WordPress Maintenance Checklist and Guide

Your website is a vital asset for your business. When there’s an issue with it — like a broken form, slow-loading pages, or harmful links left on your blog — it can seriously hamper your visitors’ experience. In turn, it can sour their impression of your website and brand. 

To ensure you’re maximizing the results you get with your website, make time for WordPress maintenance. The checklist below will show you what to do, how frequently to do it, and if there are automations available.

There are 15 WordPress maintenance tasks you can do to ensure your site is fast, secure, and well-optimized for visitors as well as search engines. Use this checklist as your guide:

There are a number of ways to secure your WordPress passwords and login when initially setting up your website. WordPress security plugins will help you do things like:

• Enforce strong passwords for all users.
• Enable two-factor authentication for admins and editors.
• Limit login attempts.

If you didn’t initially configure these types of settings to secure the login, do so now. Going forward, you’ll also want to force WordPress users (non-subscribers) to update their passwords. 

One way to do this is to manually send a notice to each user asking them to change their password. I’d recommend using a WordPress security plugin to force the reset though.

SiteGround’s Security Optimizer plugin includes this tool under Post-Hack Actions.

Select the option and all users will be logged out and required to generate a new password upon logging in again. 

📆 How frequently should you do it? 

At least twice a year.

🤖 Can you automate this task? 

No, but you can streamline it by using the Security Optimizer plugin to ensure that every user resets their password.

Website backups have lots of uses. 

If your site gets hacked or hijacked, you can restore it to a version before your site was corrupted. If the code gets messed up either by human error or a plugin conflict, the backup restore will fix things for you as well.

There are numerous ways to backup your site. 

One option is to configure backups via your hosting account. With a SiteGround hosting plan, for instance, you can enable automated backups or generate them manually as needed.

You can also create automated backups with a WordPress backup plugin. 

📆 How frequently should you do it? 

It depends on the size and complexity of your site as well as how frequently you update it. 

If your hosting provider allows for daily backups, though, take advantage of them. If not and you aren’t updating your site that often, weekly or monthly backups are fine. 

It’s also a good practice to generate a backup before making any big changes to your site.

🤖 Can you automate this task? 

Yes, both your hosting provider and WordPress plugin will do this for you.

Whenever the WordPress development team has a new security, maintenance, or core update to push out, a notification will appear in your WordPress Dashboard under Updates. 

Before installing any WordPress update, make sure to back up your website. 

📆 How frequently should you do it? 

Update WordPress whenever updates become available. 

They’re not always predictable as you can see from the WordPress Release history. So it’s a good idea to log into WordPress at least once a week to see if any core updates are waiting for you. 

🤖 Can you automate this task? 

Yes. 

You can enable automatic updates for just the maintenance and security releases or you can enable them for every update. There’s a link to do this in WordPress on the Updates screen.

The WordPress Updates panel will also alert you to any themes that need updating. 

These updates might include improvements to the theme, new demos or starters sites, or they might patch a vulnerability. Because of this, it’s important to update your theme as soon as possible. 

📆 How frequently should you do it? 

Try to log into WordPress at least once a week. Not every theme update will be urgent, but it’s still a good idea to install them as soon as you can.

🤖 Can you automate this task? 

Yes. You can add this line to the wp-config.php file at the root of your site:

add_filter( 'auto_update_theme', '__return_true' );

Some security plugins will also allow you to enable automatic updates. 

The other alert you’ll find under Updates pertains to your plugins. 

The more plugins you install on your site, the more frequently you’ll see these updates. Plugin updates usually improve performance and patch vulnerabilities, so it’s important to implement them as soon as they come through. 

📆 How frequently should you do it? 

At the very least, once a week. Exploited plugins are one of the most common reasons for security breaches, so it’s critical that they stay updated. This goes for both active and inactive plugins on your site.

🤖 Can you automate this task? 

Yes. There are various ways to do this. You can do it from the Plugins panel in WordPress. Click Enable auto-updates next to any or every plugin you want to apply this setting to.

If you have a SiteGround hosting account, you can automatically update your plugins from the WordPress > Autoupdate screen.

You can also do it manually by adding this line to the wp-config.php file: 

add_filter( 'auto_update_plugin', '__return_true' );

Your hosting server only has a limited amount of storage. Even if you haven’t reached maximum capacity, it’s helpful to clear out unused files. This will not only lighten your server, it’ll also reduce clutter and make it easier for you to manage everything. 

There are various places to check in WordPress when doing your cleanout: 

• Pages: Delete trashed pages, drafts you don’t need, as well as older versions.
• Posts: Delete trashed posts, drafts you don’t need, as well as older versions.
• Media: Delete old files as well as any placeholder images and files imported by your theme.
• Themes: You can only use one theme at a time, so you can delete other installed themes.
• Plugins: Delete inactive plugins you don’t need.

Most of this work will have to be done manually, but it shouldn’t take long to do so long as you stay on top of it.

📆 How frequently should you do it? 

Set a reminder for yourself every three to four months to do a WordPress clean up. 

🤖 Can you automate this task? 

