WordPress Maintenance Checklist: Everything You Need to Do Every Month

A WordPress site that runs itself is a myth. Without regular maintenance, even a well-built site will accumulate outdated software, unverified backups, security gaps, and performance problems — often without any visible warning signs. This WordPress maintenance checklist covers every task that needs attention each month, so nothing important gets missed.

Whether you manage a single site or a portfolio of client sites, use this checklist as your baseline. Skipping even one category can leave a site vulnerable or slow.

1. Core, Plugin, and Theme Updates

Software updates are the single most impactful thing you can do for a WordPress site's security and stability. Most successful attacks exploit known vulnerabilities in outdated plugins or themes — vulnerabilities that were already patched in newer versions.

What to do every month

  • Update WordPress core to the latest stable release.
  • Update all active plugins. Check changelogs for breaking changes before updating on production.
  • Update all active themes, including the parent theme if using a child theme.
  • Deactivate and delete plugins that are no longer in use. Inactive plugins are still a risk if they contain vulnerabilities.
  • Check for plugins that have been abandoned by their developers (no updates in over 12 months) and find alternatives.

Best practice: Test updates on a staging environment before pushing to production. A single incompatible plugin update can break a live site.

2. Backups

Backups are your last line of defense. They are only useful if they are current, complete, and actually restorable. Many site owners discover their backup system was broken only after they need it.

Monthly backup tasks

  • Verify that automated backups are running on schedule. Check the last successful backup timestamp.
  • Confirm backups include both the database and all site files.
  • Test a restore on a staging environment at least once a quarter to confirm backup integrity.
  • Ensure backups are stored off-site — not only on the same server as the site.
  • Review your backup retention policy. Keeping at least 30 days of daily backups is a reasonable minimum.

Recommended frequency: Daily automated backups with manual verification monthly.
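The schedule, completeness, and retention checks from the list above can be scripted. This is an added example, not code from the original article; the function name `audit_backups`, the file naming scheme (`<site>-YYYYMMDD-db.sql.gz` and `<site>-YYYYMMDD-files.tar.gz`), and the thresholds are all assumptions to adapt to your own backup tool.

```python
import re
from datetime import datetime, timedelta
from pathlib import Path

# Assumed (hypothetical) naming scheme, one pair of archives per day:
#   <site>-YYYYMMDD-db.sql.gz  and  <site>-YYYYMMDD-files.tar.gz
NAME_RE = re.compile(r"^.+-(\d{8})-(db\.sql|files\.tar)\.gz$")
PARTS = ("db.sql", "files.tar")


def audit_backups(backup_dir, today, max_age_days=1, retention_days=30):
    """Return a list of findings; an empty list means every check passed."""
    sets = {}  # backup date -> {part name: size in bytes}
    for f in Path(backup_dir).iterdir():
        m = NAME_RE.match(f.name)
        if m and f.is_file():
            day = datetime.strptime(m.group(1), "%Y%m%d").date()
            sets.setdefault(day, {})[m.group(2)] = f.stat().st_size
    if not sets:
        return ["no backups found"]

    findings = []
    newest = max(sets)
    age = (today - newest).days
    if age > max_age_days:  # the schedule has silently stopped
        findings.append(f"newest backup is {age} days old")

    # Each day's set must contain a non-empty database dump AND file archive.
    for day in sorted(sets):
        for part in PARTS:
            if part not in sets[day]:
                findings.append(f"{day}: missing {part} archive")
            elif sets[day][part] == 0:
                findings.append(f"{day}: {part} archive is empty")

    # Retention: count days without any backup in the window ending at newest.
    window = [newest - timedelta(days=i) for i in range(retention_days)]
    gaps = [d for d in window if d not in sets]
    if gaps:
        findings.append(f"{len(gaps)} of last {retention_days} days have no backup")
    return findings
```

A clean result only shows that the archives exist on schedule; the quarterly restore test and the off-site copy still have to be confirmed separately.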

3. Security Check

Security is not a one-time setup. Threats evolve continuously, and a secure site today can be compromised tomorrow if monitoring lapses.

Security tasks for each monthly cycle

  • Run a malware scan using a tool like Wordfence, Sucuri, or MalCare. Review and resolve any flagged files.
  • Check the WordPress admin user list. Remove any accounts that should not exist.
  • Review login activity for unusual access patterns — failed logins, unexpected IPs, off-hours access.
  • Ensure login protection is in place: two-factor authentication, login attempt limits, or both.
  • Verify that the site is running on HTTPS with a valid, non-expired SSL certificate.
  • Check that the WordPress database prefix has been changed from the default wp_.
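The login activity review from the list above can be run over the web server's access log. This is an added example, not code from the original article; it assumes combined log format and WordPress's default behaviour where a failed `POST /wp-login.php` returns 200 and a successful one redirects with 302. The function name `review_logins`, the thresholds, the working hours, and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in combined log format (documentation-range IPs, not real traffic).
REQ = '"{} /wp-login.php HTTP/1.1" {} 4312 "-" "-"'
SAMPLE_LOG = "\n".join(
    [f"203.0.113.7 - - [12/Mar/2024:02:14:{s:02d} +0000] " + REQ.format("POST", 200)
     for s in range(6)]
    + ["192.0.2.10 - - [12/Mar/2024:10:04:58 +0000] " + REQ.format("GET", 200),
       "192.0.2.10 - - [12/Mar/2024:10:05:00 +0000] " + REQ.format("POST", 302),
       "198.51.100.99 - - [12/Mar/2024:03:12:44 +0000] " + REQ.format("POST", 302)]
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def review_logins(log_text, known_ips=frozenset(), fail_threshold=5, work_hours=(7, 20)):
    """Return ({ip: failed login count}, [(ip, timestamp, reasons)])."""
    failures = Counter()
    suspicious = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # only form submissions are login attempts
        if m["path"].split("?")[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["status"] == "200":    # login form re-rendered: attempt failed
            failures[m["ip"]] += 1
        elif m["status"] == "302":  # redirect after login: attempt succeeded
            reasons = []
            if m["ip"] not in known_ips:
                reasons.append("unexpected IP")
            # Hour is taken in the log's own timezone offset.
            if not work_hours[0] <= ts.hour < work_hours[1]:
                reasons.append("off-hours")
            if reasons:
                suspicious.append((m["ip"], ts.isoformat(), reasons))
    noisy = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return noisy, suspicious
```

Security plugins or custom login URLs can change the paths and status codes, so confirm the convention against a known failed and a known successful login on the site before relying on the counts.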

4. Performance Review

Page speed affects both user experience and search rankings. Performance degrades gradually as content grows and plugins accumulate, which makes monthly checks essential.

What to measure and optimize

  • Run a speed test using Google PageSpeed Insights or GTmetrix. Track the score over time to spot regressions.
  • Check Core Web Vitals: Largest Contentful Paint (LCP), Cumulative Layout Shift (CLS), and Interaction to Next Paint (INP).
  • Verify that caching is active and functioning correctly. Clear the cache after updates, then confirm it rebuilds.
  • Review image sizes. Large uncompressed images are one of the most common performance killers.
  • Confirm that a CDN is in use if the site has visitors from multiple geographic regions.

5. Database Cleanup

The WordPress database accumulates bloat over time: post revisions, spam comments, transients, and orphaned metadata. A bloated database slows down queries and inflates backup sizes.

Monthly database tasks

  • Delete post revisions beyond a reasonable limit (e.g., keep the last 5 per post).
  • Remove spam and trash comments.
  • Clear expired transients from the options table.
  • Run a database optimization to defragment tables.

Note: Always take a full database backup before running optimization or cleanup operations.

6. Monthly Maintenance Report

A maintenance report creates accountability and a paper trail. It documents what was done, what was found, and what action was taken.

What a monthly report should include

  • Summary of all updates applied (core, plugins, themes) with version numbers.
  • Backup status confirmation and storage location.
  • Security scan results and any issues resolved.
  • Performance score before and after any optimization work.
  • Uptime summary for the month.
