We get calls every week from people asking us to fix their website. We're asked to finish projects, to rescue them from the money pit they have fallen into. As we investigate problems, we frequently discover that the problems are significantly worse than the client ever suspected. Largely, this is because websites are built with Content Management Systems, software which is vulnerable to the machinations of very bad, evil people who found their way into the website.
The Cost of Doing Nothing
Most of these problems wouldn't have occurred if the websites were maintained after they were launched. Bug fixing and security updates are part of the everyday diagnostic checks and routine procedures that sites require. Most of the time, these are difficult to execute, but someone needs to be vigilant and aggressively stay on top of the demands for the software that runs the system. Time and again, we see that web developers simply have no interest in maintaining the website they've built. They picked up their paycheck, and split.
Once security weaknesses are discovered, they get published. The bad guys can read, and they look for targets that they can exploit. I can go to any website with a tool called BuiltWith and see what your website uses for software, along with many details about your site that you may not be aware of. The bad guys use internet drones to scan for websites that they can break into.
We had a customer come to us recently with two websites which had been built by another developer that they wanted us to work on. This developer had not bothered to maintain the site. Our client's preference was to go slowly, basically for cost considerations, and so we were told to work on one at a time. Before we could work on the second website, it was hacked. Now, it is a mess, and messy websites are much more costly to clean up. It's like waiting too long to change the oil in your car, and one day having the engine seize. In this case, the only safe course is to start over, and completely build a new site. Severely hacked websites have backdoor viruses, and it is almost impossible to detect all of them.
Worst case scenarios
The usual response to this diagnosis is to deny the real problem. Clients will protest that they aren't concerned because they don't have sensitive, private information on these sites. In fact, the bad guys aren't interested in that stuff. What they really want is to take control of the webpages, and divert customers to their servers, with a bogus website that looks like yours. They gain data not from you, but from your customers, all completely without your knowledge until it is far, far too late.
The other trick that the evildoers are pulling off has to do with your server. Once they have access to your server, they can do all kinds of nefarious deeds. They may not touch your customers, but they could use your server to send out child pornography, or launder money. As part of a daisy-chain of servers, this sort of crime is basically impossible to stop or trace. Nevertheless, your reputation is ruined when it is learned that your website was hacked, and you must reveal such information to all of your customers.
The responsibility of ownership
If a developer doesn't offer maintenance support programs, it's probably because they aren't very good, and it wouldn't be worth their while to support their work. They'd never have time to spend the money that you paid them. You need to consider the total cost of ownership of your site, not simply the cost of building it. What is the cost of your brand? What is the cost of your reputation?