Some caching plugins will give you the option to automatically purge unused and deleted files. For example, SiteGround’s Speed Optimizer plugin allows you to schedule weekly database maintenance. 

Among the options given, you can delete post and page drafts, older page and post versions, as well as anything in the Trash.

You’ll still have to clear out old and unused media, themes, and plugins.

If you have a blog on your website, then you may have received some spam.

Spam comments don’t always contain harmful links in them. However, that doesn’t mean they are harmless. As more and more of them flood into your blog, they have to be stored somewhere.

Go to Comments and click on the Spam tab to see what’s in there.

Once you’ve confirmed that the spam comments are indeed spam, use the Delete Permanently option to remove them. 

📆 How frequently should you do it? 

It depends on how frequently you publish content to the blog and how popular it is. If you’re not receiving a ton of comments in general, then spam might not be a serious issue. 

At the very least, aim for once a month when you’re performing other WordPress maintenance tasks. 

🤖 Can you automate this task? 

Yes. Your caching plugin can also help with this. The Speed Optimizer plugin, for instance, includes a Delete all comments marked as spam option in its weekly database maintenance feature.

While you might not see your database from the WordPress backend, it still needs to be cleaned up from time to time.

For example, if you delete plugins, some of them leave files behind. And these files can cause problems if they conflict with new plugins you install. 

Having a way to optimize and cleanse your database will ensure old and inactive files are removed. Many caching plugins give you a tool to do this so you don’t have to poke around in your server and manually find and delete them yourself. 

📆 How frequently should you do it? 

Unless you’re updating your blog or revising your plugins list often, you won’t need to do this task that much. Caching plugins can automatically do a database sweep for you once a week, but monthly or even quarterly should suffice. 

🤖 Can you automate this task? 

LiteSpeed Cache, W3 Total Cache, and WP-Optimize are performance plugins that come with database optimization tools. If you’re a SiteGround user, you can use their Speed Optimizer plugin instead.

It’s easy to lose track of your website when you’re caught up with running your business. But you don’t want to wait until all contact form submissions, new subscribers, or sales dry up to start paying attention.

Your forms are arguably the most important component of your website. While it’s not common for them to break, it can happen — usually because of a plugin or human error. 

To ensure that visitors and customers can convert without issue, go into your website and test out each of your forms regularly. 

📆 How frequently should you do it? 

If you have a small to medium website, once every few months will suffice. If you have a larger website, weekly tests work. 

🤖 Can you automate this task? 

No.

Consumers have short attention spans and their patience wears thin if they’re forced to wait for a service they expect to be fast. So if the pages on your site don’t load within a few seconds, you could be losing visitors all because they didn’t want to wait. 

It’s not enough to visit your website and to perceive that it’s fast enough. You need a tool that can objectively evaluate your site speed. Google’s Core Web Vitals (which now lives inside PageSpeed Insights) is your best resource for this.

In addition to providing you with a score between 0 and 100, it will show you how long the page takes to open and tell you what to fix to improve the loading speed. 

This speed testing tool only evaluates one page at a time, so you’ll need to run all your pages (or, at the very least, the most critical ones along the user journey) through it.

📆 How frequently should you do it? 

For smaller websites, once a month will suffice. For larger websites, at least once a week. 

If you stay on top of it, then you won’t have to make many adjustments each time you check.

🤖 Can you automate this task? 

No. 

You can’t always tell when a website has been breached. 

In some cases it’s obvious because you see the white screen of death or you’ve lost access to WordPress altogether. In other cases, the hacker or malware infection is working silently behind the scenes.

There are ways to detect security breaches before they have time to become a problem for you. 

Your WordPress security plugin is your first line of defense. You’re also going to need a security scanner to serve as a proactive detection system.

There are free website scanners like Sucuri and WPSec. Some security plugins have them, but that’s not always the case. Even when they do, they’re usually only included in the premium version of the plugin. 

Check your hosting plan to see if a security scanner and notification system is included. If not, consider investing in a premium solution. 

📆 How frequently should you do it? 

Daily. If that’s not feasible, then weekly.

🤖 Can you automate this task? 

Yes, but you’ll probably need to pay for it. 

If you’re using SiteGround for hosting, for instance, you can pay to have your website automatically scanned daily for threats. You’ll also receive a notification if any threats are found.

When visitors see a 404 error page on your website, it means the page no longer exists. It could’ve been deleted or the permalink changed. 

Visitors discover these nonexistent pages in search engine results, links on other websites, or even internal links within your own. 

To identify these 404 pages, Google Search Console is a helpful resource. You’ll find a list of all error pages under Pages > Not found (404).

To stop people from running into the error message, set up a 301 redirect for each of these pages. This tutorial will show you how to redirect visitors using a plugin or by manually configuring it.

📆 How frequently should you do it? 

If you haven’t updated your website, then a 404 error check isn’t really necessary. If you’re editing your content regularly, though, you should schedule a check at least once a month.

🤖 Can you automate this task? 

The Redirection plugin mentioned in the tutorial can be set up to automatically redirect visitors after a permalink changes. So too can Yoast SEO Premium.

