If you run a WordPress site, you already know the bill. If you're thinking about starting one, here's what the brochure leaves out.
WordPress itself is free. Hosting starts at $5/month. Themes are $50 once. None of those numbers are the real cost.
What you actually pay for
Plugins. The average WordPress site runs 20-30 plugins. Most have free tiers with paywalls on the features you actually need. Yoast SEO Premium: $99/year. WP Rocket: $59/year. Gravity Forms: $159/year. WooCommerce extensions: $50-300 each. Budget $500-1,500/year in plugin licenses for a production site.
Hosting that doesn't fall over. The $5/month shared hosting works until your site gets traffic. Managed WordPress hosting that handles real load — Kinsta, WP Engine, Pressable — starts at $35/month and climbs fast. Most sites with meaningful traffic pay $100-300/month.
Security. WordPress is the largest target on the web. Wordfence Premium: $119/year. Sucuri firewall: $200-500/year. You either pay for these or you pay for cleanup after a breach.
Backups. Your host's backups are usually inadequate or expensive to restore. UpdraftPlus Premium, BlogVault, BackupBuddy — pick one, budget $50-150/year.
The maintenance retainer. Somebody has to update plugins, test that updates didn't break the site, roll back when they did, fix the things that broke anyway, and patch security holes within hours of disclosure. Agencies charge $100-500/month for this. If you don't have it, you're doing it yourself — and the time cost is real.
The annual bill, totaled
Small business site, no e-commerce, managed hosting, agency maintenance retainer:
- Hosting: $1,200/year
- Plugins: $800/year
- Security + backups: $250/year
- Maintenance retainer: $2,400/year
Total: $4,650/year, before you've shipped a single change to the site.
This isn't a gotcha. This is what running a production WordPress site costs. The platform's flexibility is real — and the maintenance burden is the bill for that flexibility.
What you're paying for
Plugin updates are the core problem. Each plugin is independently developed, on its own release schedule, with its own bugs. WordPress core releases break plugins. Plugin updates break each other. Updating one breaks two. The maintenance retainer exists because somebody has to be on call when an update takes the site down at 9pm on a Tuesday.
You're also paying for the architecture. WordPress was designed in 2003 for blogs. The database structure, the request lifecycle, the plugin hook system — all of it is tuned for "many editors, one site, lots of plugins." It runs websites because the web ran on it for fifteen years, not because it's the best fit for what most sites need today.
A different bet
BrightSite is an opinionated alternative. One platform, no plugins, no maintenance. The plumbing is invisible: hosting, security, backups, updates, performance optimization — all included, no separate vendors. Pricing is fixed and predictable. There are no plugin licenses to renew.
The trade-off is real: BrightSite isn't a fit for every project. Custom WooCommerce stores, sites that need 50 niche plugins, or teams that already have WordPress expertise should stay where they are. But if you're tired of maintenance retainers and plugin update nights, see how BrightSite compares to WordPress.
The point isn't that WordPress is bad. The point is that "free" comes with a bill, and you should know what it is before you sign up.