Every “ultimate WordPress maintenance checklist” on page one of Google looks the same. Twenty bullet points. Three plugin recommendations per bullet. A reassuring stock photo of a hand on a mouse. The promise: do all twenty things and your site is safe. What actually happens: you do none of them, read the next checklist, and feel guilty again.
The list below is shorter because I’ll tell you which tasks you can skip. If you run a small business site (brochure, lead-gen, small shop), 45 minutes a month covers about 90% of what matters. The other 10% is what you put in writing with whoever does it for you.
What “maintenance” means
Four layers: WordPress core, plugins, themes, and the monitoring + backup pair that catches things when they go wrong. More on that in the previous post about what skipping it costs you.
Plugins are by far the dominant attack surface. Of the 11,334 vulnerabilities Patchstack recorded in 2025, 91% came from plugins, 9% from themes, six total from core itself. That’s why this checklist leans heavily on the plugin layer. Database optimization, image compression and broken-link audits are real tasks, but none of them is the reason your site gets owned.
Weekly: 5 minutes
Open the dashboard. Go to Updates. You’re looking for one thing: is anything tagged as a security release? If yes, that goes through staging today or tomorrow. If not, leave it for the monthly batch.
That’s the whole weekly task. Don’t click “Update All.” The weekly check exists to catch the urgent stuff. The actual updating happens once a month.
Worth a quick look: the email from your monitoring tool (UptimeRobot or similar) for the past week. If it shows anything other than 100% uptime, ask why. Three downtime alerts in the same week is a hosting problem, not a WordPress problem.
Monthly: 45 minutes (when nothing breaks)
Schedule it. Calendar reminder, first Monday of the month, blocked off. Monthly maintenance always fails on the same point: it’s never the most urgent thing on a Monday morning. Until the day your shop is offline.
- Pull a fresh staging copy. A real one: same PHP version, same database, same theme. Not just a file backup. Most managed hosts have a one-click staging option. If yours doesn’t, fix that first. Updating production directly is how every broken-WooCommerce horror story begins.
- Apply all pending updates on staging. Core first, then plugins (security-tagged ones first within that group), then themes. After each batch, refresh and click around. If something looks wrong, you know which update caused it.
- Click through the critical paths. Brochure site: homepage, contact form (submit a real test), main service page. Shop: add to cart, checkout, payment with a real (then refunded) Stripe test. Five minutes. Catches the broken-block bugs that staging exists for.
- Push to production. Either re-apply the same updates manually on live, or use the host’s “push staging to live” button if you trust it.
- Verify the last backup. Open your backup tool. Does the last successful run match yesterday? Is the file actually in off-site storage (S3, Backblaze, Dropbox, not on your own server)? If you’re not sure, restore one. A backup you’ve never restored is a backup you don’t have.
- Skim the security log. If Wordfence, Sucuri, or your host’s firewall is enabled, look at the past month. Repeated 404s on /wp-login.php are background noise. Successful logins from a country no one on your team is in are not.
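The two triage rules from the log-skim step, applied to a log export. This is an added example, not code from the post: the log lines and their one-event-per-line format are constructed, and a real Wordfence or host export will need its own parser.

```python
from collections import Counter

# Constructed sample export, not from any real site. Assumed line format (one event per line):
#   <timestamp> <client-ip> <country-code> <event> <detail>
# where event is 404 (detail = requested path), LOGIN_OK or LOGIN_FAIL (detail = username).
SAMPLE_LOG = """\
2025-03-02T08:14:51Z 203.0.113.9 RU 404 /wp-login.php
2025-03-02T08:14:52Z 203.0.113.9 RU 404 /wp-login.php
2025-03-02T08:15:10Z 198.51.100.4 CN 404 /wp-login.php
2025-03-02T08:15:11Z 198.51.100.4 CN 404 /xmlrpc.php
2025-03-03T09:02:33Z 192.0.2.77 DE LOGIN_OK anna
2025-03-04T09:05:12Z 192.0.2.77 DE LOGIN_FAIL anna
2025-03-05T23:41:08Z 198.51.100.4 CN LOGIN_OK admin
2025-03-06T10:00:01Z 192.0.2.78 DE LOGIN_OK anna
"""

def triage_log(log_text, team_countries):
    """Apply the two rules from the monthly check: repeated 404s on /wp-login.php are
    background noise (count them, do not chase them); a successful login from a country
    nobody on the team works from is worth a look (list every one)."""
    noise_404 = 0
    other_404 = Counter()
    failed = Counter()
    suspect = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, country, event, detail = line.split()
        if event == "404":
            if detail == "/wp-login.php":
                noise_404 += 1
            else:
                other_404[detail] += 1
        elif event == "LOGIN_FAIL":
            failed[detail] += 1
        elif event == "LOGIN_OK" and country not in team_countries:
            suspect.append({"time": ts, "user": detail, "ip": ip, "country": country})
    return {
        "wp_login_404_noise": noise_404,
        "other_404": dict(other_404),
        "failed_logins": dict(failed),
        "suspect_logins": suspect,
    }

if __name__ == "__main__":
    report = triage_log(SAMPLE_LOG, team_countries={"DE"})
    print(f"{report['wp_login_404_noise']} probing 404s on /wp-login.php (noise)")
    for s in report["suspect_logins"]:
        print(f"CHECK: {s['user']} logged in from {s['country']} ({s['ip']}) at {s['time']}")
```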
If everything clicks through, you’re done in 45 minutes. If a plugin update breaks something on staging, budget 1 to 3 hours and don’t push to production until it’s fixed. That variance is the real cost of WordPress maintenance. Not the average, but the spike when an update fails.
Quarterly: 2 hours
Once every three months, look at the layers underneath the dashboard. The monthly routine keeps the site running; the quarterly one keeps it from accumulating debt.
- Plugin audit. List every active plugin. For each: do you actually use it? When was the last update from the author? Over 12 months ago? Then it’s on the path to abandonment. In 2024, 1,614 plugins were removed from the WordPress.org repository for unresolved security issues. Replace those before they get pulled. Delete the ones you don’t use.
- PHP version check. Open your hosting panel. What PHP version is the site running? Older than 8.2? Plan a migration this quarter. End-of-life PHP stops receiving security patches and eventually breaks newer plugins.
- Test a backup restore. Pick a recent backup, restore it to staging, confirm it boots and shows the homepage. This is the only test that proves the chain works.
- Form spam review. Open the form submissions or the inbox they go to. If 80% is spam, the form needs hCaptcha or honeypot protection. If you store submissions in the database, check how many. I’ve seen sites with 90,000 contact-form rows nobody ever read. That’s the actual cause of database bloat people then blame on “needing optimization.”
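The plugin audit and PHP version check from the quarterly list, as an added example that is not part of the post. The inventory and PHP version are constructed; the `last_updated` field is assumed to hold the author’s last release date from the wordpress.org directory, or None for a plugin the directory does not list.

```python
from datetime import date

# Constructed inventory, not a real site. `name` and `status` mirror what `wp plugin list`
# reports locally; `last_updated` is the assumed last release date from the wordpress.org
# directory, or None for a custom/premium plugin it does not list.
INVENTORY = [
    {"name": "contact-form-7", "status": "active",   "last_updated": "2025-01-20"},
    {"name": "old-gallery",    "status": "active",   "last_updated": "2023-06-02"},
    {"name": "hello-dolly",    "status": "inactive", "last_updated": "2024-11-01"},
    {"name": "custom-shop",    "status": "active",   "last_updated": None},
]
PHP_VERSION = "8.1.27"  # constructed; read the real one from the hosting panel

def audit_plugins(inventory, today_iso, stale_after_days=365):
    """Sort plugins into the quarterly buckets: inactive -> delete; active but with no author
    release in over 12 months -> replace before it gets pulled; active with no directory
    history -> review by hand; everything else -> ok."""
    today = date.fromisoformat(today_iso)
    buckets = {"delete": [], "replace": [], "review": [], "ok": []}
    for p in inventory:
        if p["status"] != "active":
            buckets["delete"].append(p["name"])
        elif p["last_updated"] is None:
            buckets["review"].append(p["name"])
        elif (today - date.fromisoformat(p["last_updated"])).days > stale_after_days:
            buckets["replace"].append(p["name"])
        else:
            buckets["ok"].append(p["name"])
    return buckets

def php_needs_migration(version, minimum=(8, 2)):
    """True when the running PHP major.minor is below the floor the checklist uses (8.2)."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return (major, minor) < minimum

if __name__ == "__main__":
    report = audit_plugins(INVENTORY, today_iso="2025-04-07")
    for bucket, names in report.items():
        print(f"{bucket:8} {', '.join(names) or '-'}")
    if php_needs_migration(PHP_VERSION):
        print(f"PHP {PHP_VERSION} is below 8.2: plan the migration this quarter")
```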
Annually: 1 hour
- User cleanup. Open Users. Delete anyone with admin or editor access who no longer works with you. Old admin accounts from a previous developer or agency are a common compromise vector.
- Password rotation. Reset your own admin password. Force-reset other users if you can. Yearly is a defensible compromise. If you suspect a leak, do it that day.
- Renewal audit. Open your registrar, your hosting provider, and your SSL certificate (if not Let’s Encrypt). Are auto-renewals actually enabled? When does each one expire? An expired domain is the fastest way to lose a business overnight. The cause is almost always “we thought it was on auto-renew.”
- SEO baseline check. Pull last year’s Search Console data. Compare top queries and pages year-over-year. Sudden drops point to algorithm hits, indexing problems, or technical regressions. A GEO audit covers the AI-search side of the same question.
What other checklists make you do, and why you don’t need to
This is where those 20-item lists get bulky. The tasks below are not useless, but they don’t keep your site safe or fast. That time is better spent on the items above.
- Weekly database optimization. A WordPress database fragments the way a hard drive fragments: barely. Modern MySQL handles it. The real performance problem is bloat from plugins that store every form submission, abandoned cart, or revision forever. Plus autoloaded options that grow without limits. Find and fix the source plugin. Don’t run an optimizer weekly and call it maintenance.
- Manually checking for broken links every month. Useful once a year as part of the SEO baseline, not monthly. The plugins that scan continuously add measurable database load without proportional value.
- Image optimization sweeps. Compress images at upload time with one set-and-forget plugin (or, better, before upload). A monthly “optimize everything” pass is fixing a problem you should have prevented.
- Running a security scanner constantly. One scan during the monthly session is enough for most sites. Daily scans on a small site are CPU you’re paying for to detect things that won’t happen.
- Updating themes you don’t use. Don’t update them. Delete them. WordPress keeps inactive themes around as a fallback; one default theme is enough.
If you outsource: five things to put in writing
Most non-technical owners eventually outsource this. The price spread is enormous: from €15/month for an automated update bot pretending to be a service, to €200+/month for an agency. What you should be paying for:
- Updates tested on staging before they hit production. Not “we have a backup so we can roll back.” That means your live shop went down first.
- Off-site backups, daily, with a quarterly restore test. The backup file landing somewhere is half. Proving it restores is the other half.
- A monthly report showing what was updated, what was held back, and why. If you can’t see what you’re paying for, you’re paying too much.
- A named response time for a critical security incident. “We’ll get to it” is not a response time. Two hours, four hours, same business day: pick a number.
- Plugin replacement when an author abandons one. Every checklist says to replace abandoned plugins. Almost no maintenance contract actually includes that work. Get it in writing or budget for it separately.
Anything below that bar is an automated update button with a markup. That one’s free in WordPress.
Wrap-up
Keeping a WordPress site healthy isn’t complicated. It’s repetitive, with a small unpredictable spike when an update breaks something. Scheduling it or outsourcing it is precisely so that spike doesn’t collide with the worst possible Tuesday. 5 minutes weekly, 45 minutes monthly, 2 hours quarterly. The other ten things every checklist tells you to do are mostly busywork. You can skip them and lose nothing meaningful.