Website Maintenance Checklist

The last three "emergency" website projects we took on had the same root cause: zero maintenance for 18+ months. One had 47 unpatched plugin vulnerabilities. Another had been serving malware for 6 weeks without anyone noticing — their Google rankings had dropped 62% before a customer reported the browser warning. The third had a database that had grown to 4.7GB because nobody had cleaned post revisions, spam comments, or transient caches since 2022.

Each of these businesses paid $8,000-22,000 for emergency recovery. Each could have been prevented with $200/month in basic maintenance. The math is not complicated. Yet industry surveys consistently show that 45% of small businesses perform zero website maintenance after launch.

This checklist is what we use internally for every site we manage. It's organized by frequency — weekly, monthly, quarterly, and annual — with specific tools and time estimates for each task.

Weekly Tasks (30 Minutes Total)

These tasks should be automated wherever possible. You're not doing them manually every week — you're verifying that automated systems are working.

1. Uptime Monitoring Verification

• What: Confirm your uptime monitor is active and alerting correctly
• Why: 23% of downtime goes unnoticed for 4+ hours without monitoring
• Tools: UptimeRobot (free, 50 monitors), Better Stack ($29/mo), Pingdom
• Time: 2 minutes (check dashboard, verify last alert test)

Set monitoring to check every 1-3 minutes. Configure alerts via SMS and email — not just email, because email alerts get buried. Test that alerts actually fire by temporarily pausing and resuming the monitor.

2. Backup Verification

• What: Verify that automated backups completed successfully
• Why: 60% of businesses that discover their backups are broken find out during a crisis
• Tools: UpdraftPlus (WordPress), Vercel's deployment history (Next.js), automated database dumps
• Time: 5 minutes (check backup logs, verify file sizes are reasonable)

3. Security Scan Review

• What: Review automated security scan results
• Why: 30,000 websites are hacked daily — automated scanning catches 80% of common vulnerabilities
• Tools: Sucuri SiteCheck (free), Wordfence (WordPress), Mozilla Observatory, npm audit (Next.js)
• Time: 10 minutes (review alerts, flag anything for investigation)

4. Broken Link Check

• What: Run automated broken link scan or review crawl report
• Why: Broken links hurt UX and waste crawl budget — Google downgrades sites with excessive 404s
• Tools: Screaming Frog (free up to 500 URLs), Ahrefs Site Audit, our SEO Checker (free)
• Time: 10 minutes (scan + fix or redirect broken URLs)

Monthly Tasks (2-3 Hours Total)

Monthly tasks require human judgment and can't be fully automated. Block a recurring 3-hour window for these.

1. Software Updates

For WordPress sites:

• Update WordPress core (check compatibility notes first)
• Update all plugins (one at a time, test after each)
• Update the theme
• Check PHP version compatibility
• Time: 30-60 minutes

For Next.js / Vercel sites:

• Run npm audit and address vulnerabilities
• Update dependencies with npm outdated review
• Update Next.js if a new minor version is available
• Check Vercel dashboard for deployment warnings
• Time: 15-30 minutes (far fewer moving parts)

2. Performance Audit

• What: Run PageSpeed Insights on your 5 most important pages
• Why: Performance degrades gradually — new images, added scripts, plugin updates all add weight
• Tools: Google PageSpeed Insights, GTmetrix, Chrome DevTools Lighthouse
• Targets: LCP < 2.5s, INP < 200ms, CLS < 0.1, PageSpeed score > 80
• Time: 20 minutes (test + document scores for trend tracking)

Track scores monthly in a spreadsheet. A 5-point drop in one month is normal variance. A 15-point drop means something changed — investigate immediately.

3. Content Review

• Check that all product/service information is current
• Verify pricing is up to date
• Review and respond to new reviews/testimonials
• Update any time-sensitive content (seasonal offers, event dates)
• Check that blog posts from 12+ months ago still have accurate information
• Time: 30-45 minutes

4. Analytics Check

• Review traffic trends — any sudden drops?
• Check top landing pages for performance
• Review 404 error report
• Check search console for crawl errors or manual actions
• Verify conversion tracking is firing correctly
• Time: 20 minutes

5. Form and Functionality Testing

• Submit a test entry through every form on the site
• Verify email notifications are being received
• Test any e-commerce checkout flows
• Check that chat widgets, booking systems, and integrations are working
• Test on mobile (not just desktop)
• Time: 15-20 minutes

Form testing catches silent failures that lose you leads. We've audited sites where the contact form had been broken for months — the form appeared to submit successfully to the user, but the notification email was going to a deactivated address. That business lost an estimated $40,000 in leads during that period.

