WordPress maintenance doesn’t fail because it’s hard. It fails because it’s relentless: the same small tasks, every week, on every site, forever — and “forever” is exactly where busy people quietly stop. Nobody decides to abandon their sites. The weekly pass slips to fortnightly during a launch, the restore test gets skipped because backups “have been fine,” and the gap does the damage.
So this checklist is built to be sustained, not admired. Three cadences, every task justified, and honest time estimates. If a task matters more than the others, we say so.
The weekly pass.
Same day every week, in the calendar, non-negotiable. The routine only protects you while it’s boring.
- 01
Run updates — with a restore point first
Before touching anything, confirm there is a backup from today that you could actually restore. Then run core, plugin and theme updates — and never on a Friday afternoon; you want a business day of runway if something regresses. This is exactly the step a safe-update pipeline automates: restore point, update, screenshot, verify, roll back. - 02
Click through your key pages — desktop and mobile
Homepage, contact page, one product or service page, checkout or your main form. Updates break layouts and interactions far more often than they break servers, and none of that shows up in an admin dashboard. Ninety seconds of looking — on a phone as well as a laptop, because that is where breakage hides — catches most of it. - 03
Review the week of uptime
Scan your uptime monitor for the week: any incidents, how long, what time of day? A site that blips at 3am every night is telling you about a hosting or cron problem before it becomes a daytime outage. No monitor yet? Checks every five minutes are table stakes; set one up before next week. - 04
Send a test through every important form
Forms fail silently: the page says thanks, the email never arrives. Submit each form that matters and confirm the notification lands where a human reads it. A dead contact form is the most expensive quiet failure on a business site — it costs leads daily and appears in no error log.
The monthly hour.
The weekly pass keeps a site alive; the monthly hour keeps it healthy. This is where the highest-value task on the entire page lives — first on the list for a reason.
- 01
Restore-test one backup — the step everyone skips
We will say this as plainly as we can: a backup you have never restored is a guess, not a safety net. Once a month, restore a recent backup into a staging or local environment, click around, and confirm your content survived. If that sounds like work — it is, and it is the single highest-value hour on this page. The how and why are in our backup strategy guide. - 02
Crawl for broken links
Run a broken-link crawl — a desktop crawler or an online checker is fine — and fix or redirect what it finds. Broken links leak search authority and quietly erode trust, and they accumulate whether or not you ever touch the site. - 03
Audit your plugins — remove the abandoned
Check each plugin's “last updated” date on its listing. Anything untouched by its developer for a year or more is a security liability with no patch coming — plan its replacement now, not after the CVE. Then deactivate and delete what you no longer use: deactivated code is still attack surface. - 04
Glance at performance and Core Web Vitals
Run your key pages through PageSpeed Insights and note the trend, not the score. You are watching for regressions — the new plugin or the unoptimized hero image that just added a second to every visit. Catching drift monthly is cheap; discovering it in a rankings drop is not. - 05
Audit user accounts
List every administrator account and remove anyone who no longer needs access — former contractors especially. Stale admin accounts are one of the most common ways WordPress sites get taken over, and deleting one takes a minute. While you are there: no shared logins, and two-factor for anyone with admin.
The quarterly audit.
Slow-moving risks with long fuses. None of these will page you this month; any of them can take you fully offline next year.
- 01
Check your PHP version
Confirm your host has you on a currently supported PHP release. Old PHP is slower and, worse, stops receiving security patches. Upgrading is usually one dropdown in the hosting panel — take a backup, switch, and click through the site the same day. - 02
Review theme and plugin licenses
Premium licenses lapse quietly, and a lapsed license means no more updates — unpatched vulnerabilities that never even appear on your updates screen. Confirm every commercial theme and plugin still has an active license attached to a card that works. - 03
Check SSL and domain expiry — and set reminders
Look up the expiry dates for your domain and SSL certificate, and put calendar reminders 30 days ahead of each. Auto-renewal fails more often than anyone admits — usually an expired card — and a lapsed domain is the most total outage there is. - 04
Do a content-rot pass
Read your key pages like a stranger: outdated prices, expired offers, staff who left, a copyright year from three years ago. Content rot never breaks the site — it breaks the impression the site exists to make, which is arguably worse.
The honest part.
Read in one sitting, this checklist is easy. Fifteen to thirty minutes a week, an hour a month, an afternoon a quarter. For one site, it’s a habit. For five, it’s a part-time job. For twenty, it’s a role — and the moment it competes with billable work or an actual product, it loses.
The checklist is easy to read and brutal to sustain. That sustained relentlessness is, quite literally, the product we sell: the same list, run every week by a team that does nothing else, with screenshot-verified updates, byte-checked backups with weekly restore drills and every action logged in a dashboard you can audit. Plans start at $250 per site — which is either expensive or cheap, depending entirely on what your hours cost.
Either way: run the checklist. Yours or ours, but somebody’s, every week.