers we see, quote, and run. They’re our practitioner view of the market rather than a sourced industry survey. They cover proper retainers that include the inclusions listed above, not bare hosting plans dressed up with a different name.

Small brochure WordPress site, under 20 pages, low traffic, no integrations: roughly £80 to £250 a month.

Standard business or professional services site with a contact form, light integrations, and normal traffic, or a council site under accessibility regulations: £300 to £750 a month.

WooCommerce or Shopify ecommerce site with a mid-sized catalogue, payment gateway, and a handful of integrations: £600 to £1,200 a month.

High-traffic ecommerce, subscription billing, or sites with significant custom development and multiple integrations: £1,200 to £2,500 a month.

Mission-critical platforms (school sites with custom parent portals, healthcare, large membership platforms): £2,000 to £5,000 a month, sometimes more.

What pushes you up the bands is rarely traffic alone. It’s the combination of traffic, integration count, custom code, SLA tightness, and the consequence of downtime. A custom WordPress site integrated with a CRM, a payment gateway, and a third-party ERP carries more maintenance burden than a Shopify store on standard apps, even at the same traffic.

If a quote sits well below the band for your site type, look at the SLA and the hours allocation. Cheap retainers usually mean either no real developer time or a slow response window. Both are fine if you understand the trade-off and your site can carry the risk. Both are damaging if you don’t.

Maintenance versus managed hosting: what’s the difference?

These two terms get used interchangeably in agency proposals, and they shouldn’t be. Hosting is the server your site runs on. Maintenance is everything done to keep the site functional, secure, and current on that server.

You can have hosting without maintenance. The server is online, your DNS resolves, your SSL certificate is valid, but nobody is updating WordPress core or your plugins. After six months, the site has unpatched vulnerabilities and out-of-date dependencies. After twelve, something breaks and there’s no continuity of who’s been working on it.

You can have maintenance without hosting too, though it’s rarer. Some agencies maintain sites that sit on the client’s own infrastructure or a third party’s.

The cleanest setup, and the one we use for nearly every retainer client, is the agency providing the managed hosting and the maintenance retainer covering everything on top. One supplier, one number to call, one accountability line. If something breaks at 11pm, there’s no debate about whether it’s a hosting problem or a code problem before someone starts fixing it.

If the retainer and the hosting sit with separate suppliers, get the demarcation in writing. Who’s responsible for what. Who answers the phone first. Who pays when something goes wrong at the seam between the two.

Should development hours be included?

A good UK maintenance retainer in 2026 includes a defined allocation of developer time per month, rolled into the fee. Two hours at the small end. Eight to ten at the larger end. Some agencies cap this at ‘support tasks only’, which usually means tiny fixes and not real dev work. The contract should say which it is.

What this monthly allocation is good for: small content changes, minor bugs, plugin updates that need testing, occasional theme tweaks, small reports, security responses, performance tuning. Things that take an hour or two and would otherwise create constant invoicing friction.

What it’s not good for: anything resembling a project. New features, redesigns, new integrations, page rebuilds, SEO migrations. These get scoped and quoted separately. If an agency tells you they can fit a new payment gateway integration into your retainer hours, they are either underestimating the work or not planning to do it properly.

In traditional maintenance retainers, check what ‘unlimited’ means in writing. It usually means unlimited within a scope the supplier defines, with anything substantial scoped as a separate project. That’s fine if the scope is clear up front. The trouble is when it isn’t, and you only find out at the point you need the work done. Better to see the hours number written down and know what you’re buying. (Subscription website services that bundle site ownership, hosting and ongoing changes into a single monthly fee are a different product and operate on different commercial logic. That’s not what we’re talking about here.)

What SLAs and response times should you expect?

The SLA is the part of the contract people forget to check until something goes wrong. Then it’s the part that determines whether your site is back up in an hour or down for a working day.

Here’s a tier structure to use as a benchmark when reviewing the SLA in any maintenance retainer contract. Different agencies will commit to different specifics, and most will negotiate. What matters is that the contract spells out the tiers in writing.

Critical issues, defined as a site down, payments broken, or a confirmed security incident: response within the hour, resolution targeted in hours rather than days, with monitoring and on-call cover around the clock. This level of cover is what higher-risk sites should look for.

Major issues, meaning a key feature is broken but the site is mostly functional: response within two business hours, resolution within one business day.

Standard issues, including bugs, small breakages, and non-urgent fixes: response within one business day, resolution within five business days, often handled within the monthly hours allocation.

Improvements, change requests, and minor features: scheduled into the monthly allocation in agreement with the client. Not SLA-bound in the same way, because they’re not failures.

A retainer without 24/7 cover on critical issues is fine for a marketing brochure site. It is not fine for an ecommerce site that takes overnight orders, or for a school site that parents check on weekends, or for any platform whose downtime measurably costs revenue or reputation. Match the SLA to what your site is for. If the agency quoting you can’t articulate their SLA in writing, that’s an answer in itself.

When does a retainer make more sense than ad-hoc support?

Not every site needs a retainer. Plenty of small brochure sites are fine on a ‘call us when something breaks’ arrangement, particularly if the site is static, low-traffic, and the business has someone in-house who can update content.

A retainer makes clear sense when any of the following apply.

The site generates revenue. Even modest ecommerce sites can lose more in a single day of downtime than a year of retainer fees pays for, depending on traffic and timing.