6. SSL Certificate Check

• What: Verify SSL certificate is valid and auto-renewing
• Why: Expired SSL = browser security warning = instant visitor loss + SEO penalty
• Tools: SSL Labs Test (free), UptimeRobot SSL monitoring
• Time: 2 minutes (most hosts auto-renew, but verify)

Quarterly Tasks (4-6 Hours Total)

1. Full Security Audit

• Review all user accounts — remove unused accounts, especially admin-level
• Check for unauthorized files in the web root
• Review file permissions (WordPress: 644 for files, 755 for directories)
• Run a deep malware scan (Sucuri, Wordfence premium, or manual inspection)
• Verify two-factor authentication is active on all admin accounts
• Review security headers (CSP, X-Frame-Options, HSTS)
• Time: 60-90 minutes

2. SEO Health Check

• Full site crawl with Screaming Frog or Ahrefs
• Check for duplicate titles, missing meta descriptions, thin content
• Review internal linking structure
• Verify structured data is valid (Google Rich Results Test)
• Check sitemap accuracy — all important pages included, no orphans
• Review Google Search Console for new issues
• Time: 60-90 minutes

3. Content Freshness Audit

• Identify pages with outdated statistics or references
• Update "best of [year]" posts with current year data
• Refresh underperforming blog posts with better content
• Remove or consolidate thin pages that aren't ranking
• Add internal links from new content to relevant older content
• Time: 45-60 minutes

4. Dependency Audit (Next.js / Modern Sites)

• Run npm audit and resolve all high/critical vulnerabilities
• Check for deprecated packages that need replacement
• Review bundle size — has it grown significantly?
• Update Node.js version if needed
• Review Vercel deployment logs for warnings
• Time: 30-45 minutes

5. Database Optimization

WordPress:

• Delete post revisions (keep last 3-5 per post)
• Clean spam and trashed comments
• Remove transient caches
• Optimize database tables (WP-Optimize plugin)
• Delete unused plugin data (leftover tables from uninstalled plugins)

Supabase / PostgreSQL:

• Review query performance in Supabase dashboard
• Check for missing indexes on frequently queried columns
• Clean up old log entries and temporary data
• Review Row Level Security policies for correctness

Time: 30 minutes

Annual Tasks (Full Day)

1. Hosting Review

Is your hosting plan still the right fit? Review:

• Traffic growth — do you need a higher tier?
• Pricing changes — are you on a legacy plan that's no longer competitive?
• Performance benchmarks — how does your host compare to alternatives?
• Support quality — have they been responsive when you needed help?
• Geography — is your hosting region optimal for your audience?

2. Domain Renewal and DNS Review

• Verify domain auto-renewal is enabled
• Check domain expiration dates (including any secondary domains)
• Review DNS records — remove stale entries pointing to old services
• Verify domain registrar lock is enabled (prevents unauthorized transfers)
• Check WHOIS privacy is active

3. Design Refresh Assessment

• Compare your site to current design trends and competitors
• Review heatmaps and session recordings for UX issues
• Assess whether your site still reflects your brand accurately
• Check mobile experience on latest devices
• Evaluate whether a full redesign is needed (typically every 3-4 years)

4. Accessibility Audit

• Run WAVE or axe DevTools on key pages
• Check color contrast ratios (WCAG 2.1 AA minimum: 4.5:1 for text)
• Verify keyboard navigation works throughout the site
• Test with a screen reader (VoiceOver on Mac, NVDA on Windows)
• Review alt text on all images
• Check form labels and error messages for clarity

Accessibility isn't just ethical — it's legal. ADA website accessibility lawsuits increased 12% year-over-year in 2025. An annual audit and remediation protects your business and improves UX for everyone.

