WordPress is the most popular Content Management System, or CMS, with over half the CMS market. That’s a pretty good endorsement for it, but it also means it’s a bigger target for hackers. Because of this, updating your WordPress website is just as important for site functionality & security as updating your Windows computer.


WordPress Maintenance Schedule


  • Uptime monitoring
  • Full Backups
  • Security Scans
  • WordPress Updates


  • Comment Spam Cleanout
  • Database Optimization
  • 404 Checks
  • Speed Testing
  • Security Audit
  • Verify Website Email working
  • Verify contact forms working


  • Website Review
  • SSL Certificate check
  • Plugin/Theme Licenses
  • Content Review
  • PHP updates
  • Privacy Policy & Terms of Service
  • Verify all logins
  • Review Website Emergency Plan

A couple of additional items which are one-time items:

  • Website Copyright
  • 404 Page
  • Proper SEO tool setup

24/7 Uptime Monitoring

Your website needs to be up & running and available to your customers 24/7. The only way to know for certain if your website is up and running is to monitor it.

A simple way to monitor if your website is up & running is to use a monitoring service like Uptime Robot. Their basic free plan allows you to monitor your site at 5 minute intervals and have them email you if your website has a problem.

Full Backups

Your website is only as good as your latest backup. 

Website backups are probably the single most critical item for you to make sure is done. And not all hosting companies even offer backups, let alone handle them automatically or on demand. Some of the quality managed WordPress hosting companies do include regular backups with easy backup restore.

In addition to having your host backing up your website daily (and especially if your host doesn’t), you’ll want a 3rd party service that stores your backups off-site. UpdraftPlus is one plugin solution that will do this for you on a set schedule—  but they will not provide the storage for the backups. You’ll need something like Google Drive or Dropbox to store the files.


While Updraft can restore files from a backup under normal circumstances, there are times that isn’t possible. For those you’ll need an emergency plan and a WordPress professional who knows what they are doing to handle it.

Security Scans

Do you know if your website is has been hacked?

In a lot of cases when a website is hacked the hacker does NOT deface the website. In fact all they may do is add a small JS snippet to your website footer which only triggers on a small number of visitors. Why would they do this? Simple, they want the hack to go unnoticed for as long as possible, and they want to infect as many people as they can.

Sucuri has a free malware scanner which does a good job of detecting a number of types of malware, but it can’t detect everything (because it’s just scanning your website as a visitor would). Due to that, it’s important to have a website scanner with full access to your website scanning regularly.

And you don’t just want to scan for malware, you want to check for known vulnerabilities, blacklist status, website errors and out-of-date software. For this we recommend iThemes Security Pro.

WordPress Updates

There are three main areas that you need to check: 

  • plugins
  • WordPress version
  • themes

Most frequently, new versions will be available for your plugins.

When to Update

I generally recommend setting a time each week to check on your site. It’s kinda like taking out the trash, it doesn’t take long, and it prevents some smelly problems.

If weekly is really killing you, monthly works pretty well too for simple sites. Any less often than that and you’ll probably be forgetting too much of what goes on.

Before you Update

Before you update, you should always make sure that you have a backup of your website (and can restore it if needed). Rarely does anything go wrong, but better safe than sorry.

If this already is sounding daunting, check out our Maintenance services.


Some plugins (specifically those from 3rd parties like CodeCanyon and those acquired directly from a developer) will not show that they need updating in the main WP updates screen. For these plugins you will need to manually check their versions. I recommend that you keep of a list of all plugins that you didn’t get from the main WordPress repository, as those will need to be checked manually.

If you had a developer build you a site and they aren’t maintaining it for you, there are a couple of things you need to do:

  1. Check to see if there’s actually any security installed (hint: if there’s a user with the name “admin” your developer knew NOTHING about WP security), if not you’ll need to setup some security or get a maintenance plan with someone who actually cares about security.

  2. Go through every plugin and determine if it came from the WordPress repository or from a 3rd party (some developers are notorious for installing plugins with no license for getting them updated)

Updating from Plugins Screen

On the Plugins screen you will see a few pieces of information. First, at the top of the screen it will list how many updates are available. Then for each plugin which has a new version it will display a yellow notice. The notice will include a link to details regarding the new version and it will include a link to update the plugin now.

