Website longevity (10-year horizon)

Overview

Website longevity is the empirical question of how long a given site continues to serve its purpose without ground-up rebuild. The 10-year operational horizon is the design target for Candid Creative client sites: the default assumption is that the site exists 10 years from now, and any rebuild is a business-strategy event, not a forced move driven by accumulated technical debt.

Three forces determine whether a site reaches that horizon. First, architecture and maintenance posture — Orbit Media's own benchmark shows the average website lifespan across the Inc 5000 is "just 2 years and 4 months," while their continuously-maintained client base averages "6 years and 4 months" between major redesigns. Lifespan is a function of architecture and maintenance, not a fixed property of websites. Second, accessibility regulation — 95% of sites fail basic WCAG tests, the EU Accessibility Act became enforceable June 28, 2025 with revenue-scaled penalties, and 40% of new US federal ADA filings are now AI-assisted pro se complaints. Third, the WordPress plugin surface — Patchstack's 2026 figure is that 91% of new WordPress vulnerabilities are in plugins, Wordfence blocked 54 billion malicious requests in 2024, and Sucuri found 39.1% of compromised CMS apps were outdated at the point of infection.

This page consolidates the empirical evidence (Orbit Media, GOV.UK Design System, Patchstack, Wordfence, Sucuri, FTC, DOJ, EU Commission), a 12-dimension decay-vs-compound matrix, a 10-year Canadian SMB cost model, and the Candid Creative architectural rules that operationalize the 10-year horizon. The companion research brief is Research brief: Built to Last — why most SMB sites rebuild every 3-4 years (piece 5 of 15).

Decay-vs-compound matrix: which website dimensions survive 10 years

A website is not a single asset — it is twelve overlapping assets that respond differently to time. The matrix below documents which dimensions decay without intervention and which compound on the right foundation.

Dimension | Default (no foundation) | With foundation-first | Why
Visual design | Decays — dated in ~3yr | Decays slower with minimal semantic style | Trends move; restraint ages better
Long-form content | Decays — link rot, stale facts | Compounds via refresh + structured-data updates | [[hubspot-vaughan-historical-optimization-106pct]]
Code dependencies | Decays — plugins abandoned | Compounds — fewer deps = less surface | Patchstack 2024: 4,166 new vulnerabilities, 96% in plugins, 4% in themes, only 7 in core
Hosting | Decays — provider EOL, acquisitions | Stable on commodity Linux + portable code | [[squarespace-acquired-google-domains-2023]]
Structured data | Neutral | Compounds — AI citations, GEO | Research brief: Structured content as a competitive advantage (piece 2 of 15)
SEO authority | Decays without URL discipline | Compounds heavily | [[sej-892-migrations-523-day-recovery]]
Domain age | Compounds — trust signals accrue | Compounds | One of the few unambiguously time-positive ranking inputs
Citation graph | Decays with link rot | Compounds with URL preservation | Zittrain et al. (Harvard Law 2014): 50% of URLs in U.S. Supreme Court opinions suffer reference rot
Security posture | Decays rapidly without patching | Stable with continuous patching | Sucuri 2023: 39.1% of CMS outdated at infection
Accessibility | Decays — WCAG advances, EAA in force | Stable with semantic HTML + CI testing | UsableNet 2025: 5,000+ digital accessibility lawsuits filed; 46% of federal cases involve repeat defendants
Performance / CWV | Decays — page weight grows, scripts pile up | Stable with CI-enforced budget | Web Almanac 2024: median desktop page weight — WordPress 2,252 KB, Wix 2,560, Squarespace 3,323; 90th pct crosses 8 MB
Brand equity | Decays if site quality drops below brand promise | Compounds when site quality matches brand | Trust accumulates against consistent presentation
Internal docs/KB | Decays as staff turn over | Compounds when stored in repo + KB | Research brief: The knowledge-base-backed website (piece 3 of 15)

Net argument. Roughly half of these dimensions can compound — but only on architecture that lets them. On a brittle stack, every dimension decays simultaneously, and the "rebuild every three years" pattern becomes the only available response.

Ten-year cost model: rebuild-every-3-years vs foundation-first (Canadian SMB, CAD)

The 10-year cost projection below is for a typical Kitchener-Waterloo SMB site (~20-40 pages, professional services or local commerce, CAD). Ranges are wide because the work is wide.

Scenario A — Rebuild every 3 years on typical agency platform stack:

  • Year 0 initial build (WP + page builder): $8k-$18k
  • Hosting + plugins + 5 hr/mo support, years 0-3: ~$8.5k
  • Year 3 full rebuild: $10k-$25k
  • Years 4-6 maintenance + Year 6 second rebuild: ~$37k-$55k
  • Years 7-9 + Year 9 third rebuild: ~$39k-$60k
  • Year 10 residual: ~$10k
  • Total: ~$115k-$185k CAD

Scenario B — Foundation-first, maintained continuously:

  • Year 0 initial build (semantic HTML + headless/lean CMS): $18k-$35k
  • 10 years hosting (cloud/CDN): ~$3.5k total
  • 10 years minimal plugin licenses: ~$2k total
  • 10 years continuous retainer (~10-15 hr/mo @ $140/hr): ~$200k
  • Year 5 significant refresh: $8k-$15k
  • Total: ~$235k-$260k CAD

Reading the model honestly. The naïve dollar total is higher for Scenario B, but that comparison is misleading unless it also includes (a) the opportunity cost of 3× 523-day SEO recovery curves ([[sej-892-migrations-523-day-recovery]]) and (b) lost lead value during rebuilds. Scenario A loads ~3× 523 days of degraded organic traffic plus a 17% probability per rebuild that traffic never recovers. Scenario B benefits from compounding domain age, citation graph, and structured-data depth — none of which appear as line items but determine cost-per-lead by year 5. For SMBs doing $1M+ revenue with non-trivial lead value, Scenario B's payoff is on the order of one rebuild avoided over 10 years; for sub-$250k micro-businesses, the math is closer to neutral.

Gaps in the model. Ontario retainer pricing is not well-publicized (extrapolated from CSP / 2Marketing / Databending ranges); plugin licensing inflation is held flat (likely too generous); the model does not account for breach response (Verizon DBIR median ransom: US$115k — see Verizon DBIR 2025: 88% of SMB breaches involved ransomware vs 39% of enterprise; median ransom $115k).

Orbit Media: 2y4mo Inc 5000 average vs 6y4mo under continuous care

Orbit Media reports the average website lifespan across the top of the Inc 5000 list is "just 2 years and 4 months." Their own client base — sites under continuous care — averages "6 years and 4 months" between major redesigns. The implication is that lifespan is a function of architecture and maintenance, not a fixed property of websites.

Source: https://orbitmedia.com/blog/website-lifespan-and-you/

Confidence: Industry-consensus (Orbit's own benchmark plus a Databox survey of 145 SMBs they cite).

Honest caveat. The frequently-recycled "2 years 7 months" lifespan figure (attributed to HubSpot in many agency blogs) could not be verified at primary source. Use Orbit's 2y4mo Inc-5000 number, not the unverifiable HubSpot one.

Longevity named examples (2026): nine sites that ran 10+ years without a ground-up rebuild

The empirical foundation for the "build to last" argument is the catalogue of sites that have actually done it.

  • Daring Fireball (since 2002): Movable Type, self-hosted on Linode, static HTML output. Content separated from presentation; one author = one stack owner.
  • Berkshire Hathaway (since 1997): Same HTML structure since 1997. Page weight ~198 KB; load time ~116 ms — orders of magnitude better than the modern average (median page is 2.56 MB per Web Almanac 2024: median desktop page weight — WordPress 2,252 KB, Wix 2,560, Squarespace 3,323; 90th pct crosses 8 MB). A brochure site that is just HTML can outlast a 30-year company without modification.
  • Craigslist: Plain HTML, table-based layout; survived 25+ years of "modernization" trends; consistently profitable. Usability over fashion compounds.
  • Hacker News (since 2007): Custom Lisp/Arc stack; intentional feature freeze; near-zero design churn. Scope discipline is an architectural choice.
  • Wikipedia / MediaWiki: Open-source CMS, structured wikitext + templates, separated from skin/presentation. Structured content survives presentation changes.
  • Stack Overflow (since 2008): Custom .NET; question/answer schema versioned for URL stability; permalinks preserved across redesigns. URL design is permanence design.
  • GOV.UK (since 2012): Government Digital Service built on content store + APIs + reusable design system. Per GDS: "pages on GOV.UK built with the Design System download about twice as fast as those that haven't, as they use about half as much code."
  • Pinboard (since 2009): Plain PHP + MySQL + Perl scripts; explicitly chose "boring architecture is a feature"; serves tens of thousands of paying users on modest hardware. Tech choices constrained by "what one person can operate forever" drive longevity.
  • Joel on Software (since 2000): Custom CMS, continuous publication, archive intact and linkable. URL stability + plain text + RSS = a 25-year asset.

Common pattern across all of them. Content separated from presentation. Minimal dependencies. URL stability as a design principle. Boring architecture as a feature. None of them rebuilt every three years.

GOV.UK Design System: 2× faster downloads, half the code

The Government Digital Service (GDS) is the most-documented public example of foundation-first design compounding across an organization.

Quote (GDS blog, March 31, 2022):

"Pages on GOV.UK built with the Design System download about twice as fast as those that haven't, as they use about half as much code."

Source: GDS blog (March 2022); GOV.UK Design System documentation.

Confidence: Verified.

Why this matters as a model. GOV.UK's Design System, GOV.UK Frontend, and shared platforms (notifications, payments, hosting) are reused across hundreds of departments. Foundation-first compounds across an organization, not just within a site. The same architectural discipline applied to a multi-vertical service business — or an agency's portfolio of clients — produces the same compound efficiency. A Candid component library that ships once and is reused across client sites is the small-scale version of the GDS pattern.

Accessibility: regulatory and litigation forcing functions

Accessibility has crossed from "good practice" to "regulatory floor" in two jurisdictions Candid clients operate in. Three sub-sections below: the litigation environment, the regulatory deadlines, and the overlay-vendor problem.

95% of sites fail basic WCAG; 40% of new federal ADA filings are pro se (AI-assisted)

Accessibility.Works analysis (citing Seyfarth Shaw federal litigation data) states:

"According to Seyfarth Shaw, 40% of federal ADA Title III filings are now pro se" — driven by AI-assisted complaints.

Companion finding from the same analysis: "95% of websites fail basic WCAG tests."

Confidence: Verified (cross-corroborated by UsableNet).

The structural shift. Litigation volume is decoupling from law-firm capacity. AI-drafted complaints lower the cost of filing, which raises the volume of cases without requiring more plaintiff-side legal resources. A small business with a sub-WCAG site is no longer protected by the friction of "no one will sue me, I'm too small" — the marginal cost of filing has fallen. Pairs with UsableNet 2025: 5,000+ digital accessibility lawsuits filed; 46% of federal cases involve repeat defendants for the macro trend (UsableNet 2025: ~5,000 federal ADA Title III digital-accessibility lawsuits annually, with 46% involving repeat defendants).

DOJ Interim Final Rule 2026-07663: ADA Title II compliance dates extended to April 2027 / April 2028

Per DOJ Interim Final Rule 2026-07663 (Federal Register, effective April 20, 2026):

"The compliance date for State and local government entities with a total population of 50,000 or more is extended from April 24, 2026, to April 26, 2027."

Entities under 50,000 population are extended to April 26, 2028 (per Duane Morris LLP summary).

Source: Federal Register 2026-07663; Duane Morris summary.

Confidence: Verified.

The original "April 2026" date that has circulated in agency writing is superseded. Public-sector pressure has eased a year; the private-sector ADA Title III risk and the EU EAA pressure have not.

EU Accessibility Act: enforcement began June 28, 2025

European Accessibility Act enforcement began June 28, 2025. Maximum penalties typically:

  • Germany (BFSG): up to €100,000 per violation
  • France: up to 4-5% of revenue under national transposition
  • Italy: similar 4-5% revenue penalties

Scope (per Kinsta + Bird & Bird): any business selling to EU consumers with ≥10 employees AND ≥€2M turnover. Microenterprises are temporarily exempt.

Sources: https://accessibility.works/european-accessibility-act/; https://allaccessible.org/blog/european-accessibility-act-eaa-compliance-guide; https://kinsta.com/blog/european-accessibility-act/

Confidence: Verified.

For Canadian Candid clients. Any client selling into the EU is in scope above the 10-employee / €2M threshold. The EAA is the strongest current regulatory accessibility forcing function — stronger than ADA Title III in private-sector enforcement because the penalties scale with revenue.

FTC accessiBe $1M settlement (January 3, 2025): the overlay-vendor problem

Quote (FTC press release, January 3, 2025):

"FTC Order Requires Online Marketer to Pay $1 Million for Deceptive Claims that its AI Product Could Make Websites Compliant with Accessibility Guidelines"

Settlement with accessiBe Inc. (accessWidget overlay). Final consent order approved April 2025.

Source: https://ftc.gov/news-events/news/press-releases/2025/01/

Confidence: Verified (FTC primary).

The overlay-vendor problem in one settlement. A generation of small-business sites bought accessibility overlays believing they had achieved WCAG conformance; they had not. Those sites are now (a) still non-compliant, (b) still suable, and (c) running JS that the actual disabled users they are supposed to help often disable. Use as the canonical "do not buy accessibility overlays" reference. The structural remediation (semantic HTML, real keyboard navigation, real screen-reader labels) is the only durable answer.

Security: the WordPress plugin surface and the ambient attack environment

The WordPress security data documents two things at once: the shape of the attack surface (overwhelmingly plugins, not core), and the volume of the ambient attack traffic an unmaintained site is exposed to.

Patchstack 2024 vuln disclosure: 4,166 vulnerabilities, 96% in plugins

The standalone reference is Patchstack 2024: 4,166 new vulnerabilities, 96% in plugins, 4% in themes, only 7 in core. The figure is preserved here as a cross-reference: Patchstack disclosed 4,166 WordPress vulnerabilities in 2024, with 96% in plugins (only 7 in core).

Patchstack 2026: 91% of new vulnerabilities in plugins; only 6 in core

Quote (Patchstack, State of WordPress Security in 2026): "91% of new vulnerabilities were found in plugins, and 9% were found in themes. There were only 6 vulnerabilities reported in the WordPress core."

Source: https://patchstack.com/whitepaper/state-of-wordpress-security-in-2026/

Confidence: Verified (primary).

Mechanism. Each plugin is a separate attack surface, maintained by a separate developer (or no developer). A 30-plugin WordPress site has 30 attack surfaces; a custom Next.js site has its own npm dependency tree but no plugin-as-extension model.

Note on plugin-count averages. Industry rules-of-thumb circulate (20-30 plugins average per business site; WPBeginner runs 62; FatLab Web Support reports 80+ extra files loaded on heavy plugin sites). Those are industry-consensus rules-of-thumb, not measured installed-base data — no host publishes hard averages.

Patchstack 2024: 1,614 plugins and themes removed from the .org repo

Quote (Patchstack State of WordPress Security 2025):

"1,614 plugins and themes were removed from the WordPress repository for unpatched security issues" in 2024; "1,450 had High and Medium priority vulnerabilities" and "33% of vulnerabilities were not fixed in time for public disclosure."

Source: https://patchstack.com/whitepaper/state-of-wordpress-security-in-2025/

Confidence: Verified.

Operational implication. If a site depends on any plugin in the 1,614, the only "upgrade path" is removal. Patchstack's October 2024 cleanup event alone closed 977 plugins (~1.1% of the repo). Site lifespan is bounded by the maintenance posture of the longest-tail plugin in the stack.

Wordfence 2024: 54 billion malicious requests blocked; 325-350k sites infected daily

Wordfence 2024 Annual WordPress Security Report (published April 8, 2025):

  • "Wordfence blocked and logged over 54 billion malicious requests, and blocked over 55 billion password attacks in 2024"
  • "In 2024, 8,223 vulnerabilities were published… roughly a 68% increase from 2023"
  • "Plugin vulnerabilities remain the biggest software threat to WordPress, accounting for 96% of all vulnerabilities disclosed" (only 5 affected core)
  • "Roughly 35% of the vulnerabilities disclosed in 2024 remain unpatched in 2025"
  • "Wordfence saw just under one million distinct sites infected with malware… roughly 325,000 - 350,000 infected sites on any given day"

Source: https://wordfence.com/blog/2025/04/2024-annual-wordpress-security-report-by-wordfence/

Confidence: Verified.

Reading the volume. This is the ambient background radiation an unmaintained WordPress site is exposed to. The +68% YoY growth in disclosed vulns means the maintenance burden of any large plugin stack is itself growing.

Sucuri 2023: 39.1% of CMS apps outdated at point of infection

Quote (Sucuri 2023 Hacked Website & Malware Threat Report, June 12, 2024):

"39.1% of all CMS applications were outdated at the point of infection."

Companion findings (same report):

  • 13.97% of compromised sites had at least one vulnerable plugin or theme present
  • 49.21% had at least one backdoor at remediation
  • 42.22% had SEO spam (Japanese SEO spam .htaccess: 10.07% — the most common single infection)
  • 55.2% of infected databases had malicious WordPress admin users

Year-over-year context. Sucuri's 2022 report (April 2023) reported 50.58% of compromised CMS apps were outdated. The 50.58% → 39.1% improvement reflects real progress, but outdated CMS is still the most common environment for a compromise.

Source: https://blog.sucuri.net/2024/06/2023-hacked-website-malware-threat-report.html

Confidence: Verified.

Candid Creative architectural rules (operationalizing the 10-year horizon)

Rule: design for a 10-year operational horizon

Candid Creative client sites are designed for a 10-year operational horizon. The default assumption is that the site exists 10 years from now; rebuild decisions are business-strategy events, not forced moves driven by accumulated debt.

How to apply. URL design: slugs are a 10-year decision (see rule on URL permanence below). Dependency minimum: fewer plugins, fewer themes, fewer build-time dependencies. Content separated from presentation (Markdown / Postgres / headless CMS — not page-builder JSON blobs). Continuous maintenance retainer is part of the engagement, not a separate sale; quarterly content refresh discipline pays for itself via [[hubspot-vaughan-historical-optimization-106pct]]. When a client does genuinely need to rebuild (business pivot, capability ceiling, compliance forcing function), do it as a planned migration with 301 redirects — not a panic move.

Rule: URL/slug design is a 10-year decision; never let a slug change without a 301 redirect

Every Candid client URL is designed for permanence. Slug renames require a 301 redirect from the old path. The redirect map is maintained for the life of the site — never garbage-collected.

Why. Zittrain et al. (Harvard Law 2014): 50% of URLs in U.S. Supreme Court opinions suffer reference rot. When the open web's most prestigious citation infrastructure rots at 50%, the typical SMB site's URL discipline is much worse. Every broken inbound link is a lost citation, a degraded SEO signal, a frustrated returning visitor. Mueller on internal linking: "one of the biggest things that you can do on a website" — see [[mueller-internal-linking-biggest-thing]]. The same logic applies to inbound links from elsewhere — they degrade silently when URLs change.

How to apply. Slug taxonomy planned at IA phase, not bolted on later (see [[url-structure-patterns-by-pattern]]). Every redirect lives in version control alongside the code (.htaccess, Nginx conf, Next.js redirects.json — anywhere reviewable). Quarterly check: 404 rate trend. Spike = broken inbound links somewhere; fix the redirect. On rebuild: redirect map is the first deliverable, not the last (see [[sej-892-migrations-523-day-recovery]]).
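One way to enforce the redirect rule in review and to run the quarterly 404 check, as an added example (not Candid Creative's own tooling). It assumes the redirect map is available as a source-to-target mapping and that access logs are in combined log format; all paths and log lines are constructed.

```python
import re
from collections import Counter


def resolve(path, redirects, live):
    """Follow 301s from path; return ('live' | 'dead' | 'loop', final_path)."""
    seen = set()
    while path in redirects:
        if path in seen:
            return "loop", path
        seen.add(path)
        path = redirects[path]
    return ("live" if path in live else "dead"), path


def lint_redirect_map(current, previous, live, ever_published):
    """Findings as (kind, url) tuples; an empty list means the map is sound."""
    findings = []
    # Redirects are never garbage-collected: every source in the last committed
    # map must still be present unless that path serves a page again.
    for src in sorted(set(previous) - set(current)):
        if src not in live:
            findings.append(("dropped", src))
    # Every URL the site has ever published must end on a live page.
    for url in sorted(set(ever_published) | set(current)):
        status, _final = resolve(url, current, live)
        if status != "live":
            findings.append((status, url))
    return findings


# Request path and status fields of a combined-log-format line.
REQUEST = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) ')


def top_404_paths(log_lines):
    """404 counts per path (query string stripped), most frequent first."""
    hits = Counter()
    for line in log_lines:
        m = REQUEST.search(line)
        if m and m.group(2) == "404":
            hits[m.group(1).split("?", 1)[0]] += 1
    return hits.most_common()


# Constructed sample data: site pages, the previous and current redirect maps,
# the set of URLs ever published (e.g. from old sitemaps), and a log excerpt.
LIVE = {"/", "/about", "/services/web-design"}
PREVIOUS = {"/web-design": "/services/web-design", "/about-us": "/about"}
CURRENT = {"/web-design": "/services/web-design",
           "/promo": "/promo-2", "/promo-2": "/promo"}
EVER_PUBLISHED = {"/", "/about", "/about-us", "/web-design", "/pricing"}
ACCESS_LOG = [
    '203.0.113.7 - - [03/Jan/2026:10:01:12 +0000] "GET /about-us HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.9 - - [03/Jan/2026:10:02:40 +0000] "GET /about-us?utm=x HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.9 - - [03/Jan/2026:10:03:05 +0000] "GET /pricing HTTP/2.0" 404 512 "-" "-"',
    '203.0.113.4 - - [03/Jan/2026:10:04:51 +0000] "GET /about HTTP/1.1" 200 8192 "-" "-"',
]

if __name__ == "__main__":
    for kind, url in lint_redirect_map(CURRENT, PREVIOUS, LIVE, EVER_PUBLISHED):
        print(f"{kind:8} {url}")
    print(top_404_paths(ACCESS_LOG))
```

Run as a CI step, a non-empty findings list fails the change that dropped or broke a redirect; the 404 ranking shows which missing redirect to restore first.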

Rule: capture an archive snapshot at the moment of citing any web source; quote verbatim

At the moment of citing any web source in Candid content, capture an archive snapshot (Perma.cc preferred; archive.org Save Page Now as fallback). Include both URLs in the citation. Quote the source verbatim (≤25 words) so the claim survives link death.

Why. NYT link half-life is ~15 years with 13% content drift even on "live" links ([[nyt-link-half-life-15-years-13pct-content-drift]]). Zittrain Harvard Law 2014: 50% of US Supreme Court opinion links, 70% of Harvard Law Review links broken (Zittrain et al. (Harvard Law 2014): 50% of URLs in U.S. Supreme Court opinions suffer reference rot). A footnote with "source: example.com/article-123" leaves no recovery path when the URL dies; a footnote with a verbatim quote remains searchable in archives forever.

How to apply. Workflow: cite → snapshot (one click in Perma.cc browser extension) → verbatim quote into the citation. Format: "...[verbatim quote]..." (Source, Date — original URL | archived). For research-brief and KB entries: archive every primary source on first use. For marketing pages citing sources via the KB: the KB entry is the archive layer; marketing pages link to the KB. Quarterly link-checker pass per [[link-rot-mitigation-9-step-plan]]. Candid-authored research artifacts get DOIs via Zenodo (free).

Rule: accessibility is architecture, not an overlay

Candid Creative client sites achieve WCAG conformance through architectural choices — semantic HTML, keyboard navigation, screen-reader labels, color contrast — not via overlay widgets. Never sell, install, or recommend an accessibility overlay (accessiBe, UserWay, EqualWeb, etc.).

Why. FTC ordered accessiBe to pay $1M in January 2025 for "deceptive claims that its AI product could make websites compliant." Overlays do not fix accessibility — they layer JS over an inaccessible page. Disabled users routinely disable the overlays. Litigation surface remains: 46% of federal ADA cases involve repeat defendants (UsableNet 2025: 5,000+ digital accessibility lawsuits filed; 46% of federal cases involve repeat defendants); 95% of sites fail basic WCAG; 40% of new filings are pro se. EU EAA has been enforceable since June 28, 2025 with revenue-scaled penalties.

How to apply. Accessibility audit at design phase, not after launch. Semantic HTML (<button>, <nav>, <main>) over <div> soup. Color contrast checks in design system (4.5:1 minimum text). Keyboard navigation tested before each release. Automated testing in CI (axe, pa11y) plus manual screen-reader sweep before launch. If a client insists on an overlay (often because a competitor showed them one), document the FTC settlement in writing and decline to install. The shared-risk argument: the agency that installed accessiBe sites in 2023 is the agency whose clients are receiving 2025 ADA filings.

Rule: plugin count is the WordPress security surface; one-in, one-out

For Candid WordPress client sites, plugin count is the security surface. Audit quarterly. New plugins require justification plus a removed-plugin counterpart (one-in, one-out).

Why. Patchstack 2024: 96% of WordPress vulnerabilities are in plugins; only 7 in core (Patchstack 2024: 4,166 new vulnerabilities, 96% in plugins, 4% in themes, only 7 in core). Wordfence 2024: 8,223 vulns published, +68% YoY, 35% still unpatched in 2025. Patchstack 2024 cleanup: 1,614 plugins removed from the repo for unpatched issues — sites depending on them get no upgrade path, only removal. Sucuri 2023: 39.1% of compromised CMS sites were running outdated software at infection.

How to apply. Quarterly plugin audit: list every plugin, last-update date, active install count, alternative if vendor goes silent. Plugin acceptance gate: a new plugin must justify (a) why core/theme/code can't do it, (b) the vendor's update cadence, (c) the alternative if the vendor disappears. One-in-one-out: net plugin count never grows without explicit justification. Plugins that haven't shipped a release in 18 months go on a watchlist; 24 months = scheduled removal.
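The audit thresholds and the acceptance gate above can be expressed as a small check. This is an added example rather than Candid Creative's own tooling: the inventory is constructed (slugs and dates are made up), the answer-key names are assumptions, and in practice the inventory would be filled from the site's plugin list and each plugin's release history.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

WATCHLIST_MONTHS = 18  # page rule: no release in 18 months -> watchlist
REMOVAL_MONTHS = 24    # page rule: 24 months -> scheduled removal
# The three questions of the acceptance gate; the key names are assumptions.
GATE_QUESTIONS = ("why_not_core", "vendor_update_cadence", "fallback_if_vendor_gone")


@dataclass(frozen=True)
class Plugin:
    slug: str
    last_release: Optional[date]  # None when the date could not be determined
    closed_in_repo: bool = False  # pulled from the repository, no fix coming


def months_since(released: date, today: date) -> int:
    """Whole calendar months elapsed between two dates."""
    months = (today.year - released.year) * 12 + (today.month - released.month)
    return months - 1 if today.day < released.day else months


def classify(plugin: Plugin, today: date) -> str:
    if plugin.closed_in_repo:
        return "remove-now"   # the only upgrade path is removal
    if plugin.last_release is None:
        return "watchlist"    # unknown age gets reviewed, not trusted
    age = months_since(plugin.last_release, today)
    if age >= REMOVAL_MONTHS:
        return "scheduled-removal"
    return "watchlist" if age >= WATCHLIST_MONTHS else "ok"


def audit(plugins, today):
    return {p.slug: classify(p, today) for p in plugins}


def acceptance_gate(baseline, proposed, answers, growth_justification=""):
    """Return the reasons a proposed plugin list fails the gate (empty = pass)."""
    baseline, proposed = set(baseline), set(proposed)
    problems = []
    for slug in sorted(proposed - baseline):
        given = answers.get(slug, {})
        missing = [q for q in GATE_QUESTIONS if not given.get(q, "").strip()]
        if missing:
            problems.append(f"{slug}: unanswered {', '.join(missing)}")
    growth = len(proposed) - len(baseline)
    if growth > 0 and not growth_justification.strip():
        problems.append(f"plugin count grows by {growth} with no removal or justification")
    return problems


# Constructed inventory; slugs and dates are made up for the example.
TODAY = date(2026, 1, 15)
INVENTORY = [
    Plugin("example-forms", date(2025, 11, 2)),
    Plugin("example-seo", date(2024, 6, 20)),
    Plugin("example-slider", date(2023, 12, 1)),
    Plugin("example-gallery", date(2025, 9, 1), closed_in_repo=True),
]

if __name__ == "__main__":
    for slug, verdict in audit(INVENTORY, TODAY).items():
        print(f"{slug:16} {verdict}")
    current = [p.slug for p in INVENTORY]
    swap = [s for s in current if s != "example-gallery"] + ["example-lightbox"]
    print(acceptance_gate(current, swap, {"example-lightbox": {
        "why_not_core": "core has no lightbox",
        "vendor_update_cadence": "monthly releases",
        "fallback_if_vendor_gone": "native dialog element",
    }}))
    print(acceptance_gate(current, current + ["example-popup"], {}))
```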

Sources and confidence

Verified — primary sources:

Verified — cross-corroborated:

  • Accessibility.Works / Seyfarth Shaw federal litigation data: 40% of federal ADA Title III filings now pro se; 95% of sites fail basic WCAG tests

Industry-consensus:

  • Orbit Media's secondary citation of a Databox survey of 145 SMBs for the 6y4mo continuous-care figure
  • Plugin-count rules-of-thumb (20-30 per business site; WPBeginner 62; FatLab 80+ extra files) — rules-of-thumb, not measured installed-base data

Unverified / explicitly rejected:

  • The "2 years 7 months" website lifespan figure (attributed to HubSpot in many agency blogs) could not be verified at primary source; the Orbit 2y4mo Inc-5000 number is used instead

Caveats on the 10-year cost model:

Companion KB entries kept standalone: