WordPress Maintenance Checklist: What I Do Every Month for 40+ Client Sites

I will let you in on something embarrassing. Three years ago, I had a maintenance client — a real estate agency in Makati — whose site got hacked. Not because they were a high-profile target. Because I forgot to update a plugin for six weeks. Six. Weeks. The attacker used a known vulnerability in an outdated contact form plugin and injected pharmacy ads into every page. It took me four hours to clean it up. The client was understanding, but I felt like an idiot.

That day, I created a maintenance checklist. And I have stuck to it ever since. Here is exactly what I do, every single month, for every site I manage.

1. Update Everything (But Not Blindly)

Plugin updates come out constantly. Some fix security holes. Others break things. My rule: wait 48 hours after a major plugin release, check the support forums for panic threads, then update on a staging copy first. If staging survives, I push to production.

For security patches though? No waiting. I update immediately. A zero-day vulnerability does not care about your staging schedule.

2. Clean the Database

WordPress databases get bloated. Post revisions, spam comments, transients that never expired, orphaned metadata. I use WP-Optimize or run a manual cleanup script. On one e-commerce site, I removed 18,000 old cart sessions and the database shrank by 40%. The site felt noticeably faster after that.

3. Test the Backup

Everyone says they have backups. Hardly anyone tests them. I restore a random backup once a quarter. If it does not restore cleanly, the backup system is broken. Period. I use UpdraftPlus for most sites, but the principle applies to any system: untested backups are Schrödinger's backups. They both exist and do not exist until you try.

4. Check Uptime and Performance

I have UptimeRobot pinging every site every five minutes. If a site goes down, I know in five minutes, not five hours. I also run a quick PageSpeed Insights check monthly. If scores dropped since last month, something changed — new plugin, theme update, bloated content — and I investigate.

5. Review User Accounts

This one is boring but critical. I check who has admin access. Remove ex-employees, contractors who finished their project, and that intern from 2022 who still has an account for some reason. I also enforce two-factor authentication everywhere. No exceptions.

6. Scan for Malware and Vulnerabilities

I run a security scan with Wordfence or Sucuri. Most months it comes back clean. The months it does not? I am glad I checked. One time, a scan found a backdoor in a pirated theme a client installed without telling me. Lesson learned: always scan, even when you trust the site owner.

7. Content and SEO Health Check

Broken links annoy users and hurt SEO. I run Broken Link Checker (or Screaming Frog for larger sites) and fix anything dead. I also check Google Search Console for crawl errors, manual actions, or mobile usability issues.

8. SSL Certificate Renewal

If you are not using Let's Encrypt with auto-renewal, set a calendar reminder for your SSL expiry. I have seen sites go down because a cert expired on a Sunday and nobody noticed until Monday. It takes two minutes to check. Do it.
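For a portfolio of sites, the two-minute check can be scripted. The following is an added example, not code from the original post: it does a verified TLS handshake against each hostname and sorts the results most-urgent-first. The 21-day threshold and the script name in the usage comment are assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 21  # assumed renewal threshold; pick what suits your process


def days_until_expiry(not_after, now=None):
    """Whole days left, given the 'notAfter' string from getpeercert()."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days


def classify(days_left, warn_days=WARN_DAYS):
    return "RENEW SOON" if days_left <= warn_days else "OK"


def fetch_not_after(host, port=443, timeout=10):
    """Do a verified TLS handshake and return the certificate's notAfter field."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_sites(hosts, fetch=fetch_not_after, now=None):
    """Return (host, days_left, status) tuples, most urgent first."""
    report = []
    for host in hosts:
        try:
            days = days_until_expiry(fetch(host), now)
            report.append((host, days, classify(days)))
        except (ssl.SSLError, OSError) as exc:
            # An already-expired or mismatched cert fails verification and lands
            # here, as does a site that is down: all need a human to look.
            report.append((host, None, "CHECK FAILED: " + type(exc).__name__))
    return sorted(report, key=lambda r: (r[1] is not None, r[1] or 0))


if __name__ == "__main__":
    # Usage: python cert_check.py client-one.example client-two.example
    for host, days, status in check_sites(sys.argv[1:]):
        print(f"{host:35} {'-' if days is None else days:>5}  {status}")
```

Run it from cron or a scheduled job so the check happens even on the Sunday nobody is looking.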

What Happens If You Skip Maintenance?

Your site does not explode immediately. It degrades slowly. Updates pile up. Backups silently fail. Performance drifts. Then one day, a plugin conflict crashes your checkout page on Black Friday. Or a hacker defaces your homepage right before a product launch.

Maintenance is not sexy. But it is what keeps your business alive online. If you are running a WordPress site and do not have a monthly routine, steal this one. Modify it. Make it yours. But do not skip it.

And if you are a business owner who would rather focus on your actual business than babysit a website — well, that is exactly what I do for my monthly maintenance clients. I handle the boring stuff so they do not have to.
