WordPress Maintenance Checklist: 27 Tasks for Agencies (2026)

A 27-task WordPress maintenance checklist organised by frequency, written for agencies and freelancers running care plans at scale. Daily, weekly, monthly, quarterly, and yearly cadence updated for 2026.

Manuela Manevska

Key takeaways

  • WordPress maintenance is the recurring work of keeping core, plugins, themes, security, performance, and database operations updated and monitored across every site you run. Skip it and sites slow down, get hacked, drop in rankings, and eventually break.
  • The 27 tasks below are organized by cadence: 5 daily, 3 weekly, 7 monthly, 9 quarterly, and 3 yearly.
  • Agencies and freelancers running care plans at scale should automate the recurring work (uptime checks, vulnerability scans, backups, safe updates, client reports). Doing this manually across 20+ sites is the bottleneck most agencies hit.
  • This checklist is updated for 2026, including the WordPress 6.9 changes that landed in December 2025, current NIST password guidance, and the AI-driven attack surface that emerged through 2025.

If you manage WordPress sites for clients (one, ten, or three hundred), the cost of skipped maintenance lands on you, not the client. A missed plugin update becomes a vulnerability alert on Friday night. A stale backup becomes a four-hour restore that you cannot bill for. A neglected uptime monitor becomes the call from a client asking why their site has been down all afternoon.

This checklist exists because most “WordPress maintenance” advice is written for someone running one personal blog. The real operational question for agencies and freelancers is different: what do you do on every client site, how often, and what can you automate so you are not doing it by hand at 11pm?

Below are 27 tasks grouped by frequency: daily, weekly, monthly, quarterly, yearly.

Each one specifies what the task is, why it matters, and which infrastructure or platform makes it run without human attention. Make the checklist yours; the cadence below is a starting point, not a rulebook.

Why is WordPress Website Maintenance Important?

WordPress maintenance is the routine work of keeping core, plugins, themes, security, performance, and database operations updated and monitored across every site you run. Skipped maintenance compounds: performance degrades, vulnerabilities accumulate, search rankings slip, and at some point a site breaks in a way that costs you a full day to fix.

The underlying reason is that a WordPress site is not one product. It is a stack. Core, plugins, themes, hosting, and your client’s content were not designed to work together. They are kept compatible by people doing maintenance. When that work stops, the stack drifts apart.

For agencies and freelancers, the operational stakes are also reputational. Clients pay for care plans because they expect their site to stay up, stay fast, and stay safe. Demonstrating that work, through reports, uptime data, and vulnerability records, is the difference between a renewed contract and a churned one.

How often should each task run?

There is no universal answer, but most care-plan operators converge on this rough cadence:

  • Daily: uptime checks, automated backups, vulnerability scanning, AI-plugin auditing, attack-defence posture.
  • Weekly: WordPress core, plugin, and theme updates with rollback protection. Cache hygiene. Post-update version review.
  • Monthly: comment moderation, broken-link and 404 audits, unused-plugin cleanup, PageSpeed and Core Web Vitals review, PHP error inspection, form testing.
  • Quarterly: credentials and user audit, image alt-text review, premium licence checks, security log review, database optimisation, RSS health, media library cleanup, client maintenance reports.
  • Yearly: content audit and SEO review, backlink hygiene, copyright and About page review.

Sites with higher traffic or revenue exposure (WooCommerce, membership, lead-gen) compress this cadence. A site with one form submission a week and 200 visitors a month tolerates a looser rhythm. The key principle: vulnerability scanning and backups are non-negotiable daily; everything else flexes with site value.

The 27-task WordPress maintenance checklist

Plugins, themes, and WordPress core should be updated as soon as patches are released, especially if a known vulnerability exists. Everything else below is about catching what those updates do not address.

Daily WordPress maintenance tasks

1. Check uptime

A site that is down is a site losing revenue, search ranking, and client trust. User experience and SEO ranking both suffer from unresponsive sites, and you only know about an outage as fast as your monitoring tells you.

Set up automated uptime monitoring with email and Slack alerts. WP Umbrella runs continuous uptime checks (1–60 minute intervals) from EU, US East, US West, Asia, and Australia, so a regional outage at your monitoring location does not produce a false positive. For a deeper walkthrough, see our WordPress uptime monitoring guide. Hyperping is a standalone alternative if you only need single-purpose uptime monitoring.

2. Back up every site (off-site)

Daily off-site backups are the single most important task on this list. A backup stored on the same server as the site is not a backup; it is a copy that dies with the host. A WordPress backup must include both the files (wp-content, themes, plugins, uploads) and the database, and it must be restorable in one click when a client calls panicking.

Several backup plugins are available, but pick one that is actively maintained, supports PHP 8.4+, and stores backups off-site:

  • UpdraftPlus is widely used; the free tier supports cloud destinations (S3, Google Drive, Dropbox) and the plugin remains actively maintained.
  • BackWPup is a solid free option with cloud destinations supported.
  • Duplicator combines backup with migration capability, useful when you also move sites between hosts.
  • WP Umbrella ships incremental encrypted backups (files plus database), 50-day retention, GDPR-compliant EU storage, and one-click restore, designed for agencies running backups across many client sites from one dashboard.

A previously popular option, BackUpWordPress, has not received updates for over a year and reports PHP 8.4 compatibility failures. Avoid recommending it to clients. If you want the manual fallback for one-off cases, our guide to backing up WordPress without a plugin walks through the SFTP and phpMyAdmin path.

3. Run vulnerability scanning

Vulnerability scanning is what catches the plugin or theme that becomes exploitable between scheduled updates. Modern WordPress vulnerability scanners check installed components against a CVE-tracked database and surface anything that needs patching now rather than next week.

Three categories of tool serve this task:

  • Continuous infrastructure scanning runs every few hours across every site you manage, independent of the site itself. WP Umbrella checks every 6 hours against the Patchstack vulnerability database, ranks by CVE severity, and surfaces what is exploitable today.
  • Endpoint firewall plugins like Wordfence and Sucuri install on the site and combine scanning with a WAF and malware detection. They are single-site oriented and harder to operate at portfolio scale. Our WordPress security plugins comparison goes deeper on the trade-offs.
  • Vulnerability database services like Patchstack are the underlying database many of the above use, and are available directly via their own platform with virtual patching as an add-on.

A quick agency-fit comparison of the vulnerability-scanning options worth considering in 2026:

Tool | Free tier | Core feature | Agency fit
WP Umbrella | 14-day trial, all features | Continuous Patchstack-integrated vulnerability scanning across every client site, central dashboard | Built for managing a portfolio of sites
Patchstack | Limited free tier | Vulnerability database plus virtual patching add-on | Strong for CVE-driven workflows
Wordfence | Free firewall and scanner | Endpoint firewall, malware scanner, threat feed | Best for single high-value sites
Sucuri | Paid only | Off-site WAF and reactive cleanup service | Useful as incident-response layer

4. Audit AI plugins and AI-generated code

AI plugins are now widespread on WordPress sites: chatbots, content generators, code assistants. They tend to require more elevated permissions than traditional plugins, often touching the database or admin area, and their attack surface is different in kind.

The pattern is real. In 2025, the AI Engine plugin (versions 2.8.0 to 2.8.3) shipped with a missing capability check on its MCP function, letting authenticated subscriber-level users run wp_create_user, wp_update_user, wp_update_option and several other privileged operations: full privilege escalation from a low-rights account. The vulnerability is tracked as CVE-2025-5071 and was disclosed via the GitHub Advisory Database.

For every AI plugin on a client site, check:

  • It comes from a known developer and is actively maintained (not a one-month-old fork).
  • It has not had unpatched critical CVEs in the last 12 months.
  • Its declared permissions match what the site actually needs.

If you have added AI-generated custom code to a site, route it through a human review before it touches production.
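As an added example (not code from WP Umbrella or any plugin named here), the script below checks plugin inventories from several sites against the affected version range quoted above. It assumes each inventory is the JSON printed by WP-CLI's `wp plugin list --format=json`, that the plugin's slug is `ai-engine`, and it uses constructed site names and inventories.

```python
import json
import re

# Advisory data from the article: AI Engine 2.8.0 to 2.8.3, CVE-2025-5071.
# The slug "ai-engine" is an assumption about how WP-CLI names the plugin.
ADVISORIES = [
    {"slug": "ai-engine", "cve": "CVE-2025-5071",
     "first_affected": "2.8.0", "last_affected": "2.8.3"},
]

def parse_version(text, width=4):
    """Turn '2.8.3' or '2.8.3-beta1' into a fixed-width tuple of ints."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    parts = parts[:width]
    # Pad so that '2.8' and '2.8.0' compare as equal.
    return tuple(parts + [0] * (width - len(parts)))

def audit_site(site, plugin_list_json):
    """Return one finding per installed plugin inside an affected range."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        installed = parse_version(plugin.get("version", ""))
        for adv in ADVISORIES:
            if plugin.get("name") != adv["slug"]:
                continue
            low = parse_version(adv["first_affected"])
            high = parse_version(adv["last_affected"])
            if low <= installed <= high:
                findings.append({
                    "site": site,
                    "plugin": adv["slug"],
                    "version": plugin["version"],
                    # Reported so inactive copies are not overlooked.
                    "status": plugin.get("status", "unknown"),
                    "cve": adv["cve"],
                })
    return findings

def audit_portfolio(inventories):
    """inventories maps site name -> JSON text of that site's plugin list."""
    findings = []
    for site in sorted(inventories):
        findings.extend(audit_site(site, inventories[site]))
    return findings

# Constructed inventories for three hypothetical client sites.
SAMPLE_INVENTORY = {
    "client-a.example": json.dumps([
        {"name": "ai-engine", "status": "active", "version": "2.8.2"},
        {"name": "akismet", "status": "active", "version": "5.3"},
    ]),
    "client-b.example": json.dumps([
        {"name": "ai-engine", "status": "inactive", "version": "2.8.0"},
    ]),
    "client-c.example": json.dumps([
        {"name": "ai-engine", "status": "active", "version": "2.8.4"},
    ]),
}

if __name__ == "__main__":
    for finding in audit_portfolio(SAMPLE_INVENTORY):
        print("{site}: {plugin} {version} ({status}) is in the range "
              "affected by {cve}".format(**finding))
```

The inactive copy on the second site is reported as well, so it can be updated or deleted rather than forgotten.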

5. Maintain defence against AI-assisted attacks

The attack surface that emerged through 2025 is genuinely different. AI-driven botnets now bypass legacy CAPTCHAs, rotate through residential proxy networks, generate context-aware phishing comments that slip past spam filters, and rewrite XSS payloads until they evade WAF rules. Malware families like Parrot TDS detect AI training crawlers and serve them clean content while continuing to exploit human visitors.

The scale is the part that surprises agency operators when they see the numbers. Wordfence’s network alone blocks over 6.4 billion brute force attempts per month plus 55 million exploit attempts, and that is one vendor’s slice of the traffic.

Defence posture for 2026 client sites:

  • Two-factor authentication on every admin account; passkey login where the setup supports it.
  • Behaviour-based rate limiting rather than IP-based blocking alone (residential proxies sidestep IP rules).
  • An auto-updating vulnerability scanner that catches the AI-plugin patches as soon as they ship.
  • A WAF, either endpoint (Wordfence, Sucuri) or off-site (Cloudflare, Sucuri cloud).
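To illustrate the rate-limiting point in the list above, this added example (not taken from any of the tools named) runs the same sliding-window failure count twice over constructed login events, once keyed on source IP and once keyed on the targeted account. Counting per account is only one possible behaviour signal; the window length and threshold are assumptions.

```python
from collections import defaultdict, deque, namedtuple

LoginEvent = namedtuple("LoginEvent", "ts ip username success")

WINDOW_SECONDS = 300  # assumed sliding window
MAX_FAILURES = 5      # assumed threshold, used for both rules

def flag_by(events, field, limit=MAX_FAILURES, window=WINDOW_SECONDS):
    """Return the values of `field` ('ip' or 'username') that collect more
    than `limit` failed logins inside any window of `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.success:
            continue
        key = getattr(ev, field)
        queue = recent[key]
        queue.append(ev.ts)
        # Drop failures that have aged out of the window.
        while ev.ts - queue[0] > window:
            queue.popleft()
        if len(queue) > limit:
            flagged.add(key)
    return flagged

def build_sample_events():
    """Constructed events; addresses come from documentation ranges."""
    events = []
    # Distributed guessing: 12 failures on one account, each from a new address.
    for i in range(12):
        events.append(LoginEvent(i * 20, f"203.0.113.{i + 1}", "admin", False))
    # Ordinary user: two typos, then a successful login from one address.
    events.append(LoginEvent(500, "192.0.2.10", "editor", False))
    events.append(LoginEvent(510, "192.0.2.10", "editor", False))
    events.append(LoginEvent(520, "192.0.2.10", "editor", True))
    # Single noisy source: 8 failures from one address across usernames.
    for i in range(8):
        events.append(LoginEvent(1000 + i * 10, "198.51.100.7", f"user{i}", False))
    return events

if __name__ == "__main__":
    sample = build_sample_events()
    print("flagged by source IP:", sorted(flag_by(sample, "ip")))
    print("flagged by account:  ", sorted(flag_by(sample, "username")))
```

The per-IP rule catches only the single noisy address, while the per-account rule catches the attempts spread across twelve addresses; neither flags the user who mistyped twice.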

Weekly WordPress maintenance tasks

6. Update WordPress, plugins, and themes with rollback

Update WordPress core, plugins, and themes as patches are released. The risk is that any update can break a site, which is why doing this across a portfolio without rollback protection is dangerous.

When you trigger an update in WP Umbrella, the platform monitors the update process and automatically rolls back the plugin to its previous version if the update breaks the site. This is the difference between updating 50 sites in one batch and updating 50 sites in 50 careful steps.

7. Empty the cache

Caching makes WordPress fast by serving static versions of posts and pages rather than rebuilding each page from the MySQL database on every request. After plugin updates, theme changes, or significant content edits, stale cache can mask new behaviour. Flush the cache and re-test.

8. Review version-specific changes after a WordPress core update

Major WordPress releases ship behaviour changes that can affect sites even when the visible UI looks identical. After every core update, check what changed under the hood.

WordPress 6.8 introduced speculative loading, which pre-loads pages in the background when a visitor hovers over a link. It makes sites feel faster but can conflict with some caching plugins or add unexpected server load. After updating, test that speculative loading and your caching layer are not fighting each other.

WordPress 6.9 (released December 2, 2025) added two features worth watching on client sites:

  • Notes lets editors and admins leave comments directly on blocks inside the editor, with reply, resolve, and email-notification support. Useful for editorial workflows. They can pile up like comment spam if nobody cleans them up.
  • Hidden blocks lets any block be hidden from the front end without deleting it. Handy for seasonal content and drafts, easy to forget. Spot-check client sites for old promotional banners or stale content sitting invisible in pages.

WordPress 6.9 also ships beta support for PHP 8.5 and 8.4. Most hosting environments are not yet on PHP 8.5; the practical floor for client sites is PHP 8.2.

Monthly WordPress maintenance tasks

9. Moderate comments

Akismet catches the bulk of WordPress comment spam, but it occasionally marks legitimate comments as spam. Once a month, scan the spam queue for false positives. A missed customer question or a real testimonial slipping into the spam bin is worse than the spam itself.

10. Audit broken links and broken images

External sites disappear. Pages move. Image URLs change when hosting reshuffles. The result is broken outbound links and missing media that quietly erode user experience and SEO.

Run a broken-link checker monthly across every client site. WP Umbrella offers continuous broken-link monitoring that works across a portfolio of sites.

Replace broken outbound links with current sources or remove them entirely. For missing internal media, usually caused by URL changes or media-library cleanups gone wrong, restore the original file or update the reference.

11. Remove unused themes and plugins

Unused themes and plugins are still attack surface. Many of the most widely exploited WordPress vulnerabilities live in plugins that the site owner forgot were installed. Deactivating is not enough; delete what you do not use. Performance benefits are a secondary gain.

12. Review PageSpeed and Core Web Vitals

A one-off PageSpeed test every few months is not enough. Performance degrades gradually as content and plugins accumulate, and the right cadence is continuous monitoring with a monthly review of trend lines.

Google evaluates sites on three Core Web Vitals: LCP (how fast the main content loads, ≤2.5s target), INP (how quickly the site responds to clicks and taps, ≤200ms target), and CLS (whether the page layout shifts during load, ≤0.1 target). These directly affect rankings.

Two distinctions to keep in mind:

  • Lab vs field data. PageSpeed Insights runs a simulated test (lab data). Google Search Console reports what real visitors experience (field data). Compare both.
  • TTFB matters separately. A slow Time to First Byte usually means hosting or database issues; no amount of front-end optimisation will fix it.

If you have updated to WordPress 6.8 or 6.9, re-run performance tests after clearing the cache. Speculative loading interactions with caching are still being shaken out.

13. Audit 404 errors

404 errors are a normal byproduct of the web. Users mistype URLs, old pages get removed, search engines hold stale references. They become a problem when 404s pile up for pages that should exist or should redirect somewhere.

The fastest 404 audit: open Google Search Console, navigate to the Pages report, filter for “Not found (404)” status, and export the URL list. For URLs that should resolve, set up a 301 redirect to the current equivalent. For URLs that should not exist (deleted content, abandoned sections), let them 404 cleanly. There is no need to redirect every stale URL to the homepage.

14. Catch and resolve PHP errors

Poorly written plugins and themes generate PHP errors. Most are minor (deprecation warnings or notice-level issues), but they slow the site down, fill logs, and occasionally reveal information attackers can use.

On a single site, enable WP_DEBUG and WP_DEBUG_LOG to log errors to wp-content/debug.log, then disable debug mode afterward. Our WP_DEBUG and WP_DEBUG_LOG guide covers the wp-config.php constants and common gotchas.
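Once wp-content/debug.log has collected entries, they need triage. The following added example (not from the original page or from WordPress) groups log entries by plugin or theme and by severity, using constructed log lines in PHP's usual error-log format; the plugin and theme names are hypothetical.

```python
import re
from collections import Counter

# Header line of a PHP error as written to the log; stack-trace lines
# that follow a fatal error do not match and are skipped.
LINE_RE = re.compile(
    r"^\[(?P<when>[^\]]+)\] PHP "
    r"(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated):\s+"
    r"(?P<message>.*?) in (?P<file>/\S+?)(?: on line |:)(?P<line>\d+)"
)
COMPONENT_RE = re.compile(r"/wp-content/(plugins|themes)/([^/]+)/")
SEVERITY = ["Fatal error", "Parse error", "Warning", "Notice", "Deprecated"]

def triage(log_text):
    """Count log entries per (component, severity level)."""
    counts = Counter()
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw)
        if not match:
            continue
        comp = COMPONENT_RE.search(match.group("file"))
        component = (f"{comp.group(1)}/{comp.group(2)}"
                     if comp else "core-or-other")
        counts[(component, match.group("level"))] += 1
    return counts

def worst_first(counts):
    """Order entries by severity, then by how often they occur."""
    return sorted(
        counts.items(),
        key=lambda kv: (SEVERITY.index(kv[0][1]), -kv[1], kv[0][0]),
    )

# Constructed sample; paths and component names are hypothetical.
SAMPLE_LOG = """\
[12-Mar-2026 10:15:02 UTC] PHP Deprecated:  Creation of dynamic property Foo::$bar is deprecated in /var/www/html/wp-content/plugins/example-slider/inc/class-foo.php on line 41
[12-Mar-2026 10:15:09 UTC] PHP Deprecated:  Creation of dynamic property Foo::$bar is deprecated in /var/www/html/wp-content/plugins/example-slider/inc/class-foo.php on line 41
[12-Mar-2026 10:16:40 UTC] PHP Warning:  Undefined array key "id" in /var/www/html/wp-content/themes/example-theme/functions.php on line 88
[12-Mar-2026 10:17:05 UTC] PHP Fatal error:  Uncaught Error: Call to undefined function example_helper() in /var/www/html/wp-content/plugins/example-forms/form.php:17
Stack trace:
#0 /var/www/html/wp-settings.php(522): include_once()
[12-Mar-2026 10:18:11 UTC] PHP Notice:  Constructed notice text in /var/www/html/wp-includes/functions.php on line 6121
"""

if __name__ == "__main__":
    for (component, level), count in worst_first(triage(SAMPLE_LOG)):
        print(f"{level:12} {count:3}  {component}")
```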

For agencies running care plans across many sites, real-time PHP error monitoring is the operational fix. WP Umbrella surfaces PHP errors across every client site as they happen, so you find out before the client does.

15. Test contact forms

Form builders like WPForms make it easy to ship professional contact forms, but those forms can silently stop delivering when SMTP credentials drift, hosting changes affect outbound mail, or the email provider tightens deliverability rules. Send a test submission to every form on every client site monthly. Better still: configure a transactional email service (Postmark, SendGrid, Mailgun) so deliverability is independent of your hosting provider.

Quarterly WordPress maintenance tasks

16. Audit credentials and access

Strong, unique passwords on every account: WordPress admin, FTP/SFTP, database, hosting control panel. Use a password manager so every account gets its own credential.

Current guidance is the part most maintenance checklists get wrong. NIST SP 800-63B Rev 4, finalised July 2025 and replacing the prior guidance, explicitly tells systems not to force periodic password rotation. Forced rotation produced a predictable pattern (Spring2024! becomes Summer2024! becomes Autumn2024!), and that pattern was easier to attack than long unchanged passwords. The current standard:

  • Minimum 15 characters when a password is the only authenticator.
  • No mandatory complexity rules (no required mixes of upper/lower/special).
  • Rotate on evidence of compromise, on staff departure, or after a security incident — not on a schedule.

Combine this with two-factor authentication on every admin account, or passkey-based login where setup supports it.

17. Remove unnecessary WordPress users

Quarterly, audit the user list on every client site. Remove accounts for departed staff, former contractors, and anyone who no longer needs admin access. Demote rather than delete where audit history matters. Stale admin accounts with weak passwords are a recurring root cause of compromised sites.

18. Check image alt text

Alt text describes images for screen readers and contributes to SEO. Every image on a client site should have a descriptive alt attribute. Most SEO plugins, such as Yoast, SEOPress, or Rank Math, now include this feature.

19. Check premium licence expiry

Premium plugins and themes typically run on yearly licences. When a licence lapses, the plugin keeps running but stops receiving security updates, which is the most dangerous state for any WordPress component. Quarterly, audit licence expiry dates across every site and renew or replace anything within 30 days of expiry. WP Umbrella’s changelog and licence-expiry monitoring tracks this automatically per site.

20. Review the security activity log

A site-level activity log records significant events: user logins, plugin activations, file changes, role changes, password resets. When something goes wrong, the log is the difference between “we don’t know what happened” and a forensic timeline you can show a client.

WP Activity Log (previously WP Security Audit Log, renamed by Melapress) is the standard free plugin for this. WP Umbrella records activity at the platform level across every client site, useful when you need a portfolio-wide view rather than per-site logs.

21. Optimise the WordPress database

WordPress stores everything in a MySQL database, and over time it accumulates rows you do not need: spam comments, post revisions, expired transients, orphaned metadata, log entries from plugins long since removed. The database keeps working but gets slower as it grows.

Quarterly, run a database cleanup. WP-Optimize is the actively maintained free option and handles spam comments, revisions, transients, and table optimisation in one pass. For sites under heavy plugin churn, occasional manual review in phpMyAdmin (or your hosting control panel’s database tool) catches orphaned tables that automated cleanup misses.

22. Check RSS feed health

RSS feeds are dated as a primary distribution channel but still drive subscribers, syndication, and platform integrations (newsletter tools, podcast aggregators, federated readers). Quarterly, validate that the feed at /feed/ parses cleanly and contains current posts. Plugins that touch the loop can quietly break feeds without producing visible errors.

23. Clean the media library

A long-running site accumulates images that are no longer used in any post or page: old hero images, replaced product photos, A/B tested variants. They take up server storage and clutter the library. Quarterly, audit unused media and remove what is genuinely orphaned. Compress the remaining media with Imagify or Smush; modern formats (WebP, AVIF) cut payload weight significantly.

24. Send maintenance reports to clients

If you run care plans, send a monthly maintenance report to every client. The report is what converts background work into visible value, and visible value is what renews contracts. A good report covers updates shipped, uptime numbers, security checks completed, performance trend, and any custom work that quarter. Our guide to selling WordPress maintenance plans goes deeper on the commercial side.

WP Umbrella generates white-label maintenance reports automatically from the platform’s monitoring data, with agency branding (name, logo, colours, domain) and 50+ customisable variables. Schedule them to send the first of each month and the work proves itself.

Yearly WordPress maintenance tasks

25. Audit content and SEO

Once a year, run a content audit against Google Analytics and Google Search Console data. The pattern to look for: pages with high impressions but low CTR (CTR-fix candidates), pages with high traffic but low engagement (intent-mismatch candidates), and pages that have decayed in position over time (refresh candidates).

Update the highest-leverage pages, refresh publication dates where the content has changed, and prune content that no longer serves a purpose.

26. Audit backlink profile (edge case)

Google has de-emphasised the disavow tool since 2020. Most algorithmically-detected spammy links are now ignored automatically rather than requiring manual disavow. For most sites this task is no longer worth doing yearly.

Run it when one of the following is true: you have inherited a site with a known toxic backlink profile, you have received a manual action notice in Search Console, or you can identify aggressive negative-SEO campaigns run against the site. Otherwise, leave the backlink profile alone. Disavowing legitimate links is more damaging than leaving spam ones in place.

27. Review the About and copyright pages

Once a year, walk the About page and any copyright notices to make sure they reflect reality: current team, current year, current legal entity. For copyright year, automate it with a PHP snippet so it never goes stale:

<?php echo date("Y"); ?>

FAQs about WordPress Website Maintenance

How often should I do WordPress maintenance?

Some tasks are daily (uptime, backups, vulnerability scanning), some are weekly (updates), some are monthly (PageSpeed, broken-link audits, contact form tests), some are quarterly or yearly (credential review, content audit). The 27 tasks in this checklist are grouped by cadence. Start with the daily tier and work outward.

How long does it take to maintain WordPress sites?

On a single site, the recurring work is roughly one hour per week if the daily tier is automated and weekly tasks are batched. Across a portfolio of 50 to 500 client sites it is a full-time role unless you run the work through a care-plan platform, which is the difference between maintenance being a viable agency offering and a margin-killer.

Is WordPress maintenance mandatory?

Yes. Skipping it produces predictable outcomes: site slows down, vulnerabilities accumulate, rankings drop, and eventually something breaks badly. The only question is whether the maintenance is structured or reactive.

What are the best tools to maintain WordPress sites?

For agencies and freelancers: WP Umbrella for the platform layer (uptime, backups, safe updates, vulnerability scanning, client reports), WP Rocket or LiteSpeed Cache for performance, Imagify for image optimisation, and Patchstack or Wordfence for additional security depth. The right answer depends on portfolio size: a freelancer with 5 sites uses a different stack than an agency with 300.

Do I still need maintenance if I am on managed WordPress hosting?

Yes. Managed hosting handles server-side updates, basic caching, and some security, but it does not handle plugin-level vulnerabilities, content audits, client reporting, or business-side maintenance tasks. Managed hosting is part of the stack, not the whole thing.

What is WordPress maintenance mode?

Maintenance mode displays a temporary “we’ll be back soon” page to visitors while you work on the site, so they see a clean status page instead of a half-rendered site. WP Maintenance Mode and SeedProd are the two common free plugins. For one-off maintenance windows the built-in .maintenance file produced by WordPress during core/plugin updates is usually enough.

Automating WordPress Maintenance

Keeping WordPress sites in good shape across a client portfolio does not have to be stressful. It is timely updates, dependable backups, regular performance checks, and visible client reporting, and most of it can be automated.

This checklist is a starting point. Make the cadence your own: a WooCommerce site needs hourly backups and weekly performance review; a static brochure site tolerates a looser rhythm. The goal is not to do every task on every site at the same frequency. The goal is to have a system that does the routine work automatically and surfaces the exceptions you actually need to look at.

That is what WP Umbrella is for. The platform automates uptime monitoring, vulnerability scanning, safe updates with rollback, incremental backups, PHP error tracking, and white-label client reporting across every site you manage, from one dashboard, at a flat per-site price, with no per-seat fees. Start a free 14-day trial (no credit card required), or see how WP Umbrella compares against ManageWP, MainWP, and the rest if you are still evaluating.