WordPress Website Maintenance Checklist for Small Businesses

Content Team |
WordPress Website Maintenance Checklist for Small Businesses

Most small business WordPress sites get neglected between launches. The designer finishes, hands over the login credentials, and the owner visits once a month to post something new. Meanwhile, plugin updates pile up, the database bloats, the contact form stops delivering emails, and one morning the site returns a blank screen or a "critical error" message.

This checklist is for small business owners and their assistants who manage their own WordPress site without a dedicated developer on call. It is organized by frequency: weekly tasks that take 15 to 30 minutes, monthly tasks that take 1 to 2 hours, and quarterly tasks that take a half day. Run each cadence on a fixed schedule, and most WordPress problems become preventable rather than recoverable.

Quick Answer

For a small business WordPress site, the minimum viable maintenance schedule looks like this:

Cadence Time needed Core tasks
Weekly 15-30 min Verify backup ran, install plugin/theme updates, test your key business form or booking flow
Monthly 1-2 hr WordPress core update, security scan, user audit, performance test, broken links, database cleanup, content review
Quarterly 3-4 hr Full restore test, credential rotation, plugin audit, hosting plan review, login hardening check

If your site takes bookings or processes payments, the weekly business-flow test is the most important item on this list. One broken booking form can mean dozens of missed appointments before anyone calls to ask why they never got a confirmation.

Weekly Checklist (15-30 minutes)

1. Confirm the backup ran

Why it matters for your business: Automated backups fail silently. You only discover a missing backup after a security incident or a failed update. At that point, losing a week of orders, bookings, or contacts feels both avoidable and expensive.

What to check:

  • Open your backup plugin dashboard (UpdraftPlus, BlogVault, WPvivid, or your host's backup panel).
  • Confirm the most recent automated backup completed without errors.
  • Confirm backup files are stored off-site: a cloud destination such as Google Drive, Dropbox, S3, or Backblaze. A backup stored only on the same server as the site does not protect you from server failure or account suspension.

Red flag: Last successful backup was more than 48 hours ago, or the log shows a failed job.

2. Install available plugin and theme updates

Why it matters for your business: A common source of WordPress site compromises is unpatched plugins or themes rather than WordPress core. Keeping plugins current is one of the highest-leverage security actions you can take as a non-technical site owner.

What to check:

  • Log into WP Admin and open Dashboard → Updates.
  • Install all available plugin and theme updates.
  • If a plugin shows a major version bump (for example, 4.x → 5.0), read the changelog before clicking Update. Major versions can rename settings, change integrations, or require manual configuration steps.
  • After updating, open the home page, a blog post, and your most important form or checkout page. Confirm they load and behave correctly.

Red flag: Any plugin flagged as having a known vulnerability in your security plugin's audit, or any plugin that has not received an update in more than 12 months.

3. Test your most important business flow

Why it matters for your business: Forms, booking systems, and checkout pages break silently after plugin updates, server configuration changes, or email service key expirations. Visitors keep trying to submit. Emails keep not arriving. Bookings keep getting lost. You do not find out until a client mentions it.

What to check:

  • Contact form: submit a test entry. Confirm the email arrives in the correct inbox within five minutes.
  • Booking system: make a test appointment using a secondary test email account. Confirm the confirmation email fires, the calendar entry is created, and the staff notification arrives.
  • WooCommerce checkout: place a test order in your payment gateway's test or sandbox mode. Confirm the order confirmation email and the admin notification both arrive.

Red flag: The form submits without an error on screen, but no email arrives. The booking confirmation fires but the calendar entry does not appear.

4. Review WordPress Site Health

Why it matters for your business: WordPress has a built-in diagnostic screen at Tools → Site Health that flags critical server and configuration issues before they cause visible problems. Most small business site owners have never opened it.

What to check:

  • Open Tools → Site Health.
  • Any item listed as "Critical" should be resolved the same day. These typically include outdated PHP versions, missing HTTPS, or plugin conflicts.
  • "Recommended" items can wait for the next monthly session but should not be left accumulating.

Red flag: Any "Critical" issue, especially those involving PHP version, HTTPS configuration, or inactive plugins holding the site back.

5. Check uptime monitor status

Why it matters for your business: If your site goes down, you want to know within minutes, not when a client calls. Uptime monitoring is the cheapest business continuity tool available, and several offer a free tier adequate for small business sites.

