Most WordPress maintenance checklists are written for people who manage their own websites. They tell you what to do: update your plugins, run backups, scan for malware.
This isn't that kind of checklist.
If you're paying for a WordPress care plan, you shouldn't be managing these tasks yourself. The whole point is having someone else handle them. But how do you know if your provider is actually doing the work?
This WordPress maintenance checklist helps you evaluate whether your care plan is comprehensive or just checking boxes. Use it to ask better questions about what you're getting, and what might be falling through the cracks. For a broader overview of what care plans include and how to choose a provider, see our complete WordPress care plans guide.
Weekly Tasks Your Provider Should Handle

WordPress Core, Theme, and Plugin Updates
What should happen: All available updates applied weekly, with critical security patches applied faster (often within 24-48 hours of release).
How to verify: Ask for a maintenance report. A good provider can show you what was updated and when. If they can't produce documentation, they may not have a real process.
Red flag: Updates are only happening monthly, or you have no visibility into when updates were applied. When a critical vulnerability is announced, you shouldn't wait 3 weeks for a patch.
Pre-Update Backups
What should happen: A full backup (files and database) should be created immediately before any updates are applied.
How to verify: Ask about their update process. Is there a backup specifically tied to each update cycle, separate from daily scheduled backups?
Red flag: Updates applied without backups, or backups that occur only on a schedule, regardless of update timing.
Visual and Functional Testing
What should happen: After updates, someone verifies the site still works. Pages load, forms submit, key functionality operates correctly. Better providers use staging environments to test before pushing to production.
How to verify: Ask about their testing process. Do they test in staging first? Do they do visual regression testing? What happens if an update breaks something?
Red flag: "We update and let you know if anything breaks." That's reactive, not proactive. You shouldn't be the one discovering broken functionality.
Daily Tasks Your Provider Should Handle
Automated Backups
What should happen: Full daily backups of your site's files and database, stored offsite (not on the same server as your website).
How to verify: Ask where backups are stored and how long they're retained. 30 days is standard. Ask how quickly the site could be restored from backup if needed.
Red flag: Backups stored only on the same server, or retention periods of less than 14 days. If your server fails, server-only backups fail with it.
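As an added example (not part of the original checklist or any provider's tooling), the sketch below audits a maintenance report against the update and backup criteria above: weekly cadence, critical patches within 48 hours, a backup tied to each update, offsite storage, and retention of at least 14 days. The report field names, the one-hour pre-update window, and the eight-day cadence tolerance are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample report; field names are assumptions, not a real provider format.
UPDATES = [
    {"item": "wordpress-core", "applied": "2024-03-04T09:10", "critical_released": None},
    {"item": "forms-plugin", "applied": "2024-03-11T09:05",
     "critical_released": "2024-03-06T12:00"},
    {"item": "seo-plugin", "applied": "2024-03-18T09:00", "critical_released": None},
]
BACKUPS = [
    {"taken": "2024-03-04T08:55", "offsite": True, "retention_days": 30},
    {"taken": "2024-03-11T02:00", "offsite": True, "retention_days": 30},  # scheduled only
    {"taken": "2024-03-18T08:50", "offsite": False, "retention_days": 7},
]

def audit(updates, backups, window=timedelta(hours=1), max_gap=timedelta(days=8)):
    """Return red-flag findings; `window` and `max_gap` are assumed tolerances."""
    ts = datetime.fromisoformat
    findings = []
    backup_times = [ts(b["taken"]) for b in backups]
    applied = sorted(ts(u["applied"]) for u in updates)
    # Weekly cadence: flag any gap between update cycles longer than max_gap.
    for prev, cur in zip(applied, applied[1:]):
        if cur - prev > max_gap:
            findings.append(f"update gap of {(cur - prev).days} days before {cur.date()}")
    for u in updates:
        when = ts(u["applied"])
        # A pre-update backup must fall inside the window just before the update.
        if not any(timedelta(0) <= when - b <= window for b in backup_times):
            findings.append(f"no pre-update backup: {u['item']}")
        # Critical security patches should land within 48 hours of release.
        released = u["critical_released"]
        if released and when - ts(released) > timedelta(hours=48):
            findings.append(f"critical patch late: {u['item']}")
    for b in backups:
        if not b["offsite"]:
            findings.append(f"backup not offsite: {b['taken']}")
        if b["retention_days"] < 14:
            findings.append(f"retention under 14 days: {b['taken']}")
    return findings

if __name__ == "__main__":
    for finding in audit(UPDATES, BACKUPS):
        print("RED FLAG:", finding)
```

In the sample, the forms-plugin update is covered only by the 02:00 scheduled backup, which is the exact gap the pre-update backup question is meant to expose.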
Uptime Monitoring
What should happen: Your site is checked at regular intervals (every 1-5 minutes is common) and someone is alerted immediately if it goes down.
How to verify: Ask who gets alerted when the site goes down. Is it your provider, or just you? What's their response process?
Red flag: "We recommend you set up your own uptime monitoring." If monitoring isn't included, you'll be the last to know when there's a problem, probably when a constituent tells you.
Security Scanning
What should happen: Automated scanning for malware, file changes, and suspicious activity. Alerts reviewed by humans, not just logged.
How to verify: Ask about their security stack. What are they scanning for? How often? What happens when something is detected?
Red flag: Security scanning as an add-on or premium feature. Basic security monitoring should be table stakes for any care plan.
Monthly Tasks Your Provider Should Handle
Database Optimization
What should happen: Cleaning up overhead in your WordPress database by removing post revisions, spam comments, transient data, and other accumulated cruft that slows things down.
How to verify: This is harder to verify directly. Ask if it's part of their maintenance routine.
Red flag: Not necessarily a red flag if not mentioned, but a sign of a more thorough provider if it's included.
Performance Review
What should happen: Checking site speed metrics and addressing issues that could affect user experience or search rankings.
How to verify: Ask if they monitor Core Web Vitals or page speed metrics. Do they proactively address performance issues, or only when you report slowness?
Red flag: No awareness of your site's performance metrics. Speed matters for user experience and SEO.
Security Audit
What should happen: Review of user accounts, login activity, and security configurations. Checking for unused admin accounts, weak passwords, or suspicious access patterns.
How to verify: Ask about their security review process beyond automated scanning.
Red flag: Security limited to automated scanning with no human review.
What Should Happen When Things Go Wrong

This is the most important part of the checklist, and the hardest to evaluate until you actually need it.
When an Update Breaks Something
What should happen: They detect the issue (ideally before you do), roll back if necessary, and fix the problem. No additional charges for fixing update-related issues.
How to verify: Ask directly: "If an update causes a conflict and breaks something on my site, what happens? Is fixing it included, or is that extra?"
Red flag: Update-related issues treated as separate support tickets or billed at an hourly rate. Updates are inherently risky. Fixing what they break should be part of the service.
When the Site Goes Down
What should happen: They're alerted immediately, investigate the cause, and restore service as quickly as possible. You receive communication about what happened and what's being done.
How to verify: Ask about their incident response process. What's the typical response time? How will you be kept informed?
Red flag: You have to report outages to them. If you're discovering downtime before your provider, their monitoring isn't working.
When There's a Security Incident
What should happen: Immediate investigation, malware removal if needed, identification of how the compromise occurred, and steps to prevent recurrence.
How to verify: Ask if malware cleanup is included or billed separately. What's their process for investigating breaches?
Red flag: Malware cleanup is an expensive add-on. Some providers charge $100-300+ for cleanup, creating a perverse incentive not to prevent infections in the first place.
When You Need Help Beyond Maintenance
What should happen: Clear communication about what's included and what would be additional. For requests outside the plan scope, a reasonable hourly rate without gouging.
How to verify: Ask about their hourly rate for work beyond routine maintenance. Is there a minimum? How are requests prioritized?
Red flag: Hourly rates significantly higher than market ($200+/hour) for care plan clients, or minimum charges that turn small requests into expensive projects.
For context on what maintenance services typically cost at different tiers, see our WordPress maintenance pricing guide.
The Tasks Most Providers Skip

Based on what we see when onboarding sites from other providers, here are the WordPress maintenance checklist items most commonly neglected:
Real Monitoring (Not Just Uptime Checks)
Many providers claim to monitor your site, but they're only checking if the server responds. Real monitoring includes:
- Uptime checks every few minutes
- Performance monitoring (is the site slow?)
- SSL certificate monitoring (is it about to expire?)
- Response to alerts, not just logging them
Testing Updates Before Applying Them
"We update weekly" doesn't mean they test first. Many providers bulk-apply updates across all their clients, then wait to see what breaks. Staging-first updates take more time but catch problems before they reach your live site.
Proactive Communication
Good providers tell you when something notable happens: a security patch applied, a potential issue addressed, a recommendation for improvement. If you never hear from your provider unless you contact them first, you're getting reactive service.
Actually Knowing Your Site
The best maintenance includes familiarity with your specific site: its plugins, its quirks, its history. When every support interaction starts from zero, something is wrong with the relationship.
How to Use This WordPress Maintenance Checklist
You don't need to interrogate your provider with every question on this list. Pick a few that matter most to your situation:
If security is your top concern: Focus on the security scanning, incident response, and malware cleanup questions.
If you've experienced downtime: Focus on monitoring, response times, and what happens when things go wrong.
If you're not sure what you're getting: Ask for a sample maintenance report. A provider who can't show you what they're doing probably isn't doing much.
If you're shopping for a new provider: Use the red flags as a filter. Any provider triggering multiple red flags is probably not the right fit.
What FatLab's Maintenance Includes

For reference, here's how we handle the tasks on this checklist:
- Updates: Weekly, tested in staging before production. Critical security patches within 24-48 hours.
- Backups: Daily automated backups with 30-day retention, stored offsite. Pre-update backups before every update cycle.
- Monitoring: 24/7 uptime and performance monitoring with immediate response. We typically know about issues before clients do.
- Security: Cloudflare Enterprise WAF, real-time malware detection, and automatic remediation. Malware cleanup included at no extra cost.
- Support: Full troubleshooting support (not just maintenance tasks). When something breaks, we fix it.
- Communication: Proactive updates when something notable happens. You won't just hear from us when there's a problem.
Are all organizations' needs the same? No. But this is the standard we think any WordPress maintenance checklist should measure against.
Not sure if you need a care plan at all? Start with our guide on what WordPress care plans include and whether they're right for your organization.
Evaluating your current provider or shopping for a new one? See our comparison of WordPress maintenance services or explore FatLab's care plans.