That said, it’s still good to review Google Search Console to ensure all 404 errors have been caught.

The 404 error check will help you fix errors that visitors encounter when coming from outside your website. For broken links within the pages of your site, though, you’ll need to use a different process.

There are plenty of free online tools that’ll scan each page looking for broken links. Brokenlinkcheck.com does a good job.

Once you’ve verified that the links are broken, you can do one of two things. You can remove the link entirely. Or you can edit it so it goes to the correct permalink.

📆 How frequently should you do it? 

Do this at the same time as you do your 404 error check. 

🤖 Can you automate this task? 

Yoast SEO Premium will check for broken links. It will even automatically redirect them for you.

Your forms aren’t the only parts of the website that need to be tested. There are other aspects of your website design or features that may need to be fixed or improved over time. 

When performing a quality assurance test, start with the big issues (i.e. the ones that Google pays attention to when ranking websites). For instance: 

• Mobile responsiveness
• Accessibility
• SEO

You can use PageSpeed Insights to get a sense for some ways to improve upon these factors. Your SEO plugin will also give you helpful insights regarding search engine optimization.

However, it’s also important to do a manual review of your site’s design and functionality. 

Spend some time viewing each page (if that’s reasonable) from the point-of-view of a visitor. Make sure everything looks good, notice if there are any broken images or formatting, test out all the interactive areas, and so on.

If time allows, you might also want to do A/B testing to improve the user experience and increase your conversion rates. 

📆 How frequently should you do it? 

These website checks don’t need to be done too frequently. Aim for once every six months for smaller sites and once a month or every quarter for larger ones. 

🤖 Can you automate this task? 

No. While PageSpeed Insights can detect some of the more obvious issues, it can’t automate this work. 

There are many different reasons to review and edit your website’s content. For example: 

• Something in your business has changed and the website contains incorrect info.
• You’ve removed one of your areas of focus and need to delete irrelevant content.
• You have a blog and want to regularly publish content to it.
• Your most important web pages aren’t ranking in search results. 
• Your store runs sales throughout the year and you need to update the current offer.

After you review the design of your website, go through and read all of your content. If you have a larger site, focus on the most important pages. Or the ones that are underperforming (depending on your main goals here). 

Edit them as needed. 

📆 How frequently should you do it? 

It depends on what type of website you have. 

For instance, a blog or a website with a blog should be updated at least once a week with new content. However, a small business website might only need to be tweaked once a month or every two months.

To make it easier on yourself, plan to do this whenever you do your website QA. 

🤖 Can you automate this task? 

No. However, Google Analytics and Google Search Console will be useful tools. They’ll help you identify problem areas, missed opportunities with keywords, and more.

Yes. While every website should receive ongoing maintenance, WordPress websites in particular need careful maintenance. 

One of the main reasons for this is because WordPress is self-hosted. Unlike a platform like Wix or Squarespace that handles hosting, security, and speed on behalf of its users, WordPress doesn’t. 

But that’s a good thing. This allows you to continually fine-tune the performance of your website instead of leaving it in the hands of an organization that doesn’t have a vested interest in your website or business.

Website maintenance is about more than just security and speed, too. Wix users, for instance, might be off the hook when it comes to those two tasks. However, they still need to do things like fix 404 errors, review their analytics, and update their content.

Some WordPress maintenance tasks take no more than 30 seconds to execute — like updating plugins. While you should always back up your website before performing any maintenance, maintenance mode itself is not always needed.

For more extensive maintenance work, you might want to put WordPress into maintenance mode. This post will show you how to enable WordPress maintenance mode manually or with a free WordPress plugin.

Some maintenance tasks take longer than others. You could spend anywhere from a minute to a few hours on it in a given day.

For example, updating a WordPress theme takes less than a minute to complete. On the other hand, testing your website speed and then implementing optimizations can take 30 minutes or more depending on how slowly your pages are loading. 

Not every maintenance task needs to be done every day or even every week though. So you’ll have to figure out if you have the time to devote to it. 

To speed things up, consider automating some of the more mundane and routine tasks like backups and updates. You can do a lot of this with the tools provided by your web host as well as with choice plugins.

Yes. If you’d rather not deal with WordPress maintenance, you can outsource it. There are various managed WordPress maintenance and support services available. 

For example: 

You can outsource your own website as well as client websites to these providers as well. So if you’re looking for a way to generate recurring revenue without expending too much energy, managed WordPress maintenance would allow you to do that.

If you bought a car and failed to maintain it for a long period of time, you’d definitely see a downturn in its performance. And if you continue the neglect the car, it will eventually break down completely.

The same rule applies to websites. If you fail to maintain your website, you’ll deter people from visiting it. No one wants to use a poorly designed website that has broken links and forms, is slow and insecure, uses outdated plugin software, or constantly breaks.

Fortunately, WordPress sites are easy to maintain. Routinely carrying out maintenance tasks on your website will ensure that your site is safe, secure, and performing at the best of its capacity. 

The WordPress maintenance checklist above will help you to get started.