/* ✅ The Copyable Checklist */
✅ Website Maintenance Checklist (copy this)
WEEKLY (~30 min) [ ] Backup ran and is restorable [ ] Security scan / login logs reviewed [ ] Uptime + error logs checked [ ] Contact form test submission [ ] Visual check of key pages MONTHLY (~2-3 hrs) [ ] Software, plugin & theme updates (test first) [ ] Remove unused plugins/themes [ ] Speed check on top 3 pages [ ] Content edits: prices, dates, dead links [ ] Search Console: errors + coverage [ ] Review user comments/spam QUARTERLY (~2-3 hrs) [ ] Full restore test from backup [ ] Domain, SSL & licence expiry review [ ] Content & SEO audit of key pages [ ] Password + user-account cleanup [ ] Performance deep-dive (Core Web Vitals)That’s roughly 6 hours a month done properly. Prefer it handled? Our website maintenance service runs the whole list for £45/month.
Introduction
This website maintenance checklist is the one we actually work through for client sites, published in full. Copy it, print it, put the weekly block in your calendar. It’s yours. The honest part of this guide is what comes after the checklist: the time it really takes, and the two jobs that go catastrophically wrong when they’re skipped.
Why the urgency underneath a humble checklist? In 2025, Patchstack logged 11,334 new WordPress vulnerabilities, and for the heavily exploited ones, the weighted median time from disclosure to first exploit was just 5 hours (Patchstack, State of WordPress Security in 2026, retrieved 9 July 2026). If you want the wider context of what website maintenance includes before the task-level detail, start there.
ℹ️ Transparency: We sell website maintenance at a published £45/month, so we benefit if you decide DIY isn’t for you. The checklist is complete and genuinely usable on its own, and every statistic is cited with a retrieval date.
Weekly Website Maintenance Checks
Weekly checks take about 30 minutes and exist to answer one question: if something broke this week, would you know? In April 2026, the government’s Cyber Security Breaches Survey found 46% of UK small businesses identified a breach or attack in the previous year (GOV.UK, Cyber Security Breaches Survey 2025/2026, retrieved 9 July 2026). Most discovered it late.
The five weekly jobs:
- Verify the backup ran, and spot-check it’s restorable. Not “the plugin says success”. Open the backup file listing and confirm this week’s date is there.
- Skim security and login logs. You’re looking for repeated failed logins, new admin users you didn’t create, and files changed at odd hours.
- Check uptime and error reports. Five minutes with your uptime monitor or hosting dashboard catches expired certificates and failing pages.
- Send yourself a test through the contact form. Broken forms are silent revenue leaks. Nobody phones to tell you your form doesn’t work.
- Eyeball your key pages. Home, services, contact. Done.
The form test earns its place on this list. Of the emergency fixes we’ve handled, the quiet failures (a form that stopped sending after a plugin update) cost owners more enquiries than any hack, because they run undetected for weeks.
Monthly Website Maintenance Checks
Monthly is where the real defensive work happens, because updates are the job. In 2025, 91% of new WordPress vulnerabilities were in plugins and 9% in themes, with just 6 reports against WordPress core (Patchstack, retrieved 9 July 2026). Your plugin list is your attack surface.
The six monthly jobs: apply updates (after testing on a copy of the site, never straight to live), delete plugins and themes you no longer use, run a speed check on your top three pages, fix stale content and dead links, review Google Search Console for errors, and clear comment spam.
Two of these quietly protect revenue rather than security. Speed first: Deloitte’s Milliseconds Make Millions study found a 0.1-second improvement in mobile load time lifted retail conversions by 8.4% (web.dev, retrieved 9 July 2026). And content: last year’s prices on your services page don’t just look sloppy, they generate mispriced enquiries you then have to renegotiate.
Quarterly Website Maintenance Checks
Quarterly tasks are the ones everyone skips, and they’re the ones that determine whether a bad day becomes a bad month. The headline job is the full restore test: actually rebuilding a copy of your site from a backup, end to end.
Why so serious about it? Because a backup you’ve never restored is a hope, not a plan. Backups fail silently: disks fill, plugins mis-configure, hosting migrations quietly break the schedule. The restore test is the only proof the recovery plan works.
The other four quarterly jobs take an hour or two combined. Check domain, SSL and software licence expiry dates (an expired domain takes the site and your email down together). Remove old user accounts and rotate passwords. Audit your key pages for accuracy and search performance. And run a proper Core Web Vitals check rather than the quick monthly speed skim.
