
WordPress maintenance: what it is and what it should cover in 2026

Your WordPress site is a stack of moving parts, each with its own update cycle and vulnerability surface. This guide covers what maintenance should include in 2026, why each component matters, and what a UK small business should expect from the people looking after their site.

A calm, UK-flavoured explainer: what WordPress maintenance actually covers in 2026, why each part matters, and what good looks like for an SME site.


Ollie Tigwell


Photo: WordPress maintenance dashboard showing updates, security and performance monitoring (Stephen Phillips, Hostreviews.co.uk, on Unsplash)

Your WordPress site isn’t a single product. It’s a stack — WordPress core, a theme, a handful (or a fistful) of plugins, a PHP runtime, a database, and a server. Each layer has its own release cycle, its own vulnerability surface, and its own way of quietly breaking when neglected.

WordPress maintenance means keeping every layer current, monitored, and recoverable. That sounds straightforward. In practice, it covers more ground than most site owners expect — and the ground shifted significantly in 2025.

This guide breaks down what WordPress maintenance actually includes in 2026, why each part matters (with real numbers, not hand-waving), and what a UK small business should honestly expect from the people looking after their site.

So what actually is WordPress maintenance?

Think of it as twelve components grouped into four families.

Keep current

  • Core updates — WordPress itself releases security patches (minor updates) and feature releases (major updates). Minor updates should be applied quickly; major updates need testing.
  • Theme updates — Your theme receives patches for security, compatibility, and design changes.
  • Plugin updates — The biggest maintenance surface. Plugins extend WordPress’s functionality — and account for the overwhelming majority of WordPress security vulnerabilities.

Keep safe

  • Security hardening — A web application firewall (WAF), multi-factor authentication on every admin account, and file integrity monitoring form the baseline.
  • WordPress backups — Automated, offsite, and restore-tested. The 3-2-1 rule applies: three copies, on two different media types, with one copy offsite.
  • SSL certificate management — Let’s Encrypt certificates renew every 90 days. If renewal fails silently, visitors see a browser warning and leave.
  • Vulnerability scanning — Cross-referencing your installed plugins and themes against a live database of known vulnerabilities. Patchstack is a CVE Numbering Authority (CNA) for WordPress ecosystem vulnerabilities.

Keep fast

  • Performance optimisation — Page caching, object caching, CDN configuration, modern image formats, and deferred JavaScript. Core Web Vitals (LCP, INP, CLS) are explicit Google ranking signals.
  • Database cleanup — Post revisions, expired transients, and bloated autoload data in wp_options cause slow queries and 502 errors under load.
  • Uptime monitoring — Independent pings every one to five minutes so you hear about outages before your customers do.
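As an added example (not code from the original post or from any tool it names): a small WP-CLI command that measures the autoload footprint described above, so the "bloated autoload data in wp_options" problem can be checked before and after a clean-up rather than guessed at. The command name and function name are my own; it assumes WP-CLI is installed on the host.

```php
<?php
/**
 * Plugin Name: Autoload report (added example)
 * Description: WP-CLI command reporting how much of wp_options is loaded on every request.
 * Drop into wp-content/mu-plugins/ and run: wp autoload-report --limit=15
 */

// WordPress loads every option row flagged for autoload at the start of each request,
// so these bytes are paid on every page view. Autoload values vary by version:
// 'yes' before WordPress 6.6, 'on' / 'auto-on' / 'auto' from 6.6 onwards.
function autoload_report( int $limit = 10 ): array {
    global $wpdb;
    $values = [ 'yes', 'on', 'auto-on', 'auto' ];
    $in     = implode( ',', array_fill( 0, count( $values ), '%s' ) );

    $totals = $wpdb->get_row( $wpdb->prepare(
        "SELECT COUNT(*) AS row_count, COALESCE(SUM(LENGTH(option_value)), 0) AS bytes
         FROM {$wpdb->options} WHERE autoload IN ($in)", ...$values ), ARRAY_A );

    $largest = $wpdb->get_results( $wpdb->prepare(
        "SELECT option_name, LENGTH(option_value) AS bytes
         FROM {$wpdb->options} WHERE autoload IN ($in)
         ORDER BY bytes DESC LIMIT %d", ...array_merge( $values, [ $limit ] ) ), ARRAY_A );

    // Expired (non-site) transients stay in the table until something deletes them.
    $expired = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->options} WHERE option_name LIKE %s AND option_value < %d",
        $wpdb->esc_like( '_transient_timeout_' ) . '%', time() ) );

    return [
        'rows'               => (int) $totals['row_count'],
        'kb'                 => round( (int) $totals['bytes'] / 1024, 1 ),
        'largest'            => $largest,
        'expired_transients' => $expired,
    ];
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'autoload-report', function ( $args, $assoc_args ) {
        $r = autoload_report( (int) ( $assoc_args['limit'] ?? 10 ) );
        WP_CLI::log( sprintf( '%d autoloaded rows, %s KB total; %d expired transients',
            $r['rows'], $r['kb'], $r['expired_transients'] ) );
        WP_CLI\Utils\format_items( 'table', $r['largest'], [ 'option_name', 'bytes' ] );
        // Cleanup is a separate, deliberate step: delete_expired_transients( true ) for
        // transients, and a case-by-case decision for each oversized autoloaded option.
    } );
}
```

A total in the hundreds of kilobytes, or a single option much larger than its neighbours, is the usual sign of a plugin that was removed but left its settings behind.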

Keep findable and usable

  • Broken link and 404 monitoring — Protects user trust, preserves crawl budget, and catches silent content regressions.
  • Accessibility checks — Automated scanners catch roughly 30% of issues; keyboard and screen-reader testing covers the rest. WCAG 2.2 AA is the working bar.
  • SEO health checks — Technical crawlability, indexation, schema markup, and internal linking, audited periodically to catch regressions that don’t announce themselves.

None of these twelve is optional. The question is who does each, how often, and how well.

Why each component matters, in plain numbers

Skipping WordPress maintenance isn’t a theoretical risk. The numbers are specific and current.

The vulnerability surface is growing fast. Patchstack logged 7,966 new WordPress ecosystem vulnerabilities in 2024, a 34% increase year on year — with 96% sitting in plugins. By 2025, the count reached 11,334 new vulnerabilities, a further 42% rise, with plugins still accounting for 91%.

Exploitation is measured in hours, not weeks. When a critical authentication bypass was disclosed in the OttoKit/SureTriggers plugin (CVE-2025-3102, affecting over 100,000 sites), attackers exploited it within four hours. When a privilege escalation flaw hit LiteSpeed Cache (roughly six million sites), Wordfence blocked 58,952 exploit attempts in the first 24 hours.

The attack volume is industrial. Wordfence’s network blocked over 54 billion malicious requests in 2024, including 1.1 billion SQL injection attempts and 55 billion brute-force password attacks. These aren’t targeted — they’re automated scans probing every site they can find.

Compromised sites are common. Sucuri’s scanners detected 681,182 infected sites across 53.2 million scans in the first half of 2024 alone. The Balada Injector malware campaign appeared on 100,470 WordPress sites in the same period.

Speed affects revenue. Rakuten 24 reported a 61% increase in conversion rate and a 26% rise in revenue per visitor for users experiencing good Largest Contentful Paint times. The Economic Times saw a 43% reduction in bounce rate after improving LCP from 4.5 seconds to 2.5 seconds.

UK businesses are exposed. The DSIT Cyber Security Breaches Survey 2025 found that 43% of UK businesses experienced a cyber breach or attack in the previous twelve months — roughly 612,000 businesses. Ransomware incidents roughly doubled year on year.

It’s worth noting where the real weakness sits. Sucuri’s 2023 data found a malicious admin user in 55.2% of infected databases. The problem isn’t WordPress core — it’s plugins, credentials, and neglect.

What ‘good’ WordPress maintenance looks like in 2026 (and where even the experts disagree)

The industry broadly agrees on a maintenance cadence:

| Task | Frequency |
| --- | --- |
| Plugin and theme updates | Weekly (security releases immediately) |
| Core minor/security updates | Auto-apply on release |
| Core major updates | Within 24–72 hours, tested on staging |
| Full backups | Daily, automated, offsite |
| Malware and vulnerability scans | Daily or real-time |
| Uptime monitoring | Every 1–5 minutes |
| Performance and database audit | Monthly |
| Broken link audit | Monthly |
| SEO health check | Monthly |
| Accessibility audit | Quarterly |

Where things get interesting is how WordPress updates should be applied. Two camps, both defensible.

Auto-update everything

Matt Mullenweg has argued that automatic security updates for plugins and themes should become the standard: “I hope security and auto-upgrades not just for core but for plugins and themes becomes the next standard”. The logic is sound — if exploitation happens within hours, a weekly manual check leaves a wide window.

Staged updates with regression testing

Enterprise agencies take a different view. 10up’s SiteWatch platform puts “every update through version control, peer review, and structured QA” before it touches production. The logic here is also sound — a broken checkout page costs money too.

The emerging middle ground is visual regression testing (VRT). Tools like Kinsta Automatic Updates and WP Engine’s Smart Plugin Manager apply updates automatically, take pixel-level screenshots before and after, and roll back if something breaks. For most SME sites, this reconciles both positions well.
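An added example (not code from the original post or from any vendor named above) of how that middle ground can be expressed in WordPress itself, as a must-use plugin: core minor/security releases install themselves, major releases wait for the staging run, and only an allowlist of plugins may auto-update. The plugin basenames in the allowlist are placeholders.

```php
<?php
/**
 * Plugin Name: Update policy (added example)
 * Description: Auto-apply core minor/security releases, hold majors for staging,
 *              and allow plugin auto-updates only from an allowlist.
 * Drop into wp-content/mu-plugins/ so it cannot be switched off from the dashboard.
 */

// Core: minor (security) releases install themselves; majors are tested on staging first.
// Equivalent to define( 'WP_AUTO_UPDATE_CORE', 'minor' ) in wp-config.php.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );
add_filter( 'allow_dev_auto_core_updates',   '__return_false' );

// Plugins: only these basenames may auto-update (placeholder values; use your own list).
const UPDATE_POLICY_PLUGIN_ALLOWLIST = [
    'example-security-plugin/example-security-plugin.php',
    'example-forms/example-forms.php',
];

// This filter has the final say, even for plugins toggled on in the Plugins screen.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // $item->plugin is the plugin basename, e.g. 'akismet/akismet.php'.
    return isset( $item->plugin )
        && in_array( $item->plugin, UPDATE_POLICY_PLUGIN_ALLOWLIST, true );
}, 10, 2 );

// Themes: never auto-update; theme changes go through the weekly staging/VRT run.
add_filter( 'auto_update_theme', '__return_false' );

// Keep an audit trail of what the updater actually did, for the monthly review.
add_action( 'automatic_updates_complete', function ( array $results ) {
    foreach ( $results as $type => $updates ) {          // 'core', 'plugin', 'theme', ...
        foreach ( $updates as $update ) {
            $version = $update->item->new_version ?? $update->item->current ?? 'unknown';
            $outcome = is_wp_error( $update->result )
                ? $update->result->get_error_message()
                : 'ok';
            error_log( sprintf( '[update-policy] %s "%s" -> %s: %s',
                $type, $update->name, $version, $outcome ) );
        }
    }
} );
```

The log lines give the maintainer a record of every unattended change, which is what makes a rollback decision quick when a visual regression check fails the next morning.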

Does managed hosting replace a maintenance plan?

Short answer: no. Every major managed host covers infrastructure, SSL, backups, uptime, and some malware handling. None explicitly covers plugin regression testing for custom code, accessibility remediation, content updates, or SEO.

Kinsta’s scope of support explicitly excludes WordPress core updates and custom code. WP Engine’s terms of service disclaim liability for third-party services (including plugins). Pressable, Cloudways, and SiteGround draw similar lines. Managed hosting is part of the picture — but only part.

What clients routinely get wrong

Five misconceptions come up in nearly every conversation we have with new clients. Each one has evidence against it.

“My host backs up my site, so I’m covered”

Host backups are more limited than you’d expect. WP Engine’s terms of service require customers to “maintain a complete and accurate copy of Customer Content in an offline location independent of the Services”. Kinsta’s base retention is 14 days (up to 30 on higher tiers), with hourly backups as a paid add-on. If you discover a problem on day 15, those backups may already be gone.

“WordPress is inherently insecure”

It isn’t. Patchstack’s all-time database shows 92% of vulnerabilities in plugins, 8% in themes, and just 1% in WordPress core. WordPress core is mature, well-audited software. The risk sits in what you bolt onto it — and whether you keep those bolts tight.

“WordPress updates break things, so it’s safer not to update”

This is the genuinely dangerous misconception. OttoKit was exploited four hours after disclosure. Wordfence blocked 8.75 million exploit attempts against GutenKit and Hunk Companion vulnerabilities in October 2025 — a full year after disclosure, because unpatched sites were still being hammered. Not updating is not caution; it’s exposure. If breakage concerns you (and it should), the answer is staging and regression testing, not avoidance.

For a practical look at what managing updates involves, see our FAQ: Will I be able to update the site myself?

“Managed hosting is the same as a maintenance plan”

As covered above: managed hosts explicitly scope out plugin-code liability, custom development, accessibility, and SEO. Their support pages are clear about this even when their marketing isn’t.

“My site isn’t a target”

Wordfence data shows 55 billion password attacks blocked in 2024. Sucuri found 681,182 infected sites in just six months. These aren’t targeted strikes against high-profile targets — they’re automated bots probing every WordPress installation they can reach. If your site is on the internet, it’s already being scanned.

What changed in 2025–26 that a UK SME should know

Five developments reshaped WordPress maintenance practice over the past eighteen months.

The ACF fork and plugin trust

On 12 October 2024, WordPress.org unilaterally forked the Advanced Custom Fields plugin — maintained by WP Engine — into “Secure Custom Fields,” redirecting auto-updates away from WP Engine’s codebase. A December 2024 preliminary injunction ordered the listing restored, but the precedent was set: plugins installed via the WordPress.org directory sit on infrastructure that can be unilaterally reconfigured.

The practical takeaway for SMEs: “installed from WordPress.org” is no longer a sufficient trust signal on its own. For business-critical plugins, direct-vendor licensing and update channels are now a reasonable precaution.

PHP 7.2 and 7.3 deprecation

WordPress 7.0 will drop support for PHP 7.2 and 7.3. If your host still runs an older PHP version, you’ll need to upgrade before updating WordPress — or risk breaking your site. Check with your host now; PHP 8.3 is the recommended minimum.

ICO cookie enforcement

The ICO’s 2025 online tracking strategy found 134 of the top 200 UK websites non-compliant with cookie consent requirements. By December 2025, intervention had pushed 979 of the top 1,000 into compliance. The key requirement: “reject all” must be as easy as “accept all,” and nothing non-essential should fire before consent.

For WordPress sites, this means your cookie consent plugin is now a compliance tool, not a cosmetic one. It needs configuring properly and checking after every plugin or theme change.

The European Accessibility Act

The European Accessibility Act entered application on 28 June 2025. If your UK business sells B2C into the EU — whether through EUR pricing, EU delivery options, or EU-language pages — you’re within scope via each Member State’s transposition. Micro-enterprises providing services (fewer than 10 staff and under €2 million turnover) are exempt, but product sellers generally aren’t.

WCAG 2.2 AA is the working benchmark. Automated scanners catch roughly 30% of issues; the rest requires manual keyboard and screen-reader testing.

Virtual patching and visual regression testing

Two technologies matured from niche to practical in 2025. Patchstack shipped over 300 virtual-patch rules in Q4 2024 alone, providing same-day mitigations for critical vulnerabilities while plugin authors prepared proper fixes. Virtual patching buys time — hours to days — but it isn’t a substitute for updating.

Visual regression testing reached the mainstream through Kinsta Automatic Updates and WP Engine Smart Plugin Manager. Both apply updates, run pixel-level comparisons against your live pages, and auto-rollback on failure. This is genuinely useful for SME sites that can’t justify a full staging-and-QA workflow for every plugin patch.

What Lightly Salted does on your site each month

Our WordPress maintenance retainer maps directly to the twelve components above:

  • Weekly: core, theme, and plugin updates on staging with visual regression testing; rollback if anything breaks.
  • Daily: automated offsite backups with 90-day retention; real-time malware and vulnerability scanning; uptime monitoring every 60 seconds.
  • Monthly: database optimisation; performance audit against Core Web Vitals; broken-link sweep; SEO health check.
  • Quarterly: accessibility audit (automated + manual); backup restore test; full security review.
  • Ongoing: WAF management; SSL monitoring; cookie consent compliance checks; incident response.

Every site is different. Not sure where yours stands? We’ll walk through the twelve components with you — plainly, in thirty minutes. No pitch, no pressure.

Learn more about our WordPress Hosting and Maintenance service
