If you own a WordPress website and you haven’t touched the admin area in six months, this guide is for you. A WordPress site is not a “set and forget” asset. It needs the same kind of regular attention as a company car — small jobs every week, a proper check every month, and a full service every quarter. Skip it for long enough and something breaks.
I’m Spencer Thomas, a freelance WordPress designer based in Brighton. Over the past decade I’ve built and maintained 55+ WordPress sites for small businesses across Sussex, Surrey and beyond. This checklist is the exact routine I follow — both for my own site and for clients on my WordPress care plans. No jargon, no filler, just the tasks that actually matter.
Use it as a DIY template if you run your own site, or use it to sanity-check whether whoever currently maintains your site is doing their job properly.
Why a Maintenance Checklist Matters More Than You Think
Most small business owners only notice their website when something goes wrong. The contact form stops sending emails. A plugin update breaks the homepage layout. Google suddenly drops them out of the search results. By the time it’s obvious, the damage is already done — lost enquiries, lost rankings, sometimes lost revenue.
Regular WordPress maintenance prevents all of this. The reality is that a WordPress site has a lot of moving parts: the WordPress core software, your theme, every plugin you’ve installed, your hosting environment, your domain, your SSL certificate, your backups, your database, your forms, your images, your SEO settings. Any one of those can silently fail. A proper maintenance routine catches problems when they’re still small and cheap to fix.
Here’s what tends to happen when maintenance gets ignored:
- Security breaches. Outdated plugins are the single biggest cause of hacked WordPress sites. A plugin vulnerability discovered and patched in January can still take down your site in October if you haven’t applied the update.
- Slow page speeds. Databases bloat over time. Images pile up. Cached files grow stale. A site that loaded in 2 seconds a year ago can easily be hitting 6-7 seconds today.
- Broken forms and checkouts. Plugin conflicts, expired API keys, and PHP version changes all silently break things. I’ve seen businesses lose weeks of enquiries before they noticed their contact form wasn’t sending.
- SEO decay. Google Search Console issues, broken internal links, missing meta descriptions on new pages, and slow speeds all erode rankings. I wrote about this in how to get your website on Google.
- Data loss. If you don’t have working backups, a single bad update or hack can wipe out years of content, orders, and customer data.
Now the checklist. I’ve broken it into weekly, monthly, quarterly and annual tasks so you can spread the work out.
Weekly WordPress Maintenance Tasks (15-20 minutes)
These are the quick-win tasks that take no more than 15-20 minutes but prevent the majority of small problems from becoming big ones.
1. Check and install WordPress updates
Log into your WordPress admin and go to Dashboard → Updates. You’ll see available updates for the WordPress core, plugins, themes and translations. Install them — but not blindly. Here’s the routine I follow:
- Always run a backup first (your hosting provider should be able to do this automatically — more on backups below).
- Update one plugin at a time rather than bulk-updating everything at once. If something breaks, you’ll know exactly which plugin caused it.
- After each update, load the front-end of your site in an incognito browser window and click through your key pages: homepage, services, contact, checkout. Look for broken layouts, missing images, or error messages.
- If you see “Minor” or “Security” in the update description, prioritise that one.
If you’re nervous about updates — and plenty of business owners are, because they’ve been burned once — use a staging environment. Most good hosts let you clone your live site, apply updates to the clone, test everything, and only push it live when you’re confident.
2. Check your site is actually loading
Open your site in an incognito window and click through the header navigation. Try submitting your contact form with a test message. Try adding something to your cart if you run WooCommerce. This takes two minutes and catches the most obvious problems.
3. Scan for spam comments and form submissions
Delete spam comments. Check your contact form inbox for bot submissions. If you’re getting a lot of bot traffic, read my guide on how to block bad bots from your WordPress website — it’s one of the most common issues I deal with on client sites.
4. Check uptime
If you’re not using an uptime monitoring tool, set one up today. UptimeRobot has a free tier that pings your site every 5 minutes and emails you if it goes down. Most small businesses don’t find out their site was offline until a customer tells them.
Monthly WordPress Maintenance Tasks (1-2 hours)
These tasks go deeper. Set aside a proper hour once a month — I recommend the first Monday — and work through them.
5. Take a full backup and verify it works
A backup you haven’t tested is not a backup. Run a manual backup using a plugin like UpdraftPlus, BlogVault, or whatever your host provides. Download the backup to your local computer. Don’t just trust that it worked — open the zip file and check you can see the files inside.