5. Disaster Recovery Test

• Restore your site from backup to a staging environment
• Verify all content, images, and functionality survived the restore
• Document the recovery procedure step-by-step
• Time the full recovery process (target: under 4 hours)
• Verify your team knows who does what during an incident

What to Automate vs. What Needs Human Eyes

Automate These (Set and Forget)

• Uptime monitoring: UptimeRobot or Better Stack — alerts within 60 seconds of downtime
• Backups: Daily automated backups with 30-day retention minimum
• Security scanning: Sucuri or Wordfence on autopilot with alert thresholds
• SSL monitoring: UptimeRobot includes SSL expiry monitoring in free tier
• Dependency updates: Renovate Bot or Dependabot for automated PR creation
• Performance monitoring: SpeedCurve or web-vitals tracking in analytics

These Need Human Review

• Content quality: AI can't judge if your pricing page is still accurate
• UX review: Automated tools catch accessibility issues, not confusing navigation
• Brand consistency: Does the site still represent who you are?
• Competitive analysis: Are competitors doing something better?
• Conversion review: Are forms, CTAs, and funnels still optimized?

The Real Cost of NOT Maintaining Your Website

Let's make the business case with actual numbers from our client work:

• Hacking recovery: $5,000-25,000 (malware cleanup, security hardening, reputation repair, Google reconsideration request)
• SEO recovery from malware: 3-6 months to regain rankings after a Google Safe Browsing warning — during which you lose 60-90% of organic traffic
• Downtime revenue loss: Average small business loses $427/minute during downtime according to Gartner research
• Customer trust: 65% of users who encounter a hacked or broken site never return — the lifetime value of those customers is gone permanently
• Legal liability: If customer data is breached due to negligent maintenance, you face potential fines under GDPR, CCPA, or industry-specific regulations

Maintenance Plans: DIY vs. Managed

DIY Maintenance

• Cost: $0-50/month (tool subscriptions only)
• Time investment: 4-8 hours/month
• Pros: Lowest cost, full control, deepest understanding of your site
• Cons: Requires technical knowledge, easy to deprioritize, no expertise for complex issues
• Best for: Developers maintaining their own sites, technically skilled small business owners

Agency-Managed Maintenance

• Cost: $100-500/month (basic to comprehensive)
• What's included (typical): Updates, backups, security monitoring, monthly reports, 1-2 hours of content changes
• Pros: Professional expertise, consistent execution, someone to call in emergencies
• Cons: Recurring cost, dependency on external team
• Best for: Most businesses — the cost is modest relative to the protection

WordPress vs. Next.js/Vercel: Maintenance Differences

WordPress Maintenance Burden

• Core updates: 6-9 per year (some require testing)
• Plugin updates: Weekly (8-15 plugins typical)
• Theme updates: Monthly
• PHP updates: Annual
• Security patches: Ongoing (plugin vulnerabilities are constant)
• Database cleanup: Quarterly
• Total effort: 6-10 hours/month for proper maintenance

Next.js / Vercel Maintenance Burden

• Framework updates: 3-4 per year (usually non-breaking)
• Dependency updates: Monthly (automated with Renovate/Dependabot)
• No plugin layer — all code is first-party
• No database in many cases (static sites on CDN)
• Vercel handles SSL, CDN, scaling, and infrastructure
• Security surface: minimal — no admin panel, no database exposed
• Total effort: 2-4 hours/month for proper maintenance

This difference compounds over years. A WordPress site demands consistent, knowledgeable attention. A Next.js site on Vercel is closer to "set and forget" for infrastructure — you focus maintenance time on content and business logic rather than patching and updating.

Recommended Tools for Each Task

• Uptime monitoring: UptimeRobot (free) or Better Stack ($29/mo for advanced features)
• Security scanning: Sucuri SiteCheck (free) + Wordfence (WordPress, $119/yr premium)
• Performance testing: Google PageSpeed Insights (free) + GTmetrix (free tier generous)
• SEO auditing: Screaming Frog (free up to 500 URLs) + Google Search Console (free)
• Broken link checking: Screaming Frog or Ahrefs Site Audit ($99/mo includes this)
• Accessibility: WAVE browser extension (free) + axe DevTools (free)
• Backups: UpdraftPlus (WordPress, free) or hosting-provided (Vercel: deployment history)
• Dependency management: npm audit (free) + Renovate Bot (free for open-source)
• Analytics: Google Analytics 4 (free) + Google Search Console (free)

You can build a complete maintenance monitoring stack for $0-50/month using free tools. The tools aren't the expensive part — your time and discipline are.

The single most important thing you can do after reading this article: block 3 hours on your calendar, one month from today, recurring monthly. Label it "Website Maintenance." The checklist exists. The tools are free. The only missing ingredient is the discipline to actually do it — or the budget to hire someone who will.