WordPress Maintenance Checklist: What to Do Every Week and Every Month

[ins_single_breadcrumb]
[ins_single_header]
[ins_single_thumb]

WordPress Maintenance Checklist: What to Do Every Week and Every Month

A WordPress site needs roughly an hour of attention every week and a longer session once a month to stay healthy. The checklist below is the same set of tasks a managed care plan runs on your behalf. Use it to maintain a site yourself, or use it to evaluate whether the provider you’re paying is actually doing the work.

Weekly (15–30 minutes)

1. Apply pending plugin and theme updates. Run updates one plugin at a time when possible; click through to the front-end after each one to confirm nothing visibly broke. Skip updates from plugins that haven’t tested against the current WordPress major release — wait a week and watch the plugin’s support forum first.

2. Verify the most recent backup completed. Open your backup plugin or hosting backup dashboard. Confirm the most recent backup is dated within 24 hours, includes both database and files, and is at least the expected size (suspiciously small backups usually mean the backup ran against a half-broken site).

3. Check uptime monitoring for outages. If you’re using UptimeRobot, BetterUptime, or similar, scan for any downtime events in the past 7 days. Investigate anything over 5 minutes. Repeated short outages usually indicate hosting plan limits being hit.

4. Look at the security log. Check failed login attempts, blocked IPs, and any file integrity warnings. Spikes in failed logins targeted at /wp-login.php mean a brute-force attempt is in progress and you need rate limiting or 2FA enforced.

5. Review form submissions and contact-page sends. Form failures are common after plugin updates and produce no error visible to the site owner — only the customer notices the broken form. Send a test through your contact form and any order forms.

Monthly (1–2 hours)

1. Test a backup restore. Restore the most recent backup to a staging environment or local install. If you can’t restore it, your backup is theoretical. This is the single most-skipped maintenance task and the one that bites hardest during an incident.

2. Run a full malware scan. Use Wordfence, Sucuri, or your host’s scanner. Address anything flagged, even if it’s a “potentially suspicious file” — investigate before dismissing.

3. Run a page-speed test on key pages. Use PageSpeed Insights or GTmetrix on the homepage, a product page (for WooCommerce), and any high-traffic landing page. Compare against the previous month’s numbers. Regressions over 20% mean a recent change degraded performance.

4. Audit installed plugins. Disable and delete anything not in active use. Look for plugins that haven’t been updated in over a year — these are unmaintained and a security liability. Replace if there’s an alternative; remove if there isn’t.

5. Check SSL certificate expiry. Most certificates auto-renew (Let’s Encrypt is on a 90-day cycle), but auto-renewal can silently fail. A 60-day-out check catches problems while there’s time to fix them.

6. Review user accounts. Remove old admin accounts (former employees, departed contractors). Confirm all active admin accounts have strong passwords and 2FA enabled.

7. Check disk space and database size. Sites accumulate cruft: orphaned post revisions, expired transients, unused media files. If the database is over 1 GB on a site that doesn’t justify that size, run a cleanup. If disk usage is over 80% of your hosting plan, prune or upgrade.

8. Spot-check critical user flows. For WooCommerce: complete a test transaction end-to-end (use a real card if your gateway supports refunds, or a test mode if available). For content sites: submit through every form, sign up for the newsletter, test the search.

Quarterly (half a day)

1. Review the technical stack. Are you on the current major WordPress version? Current PHP version? Current WooCommerce major? Lagging stacks accumulate compatibility debt that turns one update into a full-day project.

2. Audit user roles and permissions. Confirm only the people who need admin access have it. Editor, Shop Manager, and Contributor roles cover most needs; admin should be limited to the people who actually do site maintenance.

3. Review hosting plan fit. Check actual resource usage (CPU, memory, bandwidth) against your plan limits. If you’re regularly over 60%, you’re one traffic spike away from outages. If you’re below 20% on a premium plan, you may be overpaying.

4. Run a full security audit. Sucuri or Wordfence full scan, file permission audit, wp-config.php review, database user permissions check, removal of unused themes (even inactive themes can be vulnerability vectors).

5. Performance optimization pass. Beyond the monthly page-speed check: review caching configuration, image optimization status, CDN configuration if applicable. Quarterly is the right cadence to address gradual performance drift.

Annual

1. Review and renew domain registrations at least 60 days out. Expired domains cause more outages than any other category and are the hardest to recover from.

2. Audit all third-party integrations. APIs, payment gateways, email senders, analytics tags. Deprecated integrations are silent failures.

3. Review and update the disaster recovery plan. If the host disappeared tomorrow, what’s the path back to a functioning site? Make sure backups, credentials, and contact info are all somewhere other than the affected systems.

What This Adds Up To

Roughly 4–6 hours per month per site, plus annual overhead. Spread across the year, that’s about $300–$600 in time at a $100/hour rate — which is why managed plans starting at $99/month are economical even before you factor in the value of someone else absorbing the unpredictable emergencies.

If you’d rather not run this checklist yourself, Synergetic’s Care Plans handle all of it on a fixed monthly fee. The full maintenance service overview compares the DIY vs managed tradeoff in more depth.

[ins_post_cta]
Shopping Cart
Scroll to Top