MonitorMojo Blog

Website Maintenance Checklist: What to Review Every Month

July 2025 · 8 min read

A website maintenance checklist creates consistency in what gets reviewed and when. Without a defined checklist, maintenance tends to be reactive — fixing problems when they occur — or incomplete, covering some areas but missing others because nobody thought to check. A good maintenance checklist is short enough to follow consistently and comprehensive enough to catch the issues that create real problems for clients and businesses.

Software and plugin updates

Keeping CMS software, themes, and plugins current is one of the most impactful maintenance tasks for security. The majority of WordPress site compromises occur through outdated plugins with known vulnerabilities. Running updates regularly — and testing that the site still works correctly after each update — is essential.

Before running updates, document the current version of the CMS and all major plugins so you have a reference point if an update causes issues. Test major updates on a staging environment before applying them to the production site where possible.

After updates, run a website health check to confirm the site is still reachable, HTTPS is active, and response time has not degraded significantly. Updates — particularly major version changes — can affect server configuration, security headers, and caching behavior.

  • Is the CMS (WordPress, Drupal, etc.) on the latest stable release?
  • Are all active plugins updated to their current versions?
  • Are themes (active and inactive) updated?
  • Has PHP version compatibility been verified for the current server?
  • Have updates been tested on staging before production deployment where possible?

Backups

Backups are the safety net for everything else on the maintenance checklist. If a plugin update breaks the site, a malware infection corrupts files, or a hosting incident destroys data, a recent backup is what enables recovery. The backup is only as good as the last verified restore test.

Check that automated backups are running and completing successfully. Verify the retention period — how many backup copies are stored and for how long. Confirm that backups are stored in a location separate from the primary hosting environment so a hosting incident does not also destroy the backups.

For agency clients, document the backup schedule, storage location, and retention period in the care plan records. Know how to initiate a restore and how long it would take — before you need to do it under pressure.

  • Are automated backups configured and running successfully?
  • When was the last successful backup completed?
  • Are backups stored in a separate location from the hosting environment?
  • How long is the backup retention period?
  • Has a restore been tested recently to confirm backups are usable?

SSL certificates and domain renewals

SSL certificates and domain registrations are the two renewal deadlines most commonly missed in website maintenance workflows. Both require proactive tracking because the consequences of missing them are immediate and complete: browsers display a full-page warning that blocks visitors from sites with expired certificates, and an expired domain takes the site and email offline simultaneously.

Include the certificate expiry date and the domain registration expiry date in your monthly maintenance review. If either is within 45 days, initiate the renewal process immediately — do not wait for the auto-renewal reminder that may or may not reach the right person.

For domains and certificates managed by the client (rather than the agency), verify that the client has active access to the registrar account and the email address on file for renewal notifications. This is a care plan administration task that is easy to skip but important to maintain.

  • When does the SSL certificate expire?
  • Is SSL auto-renewal configured and working?
  • When does the domain registration expire?
  • Is the domain registrar email address current?
  • Are there any subdomains with separate SSL certificates to check?
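
The 45-day rule above can be applied to a whole client record in one pass. The following is an added example, not MonitorMojo code: the record layout, host names, and dates are constructed sample values, and fetch_cert_expiry is the only part that touches the network.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEWAL_WINDOW_DAYS = 45  # threshold from the checklist text


def parse_not_after(not_after: str) -> datetime:
    """Convert the 'notAfter' string from ssl.getpeercert() to a UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def fetch_cert_expiry(host: str, port: int = 443, timeout: float = 10.0) -> datetime:
    """Live lookup. Validation stays on, so an already-expired certificate
    raises ssl.SSLCertVerificationError instead of returning a date."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return parse_not_after(tls.getpeercert()["notAfter"])


def renewal_review(records, today):
    """Return (days_left, name, kind, status) tuples, most urgent first."""
    findings = []
    for rec in records:
        days_left = (rec["expiry"] - today).days
        if days_left < 0:
            status = "EXPIRED"
        elif days_left <= RENEWAL_WINDOW_DAYS:
            status = "RENEW NOW"
        else:
            status = "ok"
        findings.append((days_left, rec["name"], rec["kind"], status))
    return sorted(findings)


# Constructed client record: dates are sample values, not real expiries.
SAMPLE_RECORDS = [
    {"name": "example.com", "kind": "certificate", "expiry": parse_not_after("Aug 20 12:00:00 2025 GMT")},
    {"name": "shop.example.com", "kind": "certificate", "expiry": parse_not_after("Jul 01 12:00:00 2025 GMT")},
    {"name": "example.com", "kind": "domain", "expiry": datetime(2026, 3, 1, tzinfo=timezone.utc)},
]
SAMPLE_TODAY = datetime(2025, 7, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for days_left, name, kind, status in renewal_review(SAMPLE_RECORDS, SAMPLE_TODAY):
        print(f"{status:10} {kind:12} {name:20} {days_left:4d} days")
```

Domain expiry dates still come from the registrar or the client record; only the certificate date can be read from the site itself.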

Security review

A monthly security review does not need to be exhaustive. The goal is to check for common signs of compromise and verify that basic security configuration is in place. Check admin user accounts: are there accounts that should no longer have access? Check file permissions if you have server access. Review login activity for unusual patterns.

Run a security header check to confirm that key browser protections are still in place. Security headers are commonly lost after plugin updates or configuration changes and may not be noticed unless specifically checked.

For WordPress sites, check whether security plugins are active and their scans are completing. Review whether the site is behind a web application firewall and whether that protection is still configured correctly.

  • Are all active admin users still authorized to have access?
  • Are security headers present (HSTS, X-Frame-Options, X-Content-Type-Options)?
  • Is the login page protected against brute force attempts?
  • Is there any unusual activity in error or access logs?
  • Are security plugin scans completing without critical alerts?
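
Because headers tend to disappear silently after updates, the useful check is a comparison against last month's result rather than a one-off presence test. This is an added example, not MonitorMojo code: both response heads are constructed samples, and the validity rules are a minimal assumption for the three headers the checklist names.

```python
import re


def hsts_ok(value: str) -> bool:
    # max-age=0 tells browsers to drop HSTS, so treat it as not protective.
    m = re.search(r'max-age="?(\d+)', value, re.IGNORECASE)
    return m is not None and int(m.group(1)) > 0


# The three headers named in the checklist, each with a minimal validity test.
REQUIRED = {
    "strict-transport-security": hsts_ok,
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
}


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response head into {lowercased-name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_headers(headers: dict) -> dict:
    """Map each required header to 'ok', 'invalid' or 'missing'."""
    return {
        name: "missing" if name not in headers
        else ("ok" if valid(headers[name]) else "invalid")
        for name, valid in REQUIRED.items()
    }


def regressions(previous: dict, current: dict) -> list:
    """Headers that were 'ok' at the last review and are not now."""
    return sorted(n for n in REQUIRED if previous.get(n) == "ok" and current.get(n) != "ok")


# Constructed responses: last month's capture and one taken after a plugin update.
LAST_MONTH = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
"""
THIS_MONTH = "HTTP/1.1 200 OK\nX-Frame-Options: ALLOWALL\nX-Content-Type-Options: nosniff\n"
```

Storing the check_headers result in the maintenance log each month gives regressions its baseline for the next review.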

Performance check

Performance is part of website health, not just visitor experience. A site that is consistently slow may indicate a resource problem that will eventually lead to more serious issues: a hosting plan that has been outgrown, a database growing too large, or a plugin consuming excessive memory.

Run a response time check and compare it to previous months. If response time has increased significantly without a clear explanation, investigate: check for new plugins, recent content volume increases, or changes in traffic patterns.

Review caching configuration if the site has caching set up. Caching plugins and CDN configurations can change after updates or migrations, and a cache that has been inadvertently disabled can significantly affect response time.

  • Is server response time within the expected range for this site?
  • Has response time changed compared to previous months?
  • Is caching configured and working correctly?
  • Is the database within a manageable size for the hosting plan?
  • Is there any image or media content that could be better optimized?

Client reporting

The maintenance checklist is also the basis for the monthly client report. Every item on the checklist corresponds to something the client is paying for as part of their care plan. Summarizing what was reviewed, what was found, and what was addressed gives the client visibility into the service they are receiving.

Not every client needs the same level of detail. Technical clients may want to see specific version numbers, backup counts, and response time data. Non-technical clients want to know: is my site healthy, are you watching it, and did anything need to be fixed this month.

Sending the report consistently — even in months where everything is healthy — reinforces the value of the care plan. A report that says 'everything checked out healthy this month and your SSL certificate is valid through next April' is still a valuable communication.

  • Has the maintenance log been updated with this month's work?
  • Has the client received a health summary for the month?
  • Are any open items from last month resolved or documented as in-progress?
  • Is the SSL expiry date current in the client record?
  • Is the domain expiry date current in the client record?

Frequently Asked Questions

How long does a monthly website maintenance review take?

For a single site, a thorough maintenance review using this checklist typically takes one to two hours, including running updates, checking backups, running a health check, and preparing the client report summary. For a portfolio of sites on a consistent schedule, the per-site time decreases as the process becomes familiar.

Should I use the same checklist for all clients?

The core items — SSL, domain, backups, updates, health check — apply to most websites. Adjust for each client's specific setup: the plugins they use, their hosting environment, their security requirements, and what their care plan covers. A base checklist with client-specific additions is more useful than a single rigid list.

What if I find a security issue during the monthly review?

Assess severity first. A single outdated plugin with no known active exploits is different from evidence of compromise or a critical vulnerability. For non-urgent issues, address them within the current maintenance period. For urgent security issues, prioritize them immediately and communicate with the client about what was found and what is being done.

Can I automate any of this checklist?

Some items can be automated or scheduled: plugin updates (though manual review of major updates is recommended), backups, and certain security scans. Website health checks can be run on a scheduled basis and the results reviewed in batch. The client report is still a manual step, but the data that populates it can come from automated sources.

What tools should I use alongside MonitorMojo for a complete maintenance workflow?

A complete maintenance workflow typically involves: a WordPress management tool for updates and backups (ManageWP, WP Umbrella, or similar), a password manager for client credentials, a simple document or CRM for client records and renewal dates, and MonitorMojo for the website health check layer. Together, these cover the core maintenance workflow without unnecessary complexity.