What to check:

  • Log into your uptime monitor (UptimeRobot has a free plan; BetterStack and Pingdom offer paid options with more check frequency and regions).
  • Confirm all monitored URLs are green.
  • Review the weekly summary email if your monitor provides one.

Red flag: Any outage longer than five minutes in the last seven days, even if the site is currently up.

Monthly Checklist (1-2 hours)

1. Verify a backup is actually restorable

Why it matters for your business: A backup file you have never tested is a hypothesis. Backup jobs can complete without errors but produce archives that are corrupted, incomplete, or stored in a format that cannot be restored under pressure.

What to check:

  • Once a month, download your latest backup archive.
  • Restore it to a staging site, a local WordPress environment, or a temporary server instance.
  • Open the front page and the WP admin. If both load and function correctly, your backup is real.
  • For plugin comparisons and off-site storage options, see FS Code's roundup of the best WordPress backup plugins.

Red flag: The restore fails, the restored site throws database errors, or the admin is inaccessible after restore.

2. Update WordPress core

Why it matters for your business: WordPress core updates include security patches, PHP compatibility fixes, and performance improvements. A version left behind for more than a month can have known exploitable vulnerabilities that automated scanners actively probe for.

What to check:

  • Dashboard → Updates. Install the latest stable WordPress core release.
  • If you have a staging environment, apply the update there first. Run the weekly flow tests (contact form, booking, checkout) before promoting to production.
  • If you do not have staging, take a fresh manual backup immediately before updating core.
  • After the update, confirm your admin works, pages render correctly, and key plugins are still functioning.

Red flag: Running a WordPress version more than one or two minor releases behind the current stable.

3. Run a security scan and review the activity log

Why it matters for your business: Malware on WordPress sites can sit dormant for weeks, harvesting contact data, sending spam from your domain, or quietly redirecting visitors to phishing pages. A monthly scan catches infections while they are still early.

What to check:

  • Run a full malware scan from your security plugin. Options include Wordfence, Solid Security (formerly iThemes Security), MalCare, Sucuri SiteCheck, and Jetpack Scan. For a comparison, see FS Code's guide to the best free WordPress security plugins.
  • Review the activity log: failed login attempts, blocked IPs, unexpected file changes outside of update windows.
  • Confirm your SSL/TLS certificate is valid and not expiring within the next 30 days.

Red flag: Any malware detected, unusual spikes in failed logins, or SSL expiry within 30 days.

4. Audit user accounts

Why it matters for your business: Inactive Administrator accounts are one of the most common and most avoidable WordPress security risks for small businesses. Former staff, ex-contractors, and test accounts with admin access represent real exposure.

What to check:

  • Users → All Users. Review every account with Editor or Administrator access.
  • Remove or downgrade any account belonging to someone no longer working on the site.
  • Confirm every Administrator account has two-factor authentication (2FA) enabled.
  • Confirm the Administration Email Address under Settings → General is a mailbox you actively monitor. WordPress sends recovery and security alerts to that address.

Red flag: Any active admin account belonging to someone no longer with the business.

5. Run a performance pass

Why it matters for your business: Slow pages lose visitors before they book or buy. Google's Core Web Vitals affect search rankings, and a significant share of small business visitors arrive on mobile rather than desktop, where performance gaps tend to be largest.

What to check:

  • Test the home page and a key services or booking page through Google PageSpeed Insights (pagespeed.web.dev).
  • Record the mobile score. Below 50 on mobile is a priority issue; below 70 should be on your radar.
  • Identify the top two issues flagged (usually image weight, render-blocking JavaScript, or slow Time to First Byte).
  • For plugin-based solutions in the speed category, see FS Code's list of free WordPress speed plugins.

Red flag: Mobile PageSpeed score below 50, LCP above 4 seconds on mobile, or Core Web Vitals showing "Poor" in Google Search Console.

6. Check for broken links

Why it matters for your business: A broken link to your services page or booking form means a lost lead. Broken external links frustrate visitors. Both accumulate silently every time you change a slug, delete a post, or link to an external page that disappears.

