The Annual Website Maintenance Checklist Every Owner Needs

Websites decay quietly: stale plugins, lapsed licences and forms that stop sending. This month-by-month maintenance calendar keeps your site secure, fast and legally tidy without eating into your working week.

Websites decay quietly

A website is closer to a vehicle than a printed brochure: it needs servicing whether or not anything looks wrong. Plugins fall behind security patches, PHP versions reach end of life, SSL certificates and domains lapse, contact forms silently stop delivering, and legal pages drift out of date while the law moves on. None of these announce themselves. You usually find out from a customer, or worse, from Google.

The fix is not heroic effort but a calendar. Below is a maintenance rhythm sized for a small UK business: a short monthly routine, plus a month-by-month schedule that spreads the annual jobs so no single month hurts.

The monthly fifteen-minute routine

  • Run pending CMS, plugin and theme updates. On WordPress, take a backup first, or better, test on a staging copy.
  • Confirm the automated backup actually ran and is stored somewhere other than the same server. Follow the 3-2-1 rule: three copies, two types of storage, one off-site.
  • Submit your own contact form and confirm the message arrives, including any autoresponder.
  • Glance at Google Search Console for new errors, manual actions or security warnings.
  • Check uptime: a free monitor such as UptimeRobot emails you when the site goes down, so you are not relying on customers to tell you.
  • Skim your key pages on a phone. Broken layouts and expired offers hide in plain sight.

Need a hand with this?

Our team delivers Website Maintenance for UK businesses — with a free initial consultation, transparent fixed quotes and no lock-in contracts. Tell us what you're working on →

The month-by-month calendar

Spread the bigger jobs across the year. Shift the months to suit your trading peaks; the point is that every job has a slot.

  • January: full content audit. Prices, team members, opening hours, and the copyright year in the footer.
  • February: access review. Remove former staff and old agency accounts, rotate passwords, and switch on two-factor authentication everywhere it is offered.
  • March: accessibility check against WCAG 2.2. Keyboard navigation, colour contrast and image alt text.
  • April: performance audit. Run PageSpeed Insights on your five most-visited pages and log the Core Web Vitals.
  • May: backup restore drill. Actually restore a backup to a test environment. An untested backup is a hope, not a plan.
  • June: imagery review. Replace photography that no longer reflects the premises, team or products.
  • July: licence audit. Premium plugins, themes, fonts and stock images: confirm each is current and registered to your business.
  • August: SEO health check. Crawl for broken links (Screaming Frog's free tier covers 500 URLs), fix redirect chains, refresh title tags on key pages.
  • September: legal review. Privacy policy, cookie banner behaviour and terms, checked against current UK GDPR and PECR guidance.
  • October: renewals audit. Domain, hosting, SSL and email services: confirm auto-renew is on and payment cards have not expired.
  • November: capacity check before the Christmas peak if you sell online, and test the checkout end to end.
  • December: annual analytics review. What did people actually visit, search for and abandon? Feed the answers into next year's plan.

Updates and backups: the non-negotiables

Most compromised small-business sites are breached through outdated software rather than clever attacks. Set plugins to auto-update where you trust them, and diarise the rest. Keep an eye on your PHP version too: hosts eventually retire old versions, and a forced upgrade with no testing is how sites break on a random Tuesday.

For backups, what matters is restorability, not existence. Managed hosts often keep their own copies, but those sit on the same infrastructure as your site. Keep an independent off-site copy (tools like UpdraftPlus can push to Google Drive or Dropbox automatically) and prove you can restore it at least once a year.

Renewals and licences nobody remembers

Quiet expiries cause loud outages. The domain is the big one: if it lapses, your website and your email both stop, and late-recovery fees are painful.

  • Domain: auto-renew on, registrar account in the business's name, and a registrant email address that outlives any single employee.
  • SSL: Let's Encrypt certificates renew automatically, but confirm the renewal job is actually working. Paid certificates expire annually and can take email down with them on some setups.
  • Premium plugins and themes: when a licence lapses the software keeps working but stops receiving security updates, which is the worst failure mode because it is invisible.
  • Stock images and fonts: licences are often tied to the agency that built the site. Make sure yours were purchased in, or transferred to, your name.

Security and access hygiene

Once a year, treat your website like an ex-employee audit: who can log in, and should they still? Remove dormant admin accounts, downgrade anyone who does not need full rights, and enable two-factor authentication on the CMS, hosting panel and domain registrar. Run a malware scan (Wordfence and Sucuri both offer free scanners for WordPress) and put the site behind a basic web application firewall; Cloudflare's free tier is enough for most small sites.

Remember the regulatory side too: if personal data is breached, UK GDPR requires certain breaches to be reported to the ICO within 72 hours. Knowing exactly who your host, developer and registrar are, and how to reach them quickly, is part of being able to meet that deadline.

Key Takeaway

Put maintenance on the calendar, not the to-do list. Monthly: updates, backup checks and form tests. Annually, spread across the months: a genuine restore drill, a licence and renewals audit, legal page review, and accessibility and performance checks. Assign one named owner for the domain, hosting and every licence, keep credentials in a password manager, and never let auto-renew lapse on the domain your business depends on.

Making it actually happen

Checklists fail when they belong to everyone. Give this calendar a single named owner, put the monthly routine in their diary as a recurring appointment, and store every credential in a shared password manager rather than a spreadsheet. And if nobody in the business wants the job, that is a legitimate answer too: our team runs exactly this calendar as a monthly maintenance service, so the checklist gets done whether or not your Tuesday is free.

Work With Us

Need Help With Your Digital Strategy?

Our team of experts is ready to help. Get a free consultation and tailored proposal.