WordPress sites don’t maintain themselves. They’re built on layers of software — core, themes, plugins — that all require regular attention to stay secure, fast, and functional. Without a structured routine, small issues pile up into expensive emergencies.
This checklist covers every maintenance task your WordPress site needs in 2026, organized by frequency. Whether you handle maintenance yourself or work with a professional service, this is your reference for what should be happening behind the scenes.
Daily tasks (5 minutes or automated)
Uptime monitoring. Use a tool that checks your site every one to five minutes and alerts you immediately if it goes down. UptimeRobot offers a free tier that covers most small business needs. Your maintenance provider should handle this automatically. Don’t wait for a customer to tell you your site is offline.
Automated backups. Your backup system should run at least once daily, capturing both files and database, and storing copies offsite — not on the same server as your site. Verify today’s backup completed successfully. For e-commerce sites, consider real-time or hourly backups since transactions happen continuously.
Security scanning. Automated malware scanning should run daily in the background. Your security plugin or maintenance provider should flag any suspicious files, unauthorized changes, or unusual login activity immediately.
Comment moderation. If comments are enabled, review and moderate them daily. Spam comments aren’t just annoying — they can contain malicious links that harm your SEO and compromise visitor security.
Weekly tasks (15–30 minutes)
Apply WordPress core updates. When a new version is available, apply it. Minor releases — security patches and bug fixes — should be applied within a day or two. Major releases can wait a week while the community identifies any initial issues, but should not be delayed beyond that.
Update plugins one at a time. Check all available plugin updates. Read the changelog before updating — occasionally an update introduces breaking changes. Update one plugin at a time and verify your site still functions after each. If something breaks, you’ll know exactly which update caused it. In 2025, over 11,000 new vulnerabilities were found in WordPress plugins. Prompt updates close these holes before attackers exploit them.
Update your theme. Apply any available theme updates, especially those containing security patches. If you use a child theme, verify that the parent theme update doesn’t override your customizations.
Test key functionality. After updates, manually check the features your business depends on: contact forms (submit a test), checkout process (if e-commerce), booking systems, search, and navigation. Silent failures — like a form that stops sending emails but still shows a success message — are common after updates and can persist for weeks if nobody checks.
Review security logs. Check for unusual login attempts, blocked IP addresses, or flagged files. A sudden spike in brute force attempts may indicate your site is being actively targeted.
Monthly tasks (1–2 hours)
Database optimization. WordPress databases accumulate clutter over time: post revisions, expired transients, spam comments, trashed posts, orphaned metadata from deleted plugins. Each adds overhead to every database query. Clean monthly with WP-Optimize or Advanced Database Cleaner. Limit stored revisions to five by adding a constant to wp-config.php.
Speed test and comparison. Run your site through GTmetrix or Google PageSpeed Insights. Compare the results to last month. If speed has degraded, investigate — a new plugin, unoptimized images, or database bloat are the usual culprits. Aim for total load time under three seconds and a PageSpeed score above 80 on both mobile and desktop.
Broken link scan. Scan for 404 errors and broken internal and external links. Broken links frustrate visitors and hurt SEO. Screaming Frog or the Broken Link Checker plugin can automate this.
Google Search Console review. Check for crawl errors, security issues, Core Web Vitals problems, and indexing status. Address any flagged issues. This is also where you’ll first see if Google has detected malware on your site.
Backup verification. Don’t just trust that backups are running — actually test one. Download a recent backup and verify you could restore from it. A backup you’ve never tested is a backup you can’t trust when you need it most.
User account audit. Review all WordPress user accounts. Remove any that are no longer needed. Verify that no unauthorized accounts have been created — unknown admin accounts are a common sign of compromise. Check that every active account uses the minimum permission level necessary.
Deep security scan. Beyond daily automated scanning, run a thorough manual review. Check for unknown files in your uploads directory (there should be no PHP files there). Verify that .htaccess and wp-config.php haven’t been modified. Review file integrity across core directories.
Quarterly tasks (2–4 hours)
Plugin audit. Review every installed plugin. Deactivate and delete any you’re not actively using — each unused plugin is an unnecessary security risk and performance drag. For plugins you keep, check when they were last updated by their developer. A plugin that hasn’t been updated in 12 months or more may have unpatched vulnerabilities.
PHP version check. Ensure your site is running a supported PHP version. PHP 8.2 or 8.3 is recommended for 2026. Older versions don’t receive security patches and run significantly slower. Test compatibility on a staging environment before upgrading on production. Note that WordPress 7.0, expected in 2026, drops support for PHP 7.2 and 7.3 entirely.
SSL certificate verification. Confirm your SSL certificate is valid and not approaching expiration. Check for mixed content warnings — HTTP resources loading on HTTPS pages. An expired or misconfigured SSL triggers browser warnings that destroy visitor trust and hurt search rankings.
Cross-browser and mobile testing. Test your site in Chrome, Firefox, Safari, and Edge on both desktop and mobile. Look for layout issues, broken features, or slow-loading pages. Mobile traffic typically accounts for over half of visits — a site that only works well on desktop is losing visitors.
SEO health check. Review your XML sitemap, robots.txt, meta tags, and structured data. Ensure nothing has broken during updates. Check that your canonical tags are correct on key pages. Verify Google is indexing the pages you want indexed and not indexing ones you don’t.
Password rotation and security hardening review. Update passwords for all WordPress admin accounts, hosting, FTP/SFTP, and database access. Use strong, unique passwords managed with a password manager. Verify that two-factor authentication is active on all admin accounts. Confirm file editing is disabled in the dashboard and directory browsing is blocked.
Annual tasks
Full site audit. A comprehensive review of every aspect: performance, security, SEO, content, functionality, and design. This is your opportunity to plan improvements for the year ahead. A professional audit can reveal issues you’ve been living with without realizing they’re hurting your business.
Content audit. Review all published content. Update outdated statistics and dates. Fix or redirect broken links. Improve underperforming pages. Consolidate thin content. Update screenshots and examples. Refreshing existing content often delivers better SEO results than publishing new pages.
Legal compliance review. Ensure your privacy policy, terms of service, and cookie consent are current and compliant with applicable regulations including GDPR and CCPA. Review after any changes to how you collect or process data.
Hosting and renewal management. Evaluate whether your hosting still meets your needs. Check expiration dates for your domain, SSL, hosting, and premium plugin licenses. Set calendar reminders to avoid lapses.
Don’t want to handle this yourself?
This checklist is thorough for a reason — WordPress maintenance is real, ongoing work. If you’d rather spend your time on your business instead of plugin updates and security scans, that’s exactly what MaintPress is for. Our plans cover every task on this list, starting at $39 per month with no contracts.
MaintPress keeps your WordPress site fast, secure, and updated — so you can focus on your business.
