# WordPress Maintenance Checklist (2026) · WPCloudLab

> A WordPress maintenance checklist you can actually sustain: weekly, monthly and quarterly tasks, honest time estimates, and the one step everyone skips.

Canonical: https://wpcloudlab.com/guides/wordpress-maintenance-checklist

[Home](/)/[Guides](/guides)/Maintenance checklist

guide · maintenance checklist · 2026 edition

# The maintenance checklist you’ll actually keep.

Nothing on this page needs unusual skill — that’s the honest secret of WordPress maintenance. What it needs is showing up every single week. Here’s the routine we run for clients, trimmed so a careful site owner can run it too: weekly, monthly and quarterly, with real time estimates.

001 / the guideweekly · monthly · quarterly

WordPress maintenance doesn’t fail because it’s hard. It fails because it’s relentless: the same small tasks, every week, on every site, forever — and “forever” is exactly where busy people quietly stop. Nobody decides to abandon their sites. The weekly pass slips to fortnightly during a launch, the restore test gets skipped because backups “have been fine,” and the gap does the damage.

So this checklist is built to be sustained, not admired. Three cadences, every task justified, and honest time estimates. If a task matters more than the others, we say so.

weekly · 15–30 minutes per site

## The weekly pass.

Same day every week, in the calendar, non-negotiable. The routine only protects you while it’s boring.

-   01
    
    ### Run updates — with a restore point first
    
    Before touching anything, confirm there is a backup from today that you could actually restore. Then run core, plugin and theme updates — and never on a Friday afternoon; you want a business day of runway if something regresses. This is exactly the step a [safe-update pipeline](/features/safe-updates) automates: restore point, update, screenshot, verify, roll back.
    
-   02
    
    ### Click through your key pages — desktop and mobile
    
    Homepage, contact page, one product or service page, checkout or your main form. Updates break layouts and interactions far more often than they break servers, and none of that shows up in an admin dashboard. Ninety seconds of looking — on a phone as well as a laptop, because that is where breakage hides — catches most of it.
    
-   03
    
    ### Review the week of uptime
    
    Scan your [uptime monitor](/features/uptime) for the week: any incidents, how long, what time of day? A site that blips at 3am every night is telling you about a hosting or cron problem before it becomes a daytime outage. No monitor yet? Checks every five minutes are table stakes; set one up before next week.
    
-   04
    
    ### Send a test through every important form
    
    Forms fail silently: the page says thanks, the email never arrives. Submit each form that matters and confirm the notification lands where a human reads it. A dead contact form is the most expensive quiet failure on a business site — it costs leads daily and appears in no error log.
    

monthly · about an hour per site

## The monthly hour.

The weekly pass keeps a site alive; the monthly hour keeps it healthy. This is where the highest-value task on the entire page lives — first on the list for a reason.

-   01
    
    ### Restore-test one backup — the step everyone skips
    
    We will say this as plainly as we can: a backup you have never restored is a guess, not a safety net. Once a month, restore a recent backup into a staging or local environment, click around, and confirm your content survived. If that sounds like work — it is, and it is the single highest-value hour on this page. The how and why are in our [backup strategy guide](/guides/wordpress-backup-strategy).
    
-   02
    
    ### Crawl for broken links
    
    Run a [broken-link crawl](/features/broken-links) — a desktop crawler or an online checker is fine — and fix or redirect what it finds. Broken links leak search authority and quietly erode trust, and they accumulate whether or not you ever touch the site.
    
-   03
    
    ### Audit your plugins — remove the abandoned
    
    Check each plugin's “last updated” date on its listing. Anything untouched by its developer for a year or more is a security liability with no patch coming — plan its replacement now, not after the CVE. Then deactivate and delete what you no longer use: deactivated code is still attack surface.
    
-   04
    
    ### Glance at performance and Core Web Vitals
    
    Run your key pages through PageSpeed Insights and note the trend, not the score. You are watching for regressions — the new plugin or the unoptimized hero image that just added a second to every visit. Catching drift monthly is cheap; discovering it in a rankings drop is not.
    
