If you ask a WordPress site owner what maintenance means, they will usually mention updates. Click the update button on plugins, click the update button on WordPress core, done. That is part of it, but maintenance done well is broader and quieter than that. It is a set of small checks that keep small problems small, and a few of them are almost universally skipped. Here are the five we see neglected most often, and what each one does for you when it is actually done.
1. Testing your backups by actually restoring one
Most WordPress sites have backups configured somewhere. Far fewer sites have backups that actually work. The difference only becomes visible the day you need them, which is the worst possible time to discover the problem.
The common failures are familiar. The backup plugin stopped running silently three months ago after an update. The off site destination ran out of storage and quietly rejected new uploads. The backups are full file backups but exclude the database. The backups are database backups but exclude the uploads folder. The backups exist but they are encrypted and no one has tested the decryption key.
The cure is to actually restore. Pick a recent backup, spin up a temporary staging site, and restore it. If it works, you know. If it does not, you have time to fix the process while the live site is still healthy. We recommend doing this at least quarterly for any business critical site.
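As an added pre-flight check (example code, not Smart Coding's tooling), the script below inspects a backup archive for the silent failures listed above before you spend time on a restore: a stale archive, an empty upload, a missing database dump, a missing uploads folder. It builds constructed sample archives in a temporary directory so it runs offline; it does not replace the staging restore, which is still the only real proof.

```python
import io
import os
import tarfile
import tempfile
import time

DAY = 86400

def check_backup(archive_path, max_age_days=7, now=None):
    """Return a list of problems found (an empty list means the archive looks sane)."""
    now = time.time() if now is None else now
    problems = []
    age = (now - os.path.getmtime(archive_path)) / DAY
    if age > max_age_days:
        problems.append("archive is %.0f days old; has the backup job stopped?" % age)
    if os.path.getsize(archive_path) == 0:
        return problems + ["archive is empty; did the destination reject the upload?"]
    with tarfile.open(archive_path, "r:*") as tar:
        names = tar.getnames()
    if not any(n.endswith((".sql", ".sql.gz")) for n in names):
        problems.append("no database dump in archive")
    if not any("wp-content/uploads/" in n for n in names):
        problems.append("no wp-content/uploads files in archive")
    return problems

def build_sample_backup(directory, name, include_db=True, include_uploads=True):
    """Write a constructed .tar.gz that stands in for a real backup archive."""
    members = ["wp-config.php", "wp-content/themes/x/style.css"]
    if include_db:
        members.append("db/wordpress.sql")
    if include_uploads:
        members.append("wp-content/uploads/2024/01/logo.png")
    path = os.path.join(directory, name)
    with tarfile.open(path, "w:gz") as tar:
        for member in members:
            info = tarfile.TarInfo(member)
            info.size = 6
            tar.addfile(info, io.BytesIO(b"sample"))
    return path

def run_demo():
    """Check a healthy archive, one missing its database, and a stale one."""
    with tempfile.TemporaryDirectory() as tmp:
        good = build_sample_backup(tmp, "good.tar.gz")
        no_db = build_sample_backup(tmp, "no-db.tar.gz", include_db=False)
        month_later = time.time() + 30 * DAY  # simulate a job that stopped running
        return {"good": check_backup(good),
                "no_db": check_backup(no_db),
                "stale": check_backup(good, now=month_later)}
```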
2. Reviewing who has admin access
WordPress user lists accumulate. Over a couple of years, a single site picks up a freelancer who built the contact form, a developer who did a one off integration, a marketing contractor who needed to publish a post, the original designer who set up the brand colours, and a couple of plugins that quietly created their own user accounts. Most of them never get removed.
Each one of those accounts is a way into your site. If any of them was given administrator level access, they can do anything, including unintentionally importing a compromise from their own laptop. If a freelancer’s password ends up in a breach somewhere on the internet years later, your admin login is on the list.
Open the users page once a quarter. Anyone who does not need access today gets removed. Anyone who only needs to publish content does not need the administrator role; the editor role is the most they need. Apply least privilege as a default and you remove a lot of risk for very little effort.
3. Cleaning up the database
The WordPress database grows quietly over time. Post revisions accumulate without limit if you do not configure WordPress to cap them. Auto drafts pile up. Transients that were never cleaned out fill the options table. Plugins leave behind their own data when removed. Spam comments, if you are not running good filtering, can balloon the comments table. Action Scheduler logs from various plugins can run to hundreds of thousands of rows.
None of this breaks the site immediately. It just makes everything slightly slower. Page loads spend more time waiting on database queries. Admin pages take longer to render. Backups grow larger and take longer to run. Over a couple of years, a small site can end up with a database many times the size of its actual content.
A quarterly database cleanup, ideally with proper tools rather than aggressive auto delete plugins, keeps the site lean. Configure post revision limits in wp-config.php. Empty trashes. Drop unused option keys left by uninstalled plugins. Reindex slow tables. Then take a fresh backup.
4. Auditing the document root for files that should not be there
This is one of the most overlooked checks, and it is the one that flagged a recent Sydney agency compromise we audited. The attacker had dropped fifteen malicious files into folders that mirrored the names of WordPress pages on the site. Nobody had looked at the document root for months. If they had, the files would have been spotted in minutes.
The document root of a WordPress site should contain WordPress core files and very little else. If you find folders that you do not recognise, .php files outside of wp-admin, wp-content and wp-includes (beyond the handful that ship with core, such as index.php, wp-load.php and wp-config.php), backup archives, .sql dumps, or developer copies of files with names like wp-config.bak, something is wrong. Investigate every file you cannot account for.
A monthly look at the document root, either via SFTP or your host’s file manager, is a fifteen minute task that catches a category of attack most monitoring does not.
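The check described above, as an added example that is not the page's own tooling: it lists anything in the top level of a document root that is not part of a stock WordPress layout, flags leftover backups and dumps, and goes one step beyond the text by also reporting PHP files under wp-content/uploads, a folder that should hold media only. The sample tree, including an about-us folder mirroring a page name, is constructed in a temporary directory.

```python
import os
import tempfile

CORE_DIRS = {"wp-admin", "wp-content", "wp-includes"}
# PHP files that WordPress core legitimately places in the document root.
CORE_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
LEFTOVER_EXT = (".bak", ".old", ".orig", ".sql", ".sql.gz", ".zip", ".tar.gz")

def audit_docroot(root):
    """Return sorted (reason, relative path) pairs for anything that needs explaining."""
    findings = []
    for name in os.listdir(root):
        if os.path.isdir(os.path.join(root, name)):
            if name not in CORE_DIRS:
                findings.append(("unexpected directory", name))
        elif name.endswith(".php") and name not in CORE_ROOT_PHP:
            findings.append(("non-core php in root", name))
        elif name.endswith(LEFTOVER_EXT):
            findings.append(("backup or dump left in root", name))
    # Uploads should hold media only; any PHP file there needs an explanation.
    uploads = os.path.join(root, "wp-content", "uploads")
    for dirpath, _, files in os.walk(uploads):
        for f in files:
            if f.endswith((".php", ".phtml")):
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                findings.append(("php inside uploads", rel.replace(os.sep, "/")))
    return sorted(findings)

def build_sample_root(root):
    """Constructed tree: a clean core layout plus a few planted problems."""
    # "about-us" stands in for the page-named folders mentioned in the audit above.
    for d in ("wp-admin", "wp-includes", "wp-content/uploads/2024", "about-us"):
        os.makedirs(os.path.join(root, d))
    for f in ("index.php", "wp-config.php", "wp-login.php", "wp-config.bak",
              "about-us/index.php", "wp-content/uploads/2024/image.jpg",
              "wp-content/uploads/2024/cache.php"):
        with open(os.path.join(root, f), "w") as fh:
            fh.write("placeholder\n")

def run_demo():
    """Audit a constructed document root and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp)
        return audit_docroot(tmp)
```

For the core files themselves, WP-CLI's wp core verify-checksums compares wp-admin, wp-includes and the root against the official release hashes and reports files that differ from or were added to the release.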
5. Rotating salts, keys, and application passwords
WordPress uses a set of cryptographic secret keys and salts, defined in wp-config.php, to sign cookies and protect session data. They are generated when WordPress is installed and almost no one ever changes them again. If they have leaked at any point, every session token issued since is technically still valid, and an attacker who captured one once could still use it.
Rotating these once or twice a year invalidates every existing session, forces everyone to log in again, and gives you a clean reset. The same logic applies to application passwords used by plugins and integrations, API keys for services that connect to your site, and any one off tokens you may have issued for migrations or testing.
Any time a staff member or contractor leaves, or any time you suspect a credential may have been exposed, rotation is essential. The five minutes it takes is the cheapest security upgrade you will ever do.
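Rotation of the wp-config.php salts, as an added example (not Smart Coding's or WP-CLI's code): it rewrites each of the eight define() lines with a fresh 64-character secret drawn from the operating system's CSPRNG and leaves every other line untouched. The SAMPLE_CONFIG fragment is constructed; point rotate_salts() at the contents of a real wp-config.php and write the result back.

```python
import re
import secrets
import string

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# No quotes or backslashes, so a value drops safely into a PHP quoted string.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~`+=,.;:/?|"
# Matches one salt define(); group 3 is the quote character, group 4 the value.
DEFINE_RE = re.compile(
    r"""(define\(\s*['"](?P<key>%s)['"]\s*,\s*)(['"])(.*?)\3(\s*\)\s*;)"""
    % "|".join(SALT_KEYS))

def new_secret(length=64):
    """Fresh random secret from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def parse_salts(config_text):
    """Return {key: value} for every salt define found in wp-config.php text."""
    return {m.group("key"): m.group(4) for m in DEFINE_RE.finditer(config_text)}

def rotate_salts(config_text):
    """Rewrite every salt define with a new secret; return (new text, count)."""
    def repl(m):
        quote = m.group(3)
        return "%s%s%s%s%s" % (m.group(1), quote, new_secret(), quote, m.group(5))
    return DEFINE_RE.subn(repl, config_text)

# Constructed wp-config.php fragment standing in for a real file.
SAMPLE_CONFIG = "<?php\ndefine( 'DB_NAME', 'wp_example' );\n" + "".join(
    "define('%s', 'put your unique phrase here');\n" % k for k in SALT_KEYS
) + "define( 'WP_DEBUG', false );\n"

def run_demo():
    """Rotate the sample config; return (count, old salts, new salts, new text)."""
    new_text, count = rotate_salts(SAMPLE_CONFIG)
    return count, parse_salts(SAMPLE_CONFIG), parse_salts(new_text), new_text

if __name__ == "__main__":
    count, _, _, text = run_demo()
    print("rotated %d salts" % count)
    print(text)
```

WP-CLI's wp config shuffle-salts does the same rewrite in place; either way every existing login cookie stops validating, so expect to sign in again yourself.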
Why these tasks get forgotten
The common thread between these five is that none of them produce visible results: restoring a test backup, removing a contractor’s old admin account, cleaning out post revisions, scanning the document root, rotating cryptographic keys. The site looks identical before and after. The work is invisible until the day it is the difference between recovering from a problem in an hour or rebuilding the site from scratch.
That is exactly why they get skipped. The reward for doing them is the absence of a problem, and humans are bad at valuing absences. A good support routine builds them in as a habit so the question of whether they are worth doing today never comes up.
Need a hand?
If you would like Smart Coding to take these tasks off your plate and run them on a regular schedule, get in touch. We run them as part of the standard support work on every WordPress site we manage and we would be happy to add yours to the routine.