Who This Guide Is For
This guide is for business owners and site administrators responsible for a WordPress site that needs to remain healthy, secure, and performant over years, not just months. You may manage the site yourself or oversee a team or agency that handles it. Either way, you need to know what maintenance actually involves so nothing falls through the cracks.
Before You Start
You should have admin access to your WordPress installation and your hosting environment. You should also have a backup system in place — if you do not, setting one up is the first maintenance task, not something you do later. If your site is business-critical and you have no backup, stop reading and fix that now.
Step 1: Establish a Backup Routine
Backups are not optional. They are the foundation that makes every other maintenance task safe. Without a verified backup, every update is a gamble.
Configure automated daily backups of both the database and the file system. Store backups off-site — not on the same server as the site. A server failure that takes down the site should not also destroy the backups. Cloud storage or a separate backup service works.
Test your backups quarterly by restoring one to a staging environment. A backup you have never restored is a backup you do not know works. The first time you discover a backup is corrupted should not be during a crisis.
Retain at least thirty days of daily backups. Storage is cheap. Discovering a problem three weeks after it happened and having no backup from before that point is expensive.
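The routine in Step 1, written out as an added shell example (this is not the page's own tooling). It assumes WP-CLI is installed as `wp` for the database dump, that the off-site target is an rsync-over-SSH destination you supply, and that archives are named by date; the 30-day count and the `demo` run on a constructed site directory are illustrative.

```shell
#!/bin/sh
# Added example: daily WordPress backup with integrity check and retention.
# Assumptions (not from the page): WP-CLI is available as `wp`, archives are
# named site-YYYYMMDD.tar.gz, and the off-site copy goes to an rsync/ssh target.
set -eu

checksum()       { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi; }
checksum_check() { if command -v sha256sum >/dev/null 2>&1; then sha256sum -c "$1"; else shasum -a 256 -c "$1"; fi; }

# Database dump via WP-CLI, which reads credentials from wp-config.php.
# Dump outside the web root so the SQL file is never served to the public.
dump_database() {
  wp --path="$1" db export "$2" --add-drop-table
}

# Archive the site files (plus an optional database dump) into one dated
# tarball and record its SHA-256 beside it. Prints the archive path.
make_backup() {
  local site_root="$1" backup_dir="$2" stamp="$3" db_dump="${4:-}"
  local archive="$backup_dir/site-$stamp.tar.gz"
  mkdir -p "$backup_dir"
  if [ -n "$db_dump" ]; then
    tar -czf "$archive" -C "$(dirname "$site_root")" "$(basename "$site_root")" \
                        -C "$(dirname "$db_dump")" "$(basename "$db_dump")"
  else
    tar -czf "$archive" -C "$(dirname "$site_root")" "$(basename "$site_root")"
  fi
  ( cd "$backup_dir" && checksum "site-$stamp.tar.gz" > "site-$stamp.tar.gz.sha256" )
  echo "$archive"
}

# A backup is only a backup if it can be read back: check the archive
# listing and the recorded checksum. Returns non-zero on any failure.
verify_backup() {
  local archive="$1"
  tar -tzf "$archive" >/dev/null 2>&1 || return 1
  ( cd "$(dirname "$archive")" && checksum_check "$(basename "$archive").sha256" ) >/dev/null 2>&1 || return 1
  return 0
}

# Keep the newest $2 dated archives (and their checksums); delete the rest.
prune_backups() {
  local backup_dir="$1" keep="$2"
  ls -1r "$backup_dir"/site-*.tar.gz 2>/dev/null | tail -n +"$((keep + 1))" | while read -r old; do
    rm -f "$old" "$old.sha256"
  done
}

# The daily job: dump, archive, verify, copy off-site, then apply retention.
run_daily() {
  local site_root="$1" backup_dir="$2" remote="$3"
  local stamp tmp archive
  stamp=$(date +%Y%m%d)
  tmp=$(mktemp -d)
  dump_database "$site_root" "$tmp/db-$stamp.sql"
  archive=$(make_backup "$site_root" "$backup_dir" "$stamp" "$tmp/db-$stamp.sql")
  rm -rf "$tmp"
  verify_backup "$archive"
  rsync -a "$archive" "$archive.sha256" "$remote"     # off-site copy; target is assumed
  prune_backups "$backup_dir" 30
}

# Offline demonstration on a constructed site directory (no `wp` needed).
demo() {
  local t; t=$(mktemp -d)
  mkdir -p "$t/site/wp-content" && echo "<?php // placeholder" > "$t/site/index.php"
  for day in 20240101 20240102 20240103; do make_backup "$t/site" "$t/backups" "$day" >/dev/null; done
  prune_backups "$t/backups" 2
  ls "$t/backups"                       # the two newest archives and their checksums remain
  verify_backup "$t/backups/site-20240103.tar.gz" && echo "verify: ok"
  rm -rf "$t"
}

if [ $# -eq 3 ]; then run_daily "$@"; else demo; fi
```

Run it from cron as `backup.sh /var/www/site /var/backups/site user@backuphost:/backups/` (paths are examples); with no arguments it runs the offline demo. The checksum file is what makes the quarterly restore test meaningful: a restore from an archive that no longer matches its recorded hash should be treated as a failed test, not a lucky one.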
Step 2: Manage Core and Plugin Updates
WordPress core updates and plugin updates are the most visible maintenance task and the most commonly mishandled. The goal is to stay current without breaking the site.
WordPress core: minor releases (6.4.1 to 6.4.2) are maintenance and security releases, contain no new features, and should be applied within a week of release. WordPress installs them automatically by default; confirm that nothing in wp-config.php (for example AUTOMATIC_UPDATER_DISABLED, or WP_AUTO_UPDATE_CORE set to false) has switched this off. Major releases (6.4 to 6.5) can change behaviour that themes and plugins depend on and should be tested on staging first.
Plugins: update monthly at minimum. Before updating, check the plugin’s changelog for breaking changes. Update on staging first if you have a staging environment. If you do not, take a backup immediately before updating on production.
The update cadence: set a recurring calendar event, monthly for routine updates and immediate for security releases. Core security releases are announced on the WordPress.org news blog, and plugin vulnerabilities are published in the public WordPress vulnerability databases; someone should be subscribed to both for every site you run. A plugin with a publicly known vulnerability that sits unpatched for months is the most common entry point for WordPress compromises.
Remove plugins you are not using. Every installed plugin is attack surface. Deactivated plugins can still be exploited if they have vulnerabilities. If you are not using it, delete it.
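A WP-CLI-based triage for Step 2, added here as an example rather than taken from the page. It assumes WP-CLI is installed and run as the site's file owner, that the backup from Step 1 has already been taken before anything is applied, and it uses a small helper of my own, `release_kind`, to tell a minor release from a major one so that only minor core releases are applied without a staging pass.

```shell
#!/bin/sh
# Added example: update triage with WP-CLI. Assumes `wp` is installed and the
# script runs as the file owner of the site. Take a backup before apply_*.
set -eu

# Compare the major.minor branch of two version strings: same branch means a
# minor (maintenance/security) release, otherwise a major release.
release_kind() {
  local cur new
  cur=$(printf '%s' "$1" | cut -d. -f1,2)
  new=$(printf '%s' "$2" | cut -d. -f1,2)
  if [ "$cur" = "$new" ]; then echo minor; else echo major; fi
}

# Report what core would move to and whether that is safe to apply directly.
# When core is current, WP-CLI prints a "Success:" message instead of a
# version, so keep only lines that look like a version number.
core_plan() {
  local site="$1" cur new
  cur=$(wp --path="$site" core version)
  new=$(wp --path="$site" core check-update --field=version 2>/dev/null \
        | grep -E '^[0-9]+(\.[0-9]+)+$' | head -n 1 || true)
  if [ -z "$new" ]; then echo "core $cur: up to date"; return 0; fi
  case $(release_kind "$cur" "$new") in
    minor) echo "core $cur -> $new: minor release, apply within a week" ;;
    major) echo "core $cur -> $new: major release, test on staging first" ;;
  esac
}

# Plugins with an update available, with current and target versions, so the
# changelog can be checked for breaking changes before applying.
plugin_plan() {
  wp --path="$1" plugin list --update=available --fields=name,version,update_version --format=csv
}

# Installed but inactive plugins: attack surface with no benefit. List them
# so they can be removed with `wp plugin delete <name>`.
unused_plugins() {
  wp --path="$1" plugin list --status=inactive --field=name
}

# Apply a minor core release and all plugin updates (only after a backup).
apply_routine_updates() {
  local site="$1"
  wp --path="$site" core update --minor
  wp --path="$site" core update-db
  wp --path="$site" plugin update --all
}

if [ $# -eq 1 ]; then core_plan "$1"; plugin_plan "$1"; unused_plugins "$1"; fi
```

Running `updates.sh /var/www/site` (path is an example) prints the plan without changing anything; `apply_routine_updates` is deliberately not wired to the command line so that a major release can never be applied by accident from a cron job.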
Step 3: Monitor Performance
A WordPress site that loads in two seconds today may load in five seconds in six months if nobody is watching. Performance degrades gradually through database bloat, unoptimised images, accumulated post revisions, and plugin overhead.
Monitor three metrics:
- Page load time: use an external monitoring tool that loads your site from a real browser and measures how long it takes. Set an alert if load time exceeds three seconds.
- Server response time (TTFB): the time between the request and the first byte of the response. This measures server performance independent of page content. If TTFB increases, the issue is server-side — database queries, PHP processing, or hosting resource limits.
- Database size: WordPress databases grow over time with post revisions, transient data, and plugin-generated records. Monitor the size and clean periodically.
Schedule a quarterly performance check: load the site fresh, check the metrics, compare to previous quarters, and investigate any degradation. Most performance issues are gradual and invisible without measurement.
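A quarterly check for Step 3, added as an example that is not from the page. It measures time to first byte and total load time with curl, appends them to a plain-text history file, flags a regression against the first recorded sample using a tolerance you choose (50% here), and cleans the usual database bloat with WP-CLI. The history file layout, the tolerance, the WP-CLI path and the numbers in the demo are all assumptions.

```shell
#!/bin/sh
# Added example: performance measurement, baseline comparison and database
# cleanup. Assumptions: curl and WP-CLI are installed; the history file is a
# space-separated "stamp ttfb total" log owned by this script.
set -eu

# One external measurement: time to first byte and total time, in seconds.
# Take several samples in practice and use the median; one sample is noisy.
measure() {
  curl -sS -o /dev/null -w '%{time_starttransfer} %{time_total}\n' "$1"
}

# Append a sample line: "YYYYMMDD ttfb total".
append_sample() {
  local log="$1" stamp="$2" ttfb="$3" total="$4"
  echo "$stamp $ttfb $total" >> "$log"
}

# The baseline is the first recorded sample (the site as launched or last tuned).
baseline_of() {
  head -n 1 "$1"
}

# Returns 0 if current <= baseline * (1 + tolerance), 1 otherwise.
within_tolerance() {
  awk -v cur="$1" -v base="$2" -v tol="$3" 'BEGIN { exit (cur <= base * (1 + tol)) ? 0 : 1 }'
}

# Compare the latest sample against the baseline for both metrics.
# Prints one line per metric; returns 1 if either has regressed.
check_regression() {
  local log="$1" tol="$2" rc=0 base_ttfb base_total cur_ttfb cur_total
  set -- $(baseline_of "$log"); base_ttfb=$2; base_total=$3
  set -- $(tail -n 1 "$log");   cur_ttfb=$2;  cur_total=$3
  if within_tolerance "$cur_ttfb" "$base_ttfb" "$tol"; then echo "ttfb ok ($cur_ttfb vs baseline $base_ttfb)"
  else echo "ttfb REGRESSED ($cur_ttfb vs baseline $base_ttfb): server-side, check queries/PHP/host limits"; rc=1; fi
  if within_tolerance "$cur_total" "$base_total" "$tol"; then echo "total ok ($cur_total vs baseline $base_total)"
  else echo "total REGRESSED ($cur_total vs baseline $base_total): check page weight, images, plugin assets"; rc=1; fi
  return $rc
}

# Database cleanup with WP-CLI: expired transients, post revisions, then optimise.
db_cleanup() {
  local site="$1" ids
  wp --path="$site" db size --human-readable
  wp --path="$site" transient delete --expired
  ids=$(wp --path="$site" post list --post_type=revision --format=ids)
  if [ -n "$ids" ]; then wp --path="$site" post delete $ids --force; fi
  wp --path="$site" db optimize
  wp --path="$site" db size --human-readable
}

# Real run: measure, record, compare. Usage: perfcheck.sh https://example.com/ history.log
run_check() {
  local url="$1" log="$2" sample
  sample=$(measure "$url")
  append_sample "$log" "$(date +%Y%m%d)" $sample    # $sample is two fields: ttfb total
  check_regression "$log" 0.5
}

# Offline demonstration on constructed samples.
demo() {
  local log; log=$(mktemp)
  append_sample "$log" 20240101 0.40 1.90    # constructed baseline
  append_sample "$log" 20240401 0.42 2.05    # constructed: within tolerance
  append_sample "$log" 20240701 0.95 3.10    # constructed: regression
  check_regression "$log" 0.5 || echo "investigate before the next quarter"
  rm -f "$log"
}

if [ $# -eq 2 ]; then run_check "$1" "$2"; else demo; fi
```

Comparing against the first sample rather than the previous quarter is deliberate: a slow drift of 10% per quarter never trips a quarter-on-quarter check, but it does trip a check against the launch baseline.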
Step 4: Maintain Security Beyond Updates
Updates are the baseline, not the complete security picture. Additional ongoing security tasks:
- Review user accounts quarterly. Remove accounts for people who no longer need access and downgrade any account that holds more capability than its owner's job requires. Rotate admin passwords at least annually, immediately when anyone who knew them leaves, and on any suspicion of compromise; enable two-factor authentication on every administrator account.
- Check file permissions. WordPress files should be 644 and directories 755, with wp-config.php tightened to 600 (or 640 if the web server runs as a different user and must read it). Looser permissions let other processes or accounts on the host modify site code.
- Monitor for malware. Use a security plugin or external scanner that checks for known malware signatures and file modifications. Run scans weekly.
- Review login activity. Even without a security plugin, the web server access log records every POST to wp-login.php and xmlrpc.php. Review it monthly for unusual patterns: bursts of failed logins from a single address, brute-force attempts against xmlrpc.php, or successful logins at unusual times or from unexpected locations.
- Enforce strong passwords. If any admin account has a weak password, it is the single easiest attack vector. Enforce minimum password requirements.
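Two of the checks in Step 4 as an added shell example (not the page's own tooling): a permission audit that prints anything deviating from 644 for files and 755 for directories (600 or 640 for wp-config.php), and an access-log review that counts failed logins per source address and lists successful logins with their timestamps. It assumes an Apache/nginx combined-format access log; the log lines, addresses and the threshold in the demo are constructed.

```shell
#!/bin/sh
# Added example: permission audit and login review for a WordPress site.
# Assumptions: files 644, directories 755, wp-config.php 600/640; access log
# in Apache/nginx combined format. The sample log below is constructed.
set -eu

# Print every path whose mode deviates from the expected baseline.
audit_permissions() {
  local root="$1"
  find "$root" -type d ! -perm 755
  find "$root" -type f ! -name wp-config.php ! -perm 644
  find "$root" -maxdepth 1 -name wp-config.php ! -perm 600 ! -perm 640
}

# Failed logins per source address. WordPress answers a failed POST to
# wp-login.php with 200 (the form again) and a successful one with a 302
# redirect. Any POST to xmlrpc.php is counted too; it is the other
# brute-force target. Prints "ip count" for addresses at or above the
# threshold, most active first.
flag_brute_force() {
  local log="$1" threshold="$2"
  awk -v t="$threshold" '
    $6 == "\"POST" && (($7 ~ /\/wp-login\.php/ && $9 == "200") || $7 ~ /\/xmlrpc\.php/) { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
  ' "$log" | sort -k2,2nr
}

# Successful logins with their timestamp, for the "unusual time" review.
successful_logins() {
  awk '$6 == "\"POST" && $7 ~ /\/wp-login\.php/ && $9 == "302" { print $1, substr($4, 2) }' "$1"
}

# Constructed sample: five failed logins and an XML-RPC probe from one
# address, one failure then a success from another, plus ordinary traffic.
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [15/Jan/2024:02:41:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jan/2024:02:41:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jan/2024:02:41:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jan/2024:02:41:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jan/2024:02:41:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jan/2024:02:41:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.4 - - [15/Jan/2024:03:12:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Jan/2024:03:12:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Jan/2024:03:12:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Jan/2024:09:00:01 +0000] "GET / HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
EOF
}

# Offline demonstration on the constructed log.
demo() {
  local log; log=$(mktemp)
  sample_log > "$log"
  echo "addresses with 5 or more failures:"; flag_brute_force "$log" 5
  echo "successful logins:"; successful_logins "$log"
  rm -f "$log"
}

# Usage: seccheck.sh /var/www/site /var/log/nginx/access.log (paths are examples)
if [ $# -eq 2 ]; then audit_permissions "$1"; flag_brute_force "$2" 20; successful_logins "$2"; else demo; fi
```

A 03:12 success from an address that failed once a few seconds earlier is exactly the kind of line the monthly review is meant to surface; the script does not decide whether it is the site owner working late or an attacker, it only makes sure someone looks.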
Step 5: Set a Maintenance Calendar
Consolidate all maintenance tasks into a single calendar with defined frequencies:
| Task | Frequency |
|---|---|
| Backup verification (restore test) | Quarterly |
| WordPress core update | Within 1 week of release |
| Plugin updates | Monthly (immediate for security patches) |
| Performance check | Quarterly |
| Database cleanup | Quarterly |
| Security scan | Weekly (automated) |
| User account review | Quarterly |
| Full site health audit | Annually |
Assign each task to a specific person. Maintenance without ownership is maintenance that does not happen. If you use a support agency, confirm which tasks they handle and which are your responsibility. Assumptions about who is doing what are the most common cause of maintenance gaps.
Common Mistakes
- No backups, or backups on the same server. A backup that is destroyed alongside the site is not a backup. Store off-site and test regularly.
- Ignoring plugin updates for months. Every month of delay is a month where known vulnerabilities are exploitable. Monthly updates are the minimum.
- Keeping unused plugins installed. Deactivated plugins are still vulnerable. Delete what you do not use.
- No performance baseline. If you do not know how fast the site should load, you cannot detect degradation. Measure and record a baseline, then compare quarterly.
- Treating maintenance as optional during busy periods. Maintenance is cheapest when it is routine. A missed quarter of updates turns into a risky batch update that is more likely to break something.
What Good Looks Like
A well-maintained WordPress site looks like this: core and plugins are within one version of current. Backups run daily and have been verified within the last quarter. Performance metrics are stable or improving. Security scans run weekly with no unresolved findings. A maintenance calendar exists with named owners for every task, and every task is actually happening on schedule.
Next Steps
If WordPress maintenance is part of a broader security posture, How to Keep Your Systems Secure After Launch covers the wider security picture. For sites where performance has already degraded, Performance Optimisation is the service engagement for remediation. If you want maintenance handled for you, our Support Retainers include WordPress maintenance as a core offering.