What to check:

  • Google Search Console → Pages report. Look for 404 errors on your own URLs. These are pages Google tried to crawl and found missing.
  • For a deeper internal sweep, use Ahrefs Webmaster Tools (free tier covers up to a few hundred pages) or the Broken Link Checker plugin.
  • For each broken URL: set a 301 redirect if the page moved to a new address, or remove the broken link if the destination no longer exists. Do not blanket-redirect all 404s to your homepage. Google treats those as soft 404s, which is worse than a clean 404.

Red flag: 404 errors on high-value pages such as your services page, booking page, or most-linked blog posts.

7. Clean the database

Why it matters for your business: Post revisions, expired transients, trashed posts, and spam comments accumulate in the database over time. The bloat slows down every query, including form submissions and admin page loads.

What to check:

  • Use WP-Optimize, Advanced Database Cleaner, or WP-Sweep (all have free tiers) to delete: post revisions beyond the last five per post, expired transients, trashed posts, and spam comment rows.
  • Optimize tables after cleanup (equivalent to defragmenting the table structure).
  • If admin pages are noticeably slower than front-end pages, check the wp_options table for oversized autoloaded data left behind by uninstalled plugins.

Red flag: WP admin responding significantly slower than the front end, or database size increasing rapidly month over month without a corresponding growth in content.

8. Review content performance

Why it matters for your business: Service pages and blog posts that generated leads last year can drift out of relevance without editorial attention. Outdated claims, stale pricing references, or broken examples erode both user trust and search rankings.

What to check:

  • Google Search Console → Performance. Filter to the last 28 days. Sort by Clicks descending. Identify the top three pages with the largest click drop versus the prior period.
  • Open each page and look for what changed: outdated dates, broken external links, missing or stale information, poor mobile formatting.
  • Fix the issues you find. Refreshing three pages per month compounds significantly over a year.
  • For a more structural SEO review, work through our WordPress SEO audit checklist.

Red flag: Key service or booking pages dropping 20 percent or more in clicks with no obvious external cause.

Quarterly Checklist (3-4 hours)

1. Run a full disaster-recovery restore test

Why it matters for your business: You will not have time to figure out the restore process while your site is down and clients cannot book or buy. A quarterly drill means you know the process, know roughly how long it takes, and know your backup is actually usable.

What to check:

  • Spin up a staging environment or a temporary local WordPress install from scratch.
  • Restore from the latest backup using only what you would have in a real emergency. Time the process.
  • Confirm the site, WP admin, database, and all major pages load and function correctly.
  • Document the restore steps so any team member could follow them.

Red flag: Restore fails at any step, takes more than two hours, requires specialist help you would not have in an emergency, or produces a site that looks wrong.

2. Rotate credentials

Why it matters for your business: Passwords and API keys age. Former contractors, expired tokens, and credentials reused across services create risk that is invisible until it is not.

What to check:

  • Change: the WordPress admin password, hosting control panel password, sFTP or SSH credentials, and the WordPress database password (DB_PASSWORD in wp-config.php).
  • Regenerate WordPress secret keys and salts. Get fresh values from https://api.wordpress.org/secret-key/1.1/salt/ and replace the corresponding lines in wp-config.php. This silently logs out all active sessions, which is the point.
  • Update API keys with publish-level access: email marketing platforms, payment gateways, social scheduling tools.
  • Store all new credentials in a password manager (Bitwarden, 1Password, or similar). Do not reuse passwords across services.

Red flag: Any credential unchanged for more than a year, or any credential still accessible to a former contractor or employee.

3. Audit installed plugins and themes

Why it matters for your business: WordPress sites accumulate plugins that outlive their purpose. Each inactive plugin still ships code with the site and still represents attack surface, regardless of whether it is active.

What to check:

  • Plugins → Installed Plugins. For every plugin, ask: does it have an active current purpose? Has it received an update in the last six months? Is the developer still maintaining it on WordPress.org?
  • Deactivate and delete any plugin you cannot justify keeping. Do not deactivate and leave. Delete cleanly.
  • Check if any premium plugin licenses have lapsed. Expired licenses disable update checks silently, leaving you on a potentially vulnerable version without knowing.
  • Do the same review for inactive themes. Delete themes you do not use, keeping only the active theme and one default WordPress theme as a fallback.

Red flag: Plugins installed "just in case" that have not been used in months, or any plugin with an update gap of more than 12 months handling anything security-adjacent.

