By Tara-Lynn | Go With Flo | Web Designer, WordPress Expert & Systems Strategist
WordPress maintenance for small businesses is the ongoing practice of running scheduled technical tasks that keep a WordPress website secure, fast, and functioning correctly after launch. It includes updating core software, themes, and plugins; verifying backups; testing contact forms; monitoring site speed; and scanning for security issues.
Most small business owners skip all of it.
Not on purpose. It just never comes with instructions. You build the site, you launch, you go back to running your actual business, and the WordPress dashboard sits quietly in a tab you have not opened since November.
And then one day something breaks, or gets hacked, or starts loading so slowly that clients bounce before they even see your homepage.
This checklist covers what actually needs to happen to keep your WordPress site healthy, and how often to do it.
Key Takeaways
- WordPress maintenance is not optional. It is the ongoing cost of having a website that works.
- Plugin updates are a security issue, not just an admin task. Outdated plugins are one of the most common WordPress hack entry points.
- Backups only count if they work. A backup you have never tested is a file you hope works when you need it most.
- Site speed affects your Google ranking directly. Core Web Vitals are a confirmed Google ranking factor.
- Contact forms break silently. They need to be tested monthly, not assumed to be working.
- SSL certificates expire. A lapsed SSL puts a “not secure” warning in your visitor’s browser before they reach your homepage.
- User accounts accumulate. Old admin accounts from contractors, assistants, or previous developers are an active security risk if they have never been removed.
If you are managing a WordPress site yourself and have not done a proper maintenance review recently, this checklist is a good place to start.
What WordPress Maintenance Actually Involves
WordPress is not a platform you set up and walk away from.
Unlike Squarespace or Wix, where the platform handles technical updates in the background, WordPress puts you in charge of the infrastructure. That is part of why it is so flexible and so widely used. It is also why it requires actual ongoing attention.
WordPress maintenance covers three broad areas:
- Security: Keeping your site protected from hacks, malware, and unauthorised access.
- Performance: Keeping your site fast, functional, and easy for visitors to use.
- Content and structure: Keeping your information accurate, your links working, and your site reflecting your current business.
None of these areas maintain themselves. And none of them announce when they have stopped working.
The Monthly WordPress Maintenance Checklist
1. Update WordPress Core, Themes, and Plugins
WordPress releases regular updates to its core software. Theme and plugin developers release updates to add features, fix bugs, and patch security vulnerabilities.
Skipping these updates is one of the most common reasons WordPress sites get hacked. When a vulnerability is discovered in a plugin, developers patch it in an update and publicly document the fix, which also tells anyone paying attention exactly what the old version is vulnerable to.
An unupdated plugin is an open door with a sign on it.
How to do it: Log into your WordPress dashboard. Go to Dashboard > Updates. You will see pending updates for core, themes, and plugins. Update core first if there is one. Then update plugins one at a time, checking your site after each update. Do not update everything at once. One update breaking something is manageable. Twelve updates breaking something simultaneously is a significantly worse afternoon.
How often: Monthly at minimum. Weekly is better, especially for security plugins and page builders.
2. Verify Your Backups Are Working
If you have a backup plugin installed, when did you last confirm that it is actually running?
And when did you last test whether a backup could actually be restored?
A backup plugin that is installed but not configured is not a backup solution. It is a plugin sitting in your dashboard, theoretically doing something, and quietly giving you a false sense of security.
Real backups are:
- Automated, so they run whether you remember or not
- Frequent, ideally daily or at minimum weekly for active sites
- Stored off-site, meaning somewhere other than your hosting server, because if the server goes down your backup goes with it
- Tested, meaning you have confirmed at least once that the backup files can actually be used to restore your site
How to do it: Open your backup plugin (UpdraftPlus and BlogVault are two solid options for small business WordPress sites) and check the last successful backup date, where files are being stored, and your retention settings. If you have never tested a restoration, that is the thing worth doing this month.
How often: Check backup status monthly. Test a restoration at least once or twice a year.
3. Test Every Contact Form
Contact forms break. This is not a matter of if, it is when.
Plugin conflicts, hosting configuration changes, email deliverability issues, and overzealous spam filters can all cause a contact form to stop delivering messages to your inbox with zero visible indication that anything has changed.
The visitor fills in the form. They get a confirmation message. You get nothing. They move on. You never know.
How to do it: Fill out every form on your site using a non-business email address. Submit it. Check your inbox. Check your spam folder. Confirm the message arrived. If it did not, the most common fix is WP Mail SMTP, which addresses the email deliverability configuration issues that cause the majority of WordPress contact form failures.
How often: Monthly, without exception.
4. Check Your Site Speed
Site speed is not just a user experience issue. It is an SEO issue.
Google has confirmed that Core Web Vitals, a set of metrics measuring loading performance, interactivity, and visual stability, are part of its ranking signals. A slow site is harder to rank and harder to convert, because most visitors will leave a page that takes more than three seconds to load.
Speed can degrade over time even when you have not changed anything, because your hosting server accumulates load, your database grows, your media library fills up with unoptimised images, and plugins add code that runs on every page.
How to do it: Run your site through Google PageSpeed Insights (free) or GTmetrix (free tier available). Look at both mobile and desktop scores. The most common causes of speed issues are uncompressed images, no caching plugin, too many active plugins, and poor-quality hosting. ShortPixel handles image compression. WP Rocket or W3 Total Cache handle caching. If the speed problems point to hosting, that is worth a separate conversation.
How often: Monthly. Run a speed check before and after any major site changes.
5. Scan for Malware and Security Issues
WordPress sites are a common target for automated attacks, not because hackers are specifically interested in your wedding photography business, but because WordPress powers over 40% of the web and a successful automated script can hit thousands of sites at once.
A compromised site can distribute malware to your visitors, get blacklisted by Google (which removes it from search results entirely), or be used to send spam emails without your knowledge. Most business owners find out their site has been hacked from a client who received a weird email, or from their hosting provider suspending the account.
How to do it: Install and run a security plugin like Wordfence (free tier available) or Sucuri. These tools scan your site for known malware signatures, monitor for unusual login activity, and alert you to known vulnerabilities in your installed plugins. Enable two-factor authentication on your WordPress admin account if you have not already.
How often: Run a scan monthly. Enable real-time monitoring so you are alerted to anything unusual between scheduled checks.
6. Check Your SSL Certificate
SSL (Secure Sockets Layer) is the technology that puts HTTPS at the start of your website URL and the padlock icon in your visitor’s browser bar. It confirms that the connection between their device and your site is encrypted and secure.
When an SSL certificate expires, browsers display a “Not Secure” or “Your connection is not private” warning before visitors reach your homepage. Most people will close the tab immediately.
Most hosting providers include SSL certificates and renew them automatically. But automatic renewal can fail. And some hosts require manual renewal on lower-tier plans.
How to do it: Type your domain into a browser and look for the padlock. If it is missing or you see a security warning, contact your hosting provider immediately. You can also use SSL Labs’ free SSL Server Test (ssllabs.com/ssltest/) for a detailed certificate check.
How often: Check monthly. If your host offers SSL expiry alerts, enable them.
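For sites whose host offers no expiry alerts, the monthly check can be scripted. This is an added example, not part of the original checklist: it connects the way a browser does, reads the certificate's expiry date, and treats a failed verification as the same condition that produces the browser warning. The 21-day threshold and the `your-domain.example` hostname are assumptions.

```python
import socket
import ssl
import time

WARN_DAYS = 21  # assumed alert threshold, not a value from the checklist


def days_left(not_after, now=None):
    """Whole days until the certificate's notAfter date (negative if past)."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def classify(days):
    """Map days remaining to the action the site owner should take."""
    if days < 0:
        return "EXPIRED"
    return "RENEW SOON" if days <= WARN_DAYS else "OK"


def check_site(host, port=443, timeout=10):
    """Connect like a browser would and report the certificate status."""
    ctx = ssl.create_default_context()  # verifies chain, hostname and dates
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An expired or mismatched certificate fails the handshake here.
        return f"{host}: FAILED VERIFICATION ({exc.verify_message})"
    except OSError as exc:
        return f"{host}: could not connect ({exc})"
    d = days_left(not_after)
    return f"{host}: {classify(d)}, {d} days left (expires {not_after})"


if __name__ == "__main__":
    # Constructed dates so the script runs offline; for a live check use
    # print(check_site("your-domain.example")) with your own domain.
    sample_expiry = "Jun  1 12:00:00 2030 GMT"
    fixed_now = ssl.cert_time_to_seconds("May 20 12:00:00 2030 GMT")
    d = days_left(sample_expiry, fixed_now)
    print(classify(d), d)
```

Run from a scheduled task, a `RENEW SOON` result gives time to contact the host before visitors see a warning.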
7. Review User Accounts and Login Access
How many people have admin access to your WordPress site right now?
If you have ever worked with a developer, a VA, a designer, a social media manager, or anyone else who needed to log in, those accounts may still exist with full admin privileges. Former contractors. People you no longer work with. Possibly a web designer from three years ago whose access you forgot to revoke.
Every unused admin account is a potential security risk. If the person’s email account gets compromised, someone else now has a backdoor into your site.
How to do it: Go to Users > All Users in your WordPress dashboard. Review every account. Remove anyone who no longer needs access. Downgrade permissions for anyone who does not need admin-level access (editors, authors, and contributors all have lower permission levels for a reason). Change the default “admin” username if it still exists on your site.
How often: Quarterly, or immediately after any contractor or team member relationship ends.
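On a site with many accounts, the same review can be run against an export instead of the dashboard. This is an added example, not part of the original checklist: it assumes WP-CLI is available on the server to produce the CSV, and the account names, email addresses and allowlist below are constructed.

```python
import csv
import io

# Constructed sample of the CSV printed by WP-CLI on the server:
#   wp user list --fields=user_login,user_email,roles,user_registered --format=csv
SAMPLE_EXPORT = """user_login,user_email,roles,user_registered
admin,owner@studio.example,administrator,2019-03-02 10:15:00
jordan,jordan@studio.example,administrator,2021-06-11 08:40:12
old-dev,dev@agency.example,"administrator,editor",2022-01-20 17:05:44
va-sam,sam@assist.example,editor,2023-09-05 13:22:01
"""

# Hypothetical allowlist: the logins that should hold admin rights today.
EXPECTED_ADMINS = {"jordan"}


def audit_users(export_csv, expected_admins):
    """Return (login, finding) pairs for accounts that need action."""
    expected = {name.lower() for name in expected_admins}
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        login = row["user_login"].strip()
        # A user can hold several roles; WP-CLI joins them with commas.
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        since = row["user_registered"].split(" ")[0]
        if login.lower() == "admin":
            findings.append((login, "default 'admin' username still exists"))
        if "administrator" in roles and login.lower() not in expected:
            findings.append(
                (login, f"unexpected administrator since {since}: remove or downgrade")
            )
    return findings


if __name__ == "__main__":
    for login, finding in audit_users(SAMPLE_EXPORT, EXPECTED_ADMINS):
        print(f"{login}: {finding}")
```

Keeping the allowlist in a file and updating it whenever a contractor relationship ends turns the quarterly review into a comparison rather than a memory test.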
8. Check for Broken Links
Broken links happen every time a page URL changes, a post gets deleted, or an external website you have linked to goes offline or restructures its content.
They frustrate visitors who click and land on a 404 error page. They also signal to search engines that your site is not being actively maintained, which has a quiet, cumulative effect on your rankings over time.
How to do it: Use the Broken Link Checker plugin (free) to automatically scan your site for broken internal and external links. Alternatively, Ahrefs Webmaster Tools offers a free site audit that flags broken links as part of a broader crawl report. Fix broken internal links by updating the URL. For broken external links, either remove the link or replace it with a current source.
How often: Monthly.
9. Check Your WordPress Site Health Score
WordPress has a built-in diagnostic tool that most people have never opened.
Site Health (found under Tools > Site Health in your dashboard) runs a series of checks and flags any issues it identifies, such as PHP version, inactive plugins, HTTPS status, scheduled tasks, and more. It categorises results as critical issues, recommended improvements, or passing tests.
It is not a comprehensive security audit, but it is a fast, free diagnostic that often surfaces problems you would not otherwise know about.
How to do it: Go to Tools > Site Health in your WordPress dashboard. Review any critical issues and work through them. The recommended improvements can usually wait, but the critical ones should be addressed promptly.
How often: Monthly.
Quick Reference: WordPress Maintenance at a Glance
| Task | How Often | Tools / Notes |
|---|---|---|
| Update core, themes, plugins | Monthly (weekly for security plugins) | WordPress dashboard > Updates |
| Verify backup status | Monthly | UpdraftPlus, BlogVault |
| Test restoration | Twice yearly | Restore to staging environment if possible |
| Test all contact forms | Monthly | Use a non-business email; check spam folder |
| Check site speed | Monthly | Google PageSpeed Insights, GTmetrix |
| Malware scan | Monthly | Wordfence (free), Sucuri |
| Check SSL certificate | Monthly | Browser padlock check, SSL Labs |
| Review user accounts | Quarterly | Users > All Users in dashboard |
| Check for broken links | Monthly | Broken Link Checker plugin, Ahrefs |
| Run Site Health check | Monthly | Tools > Site Health in dashboard |
Who Should Be Doing This?
Everything in this checklist is something a non-technical business owner can learn to do.
The question is whether you actually will.
Consistency is what makes maintenance work. Checking your plugins once and never again is not maintenance. Running a malware scan the day after your site gets hacked is not maintenance. Maintenance is the thing that happens on a schedule, whether you feel like it or not, whether you are busy or not, whether you have a launch coming up or not.
For a lot of small business owners, the honest answer is that this is not where their time should go. Not because they cannot do it, but because the cost of their time doing it is higher than the cost of having someone do it for them. And because it simply will not happen consistently unless someone else is accountable for it.
Go With Flo’s WordPress maintenance plans handle all of this on a scheduled basis, so you do not have to remember, track, or worry about any of it. If you want to understand what that looks like in practice, our web maintenance service page is the place to start.
And if you are not sure whether your current hosting setup is even capable of supporting a healthy, fast site, that is what Post 3 of this series covers.
WordPress maintenance is not glamorous. It is not the part of running a business that anyone talks about at networking events. But it is the difference between a website that quietly supports your business and one that quietly undermines it.
Most of the things that go wrong on small business websites are preventable. Not with big technical knowledge or expensive tools. With a checklist and a calendar reminder.
If you want to hand that checklist off entirely, Go With Flo’s web maintenance services are here.
Frequently Asked Questions
How often should I update my WordPress site?
WordPress core, themes, and plugins should be checked for updates at minimum once a month. Security plugins and page builders often release updates more frequently, so weekly checks are better practice for those. Always update plugins one at a time and verify your site after each update.
What happens if I never update my WordPress plugins?
Outdated plugins are one of the most common entry points for WordPress hacks. Plugin developers patch security vulnerabilities in updates and publicly document what was fixed, which also tells attackers what older versions are vulnerable to. Sites running outdated plugins are significantly more likely to be compromised.
Do I really need a backup plugin if my host does backups?
Many hosting providers offer backups, but the terms vary significantly. Some budget hosts retain backups for only 24 to 48 hours and do not guarantee restoration. A dedicated backup plugin like UpdraftPlus or BlogVault gives you control over backup frequency, retention, and off-site storage, independent of what your host provides.
How do I know if my WordPress site has been hacked?
Signs of a WordPress hack include content you did not create appearing on the site, new admin accounts you did not set up, unusual redirects sending visitors to unrelated sites, warnings in Google Search Console, and your hosting provider suspending your account. A security plugin like Wordfence running in real-time monitoring mode will alert you to suspicious activity before it becomes a full compromise.
What is a WordPress maintenance plan and what does it include?
A WordPress maintenance plan is a service where a professional handles your ongoing site upkeep on a scheduled basis. This typically includes plugin and core updates, backup monitoring, security scanning, broken link checks, contact form testing, and speed monitoring. It removes the need for the business owner to remember, schedule, or execute any of these tasks themselves. Go With Flo’s maintenance plans are available for small business WordPress sites of all sizes.
Can slow hosting cause WordPress maintenance problems?
Yes. Poor-quality hosting affects more than just site speed. It can cause unreliable backups, failed cron jobs (which WordPress uses to run scheduled tasks like automatic updates), email deliverability issues that break contact forms, and reduced ability to handle traffic spikes without crashing. If your site maintenance problems keep coming back despite doing everything right, hosting quality is worth investigating.