Backup frequency depends on how often your site changes. An ecommerce site needs daily backups. A static brochure site can get away with weekly. Either way, store backups in at least two locations: your host’s server AND somewhere off-site like Google Drive, Dropbox or AWS S3.
6. Review and clean up plugins
Go to Plugins → Installed Plugins. For each plugin ask yourself:
- Am I actually using this? Deactivate and delete anything you aren’t.
- When was it last updated by the developer? Check the plugin page on WordPress.org. If it hasn’t been updated in over a year, start looking for alternatives — abandoned plugins become security liabilities.
- Is the developer still active? Check whether the plugin is compatible with the current WordPress version.
On a typical client site I find 3-4 plugins that are no longer needed. Removing them speeds up the site, reduces attack surface, and makes future maintenance easier.
7. Check for broken links
Broken links hurt user experience and SEO. Use a tool like Broken Link Checker (free plugin) or run a crawl through Screaming Frog’s free version. Fix or redirect any broken links. Pay particular attention to:
- Links to external websites that may have gone offline
- Internal links from blog posts to pages you’ve since moved or deleted
- Image links where the image file has been deleted
8. Review site speed
Run your homepage through Google PageSpeed Insights and GTmetrix. Aim for a PageSpeed score above 80 on both mobile and desktop. If it’s dropped since last month, something has changed — usually a new plugin, a bloated image upload, or cache issues. Image optimisation is almost always the biggest lever. Every image uploaded should be compressed and served in WebP format.
9. Check Google Search Console for errors
Log into Search Console and check:
- Coverage report — any new pages marked “Excluded” or “Error”? Investigate.
- Core Web Vitals — are your pages still passing? If URLs have shifted from “Good” to “Needs Improvement”, act quickly.
- Manual actions / Security issues — should always be empty. If they’re not, drop everything and deal with it.
- Mobile usability — any new flagged pages?
10. Review analytics
Open Google Analytics and look at traffic trends for the past month. Dropping? Going up? Which pages are driving it? If a key landing page has lost traffic, check its rankings in Search Console — a ranking drop usually precedes the traffic drop by a few weeks.
11. Moderate and reply to reviews
Not strictly “maintenance” in the technical sense, but Google Business Profile reviews have a direct impact on local rankings and click-through rates. Reply to every new review — good or bad — within a week.
Quarterly WordPress Maintenance Tasks (2-4 hours)
Every three months, go deeper. These tasks don’t need to be done frequently but skipping them entirely builds up technical debt.
12. Optimise the database
Your WordPress database accumulates junk over time: post revisions, auto-drafts, spam comments, transients that never expired, and orphaned metadata. A bloated database slows every query. Use WP-Optimize or WP-Sweep to clean it up. Back up first — database operations can be destructive if something goes wrong.
Once cleaned, the database should be lean. On a typical small business site I’d expect under 50MB. If yours is over 500MB and you don’t run an ecommerce store or large blog, something is wrong.
13. Audit your users
Go to Users → All Users. Delete or demote anyone who shouldn’t still have access. Ex-employees, former agencies you’ve parted ways with, plugin developers who requested temporary admin access — all should be removed.
For the users who remain, check that:
- They’re on the lowest role that allows them to do their job (don’t give editors admin access)
- They have strong, unique passwords — consider enforcing this with a plugin like WP Password Policy Manager
- Two-factor authentication is enabled for anyone with admin rights
14. Check SSL certificate expiry
Most hosting providers auto-renew Let’s Encrypt certificates. But “most” isn’t “all”, and renewals occasionally fail. Check the padlock icon in your browser — click it and view the certificate expiry date. If it’s within 30 days of expiring, check your hosting dashboard to confirm auto-renewal is working.
15. Update your privacy policy and terms
The ICO (UK’s data protection regulator) expects your privacy policy to accurately reflect what you’re doing with data. If you’ve added new forms, switched email providers, installed analytics tools, or started using any new cookies in the past quarter, your policy probably needs updating.
16. Review hosting performance
Is your site still on the right hosting plan? If your traffic has grown 3x since you signed up, you may be bottlenecking yourself. Check your host’s resource usage dashboard for CPU, memory, and disk usage trends. For a deeper look at hosting, see my guide on what is website hosting and why do I need it.
17. Review and update content
Pick your 10 most-trafficked pages and read them top-to-bottom. Anything out of date? Prices wrong? Services you no longer offer? Old team members? This is the cheapest SEO you can do — Google rewards freshness, and users hate finding a “2023 guide” in 2026.