I frequently prefer to get the newest version of Plugins one at a time. So I click on the “update now” link for each plugin individually. This does take a little longer, but if something goes wrong, I know which plugin was the problem. If you only have one plugin which has a new version, this isn’t an issue.

Once you have selected a plugin to update, you will see an “Update Plugin” screen. This will tell you the steps as they happen. When updating an active plugin, you need to remain on this screen until you see both “Plugin updated successfully.” and “Plugin reactivated successfully.” Deactivated plugins will not display a “reactivated” message. If there is an error it will be displayed here.

Checking & Updating 3rd Party Plugins

Cautionary Tale: The best known example of a 3rd party plugin is Revolution Slider.

This is the #1 selling slider plugin and it’s very powerful. A lot of theme developers (you those thousands of themes you see on ThemeForest) use Revolution Slider in their themes since it’s so popular. However the downside is that when you get the plugin free with the theme, you don’t get updates (well you *may* with new theme versions, but no guarantees).

Revolution Slider, thanks to its popularity, has become a target of hackers. Especially since very few people ever update it. Basically this means that if a hacker can find a vulnerability with a version over a year old, they can still hack thousands of sites.

So, how do you check these plugins for updates?

Unfortunately, the old fashioned way. Manually.

Go to your plugins screen and look at the version number of the plugin. Then go to the developers site (or if no link is provided, google the plugin name, that typically gets you the developer within the first couple of hits) and check to see their current version. If you don’t see something obvious you can do a page search (Ctrl + F) for the word “version” or “revision”. Also you can look for “release notes”. Typically one of those will yield you the current version number.

Compare the current version you find on the developer site with what you have. If the developer lists a more recent version, you should probably update.

If it’s a premium plugin that came included with a theme, you can see if the theme has been updated and includes the most recent version for you (note that you may need to manually install that most recent version). If you don’t want the hassle of manual updating or you can’t find a recent copy of the plugin, you’ll need to purchase a license. For Revolution Slider that’s about $20.

If your premium plugin didn’t come with a theme (for example a developer included it as a “gift” without a license code), then you will probably need to purchase a license to get updates. Depending on what the plugin is that could be anywhere from $10 – $300 bucks. Some plugins even have licenses that expire annually (they are the gift which just keeps on giving).

Instructions for entering license codes vary by plugin, but I can’t think of a premium plugin from a reputable company that didn’t include directions on how to enter your license code. The good news is that once your code is entered, updates normally show up in the main WordPress updates screen.

WordPress Version

WordPress releases updates to the core WordPress files every few months and it is important to make these updates. As well as getting new features, updating your core files also means you get any new security patches.

When a new version of the core files is available, you will see a yellow notice at the top of your WordPress screen when you login. And this notice will continue to show up on many of the internal pages. All you need to do is click on the notice and you will taken through the steps to update. Remember to backup your database and files first.

Seriously, you need to back up both together. Some core updates upgrade your database, which means it could not be compatible with an older version of the core files.

Theme Version

Most theme authors provide new versions to their themes from time to time. Prior to installing these updates it is very important that you read the release information. Also make sure to check out a live preview of the updated theme, the developer may have made some significant visual changes. Depending on which files were changed, it may affect the settings and changes you have made to the theme.

If you (or your developer) have made changes to the theme files (they are supposed to be made in a child theme, but not everyone follow that guideline), all of those changes could be lost on updating to the new version. If you have made a lot of changes to your theme, it may not be in your best interests to update. However, if there have been significant updates for security holes, you need to look at how you can get those updates.

If your theme is a paid theme the update may or may not be included in the price that you paid (especially if the theme was included in a website built for you by a developer). In order to get the new version you may have to pay additional money (some are one time purchases, some are yearly subscriptions).

There are two ways to update to a new version of a theme. Some themes are housed in the main WordPress Themes Directory. These can be updated directly in WordPress with just a few clicks.

For themes acquired elsewhere, you will need to go to the author’s site (or your web designer) and get the theme there, then upload it to your site. This is sometimes not a straightforward process and you may need assistance with it. Good authors will provide detailed instructions.