4. Review the hosting plan

Why it matters for your business: Shared hosting that handled 100 visits per day feels very different at 500 or 1,000. The bottleneck is rarely obvious. Page load time creeps up, admin pages start timing out under traffic, and checkout abandonment rises without a clear reason.

What to check:

  • Log into your hosting control panel and check current resource usage: CPU, memory, storage, and monthly bandwidth versus your plan's limits.
  • Run a speed test on a typical business-hours day. Compare Time to First Byte against the same test from last quarter.
  • If TTFB consistently exceeds 600 ms on a page-cached site, the hosting plan is likely the bottleneck, not the plugins.

Red flag: Frequent 503 errors under normal traffic, TTFB above 1 second even with caching active, or the hosting dashboard showing CPU or memory limits being hit regularly.

5. Harden login security

Why it matters for your business: Automated brute-force attacks against WordPress login pages are constant. A small number of additional controls reduce exposure without requiring any ongoing effort.

What to check:

  • Confirm two-factor authentication is active on every Administrator account.
  • Confirm your security plugin's login rate limiting is active and configured. Most security plugins include this.
  • Consider moving the WordPress login path away from the default /wp-admin and /wp-login.php URLs. See our guide to changing your WordPress login URL for the step-by-step process.

Red flag: Any Administrator account without 2FA active, or the login page receiving thousands of requests per day with no rate limiting in place.

Practical Scenarios

Service businesses: bookings and appointments

If your site takes appointments, your most critical maintenance item is the weekly booking flow test. A missed booking confirmation or a broken calendar integration means a real client never received their confirmation. They may show up, they may not. Either outcome costs you.

Prioritize: the weekly booking end-to-end test, plugin updates applied on staging before production (booking plugins touch email, payment, and calendar integrations that can break together), and daily backups where the schedule allows.

Be careful with: updating your booking plugin and your payment gateway plugin at the same time in production. Update one, test, then update the other.

eCommerce with WooCommerce

A broken checkout is the costliest maintenance failure for a WooCommerce site. The loss is measured in hours of abandoned carts before anyone notices.

Prioritize: the weekly checkout test in real test mode (not "I think it still works"), WooCommerce and payment extension updates applied to staging first, and monthly database performance checks (WooCommerce writes to the database heavily under normal usage).

Be careful with: updating WooCommerce core alongside multiple extensions at the same time. Update WooCommerce first, test thoroughly, then update extensions individually.

Local and brochure businesses

Your site is your first impression and often your primary lead generator. A broken contact form or a slow page on mobile loses leads to a competitor even when the site looks fine to you on a desktop browser.

Prioritize: the weekly contact form test, the monthly mobile performance check, and keeping the Google Business Profile consistent with whatever your site says about hours, services, and pricing.

Be careful with: letting the site run without any review for months because "nothing seems wrong." Silent drift is still drift. Forms break, links go stale, and page speed degrades without visible symptoms until traffic and rankings drop.

Mistakes to Avoid

  • Trusting a backup you have never tested. Backup files can be corrupt or incomplete. Run a full restore test at least once per quarter before you need to do it for real.
  • Updating plugins in production without a staging step. One bad plugin update can break a booking form or checkout for hours. Test on staging first, especially for major version changes.
  • Leaving admin accounts for people who left the business. This is the most common and most preventable WordPress security failure in small business contexts. Check the user list every month.
  • Testing the contact form only at launch. SMTP configurations, API keys, and email service delivery settings break periodically. Test the form every week, not just when you remember.
  • Ignoring Site Health warnings. The items WordPress surfaces in Tools → Site Health rarely resolve themselves. Critical items left unaddressed become incident causes.
  • Keeping plugins installed "just in case." Inactive plugins still ship code and still represent attack surface. Delete anything without an active purpose.
  • Measuring performance only on desktop. A 90 desktop score can coexist with a 35 mobile score if images are not properly optimized for mobile viewports. Check both.
  • Skipping the quarterly restore drill. You will not regret doing it. You may deeply regret skipping it.

Recommended Next Step

Start the weekly checklist today. Open your backup plugin and confirm the last backup succeeded. Go to Dashboard → Updates and install any pending plugin or theme updates. Then submit your contact form and confirm the email arrived.

Set a recurring calendar block for the first Monday of each month. Block two hours. Run the monthly checklist with this page open and tick each item.

If you want a shorter, printable view focused only on the monthly cycle, see our monthly WordPress maintenance checklist.