Annual WordPress Maintenance Tasks (Half a day)
Once a year, do these properly. I usually bundle them with a client’s annual strategy review.
18. Full security audit
Install Wordfence or Sucuri temporarily and run a full scan. Look for malware, suspicious admin accounts, modified core files, and unusual database entries. Hacked sites often look fine on the surface — proper scanning reveals problems you’d never otherwise see.
19. PHP version check
WordPress and its plugins support specific PHP versions. Running an outdated version (like PHP 7.4 in 2026) means you’re missing security patches and performance improvements. Check your hosting control panel — if you’re on anything below PHP 8.2, speak to your host about upgrading. Test on staging first because some older plugins break on newer PHP versions.
20. Theme and framework audit
Is your theme still being actively maintained? Many premium themes from the 2018-2020 era are now abandoned. A dead theme is a long-term security problem. If yours is dead, plan a rebuild on a modern, actively-maintained alternative — this is the kind of project I help businesses plan through my WordPress web design service.
21. Domain and DNS check
Confirm your domain is registered for at least another 2 years. A lapsed domain is catastrophic. Also check your DNS records — any that shouldn’t be there (leftover from previous services)? Anything pointing to IPs that have changed?
22. Full backup and archive
Once a year, take a full backup, download it, and store it somewhere permanent — not just your rolling backup rotation. If something goes catastrophically wrong in the future, you’ll have a clean snapshot from a known-good state.
Should You Do All This Yourself?
Honestly? Probably not. The checklist above takes roughly 30-40 hours of work per year for a typical small business site. If your time is worth more than £30/hour, you’re losing money doing it yourself — and that’s before you factor in the cost of learning the tools and the risk of breaking something.
Most small businesses I work with come to me after one of three things has happened:
- They’ve had a scare — a hack, a serious plugin conflict, or a backup that didn’t exist when they needed it
- They’ve fallen out with their previous agency and want someone responsive who actually answers emails
- They’ve built a new site and realised that “WordPress is easy” actually means “WordPress is easy to break”
I offer WordPress care plans for small businesses across Sussex and Surrey. Plans start at £49/month and cover weekly updates, monthly backups, quarterly audits, and emergency support when something does go wrong. Most of my clients send me a one-line email describing what they need and I get on with it — no ticketing system, no account managers, no surprises.
If you’re in a specific area, I have dedicated pages for WordPress support in Brighton, Haywards Heath, Crawley and elsewhere across Sussex and Surrey.
Frequently Asked Questions
How often should I update WordPress plugins?
Weekly for security updates, and within a month for feature updates. Don’t wait more than a month unless there’s a specific reason.
What’s the difference between maintenance and hosting?
Hosting is the server your website lives on. Maintenance is the ongoing work to keep the website itself healthy — updates, backups, security, performance tuning. You need both. Most good maintenance providers can also include quality hosting as part of the package.
How much should WordPress maintenance cost per month?
For a typical small business site in the UK, expect to pay between £49 and £150 per month depending on site complexity, whether ecommerce is involved, and the level of support you need. I’ve written a full guide on how much WordPress maintenance costs.
Can I do this myself or do I need a professional?
You can absolutely do this yourself if you enjoy it and have the time. The technical barrier isn’t as high as people think. But for most busy business owners, it’s poor value to spend 3 hours every month on maintenance when a freelancer can do it properly for less than an hour of your billing rate.
What happens if I don’t do any maintenance?
Nothing — until something breaks. Then a lot happens, usually all at once, usually at the worst possible time. The cost of emergency WordPress repair is typically 10-20x the cost of prevention.
Do I need to back up my site if my host does daily backups?
Yes. Host backups are fine for host-level problems, but if your host itself has an issue — account suspension, data loss, company going under — their backups go with them. Always keep an independent off-site copy.
Next Steps
Print this checklist, save it as a PDF, or pin it to your browser bookmarks. Run through the weekly tasks this Monday. Schedule a monthly slot in your calendar for the longer jobs. If you get to the quarterly review and realise you’re in over your head, that’s when it’s time to hand it off to someone who does this every day.
If you’d rather skip the DIY route entirely, get in touch and I’ll put together a WordPress care plan that covers all of the above. Or grab my free website audit if you just want to know what shape your site is currently in — no obligation, no sales pitch, just a practical report.
