A client sent us her WordPress invoices last month. She wanted a second opinion before renewing. Hosting: $38 a month. Premium theme license: $79 a year. Elementor Pro: $99 a year. WooCommerce extensions she doesn’t use but can’t remove: $240 a year. A maintenance plan with her previous developer: $85 a month. Backup plugin: $49 a year. Security plugin: $199 a year. A reCAPTCHA workaround because three forms had been spam-bombed: one-off $180 fix.
She had paid roughly $2,400 in the last twelve months to keep a six-page website online.
This is the WordPress small business website cost conversation nobody has upfront. The sticker price looks friendly. The three-year total rarely does. After years of auditing small business sites for clinics, consultants, and local service businesses across Canada, we can tell you where the money actually goes — and when a custom-coded site quietly becomes the cheaper option.
The sticker price is the smallest number you’ll see
WordPress itself is free. That’s the hook. But a WordPress site in production isn’t WordPress — it’s WordPress plus a theme, plus a page builder, plus twelve to twenty plugins, plus managed hosting, plus somebody keeping all of it patched.
Here’s the shape of a typical small business WordPress invoice across three years:
- Hosting at $25–$60/month managed: $900–$2,160
- Premium theme + page builder licenses (Divi, Elementor Pro, Astra Pro): $300–$600
- Plugin licenses (forms, SEO, security, backup, caching): $400–$1,000
- Maintenance retainer or ad-hoc developer hours: $1,200–$4,000
- The one emergency — hacked site, broken update, expired license: $200–$1,500
Low-end three-year total: around $3,000. Realistic mid-range: $6,000–$8,000. None of that includes the day you decide you need a real redesign.
A custom-coded site from us starts at CAD $800 for a Starter and CAD $3,500 for a Business build. Hosting is $5–$15 a month. There are no plugin licenses, because there are no plugins. Three-year total is the build price plus about $200 in hosting. The math gets interesting fast.
Tax 1: the plugin stack
Every WordPress feature you rely on — a contact form, a gallery, a schema tag, an SSL forced redirect, a spam blocker, a booking widget — is a separate plugin, usually written by a separate company, each with its own update cadence, its own licensing model, and its own failure mode.
You aren’t paying for a website. You’re paying rent to fifteen landlords at once, and any one of them can raise prices, get acquired, or stop shipping security patches.
On a custom site, a contact form is twenty lines of code we wrote once. It doesn’t need an annual license. It doesn’t pull in 180KB of third-party JavaScript. It doesn’t break when a plugin we’ve never heard of pushes a bad update on a Tuesday.
Tax 2: the speed penalty
A stock WordPress install with a page builder and the plugins most small business owners actually need typically ships 1.5–3 MB of JavaScript and CSS before your homepage has loaded a single image. We’ve measured this on live client sites more times than we can count.
Google’s Core Web Vitals care about this. Your patients and customers care about it even more, even if they can’t name what they’re feeling. A site that takes four seconds to become interactive on a mid-range phone on a spotty LTE connection loses bookings that the owner never knows existed. There’s no line item on a WordPress invoice that says “customers who bounced.” The ledger is invisible.
A hand-built site serves only what’s needed. Most of our client homepages are under 120KB total. They score 95+ on Lighthouse out of the box, and they stay there, because no plugin update will quietly add 400KB of tracking scripts next month.
Tax 3: the maintenance cycle
WordPress core, themes, and plugins all push updates on their own schedules. Skip them and you expose your site to attacks. Apply them without testing and you risk a plugin conflict that takes the site down in the middle of a Tuesday afternoon.
Most small business owners resolve this by paying a developer $60–$120 a month for a maintenance plan — essentially insurance against the ecosystem’s fragility.
That’s a structural problem, not a business-model one. WordPress powers roughly 40% of the web because the ecosystem is big, not because the ecosystem is calm. A custom site doesn’t have a plugin ecosystem to babysit. When the HTML, CSS, and JavaScript we wrote for your site last year keep working this year, that’s because they have no moving parts that update themselves.
Tax 4: the security surface
Because WordPress is everywhere, it’s the biggest target on the internet. Every public WordPress login page is being probed right now by bots. Plugin vulnerabilities get weaponized within hours of disclosure. The wp-admin URL is known, the database schema is known, the attack surface is cataloged.
This is fixable — strong passwords, 2FA, a firewall plugin, limited login attempts, an off-site backup, a web application firewall at the hosting layer — but that’s four or five more things to configure, pay for, and check.
A custom static or JAMstack site has no admin panel to compromise, no database to inject, no plugin directory to scan. The attack surface shrinks from “the entire WordPress ecosystem” to “a few HTML and CSS files on a CDN.” It isn’t magic. It’s just a smaller target.
When WordPress is the right answer
We’re not anti-WordPress. Use it when:
- You’ll publish a new long-form article, product, or case study at least every week, and you want non-technical staff to do it through an admin panel.
- You’re running a real ecommerce catalogue with inventory, variants, and shipping rules — WooCommerce or Shopify is a better fit than anything we’d hand-build for you.
- You already have a WordPress-literate team and a maintenance process that works.
Use a custom-coded build when:
- You’re a service business — clinic, consultant, contractor, studio — where the site is 8–20 pages and changes infrequently.
- You care more about conversion and load speed than about editing every paragraph yourself.
- You want to pay once, own the code, and not be renting a template from someone else for the rest of your business’s life.
Most small businesses we talk to are in the second bucket and were sold the first by default.
How to run the real spreadsheet for your own site
Before you renew anything, open a blank sheet and write down:
- Every monthly fee you’re paying for the site (hosting, plugins, themes, maintenance).
- Every annual fee (licenses, SSL if separate, domain, backups).
- The last three emergencies — what you paid, who you paid, and how many hours it cost you.
- What your time is worth per hour, and how many hours a month you or a staff member spend on the site.
Multiply monthly fees by 36. Add annuals times 3. Add the emergencies. Add the people-hours times your hourly rate. That’s the real three-year cost of the current site.
Compare that to our process and packages plus $200 of hosting. For most small business sites, custom wins the three-year comparison, often by a lot. For a few — active publishers, real ecommerce, big teams — WordPress still wins. Either way, you’ll have a real number instead of a feeling.
That’s the whole argument. Not that WordPress is bad. That the pricing page you saw on day one isn’t the bill you’ll actually pay.