Frequently paid themes will include API keys which once setup allow you to update the theme with just the click of a button.

Worry-Free WordPress Benefit: 24/7 Monitoring, Updates, Security Scans, and Backups

For clients who are signed up for our Worry-Free WordPress Care Plans we handle all of this. Your website is monitored 24/7 for uptime including monitoring your website’s SSL status. We also scan your website daily for known vulnerabilities, blacklist status, out-of-date software, and malware.

Comment Spam Cleanout

If you have a website that doesn’t need comments, then I recommend just disabling comments.

If you do want comments on your website, then you’ll need to setup a method to fight comment spam or you’ll end up with a significant spam problem which can even lead to your website getting blacklisted.

Database Optimization

Your website’s database can easily become filled with excess junk over time. Just like your desk if you don’t regularly clean it up. 

There are several ways you can clean out your website’s database.

  • Periodically cleaning your website database with a plugin like WP Optimize.
  • Periodically cleaning your website database with a service like ManageWP’s optimization widget to clean out spam, post revisions, and database overhead.
  • Periodically as part of your website speed optimization using a plugin like Breeze or WP Rocket.

404 Checks / Broken Link Fixes

Broken links are when you have a link that goes to a 404 not found page, or non-existent servers, etc. Basically, it’s a link that when you click it doesn’t go anywhere useful. Unfortunately, they are a nightmare to find without a broken link finding tool.

Google (and other search engines) really hate broken links. Too many broken links and you run the risk of losing your search engine rankings.

A tool like Dead Link Checker will analyze all the links on your site and give you a report of any failed tests. You can then go relink these items to relevant content.

Speed Testing

The faster your website loads, the happier your visitors and search engines will be with it. I recommend periodically checking your website’s loading time using services like Pingdom, GTmetrix, and Google’s PageSpeed Insights. I always recommend using several different services to check your website as they will vary in the data they report.

Your goal should be a website that normally loads in under 2 seconds. 

Security Audit

Periodically you should do a security audit of your website. 

  • Check the security logs of your security plugin
  • Review the settings of your security plugin
  • Review the users on your website to see if any need to be removed
  • Check your website’s blacklist status and website reputation with major anti-virus software vendors

Verify website email working

Let’s be honest, most people have no idea if their website email is working or if it has a good deliverability score.

The first thing you should do is give your email a test using a service like Mail Tester to see if your website is actually delivering email. If it’s not or it has a low deliverability score, then I recommend you check out my article on how to fix your website email for good.

Verify contact forms working

If you aren’t getting regular contact form submissions there could be three reasons:

  1. Form works fine, but no one is filling it out.
  2. Form is broken and you are missing form fills.
  3. Form is being filled out and you aren’t getting the emails.

First thing you should do is grab a device where you aren’t logged into your website (I like to grab my phone) and send yourself a contact form! I particularly like to use my phone (with wifi turned off) so that I can test to make sure that mobile works as well. If it fills and you get the contact form, then you’re good to go! If not, you’ll need to dig into it.

Second thing you should make sure is that contact forms are being stored to your website’s database. This can be using a plugin which stores it (like Gravity Forms, Forminator, Contact Form 7 Database Addon, etc) or with an SMTP plugin that stores all emails from your website. Personally, I like redundancy and storing it in both.

Third, if the forms are going through fine but you aren’t getting the email, read the above on testing and fixing your website email.

Website Review

At least once a year you should review your website’s plugins and themes to make sure that you still need all of it. 

Plugins get discontinued, and better plugins come out, and sometimes the functionality of a plugin even gets incorporated into the core of WordPress. It’s important to review all of your plugins to make sure they are still supported and their functionality is still needed.

SSL certificate check

Does your website have an SSL? If the answer is no, then you should get one. Many hosting companies offer a basic certificate for free, and Namecheap has very inexpensive ones ($5/year) if your hosting doesn’t provide them for free. Unless you are running a decent sized eCommerce business, there generally isn’t a reason to pay for more expensive SSLs.