You’re in a regulated sector. School websites, healthcare, public sector, and financial services all carry compliance obligations that filter through to maintenance. WCAG 2.2 is the current accessibility standard, and UK public-sector monitoring moved to it from October 2024. Sites that handle personal data sit under UK GDPR processor and controller obligations, which include keeping the processing infrastructure secure and up to date. Sites that store, process or transmit cardholder data fall within PCI DSS scope; most modern checkouts reduce that exposure by offloading payment handling to Stripe, Shopify Payments, or another hosted gateway. In any of these cases, the cost of a missed patch or an accessibility breach is generally much higher than the retainer.

You depend on integrations. The more third-party services your site talks to (CRM, ERP, payment gateways, subscription billing, marketing automation), the more often something will break at a seam that wasn’t your code. Retainers cover the maintenance of those joins.

You have no in-house developer. Without one, every small change becomes a separate project quote, every emergency becomes a scramble, and small problems compound into expensive ones.

You’re running custom code. Off-the-shelf templates can survive on standard updates. Custom themes, custom plugins, headless builds, bespoke integrations: these need someone who understands the codebase and is being paid to keep it healthy.

The opposite case (ad-hoc is fine) usually applies when the site is genuinely simple, traffic is low, the business can tolerate days of downtime if something breaks, and there’s nothing custom under the bonnet. That’s a real and reasonable position. Just understand which one you’re in before deciding.

What to ask before signing a maintenance retainer

Five questions that separate a serious maintenance offer from a thin one. Ask all of them. If any answer is vague, push harder before signing.

First, what exactly is in the monthly fee? Get a written list. Hosting, updates, backups, monitoring, hours, SLA, reporting. If something on the floor list above isn’t included, ask why.

Second, what counts as a billable extra, and what’s the rate? Reasonable agencies have hourly rates for work outside the retainer. Unreasonable ones surprise you with invoices.

Third, what’s the SLA, in writing, and how is it measured? ‘We respond quickly’ is not an SLA. ‘Response within the hour for critical issues, monitored 24/7’ is.

Fourth, where are backups stored, how long are they retained, and when was the last restore tested? An untested backup is a hopeful guess, not a backup. The honest answer is sometimes ‘we run periodic restore tests on a sample of client sites’. The wrong answer is silence or vagueness.

Fifth, who owns the hosting account, DNS, and domain? If the answer isn’t ‘you do, and we have delegated access’, that’s a problem. You should be able to leave the agency without losing access to your own infrastructure.

One more question matters: what’s the notice period, and what happens during offboarding? A good retainer is one you stay in because the service is good, not because you can’t get out.

Red flags in maintenance retainer contracts

These are patterns we see in contracts from departing clients of other agencies, and they are reliable warning signs at the point of signing.

No SLA in writing. The agency promises good response times in conversation, but the contract has no measurable commitment. When something goes wrong, there’s no recourse.

‘Unlimited’ anything in a traditional retainer. Unlimited support, unlimited updates, unlimited changes. As above, this nearly always means unlimited within a definition the agency narrows after signing.

Client has no access to hosting, DNS, or registrar. The agency holds the keys and you can’t see the locks. This is sometimes incompetence, sometimes a soft lock-in tactic. Either way, fix it.

No clear hours allocation. The retainer doesn’t say how many developer hours are included per month, or what counts. You’ll find out the hard way when something doesn’t get done.

Updates not happening. Ask to see the changelog for plugins and core software for the last three months. If nothing has been updated in 30 days on a WordPress site, ask why. There’s sometimes a legitimate reason (a known incompatibility being worked through, a deliberate hold). Silence is the warning sign.

No monthly reporting, or reports that are obvious templates with the client name swapped in. The agency should be able to tell you what they did last month and what they’re planning next month. If they can’t, they’re not really paying attention to your site.

Long notice periods with no exit support. Many UK agencies use a 12-month minimum term followed by 30-day rolling notice; that’s reasonable. A 12-month term followed by 90-day notice with no offboarding support is a trap.

What should ecommerce retainers cover?

For ecommerce sites, the retainer needs to cover the integration layer, not just the CMS. WooCommerce sites running subscription billing through services like Chargebee are the clearest example. We host and maintain a number of WooCommerce subscription platforms, and in our experience a large share of the support requests across those sites in any given month relate to the join between WooCommerce, the payment provider, and the billing platform. A retainer that only covers WordPress core and standard plugins will leave you exposed at exactly the seam where things break most often.

If your retainer is for an ecommerce site with non-trivial integrations, confirm that the agency has worked with your specific stack before, and that the SLA covers the integration code as well as the CMS.

So what’s the right retainer for you?

Three quick guides, by site type.

Brochure or professional services site, low traffic, no ecommerce: aim for around £200 to £500 a month with two to four hours of developer time, business-hours SLA, monthly reporting, daily backups.

Ecommerce site, mid-sized, growing, some custom work: aim for around £600 to £1,200 with six to ten hours of developer time, 24/7 SLA on critical issues, strong security cover, performance tuning included.

Mission-critical platform (school, council, healthcare, large membership, high-traffic ecommerce with integrations): aim for £1,500 and up with a named technical contact, 24/7 cover on critical issues with tight resolution times, full incident response, and explicit contractual cover for the integration layer as well as the CMS.

For higher-risk sites, the retainer is rarely the expensive part. The expensive part is the avoidable outage, the breach, or the broken checkout.

Talk to us

If you’re evaluating maintenance retainers, comparing quotes, or thinking about moving from your current supplier, we’re happy to look at what you’ve got and tell you what we’d do differently. No sales pitch, just an honest read.

We run structured maintenance retainers for ecommerce, schools, councils, and professional services clients across the UK. Each one includes managed hosting, monitoring, agreed response routes, monthly reporting, and a defined allocation of developer time. If that sounds like what you’re looking for, get in touch.
