Website longevity (10-year horizon)

Summary

Overview

Website longevity is the empirical question of how long a given site continues to serve its purpose without ground-up rebuild. A 10-year operational horizon is a reasonable design target for SMB client sites: the default assumption is that the site exists 10 years from now, and any rebuild is a business-strategy event, not a forced move driven by accumulated technical debt.

Three forces determine whether a site reaches that horizon. First, architecture and maintenance posture — Orbit Media's own benchmark shows the average website lifespan across the Inc 5000 is "just 2 years and 4 months," while their continuously-maintained client base averages "6 years and 4 months" between major redesigns. Lifespan is a function of architecture and maintenance, not a fixed property of websites. Second, accessibility regulation — 95% of sites fail basic WCAG tests, the EU Accessibility Act became enforceable June 28, 2025 with revenue-scaled penalties, and 40% of new US federal ADA filings are now AI-assisted pro se complaints. Third, the WordPress plugin surface — Patchstack's 2026 figure is that 91% of new WordPress vulnerabilities are in plugins, Wordfence blocked 54 billion malicious requests in 2024, and Sucuri found 39.1% of compromised CMS apps were outdated at the point of infection.

This page consolidates the empirical evidence (Orbit Media, GOV.UK Design System, Patchstack, Wordfence, Sucuri, FTC, DOJ, EU Commission), a 12-dimension decay-vs-compound matrix, a 10-year Canadian SMB cost model, and the architectural rules that operationalize the 10-year horizon. The companion research brief is Agency methodology for small-business website projects.

Decay-vs-compound matrix: which website dimensions survive 10 years

A website is not a single asset — it is twelve overlapping assets that respond differently to time. The matrix below documents which dimensions decay without intervention and which compound on the right foundation.

Dimension | Default (no foundation) | With foundation-first | Why
--- | --- | --- | ---
Visual design | Decays — dated in ~3yr | Decays slower with minimal semantic style | Trends move; restraint ages better
Long-form content | Decays — link rot, stale facts | Compounds via refresh + structured-data updates | HubSpot historical-optimization data: +106% organic traffic from refresh
Code dependencies | Decays — plugins abandoned | Compounds — fewer deps = less surface | Patchstack 2024: 96% of WP vulns in plugins
Hosting | Decays — provider EOL, acquisitions | Stable on commodity Linux + portable code | Squarespace acquired Google Domains in 2023
Structured data | Neutral | Compounds — AI citations, GEO | Schema and semantic markup accrue value as retrieval surfaces multiply
SEO authority | Decays without URL discipline | Compounds heavily | Search Engine Journal: median 523-day recovery across 892 migrations
Domain age | Compounds — trust signals accrue | Compounds | One of the few unambiguously time-positive ranking inputs
Citation graph | Decays with link rot | Compounds with URL preservation | Zittrain et al. (Harvard Law 2014): 50% reference rot in Supreme Court opinions
Security posture | Decays rapidly without patching | Stable with continuous patching | Sucuri 2023: 39.1% of CMS outdated at infection
Accessibility | Decays — WCAG advances, EAA in force | Stable with semantic HTML + CI testing | Lead-generation directories for trades and home services
Performance / CWV | Decays — page weight grows, scripts pile up | Stable with CI-enforced budget | Web Almanac 2024: median page weight 2.56 MB, varies sharply by CMS
Brand equity | Decays if site quality drops below brand promise | Compounds when site quality matches brand | Trust accumulates against consistent presentation
Internal docs/KB | Decays as staff turn over | Compounds when stored in repo + KB | Institutional memory survives turnover when stored in versioned repo + KB

Net argument. Roughly half of these dimensions can compound — but only on architecture that lets them. On a brittle stack, every dimension decays simultaneously, and the "rebuild every three years" pattern becomes the only available response.

Ten-year cost framing: rebuild-every-three-years vs foundation-first

A ten-year ownership framing for a typical small-business marketing site (twenty to forty pages, professional services or local commerce) splits the decision into two long-run patterns.

Pattern A — periodic rebuild on a typical agency platform stack. A new platform build is commissioned roughly every three years. Maintenance and hosting accrue between rebuilds; the rebuild itself dominates the line items at year three, year six, and year nine. The headline dollar total is dispersed across cycles, with the structural cost concentrated in three discrete rebuild events plus the steady-state hosting and support spend in between.

Pattern B — foundation-first, maintained continuously. A higher initial build cost is paid once, on a stack with content separated from presentation (semantic HTML, headless or lean CMS, minimal plugin surface). Continuous low-amplitude maintenance replaces the discrete rebuild events. A mid-horizon refresh typically replaces a fraction of the design surface around year five without resetting URLs, schema, or domain age.

Reading the patterns honestly. A naïve dollar total can read higher for Pattern B because continuous retainer hours are line items while opportunity costs are not. The honest comparison adds two omitted lines to Pattern A: the cumulative drag of multiple post-rebuild SEO recovery curves (Search Engine Journal's review of 892 migrations puts median traffic recovery at 523 days, with a 17% per-rebuild probability that traffic never recovers to baseline), and the lost lead value during each recovery curve. Pattern B benefits from compounding domain age, citation graph, and structured-data depth — none of which appear as line items but determine cost-per-lead by year five. For small businesses doing roughly one million dollars or more in annual revenue with non-trivial lead value, Pattern B's payoff is on the order of one rebuild avoided over ten years; at much smaller scale the math is closer to neutral.

Gaps in the framing. Maintenance-retainer pricing in Canada is not well-published (extrapolated from agency price-page aggregations); plugin licensing inflation across a decade is held flat as a working assumption; the framing does not account for breach-response cost (Verizon DBIR median ransom; see Customer self-service on small-business websites).

Orbit Media: 2y4mo Inc 5000 average vs 6y4mo under continuous care

Orbit Media reports the average website lifespan across the top of the Inc 5000 list is "just 2 years and 4 months." Their own client base — sites under continuous care — averages "6 years and 4 months" between major redesigns. The implication is that lifespan is a function of architecture and maintenance, not a fixed property of websites.

Source: https://orbitmedia.com/blog/website-lifespan-and-you/

Confidence: Industry-consensus (Orbit's own benchmark plus a Databox survey of 145 SMBs they cite).

Honest caveat. The frequently-recycled "2 years 7 months" lifespan figure (attributed to HubSpot in many agency blogs) could not be verified at primary source. Use Orbit's 2y4mo Inc-5000 number, not the unverifiable HubSpot one.

Longevity named examples (2026): nine sites that ran 10+ years without a ground-up rebuild

The empirical foundation for the "build to last" argument is the catalogue of sites that have actually done it.

  • Daring Fireball (since 2002): Movable Type, self-hosted on Linode, static HTML output. Content separated from presentation; one author = one stack owner.
  • Berkshire Hathaway (since 1997): Same HTML structure since 1997. Page weight ~198 KB; load time ~116 ms — orders of magnitude better than the modern average (median page is 2.56 MB per the HTTP Archive Web Almanac 2024). A brochure site that is just HTML can outlast a 30-year company without modification.
  • Craigslist: Plain HTML, table-based layout; survived 25+ years of "modernization" trends; consistently profitable. Usability over fashion compounds.
  • Hacker News (since 2007): Custom Lisp/Arc stack; intentional feature freeze; near-zero design churn. Scope discipline is an architectural choice.
  • Wikipedia / MediaWiki: Open-source CMS, structured wikitext + templates, separated from skin/presentation. Structured content survives presentation changes.
  • Stack Overflow (since 2008): Custom .NET; question/answer schema versioned for URL stability; permalinks preserved across redesigns. URL design is permanence design.
  • GOV.UK (since 2012): Government Digital Service built on content store + APIs + reusable design system. Per GDS: "pages on GOV.UK built with the Design System download about twice as fast as those that haven't, as they use about half as much code."
  • Pinboard (since 2009): Plain PHP + MySQL + Perl scripts; explicitly chose "boring architecture is a feature"; serves tens of thousands of paying users on modest hardware. Tech choices constrained by "what one person can operate forever" drive longevity.
  • Joel on Software (since 2000): Custom CMS, continuous publication, archive intact and linkable. URL stability + plain text + RSS = a 25-year asset.

Common pattern across all of them. Content separated from presentation. Minimal dependencies. URL stability as a design principle. Boring architecture as a feature. None of them rebuilt every three years.

GOV.UK Design System: 2× faster downloads, half the code

The Government Digital Service (GDS) is the most-documented public example of foundation-first design compounding across an organization.

Quote (GDS blog, March 31, 2022):

"Pages on GOV.UK built with the Design System download about twice as fast as those that haven't, as they use about half as much code."

Source: GDS blog (March 2022); GOV.UK Design System documentation.

Confidence: Verified.

Why this matters as a model. GOV.UK's Design System, GOV.UK Frontend, and shared platforms (notifications, payments, hosting) are reused across hundreds of departments. Foundation-first compounds across an organization, not just within a site. The same architectural discipline applied to a multi-vertical service business — or an agency's portfolio of clients — produces the same compound efficiency. A shared component library that ships once and is reused across multiple client sites is the small-scale version of the GDS pattern.

Accessibility: regulatory and litigation forcing functions

Accessibility has crossed from "good practice" to "regulatory floor" in the jurisdictions Canadian SMBs typically operate in. Three sub-sections below: the litigation environment, the regulatory deadlines, and the overlay-vendor problem.

95% of sites fail basic WCAG; 40% of new federal ADA filings are pro se (AI-assisted)

Accessibility.Works analysis (citing Seyfarth Shaw federal litigation data) states:

"According to Seyfarth Shaw, 40% of federal ADA Title III filings are now pro se" — driven by AI-assisted complaints.

Companion finding from the same analysis: "95% of websites fail basic WCAG tests."

Confidence: Verified (cross-corroborated by UsableNet).

The structural shift. Litigation volume is decoupling from law-firm capacity. AI-drafted complaints lower the cost of filing, which raises the volume of cases without requiring more plaintiff-side legal resources. A small business with a sub-WCAG site is no longer protected by the friction of "no one will sue me, I'm too small" — the marginal cost of filing has fallen. Pairs with Lead-generation directories for trades and home services for the macro trend (UsableNet 2025: ~5,000 federal ADA Title III digital-accessibility lawsuits annually, with 46% involving repeat defendants).

DOJ Interim Final Rule 2026-07663: ADA Title II compliance dates extended to April 2027 / April 2028

Per DOJ Interim Final Rule 2026-07663 (Federal Register, effective April 20, 2026):

"The compliance date for State and local government entities with a total population of 50,000 or more is extended from April 24, 2026, to April 26, 2027."

Entities under 50,000 population are extended to April 26, 2028 (per Duane Morris LLP summary).

Source: Federal Register 2026-07663; Duane Morris summary.

Confidence: Verified.

The original "April 2026" date that has circulated in agency writing is superseded. Public-sector pressure has eased a year; the private-sector ADA Title III risk and the EU EAA pressure have not.

EU Accessibility Act: enforcement began June 28, 2025

European Accessibility Act enforcement began June 28, 2025. Maximum penalties typically:

  • Germany (BFSG): up to €100,000 per violation
  • France: up to 4-5% of revenue under national transposition
  • Italy: similar 4-5% revenue penalties

Scope (per Kinsta + Bird & Bird): any business selling to EU consumers with ≥10 employees AND ≥€2M turnover. Microenterprises are temporarily exempt.

Sources: https://accessibility.works/european-accessibility-act/; https://allaccessible.org/blog/european-accessibility-act-eaa-compliance-guide; https://kinsta.com/blog/european-accessibility-act/

Confidence: Verified.

For Canadian SMBs selling into the EU. Any business selling into the EU is in scope above the 10-employee / €2M threshold. The EAA is the strongest current regulatory accessibility forcing function — stronger than ADA Title III in private-sector enforcement because the penalties scale with revenue.

FTC accessiBe $1M settlement (January 3, 2025): the overlay-vendor problem

Quote (FTC press release, January 3, 2025):

"FTC Order Requires Online Marketer to Pay $1 Million for Deceptive Claims that its AI Product Could Make Websites Compliant with Accessibility Guidelines"

Settlement with accessiBe Inc. (accessWidget overlay). Final consent order approved April 2025.

Source: https://ftc.gov/news-events/news/press-releases/2025/01/

Confidence: Verified (FTC primary).

The overlay-vendor problem in one settlement. A generation of small-business sites bought accessibility overlays believing they had achieved WCAG conformance; they had not. Those sites are now (a) still non-compliant, (b) still suable, and (c) running JS that the actual disabled users they are supposed to help often disable. Use as the canonical "do not buy accessibility overlays" reference. The structural remediation (semantic HTML, real keyboard navigation, real screen-reader labels) is the only durable answer.

Security: the WordPress plugin surface and the ambient attack environment

The WordPress security data documents two things at once: the shape of the attack surface (overwhelmingly plugins, not core), and the volume of the ambient attack traffic an unmaintained site is exposed to.

Patchstack 2024 vuln disclosure: 4,166 vulnerabilities, 96% in plugins

Patchstack disclosed 4,166 WordPress vulnerabilities in 2024, with 96% in plugins (only 7 in core).

Patchstack 2026: 91% of new vulnerabilities in plugins; only 6 in core

Quote (Patchstack, State of WordPress Security in 2026): "91% of new vulnerabilities were found in plugins, and 9% were found in themes. There were only 6 vulnerabilities reported in the WordPress core."

Source: https://patchstack.com/whitepaper/state-of-wordpress-security-in-2026/

Confidence: Verified (primary).

Mechanism. Each plugin is a separate attack surface, maintained by a separate developer (or no developer). A 30-plugin WordPress site has 30 attack surfaces; a custom Next.js site has its own npm dependency tree but no plugin-as-extension model.

Note on plugin-count averages. Industry rules-of-thumb circulate (20-30 plugins average per business site; WPBeginner runs 62; FatLab Web Support reports 80+ extra files loaded on heavy plugin sites). Those are industry-consensus rules-of-thumb, not measured installed-base data — no host publishes hard averages.

Patchstack 2024: 1,614 plugins and themes removed from the .org repo

Quote (Patchstack State of WordPress Security 2025):

"1,614 plugins and themes were removed from the WordPress repository for unpatched security issues" in 2024; "1,450 had High and Medium priority vulnerabilities" and "33% of vulnerabilities were not fixed in time for public disclosure."

Source: https://patchstack.com/whitepaper/state-of-wordpress-security-in-2025/

Confidence: Verified.

Operational implication. If a site depends on any plugin in the 1,614, the only "upgrade path" is removal. Patchstack's October 2024 cleanup event alone closed 977 plugins (~1.1% of the repo). Site lifespan is bounded by the maintenance posture of the longest-tail plugin in the stack.

Wordfence 2024: 54 billion malicious requests blocked; 325-350k sites infected daily

Wordfence 2024 Annual WordPress Security Report (published April 8, 2025):

  • "Wordfence blocked and logged over 54 billion malicious requests, and blocked over 55 billion password attacks in 2024"
  • "In 2024, 8,223 vulnerabilities were published… roughly a 68% increase from 2023"
  • "Plugin vulnerabilities remain the biggest software threat to WordPress, accounting for 96% of all vulnerabilities disclosed" (only 5 affected core)
  • "Roughly 35% of the vulnerabilities disclosed in 2024 remain unpatched in 2025"
  • "Wordfence saw just under one million distinct sites infected with malware… roughly 325,000 - 350,000 infected sites on any given day"

Source: https://wordfence.com/blog/2025/04/2024-annual-wordpress-security-report-by-wordfence/

Confidence: Verified.

Reading the volume. This is the ambient background radiation an unmaintained WordPress site is exposed to. The +68% YoY growth in disclosed vulns means the maintenance burden of any large plugin stack is itself growing.

Sucuri 2023: 39.1% of CMS apps outdated at point of infection

Quote (Sucuri 2023 Hacked Website & Malware Threat Report, June 12, 2024):

"39.1% of all CMS applications were outdated at the point of infection."

Companion findings (same report):

  • 13.97% of compromised sites had at least one vulnerable plugin or theme present
  • 49.21% had at least one backdoor at remediation
  • 42.22% had SEO spam (Japanese SEO spam .htaccess: 10.07% — the most common single infection)
  • 55.2% of infected databases had malicious WordPress admin users

Year-over-year context. Sucuri's 2022 report (April 2023) reported 50.58% of compromised CMS apps were outdated. The 50.58% → 39.1% improvement reflects real progress, but outdated CMS is still the most common environment for a compromise.

Source: https://blog.sucuri.net/2024/06/2023-hacked-website-malware-threat-report.html

Confidence: Verified.

Architectural principles that operationalise the ten-year horizon

The compound-vs-decay matrix and ten-year cost framing above describe outcomes. The published practitioner and research literature converges on five architectural principles that determine which side of the matrix a given site lands on. Each is documented from the named research bases above (Orbit Media, GOV.UK Design System, Zittrain et al., the New York Times link-rot study, Patchstack, Wordfence, Sucuri, FTC).

Principle: treat the operational horizon as ten years by default

Sites designed for a ten-year horizon assume continuity and treat rebuilds as business-strategy events rather than forced responses to accumulated debt. The implications follow from the decay-vs-compound matrix above: URLs are planned at the information-architecture phase rather than retrofitted; dependencies are minimised because each plugin, theme, or build-time package is a future maintenance liability (Patchstack 2024–2026 evidence on plugin vulnerability share); content is separated from presentation so design refreshes do not invalidate stored content (the GOV.UK Design System pattern, Berkshire Hathaway's continuous HTML structure since 1997, Wikipedia's wikitext-plus-skin separation). Continuous maintenance replaces episodic rebuilds. Where a genuine rebuild is unavoidable — business pivot, capability ceiling, or a compliance forcing function — the published migration evidence (Search Engine Journal's 523-day recovery median across 892 migrations) argues for planning the rebuild as a redirect-mapped migration rather than a sudden replatform.

Principle: URL design is a ten-year decision; preserve URLs or 301 every change

URL stability is one of the highest-leverage longevity decisions because inbound link equity, citation graph value, and returning-visitor habit all decay silently when URLs change. Zittrain, Albert, and Lessig (Harvard Law, 2014) measured 50% reference rot in US Supreme Court opinions and 70% in Harvard Law Review articles. The New York Times link-rot study reports a roughly fifteen-year half-life with thirteen-percent content drift even on "live" links. Architecturally, this implies: URL taxonomies are planned at the information-architecture phase rather than bolted on later; every slug change is paired with a 301 redirect; redirect maps live in version control alongside the code (.htaccess, Nginx configuration, framework-level redirects.json) rather than as undocumented runtime state; and the 404-rate trend is monitored as the leading indicator of silent inbound-link breakage. On rebuild, the redirect map is treated as the first deliverable rather than the last.
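One way to enforce the "every slug change is paired with a 301" rule in CI is sketched below. This is an added example, not code from any cited source. It assumes a flat source-to-target redirects.json and two URL inventories (the previous sitemap and the current build); all paths are constructed sample data.

```python
import json
import sys

# Constructed sample data: the previous sitemap, the current build's pages,
# and a redirects.json in an assumed flat {"old path": "new path"} layout.
PREVIOUS_URLS = {"/", "/services/", "/services/roof-repair/", "/about-us/",
                 "/blog/2019/winter-tips/", "/contact/"}
CURRENT_URLS = {"/", "/services/", "/services/roofing/", "/about/", "/contact/"}
REDIRECTS_JSON = """
{
  "/services/roof-repair/": "/services/roofing/",
  "/about-us/": "/about/",
  "/team/": "/about-us/",
  "/promo/": "/promo-2024/",
  "/promo-2024/": "/promo/",
  "/old-contact/": "/contact-us/"
}
"""
REDIRECTS = json.loads(REDIRECTS_JSON)


def resolve(path, redirects, max_hops=10):
    """Follow the map from path. Returns (final_path, hops), or (None, hops) on a loop."""
    seen = set()
    hops = 0
    while path in redirects:
        if path in seen or hops >= max_hops:
            return None, hops
        seen.add(path)
        path = redirects[path]
        hops += 1
    return path, hops


def lint(previous_urls, current_urls, redirects):
    """Return (kind, path, detail) findings that would break inbound links."""
    findings = []
    # 1. Every URL that existed before must still exist or have a redirect entry.
    for old in sorted(previous_urls):
        if old not in current_urls and old not in redirects:
            findings.append(("missing-301", old,
                             "removed without a redirect; inbound links will 404"))
    # 2. Every redirect must end, in one hop, at a page that is actually live.
    for src in sorted(redirects):
        final, hops = resolve(src, redirects)
        if final is None:
            findings.append(("loop", src, "redirect chain never terminates"))
        elif final not in current_urls:
            findings.append(("dead-target", src,
                             f"ends at {final}, which is not a live page"))
        elif hops > 1:
            findings.append(("chain", src,
                             f"{hops} hops to {final}; point it at the final URL"))
    return findings


if __name__ == "__main__":
    results = lint(PREVIOUS_URLS, CURRENT_URLS, REDIRECTS)
    for kind, path, detail in results:
        print(f"{kind:<12} {path:<28} {detail}")
    sys.exit(1 if results else 0)  # non-zero exit fails the CI job
```

Run against the real sitemap diff on every pull request, a non-empty findings list blocks the merge before the broken URL ships.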

Principle: cite-time archive snapshots are the durable defence against citation rot

A footnote with only a URL has no recovery path when the URL dies; a footnote with a short verbatim quote and an archive snapshot remains searchable in citation archives indefinitely. The published archival infrastructure includes Perma.cc (developed by Harvard Law's Library Innovation Lab to mitigate the rot Zittrain et al. measured) and Internet Archive's Save Page Now. The encyclopedic equivalent of the New York Times link-rot finding — a fifteen-year half-life with material content drift even on "live" pages — is what drives the citation-time snapshot pattern: the snapshot is captured at the moment of citation rather than retroactively, and short verbatim quotation is treated as part of the citation rather than as an optional decoration. The Trust Project / Coalition for Content Provenance and Authenticity work on news-source provenance documents the same pattern in the journalism layer.

Principle: accessibility is a property of the architecture, not a layer of overlay JavaScript

The FTC's January 3, 2025 one-million-dollar settlement with accessiBe (FTC press release, FTC.gov/news-events/news/press-releases/2025/01/) — for "deceptive claims that its AI product could make websites compliant with accessibility guidelines" — established at the federal-regulatory level what the accessibility-engineering literature had already documented: overlay widgets are not accessibility solutions; semantic HTML, keyboard navigation, real screen-reader labels, sufficient colour contrast, and authentic focus management are. UsableNet's 2025 figures (approximately five thousand annual federal ADA Title III digital-accessibility lawsuits, with forty-six percent involving repeat defendants; see Lead-generation directories for trades and home services) plus the Accessibility.Works finding that ninety-five percent of sites fail basic WCAG tests describe the litigation environment overlays do not fix. The EU European Accessibility Act has been enforceable since June 28, 2025 with revenue-scaled penalties. Architecturally, accessibility is treated as a design-phase property tested in continuous integration (axe, pa11y) plus a pre-launch manual screen-reader sweep, with overlays declined.

Principle: plugin count is the WordPress security surface

For WordPress sites, plugin count is the dominant component of the security attack surface. Patchstack's 2025 and 2026 State of WordPress Security reports place plugin share of new vulnerabilities at approximately ninety-one percent in 2026, with only six vulnerabilities reported in core. Wordfence's 2024 Annual WordPress Security Report records over fifty-four billion blocked malicious requests, an approximately sixty-eight-percent year-over-year increase in disclosed vulnerabilities, and roughly thirty-five percent of disclosed vulnerabilities still unpatched the following year. Patchstack's 2024 cleanup removed approximately 1,614 plugins and themes from the WordPress.org repository for unpatched issues — sites depending on those plugins have removal as their only upgrade path. Sucuri's 2023 Hacked Website report places thirty-nine percent of compromised CMS sites on outdated software at the point of infection. Architecturally, plugin acceptance is treated as a gated decision with an audit cadence: each candidate plugin must justify why core or the theme cannot satisfy the requirement, the vendor's release cadence is verified, and the replacement plan if the vendor goes silent is documented. Plugins that have not shipped a release in eighteen months go on a watchlist; the twenty-four-month threshold typically triggers scheduled removal.
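The audit cadence above, together with the earlier point that a plugin closed in the repository has removal as its only upgrade path, can be run as a scheduled check over a plugin inventory. The sketch below is an added example, not code from Patchstack, Wordfence or WordPress. The inventory layout, the repo_status field and the plugin slugs are hypothetical, and treating a missing release date as a watchlist item is an assumption.

```python
from datetime import date

WATCHLIST_MONTHS = 18  # no release in 18 months: watchlist (threshold from the text)
REMOVAL_MONTHS = 24    # no release in 24 months: schedule removal (threshold from the text)

# Constructed inventory: hypothetical slugs, dates and field names, not real plugins.
INVENTORY = [
    {"slug": "example-forms", "last_release": "2025-11-03", "repo_status": "open"},
    {"slug": "example-slider", "last_release": "2024-05-20", "repo_status": "open"},
    {"slug": "example-seo-helper", "last_release": "2023-09-14", "repo_status": "open"},
    {"slug": "example-gallery", "last_release": "2025-08-01", "repo_status": "closed"},
    {"slug": "example-custom-widget", "last_release": None, "repo_status": "open"},
]


def months_between(earlier, later):
    """Whole calendar months elapsed from earlier to later."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1  # the current month is not complete yet
    return months


def classify(plugin, today):
    """Return (action, reason) for one inventory entry."""
    # A plugin closed in the repository will never ship a fix, however recent
    # its last release was, so it skips the watchlist stage entirely.
    if plugin.get("repo_status") == "closed":
        return "remove", "closed in the repository; removal is the only upgrade path"
    raw = plugin.get("last_release")
    if not raw:
        # Assumption: an unknown release history is handled like a stale one.
        return "watchlist", "no release date on record; verify the vendor's cadence"
    age = months_between(date.fromisoformat(raw), today)
    if age >= REMOVAL_MONTHS:
        return "remove", f"{age} months since last release"
    if age >= WATCHLIST_MONTHS:
        return "watchlist", f"{age} months since last release"
    return "ok", f"{age} months since last release"


def audit(inventory, today):
    """Classify every plugin, most urgent action first, then by slug."""
    order = {"remove": 0, "watchlist": 1, "ok": 2}
    rows = [(p["slug"],) + classify(p, today) for p in inventory]
    return sorted(rows, key=lambda row: (order[row[1]], row[0]))


if __name__ == "__main__":
    for slug, action, reason in audit(INVENTORY, date.today()):
        print(f"{action:<9} {slug:<24} {reason}")
```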

Sources and confidence

Verified — primary sources:

Verified — cross-corroborated:

  • Accessibility.Works / Seyfarth Shaw federal litigation data: 40% of federal ADA Title III filings now pro se; 95% of sites fail basic WCAG tests

Industry-consensus:

  • Orbit Media's secondary citation of a Databox survey of 145 SMBs for the 6y4mo continuous-care figure
  • Plugin-count rules-of-thumb (20-30 per business site; WPBeginner 62; FatLab 80+ extra files) — rules-of-thumb, not measured installed-base data

Unverified / explicitly rejected:

  • The "2 years 7 months" website lifespan figure (attributed to HubSpot in many agency blogs) could not be verified at primary source; the Orbit 2y4mo Inc-5000 number is used instead

Caveats on the 10-year cost model:

  • Ontario retainer pricing is not well-publicized (extrapolated from CSP / 2Marketing / Databending ranges)
  • Plugin licensing inflation is held flat across 10 years (likely too generous)
  • The model does not account for breach response (Verizon DBIR median ransom: US$115k — see Customer self-service on small-business websites)

Companion KB entries kept standalone: