“Maintenance” is one of those words that sounds dull until something breaks. Most site owners pay for it without quite knowing what they are paying for, and a smaller number do not pay for it at all, on the theory that the site seems to be running fine. Both groups would benefit from a plainer description of what the work actually involves.
A WordPress site is a small piece of software running on a server, plugged into a database, talking to several other pieces of software at the same time. Keeping it healthy is less like dusting a piece of furniture and more like running a small fleet — small enough to be manageable, big enough that neglecting it has consequences. Here is what those consequences are, and what ongoing care really covers.
What “maintenance” is actually doing
The word covers a handful of activities that happen on different cadences. Some happen monthly. Some happen weekly. Some happen continuously in the background. Together they keep the site reliable, secure, and ready to recover if something goes wrong.
Updates. WordPress itself, every active plugin, and the theme all release new versions regularly — for security fixes, bug fixes, and compatibility. Applying those updates is the most visible part of maintenance, and the one most people mean when they use the word.
Security monitoring. Watching for malicious traffic, scanning files for changes, blocking automated attacks, monitoring login attempts, and reviewing user accounts. This work is mostly invisible until something happens, which is exactly when you want it to have been happening.
Backups. Taking regular copies of the site files and the database, storing them somewhere other than the server itself, and — this is the part people forget — verifying that a backup can actually be restored. An untested backup is a hopeful guess.
Performance checks. Page speed drifts. Plugins add weight. Databases grow. Caches get out of date. A periodic look at the site’s actual performance, on real connections, catches the slow drift before users notice it.
Functional checks. Filling in the contact form to make sure it still emails the right person. Clicking the buy button. Checking that newsletter sign-ups land where they should. Small, important things that fail quietly when nobody is looking.
Database optimisation. Old revisions, expired transients, orphaned data — the database accumulates clutter over time. Periodic optimisation keeps queries fast and the file size sensible.
Hosting and uptime monitoring. Checking that the site is actually responding, that SSL certificates are current, that domain renewals are not about to lapse, and that the host’s resource usage is not heading somewhere awkward.
“But WordPress can update itself”
This is the objection that comes up most often, and it deserves an honest answer. Yes, WordPress can apply many updates automatically. For low-stakes sites with simple setups, that is often enough.
The problem is that automatic updates do not catch the second half of the job. Auto-updates can break things, and they update without anyone watching. The first you know about a broken update is the next time you open the site and find the layout collapsed, the checkout missing, or a key plugin showing a fatal error. Without someone monitoring the site after updates, you are essentially trusting every plugin developer to never ship a bug. That is a generous assumption.
The other thing auto-updates do not do is decide. Sometimes a plugin update should not be applied immediately. The release notes might warn of a database migration that needs care, a deprecated feature, or a known compatibility issue with another plugin you are using. A human looking at the release notes will hold off. An automated process will press the button.
The serious answer to “WordPress can update itself” is that it can apply patches, but it cannot make judgements, and it cannot tell you afterwards whether the site still works. Those are the parts maintenance actually covers.
What backups should actually include
Backups are the part of maintenance where the gap between what people think they have and what they actually have is widest. The pattern repeats itself: a site owner gets locked out, or a plugin update breaks something, or the hosting account gets compromised, and the conversation about backups starts in a hurry.
A backup that protects you in those moments has a few specific properties.
It includes everything. Site files and the full database, not just one or the other. A files-only backup will not restore your content. A database-only backup will not restore your media library.
It is stored elsewhere. A backup that lives on the same server as the site is not a backup. If the server is compromised, the backup goes with it. Real backups live somewhere unconnected — a separate storage service, ideally with versioning.
It is recent. Daily for active sites is a sensible default. Weekly for sites that change rarely. The right cadence depends on how much work you are willing to lose if you have to restore.
It has been tested. A backup nobody has ever restored is, statistically, a backup that probably will not restore. Periodically — quarterly is reasonable — somebody should attempt an actual restore to a staging environment to confirm that the process works end to end.
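Several of these properties can be checked automatically every time a backup is written. The following Python is an added example, not code from the original article: it checks that a gzipped tar archive is recent, contains both site files and a database dump, and can be read end to end. The archive layout (`wp-config.php`, `wp-content/uploads/`, a `.sql` dump containing `CREATE TABLE`) and the function names are assumptions, and the sample archive is constructed.

```python
import io, os, tarfile, tempfile, time, zlib

def audit_backup(path, max_age_days=1.0, now=None):
    """Return a list of problems; an empty list means the archive passed."""
    problems = []
    now = time.time() if now is None else now
    age_days = (now - os.path.getmtime(path)) / 86400
    if age_days > max_age_days:  # "It is recent": daily cadence by default
        problems.append(f"stale: {age_days:.1f} days old")
    found = {"wp-config.php": False, "media uploads": False, "database dump": False}
    try:
        with tarfile.open(path, "r:gz") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                # Reading every member in full surfaces truncated or corrupt archives.
                data = tar.extractfile(member).read()
                if member.name.endswith("wp-config.php"):
                    found["wp-config.php"] = True
                if "wp-content/uploads/" in member.name:
                    found["media uploads"] = True
                if member.name.endswith(".sql") and b"CREATE TABLE" in data:
                    found["database dump"] = True
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        problems.append(f"unreadable: {exc}")
    # "It includes everything": files and database, not one or the other.
    problems += [f"missing: {part}" for part, ok in found.items() if not ok]
    return problems

def build_sample(path, include_db=True):
    """Write a constructed miniature backup (assumed layout, not real site data)."""
    files = {"site/wp-config.php": b"<?php // constructed\n",
             "site/wp-content/uploads/2024/01/logo.png": b"constructed image bytes"}
    if include_db:
        files["db/dump.sql"] = b"CREATE TABLE wp_posts (ID bigint);\n"
    with tarfile.open(path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        full = os.path.join(d, "full.tar.gz")
        files_only = os.path.join(d, "files-only.tar.gz")
        build_sample(full)
        build_sample(files_only, include_db=False)
        print("full:", audit_backup(full))
        print("files only:", audit_backup(files_only))
```

A clean result does not replace the periodic restore to staging; it only catches stale, partial, or corrupt archives between restore tests. It also cannot tell whether the archive is stored somewhere other than the server.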
Security in plain terms
Most WordPress sites are not targeted because they are interesting. They are targeted because they exist, and because automated tools sweep the web for known vulnerabilities at scale. The site does not need to have any commercial value for an attacker to want to use it — for spam relays, for SEO link injection, for hosting phishing pages, for cryptocurrency mining, or as a foothold into other accounts.
The realistic security baseline is not about preventing every conceivable attack. It is about reducing exposure to the common ones. Strong passwords on every account. Two-factor authentication for administrators. Limited login attempts. Up-to-date core, plugins, and theme. File integrity monitoring so that unauthorised changes get noticed. Removing unused plugins and themes entirely, because every dormant plugin is still a potential attack surface.
None of that is exotic. It is just discipline, applied continuously, by somebody who is paying attention.
What six months of neglect looks like
It is fair to ask what actually happens to an unmaintained WordPress site. Sometimes nothing visible — for a while. The real picture, over months, looks something like this.
- Plugins fall several versions behind. Some begin showing PHP warnings on the front end. Performance drops gradually.
- One plugin develops a known vulnerability. Within days, automated scanners begin probing for it. Within weeks, one of them succeeds.
- Spam pages start appearing in Google’s index, served from your site. You do not know yet.
- The contact form starts failing silently. Sales enquiries stop arriving and nobody notices for weeks.
- An SSL certificate lapses. Visitors see a warning. Conversions stop.
- A hosting renewal lapses. The site goes offline for a weekend.
- You finally try to restore from a backup. The backup is six months old, was never tested, and turns out to be only the database.
Most of those failures cost more to fix than a year of maintenance would have cost to prevent. The relationship between maintenance spend and the cost of incidents is roughly the same shape as insurance, with the same trade-off. Most months you pay for nothing visible. In the month it matters, you are very glad you did.
What good maintenance feels like
A site that is being looked after well feels boring to its owner. Nothing dramatic happens. Updates get applied on a schedule. Performance stays steady. The forms still work. The backups are there. Once or twice a year, a security alert prompts a quick action. The rest of the time, the site simply runs.
That is the goal. Maintenance is not glamorous, and it is not supposed to be. It is the quiet floor under everything else the site is trying to do — sell, inform, capture leads, run a business. When the floor holds, you do not think about it. When it gives way, you think about nothing else.
The short version
WordPress maintenance covers updates, backups, security, performance, and the small functional checks that catch silent failures. It is not “auto-updates plus hope.” It is the ongoing, undramatic work of keeping a small piece of software working in an unfriendly environment. The cost of doing it well is modest. The cost of skipping it is paid in incidents, downtime, and the slow erosion of everything the site is supposed to be doing for the business.