WordPress is not a set-and-forget platform. Without regular maintenance, plugins become outdated vulnerabilities, databases bloat, backups go missing, and site speed degrades. This monthly checklist covers every task that should be performed on a WordPress site each month.
How Long This Takes
For a typical small business WordPress site, this full checklist takes 45-90 minutes per month if you know what you are doing. Outsourcing this to a professional costs £120–200/month — less than 2 hours of a UK developer's time.
Security Tasks (Monthly)
- Update WordPress core — check Dashboard → Updates. Never skip core updates.
- Update all plugins — review each update's changelog before applying, especially for major version changes
- Update all themes — including inactive themes (they are still executable code)
- Run a malware scan — use Wordfence or Sucuri Scanner. Review and clear any warnings
- Review admin user list — check for any unfamiliar accounts created since last month
- Check failed login attempts — in Wordfence, review any login attack patterns and block repeat offenders
Backup Tasks (Monthly)
- Verify backups are running — check UpdraftPlus or your backup plugin log. Confirm the last backup completed successfully
- Check backup destination — log into your Google Drive or Dropbox and confirm backup files are actually there
- Test restore quarterly — once every 3 months, do a test restore to a staging environment to verify backups work
Performance Tasks (Monthly)
- Run PageSpeed Insights — record your score each month. A declining score signals something changed
- Optimise database — use WP-Optimize to clean post revisions, spam comments, transients, and orphaned data
- Check for broken links — use Broken Link Checker plugin or an online tool. Broken links hurt SEO and user experience
- Review Core Web Vitals — in Google Search Console, check the Core Web Vitals report for any newly flagged pages
Content & Functionality Tasks (Monthly)
- Test all forms — submit your contact form and confirm you receive the email. This is the most commonly broken thing on small business sites
- Check SSL certificate expiry — verify the certificate is valid and not expiring within 30 days
- Review 404 errors — in Google Search Console, check Coverage → Errors for 404s that should not be there
- Check Google Search Console for new issues — new security alerts, manual actions, or crawl errors
- Confirm uptime monitoring is active — verify UptimeRobot or similar is still monitoring and alerts are going to the right email
Quarterly Tasks (Every 3 Months)
- Full site speed audit with GTmetrix
- Review and remove unused plugins and themes
- Check hosting account disk usage — an unexpectedly full disk is often a sign of spam or malware
- Review and rotate server and database passwords
- Test site on multiple browsers and devices
The most skipped task: Testing the contact form. Over 30% of small business websites have a broken contact form that the owner does not know about — meaning they are losing enquiries silently every single month.
Related Reading
- WordPress Security Checklist: 15 Things Before Launch — foundational security before maintenance begins
- Why Is My Website Slow? — maintenance tasks that directly address speed
Let Us Handle Your Monthly WordPress Maintenance
NextCode Solutions offers fixed-price monthly maintenance retainers. We handle the full checklist above, plus send you a monthly report of everything done.
View Maintenance Plans