-   05
    
    ### Audit user accounts
    
    List every administrator account and remove anyone who no longer needs access — former contractors especially. Stale admin accounts are one of the most common ways WordPress sites get taken over, and deleting one takes a minute. While you are there: no shared logins, and two-factor for anyone with admin.
    

quarterly · an afternoon across the estate

## The quarterly audit.

Slow-moving risks with long fuses. None of these will page you this month; any of them can take you fully offline next year.

-   01
    
    ### Check your PHP version
    
    Confirm your host has you on a currently supported PHP release. Old PHP is slower and, worse, stops receiving security patches. Upgrading is usually one dropdown in the hosting panel — take a backup, switch, and click through the site the same day.
    
-   02
    
    ### Review theme and plugin licenses
    
    Premium licenses lapse quietly, and a lapsed license means no more updates — unpatched vulnerabilities that never even appear on your updates screen. Confirm every commercial theme and plugin still has an active license attached to a card that works.
    
-   03
    
    ### Check SSL and domain expiry — and set reminders
    
    Look up the expiry dates for your domain and SSL certificate, and put calendar reminders 30 days ahead of each. Auto-renewal fails more often than anyone admits — usually an expired card — and a lapsed domain is the most total outage there is.
    
-   04
    
    ### Do a content-rot pass
    
    Read your key pages like a stranger: outdated prices, expired offers, staff who left, a copyright year from three years ago. Content rot never breaks the site — it breaks the impression the site exists to make, which is arguably worse.
    

the part other checklists omit

## The honest part.

Read in one sitting, this checklist is easy. Fifteen to thirty minutes a week, an hour a month, an afternoon a quarter. For one site, it’s a habit. For five, it’s a part-time job. For twenty, it’s a role — and the moment it competes with billable work or an actual product, it loses.

The checklist is easy to read and brutal to sustain. That sustained relentlessness is, quite literally, the product we sell: the same list, run every week by a team that does nothing else, with [screenshot-verified updates](/features/safe-updates), [byte-checked backups with weekly restore drills](/features/backups) and every action logged in a dashboard you can audit. [Plans start at $250 per site](/pricing) — which is either expensive or cheap, depending entirely on what your hours cost.

Either way: run the checklist. Yours or ours, but somebody’s, every week.

002 / questionshonest ranges included

## Checklist questions, answered.

How often should I update WordPress plugins?

Weekly is the sweet spot for most sites — current enough to stay patched, spaced enough to update deliberately. Security releases are the exception: apply those same-day or next-day. Always have a same-day backup before updating, avoid Friday afternoons, and look at the site afterwards instead of trusting the green checkmarks.

How long does WordPress maintenance take per site?

Honestly: 1–4 hours per site per month if you do everything on this checklist, including the restore test. A simple brochure site sits at the low end; a WooCommerce store or membership site at the high end, before anything breaks. Multiply by your site count before deciding to do it all yourself.

Can I automate all of this?

Most of it, partially. Auto-updates, backup schedules, uptime monitors and link crawlers all exist and all help. What does not automate well is judgment: noticing an update subtly broke a layout, deciding a plugin is abandoned, verifying a restore actually produced a working site. Automation with zero human review is how sites break silently for weeks.

If I only do one thing on this list, what should it be?

Restore-test a backup. Every other failure here eventually announces itself — a broken backup stays invisible until the day it is your only hope, which is the one day you cannot fix it. If your honest answer to “when did I last test a restore?” is “never”, do it this week.

start today · monthly · cancel anytime

## The checklist, run for you.

Everything above, every week, on every site — with proof in your dashboard: update screenshots, backup verifications, restore drills, uptime history. You keep the knowledge; we keep the calendar.

[Get started](/signup)[see plans & pricing →](/pricing)

---

Get started: https://wpcloudlab.com/signup · Talk to an engineer: https://wpcloudlab.com/contact · Full agent index: https://wpcloudlab.com/llms.txt
