Nonprofit Website Maintenance Schedule: A Governance Framework

The website launched. The maintenance problem started the next day.

Most nonprofit websites are treated as projects. There is a budget, a timeline, a launch date, and a sign-off. After launch, the project is considered complete. The website is handed over to whoever manages it day-to-day, usually the Communications Director, and the question of how it stays healthy over time is rarely answered in writing.

This is how websites decay. Not through dramatic failure, but through gradual neglect: content that becomes outdated, forms that stop routing correctly, accessibility errors that accumulate as pages are added without review, plugins or third-party integrations that quietly break after an update. None of these failures announce themselves. They sit there, invisible to the team managing the site, until a funder raises a concern, a donor cannot complete a transaction, or a security incident forces an emergency rebuild.

The emergency rebuild is expensive. Organisations that fall into this cycle typically spend 20 to 40 per cent of their eventual technology budgets just catching up on accumulated technical debt — money spent returning to where they were, not moving forward. A structured maintenance schedule is not overhead. It is the governance tool that prevents that outcome.

Why maintenance is a governance question, not a technical one

The instinct is to frame website maintenance as a technical concern: server uptime, software updates, broken links. These things matter, but they are symptoms of a deeper governance failure.

The governance question is: who is responsible for the website’s ongoing health, what are they responsible for, and how often does that responsibility get exercised? Without answers to those three questions, maintenance happens reactively, when something breaks, rather than proactively, as part of a structured rhythm.

For organisations with Board oversight, funder relationships, and public accountability obligations, reactive maintenance is not a neutral position. A donor who cannot complete a gift on year-end giving day is unlikely to return. The M+R Benchmarks report found that approximately 5 per cent of online revenue for nonprofits raising $1 million annually arrives on 31 December alone — roughly $50,000 in a single day. If a botched update or expired SSL certificate takes the site offline at that moment, that revenue does not come back later. A maintenance schedule prevents that exposure.

The other governance dimension is data protection. IBM’s 2024 Cost of a Data Breach Report found the global average breach cost reached $4.88 million, a 10 per cent increase from the previous year — the largest annual spike since the pandemic. Nonprofits are not immune to this. Outdated integrations, unpatched third-party scripts, and forms routing to unmonitored email addresses are all vectors for the kind of low-profile incidents that do not make headlines but do trigger ICO investigations and donor trust failures.

What a maintenance schedule covers

A maintenance schedule is not a to-do list. It is a structured cadence of reviews across four dimensions: content, technical, compliance, and governance. Each has a different review frequency because each changes at a different rate.

Content maintenance

Content decays faster than most organisations expect. Leadership changes, programme updates, impact figures that reference the previous fiscal year, events that have passed, team members who have left. From a funder’s perspective, outdated content is not a minor inconvenience — it is a credibility signal. An annual report from two years ago, or a team page that still lists someone who departed, signals that the organisation does not actively govern its digital presence.

Content reviews should happen at two speeds. A light monthly pass covers the homepage, contact page, and any time-sensitive content (campaigns, events, grant deadlines). A deeper quarterly review covers all programme pages, the team and board sections, governance documents, and impact evidence. The quarterly review should be assigned to a named individual with a completion date, not left as a general responsibility.

Technical maintenance

Technical maintenance covers the infrastructure the site depends on: SSL certificate validity, form submission routing, analytics tracking, third-party integrations, page speed, and Core Web Vitals. These require a monthly check rather than a quarterly one because they can fail silently and quickly. A form that stops routing submissions is invisible until someone notices that enquiries have dried up. An SSL certificate that expires takes the site offline with no warning.

For Webflow-hosted sites, many of these concerns are handled at platform level: SSL is managed automatically, hosting is on a CDN, and the core CMS is maintained by Webflow. What requires active monitoring is the layer of integrations built on top: donation platforms, CRM connections, email marketing sign-ups, analytics configuration, and cookie consent. These are the fragile joints in the system, and they need a named owner and a monthly verification step.

Compliance maintenance

Compliance maintenance covers accessibility, data protection, and the governance documents required by your regulatory framework. Accessibility degrades over time as content is added without review. New pages may use colour combinations that fail WCAG AA contrast ratios. New images may lack meaningful alt text. The WebAIM Million 2026 report found that 16.2 per cent of homepage images had missing alternative text, and 83.9 per cent of homepages had low-contrast text failures. These are not edge cases. They are the default outcome when accessibility is not part of the editorial routine.

A bi-annual accessibility audit using axe DevTools or WAVE, combined with a keyboard navigation check, catches most of the issues that accumulate between builds. This does not need to be a comprehensive audit every six months. It needs to be enough to catch the regressions that occur when content is added without accessibility review built into the publishing workflow.

Governance documents require an annual review at minimum: the annual report, the accounts, the safeguarding policy, the privacy policy, and the trustees list. These are the documents institutional funders check. If they are outdated or missing, the credibility damage occurs before any conversation happens.

Governance maintenance

This is the layer most organisations skip entirely. Governance maintenance means formally reviewing whether the website is still serving its primary stakeholders, and whether the decisions made at the last review still reflect current organisational priorities.

