People don’t really know what has to happen in the background of a WordPress web site. In the past year, there could be server updates that have to be managed or at least reviewed. There are core WordPress updates. There are many WordPress plugin updates. There are theme updates. All should be reviewed for conflicts or problems, and updated or replaced.
Security should be reviewed. Some software plugins should be removed due to security problems. Denial of service attacks have happened. Attempts by miscreants to login have happened. Sometimes IPs should be blocked. Sometimes entire countries should be blocked. Security needs an eye on it regularly.
Traffic should be reviewed.
None of these things mean that a single pixel on the public side of the site looks different. So it is easy to see why the client doesn’t think anything is being done, because they cannot see anything being done.
It is the job of the web site contractor to keep the client in the loop on this. We’ve been hired to clean up WordPress sites that have been unmaintained by a knowledgeable web manager, and the results can be disastrous. The software and the environment have to be maintained and reviewed. Otherwise, something breaks, the web site owner has no clue as to why, and is in a panic to get it fixed. What other assets would any legitimate organization do that with?
So, WordPress web developers and designers, don’t be entirely silent with your clients about what you do in the background for their sites. It’s not to your benefit, and it’s not to theirs.