The Two Jobs That Go Wrong DIY
Across the emergency cases we’ve taken on, two failure patterns account for nearly all of them. Neither is about technical skill. Both are about verification steps that DIY schedules skip.
The untested update. An owner clicks “update all” on a live site. One plugin conflicts with the theme, the site white-screens, and there’s no staging copy to compare against. Recovery depends entirely on the second failure pattern being avoided, and it usually isn’t.
The unverified backup. The backup plugin reported green ticks for months, but the files were landing in a storage bucket that was deleted at some point, or stopped at 2GB, or backed up the database without the images. The owner discovers this at the exact moment they need the backup. One anonymised example from our own casebook: a trades site that white-screened after an update was rebuilt over two weeks from archived copies and old email attachments, because eight months of “successful” backups were empty files.
This risk profile is also why some owners exit the treadmill entirely: our guide to migrating from GoDaddy to a static site covers the architecture route that removes the database, and most of the attack surface, altogether.
When Should You Hand Maintenance Off?
The arithmetic is straightforward. Our checklist runs roughly 6 hours a month done properly, and published UK maintenance plans cluster at £40-£99 a month (per our July 2026 price check of providers’ own pages). If your working hour is worth more than about £10-£15, or if you know the quarterly restore test will never actually happen, handing off is the rational choice.
Here’s the pattern we see in practice: DIY owners do the monthly updates and skip the verification jobs (restore tests, staging, log reviews), because verification feels optional right up until it isn’t. But the verification jobs are precisely what professionals are paid for. The checklist above is honest about that: it’s not that the tasks are hard, it’s that the discipline is relentless.
Hand-off checklist, if you go that route: confirm the plan includes tested updates (not just “updates”), restore-tested backups, a response-time commitment, and a monthly report. Our own managed website care plan covers the full list above for £45/month, everything included. Whichever provider you pick, make them show you what’s excluded before you sign.
Frequently Asked Questions
How do you do website maintenance?
Work through a fixed cycle: weekly, check your backup ran, skim security and uptime logs, and test your contact form. Monthly, apply software and plugin updates (test first), review site speed, and update stale content. Quarterly, do a full restore test and a licence, domain and SSL review. The copyable checklist above covers all 16 tasks.
Do I need to pay for website maintenance?
No, but the work has to happen either way. DIY runs roughly 6 hours a month on our checklist, and the risk clock is unforgiving: Patchstack measured a 5-hour weighted median time to first exploit for heavily exploited WordPress flaws in 2025. Paying £40-£99 a month buys someone else racing that clock for you.
What maintenance do websites need?
Six recurring workstreams: software and plugin updates, backups (with restore tests), security scanning, uptime and performance monitoring, fixes, and content updates. The mix varies by platform. WordPress sites are update-heavy because 91% of the ecosystem’s 11,334 new 2025 vulnerabilities were in plugins, per Patchstack’s 2026 whitepaper.
Is maintaining a website difficult?
The individual tasks are learnable; the discipline is the hard part. Updates, backups and log reviews are simple until the week you skip them. The failure stories that reach us are rarely about skill. They’re about a backup nobody verified or an update nobody tested, discovered at the worst possible moment.
What are the steps involved in website maintenance?
Four steps per cycle: check (backups, uptime, security logs), update (software, plugins, content), test (forms, key pages, site speed), and review (restore tests, licences, SEO health each quarter). Run weekly, monthly and quarterly passes. The full 16-task breakdown with time estimates is in the checklist above.
Conclusion
The checklist is 16 tasks: five weekly, six monthly, five quarterly, roughly 6 hours a month done with discipline. The two that are non-negotiable are the ones DIY schedules always drop: test updates before they touch the live site, and restore-test your backups quarterly. Everything else is recoverable; those two decide whether a bad update is a nuisance or a two-week rebuild.
Copy the checklist and run it yourself, or hand the whole thing to our website maintenance service at £45/month and get the verification discipline included. And if you’re still weighing up whether the spend is worth it, the full UK price comparison puts every published plan side by side.
References
- Patchstack. State of WordPress Security in 2026. https://patchstack.com/whitepaper/state-of-wordpress-security-in-2026/ (retrieved 9 July 2026)
- GOV.UK, Department for Science, Innovation and Technology. Cyber Security Breaches Survey 2025/2026 (30 April 2026). https://www.gov.uk/government/statistics/cyber-security-breaches-survey-20252026/cyber-security-breaches-survey-20252026 (retrieved 9 July 2026)
- Google web.dev / Deloitte. Milliseconds Make Millions. https://web.dev/case-studies/milliseconds-make-millions (retrieved 9 July 2026)