An annual governance review asks: have our primary audiences changed? Have our programmes or campaigns changed in ways the site does not reflect? Has our regulatory environment changed? Is the current Communications Director still the right named owner for website governance, or has that responsibility shifted?

This review does not need to be lengthy. It should produce a short written record: what was reviewed, what was found, what decisions were made, and who is responsible for implementing them. That record is what makes website governance legible to a Board or an incoming leader.

A practical maintenance schedule

The schedule below is a starting point. It should be adapted to the organisation’s size, team capacity, and platform.

Monthly

Review the homepage, contact page, and any live campaign pages for accuracy. Test all forms by submitting a test entry and confirming it routes correctly, including confirmation messages. Confirm SSL certificate status is active. Verify analytics tracking is recording sessions correctly in GA4 or equivalent. If the site accepts donations, test the donation flow end-to-end on both desktop and mobile. Resolve any broken links identified since the previous month’s review.

Quarterly

Review all programme pages for accuracy and currency against actual programme delivery. Check team and board sections for personnel changes. Verify impact figures and statistics against current reporting and fiscal year data. Test all third-party integrations: CRM, email marketing platform, donation platform, and any embedded tools. Run a page speed audit on the homepage and key conversion pages. Conduct an internal link audit to identify broken or stale links across the site.

Bi-annually

Run an accessibility audit using axe DevTools or WAVE across the homepage, key programme pages, the donation flow, and the contact page. Complete a keyboard navigation check on those same pages, confirming that every interactive element is reachable and that focus indicators are visible. Review all meta titles and meta descriptions for accuracy and SEO completeness. Test Open Graph and social sharing previews on key pages to confirm they display correctly on LinkedIn and other platforms.

Annually

Review and update all governance documents on the site: annual report, accounts, safeguarding policy, privacy policy, and trustees list. Conduct a full content audit across every page, identifying outdated, redundant, or inaccurate content for removal or revision. Complete a stakeholder review to confirm whether the site’s primary audiences are still correctly identified and whether the navigation structure still serves their needs. Review named ownership of the website: confirm who is responsible, whether that is still the right person, and whether the governance schedule itself needs revision. Record the governance review in writing.

The case for documenting the schedule

A maintenance schedule that exists only in one person’s head is not a governance tool. It is a personal habit, and it disappears when that person leaves.

The schedule should exist as a written document, reviewed annually, with named owners for each item and a record of when each task was last completed. That documentation serves three purposes. It makes the workload visible, so the organisation can assess whether it is realistic for the team’s capacity. It creates accountability, because a record that has not been completed is an explicit gap rather than an invisible one. And it protects continuity, because an incoming Communications Director or new Board member can read the document and understand the organisation’s current website governance posture without having to reconstruct it from institutional memory.

For Webflow sites, the maintenance schedule should also note which tasks are handled at platform level (SSL, hosting, CMS updates) and which require active review. This prevents duplication and clarifies responsibility — particularly important when there is an external provider involved alongside an internal team member.

What to do if no schedule currently exists

Start with an audit before attempting to build a schedule. You cannot create a sensible maintenance cadence without knowing the current state of the site. The audit should cover content currency, technical health, accessibility compliance, and the completeness of governance documents. Once you know what is broken, missing, or outdated, you can build a realistic schedule that addresses the gaps rather than maintaining a site that already has unresolved problems.

The nonprofit website governance policy post covers the broader framework for formalising website responsibilities at an organisational level. The content governance post addresses the publishing workflows and approval processes that underpin the content maintenance layer. And if your organisation has never conducted a formal website review, the security and Board governance post outlines the risks that accumulate when technical oversight is absent.

FAQ

Question 1: How often should a nonprofit review its website content?

At minimum, the homepage and any time-sensitive content should be reviewed monthly. Programme pages, team sections, and impact evidence should be reviewed quarterly. Governance documents such as the annual report, accounts, and safeguarding policy should be reviewed and updated annually. The review cadence should be documented and assigned to a named individual, not treated as a general responsibility without a specific owner.

Question 2: Is website maintenance different for nonprofits on Webflow versus WordPress?

The governance principles are the same regardless of platform. The practical differences lie in where responsibility sits. Webflow handles SSL, hosting infrastructure, and CMS updates at platform level, which reduces the technical maintenance burden. WordPress sites require active plugin management, security patching, and hosting oversight, which typically demands more frequent technical review. The content, compliance, and governance maintenance layers are identical across platforms.

Question 3: Who should be responsible for website maintenance in a nonprofit?

Responsibility should be formally assigned, not assumed. In most organisations, the Communications Director or Digital Lead holds primary ownership of content and compliance maintenance. Technical maintenance may involve an external provider. The key governance requirement is that both areas have a named owner, a documented schedule, and a record of completion. Where maintenance is split between internal and external parties, the responsibilities should be clearly delineated in writing, ideally in the website governance policy or the external provider’s terms of service.

If your organisation does not have a current, documented maintenance schedule, the Blueprint Audit provides a structured assessment of where your site currently sits across content, technical, compliance, and governance dimensions, and what a realistic maintenance framework looks like for your specific situation. Learn more about the Blueprint Audit.