If you do have an SSL, you should check to make sure it is configured properly using a service like Why No Padlock. You should also keep track of the renewal date and make sure that your hosting is either auto-renewing it or you are updating it at renewal time. There are also services which monitor your SSL for issues and send you alerts about upcoming renewals.

Plugin/Theme licenses

If you have any paid themes or plugins on your website (or third party scripts to paid services) then you’ll want to keep a spreadsheet of when those items come up for renewal and make sure that you have up to date licenses for them. Depending on the theme or plugin, it may or may NOT tell you when it needs to updated if it comes from a third party.

Worry-Free WordPress Benefit: Free Licenses

For clients who are signed up for our Worry-Free WordPress Care Plans we track their premium licenses and remind them about updates needed. We also provide free licenses for a number of popular WordPress plugins. In some cases, the amount of free licenses alone makes up the cost of the their Worry-Free WordPress care plan.

Content review

This is a bit like spring cleaning for your website. About once a year it’s a good practice to do a content review of your website. Go through all of your website’s content: blog posts, pages, and any other custom post types you have. Make sure that your content is still needed, and if it’s not, then remove it and set a 301 redirect to the appropriate location.

PHP Updates

PHP is the software that powers WordPress. Just like your operating system, PHP releases a new major version about every year, and with most hosting companies you need to either manually set your site to use the current version or you need to request your hosting update you to the new version.

Worry-Free WordPress Benefit: PHP checking

For clients who are signed up for our Worry-Free WordPress Care Plans we track PHP versions for all of our websites and either update it automatically for you; or instruct you on what you need to request of your hosting company.

Privacy policy & terms of service

Your website’s privacy policy should be reviewed and updated about once a year. We use and recommend Termly which has a free basic privacy policy to cover you for most cases and you can get an updated version of your policy annually to copy into your website. Take a look at our article on building your own privacy policy.

Verify all logins

Many people only try to login to their various service providers when there is a problem. Unfortunately, if they haven’t logged in lately, this can be a big problem. 

In fact, people have lost their entire domains (websites, email, everything) because they hadn’t logged in and updated their contact information. It took 75 days to get their domain back, and they were lucky to even get it back.

So, at least every year you should make sure to log into all of the following and make sure that all of your contact information is up to date:

  • Registrar – this is where you registered the domain. Make sure your account info (name, email, phone, credit card) is up to date as well as making sure that your domain registration info is up to date.
  • Nameservers – if this is different from your registrar
  • Website hosting – this is where your website is hosted
  • Email hosting – this is your admin login for your email hosting where you can manage email accounts, and update credit card info.
  • Any other domain related services you have

Review website emergency plan

We all hope that nothing goes wrong with a website, but sometimes things do go wrong. Sometimes it’s the white screen of death, sometimes it’s PHP errors, sometimes it’s plugins, sometimes it’s your website’s hosting itself. It’s important to have an emergency plan in place. 

For some things (like 503 errors) your hosting company can usually fix them. And depending on that company, that could be 5 minutes or a couple of days. But, for things like plugin errors, or software settings you are likely on your own for resolving them. That’s the time it pays to have a WordPress developer on retainer to turn to when things don’t go right. 

Website copyright

Many people don’t think about their website copyright info, but it’s important to have on your website. Your copyright info should consist of:

  • the copyright symbol ©, the word “Copyright”, or both
  • the year of publication – this can either be the current year for regularly updated websites or can be a year range (ie: original website launch year to current year)
  • the name of the copyright owner

A common example is: © 2020 Company Name. 

In fact, many WordPress themes automatically put in the copyright symbol, current year, and name of website.

404 Page

When a website visitor lands on a URL that doesn’t exist your 404 page is triggered. This could happen because you changed a URL or it could happen because they just made a typo. It’s important to have a 404 page that gives your website visitor somewhere to go so they don’t just leave.

Proper SEO tool setup

Many people just install an SEO tool and then forget about it, without ever configuring it properly. Mostly, because they don’t have any idea how to configure it properly. It’s important that you follow the directions for your SEO tool and get it configured properly the first time.

3 thoughts on “WordPress Website Care & Maintenance: How to Do-It-Yourself

Leave a Reply

Your email address will not be published. Required fields are marked *