Article

WordPress Maintenance: What Happens If You Ignore It?

Hackers don’t sit down and attack your site personally; they run automated scanners, around the clock, probing millions of sites for one thing . . . a known hole in the WordPress core or, far more often, in an old, not updated WordPress plugin. The moment a vulnerability is published, bots begin hunting every site that hasn’t patched it.

I’m not speculating. I’ve been building and maintaining WordPress sites since before it was fashionable, and I’ve cleaned up enough hacked sites to have very strong opinions about website upkeep. Hackers make me angry. I charge for hosting and WordPress maintenance. Just one hack can undo months of website upkeep.

Here’s the pattern behind almost every hacked WordPress site I’ve ever repaired: a plugin that hadn’t been updated in months, sometimes years, with a publicly documented vulnerability. The site owner didn’t do anything wrong, exactly. They just did nothing. And on the modern web, nothing is a decision.

Plugins are the double-edged sword of WordPress. They’re why you can add a booking system or a gallery in an afternoon, and they’re also thousands of lines of third-party code, each one a potential door. Some plugins are abandoned by their developers and never patched again. Part of proper site care is not just clicking “update” but noticing when a plugin has quietly died and replacing it before it becomes the way in.

Getting hacked is bad. What most people don’t know is that the visible damage; the spam pages, the pharmaceutical links, the defaced homepage – is rarely the whole infection.

Competent attackers install a backdoor: a small, innocuous-looking file tucked deep in your site’s folders, or a few lines slipped into a legitimate file, that lets them back in whenever they like. You can delete the spam, restore the homepage, change every password, and feel like you’ve fixed it – then two weeks later it’s all back, because the door you didn’t find was never closed.

This is why “my nephew cleaned it up” hacks recur, and why a proper post-hack cleanup means comparing every core file against known-good copies, auditing the database for injected users and code, and checking file modification dates like a crime scene. It’s forensic work, and it’s tedious – which is exactly why the cheaper option is never needing it.

If your site is on cheaper, shared hosting, your security is partly hostage to every other site on that server. One compromised neighbour can degrade, infect, or take down sites that did nothing wrong. Shared IP blacklisting alone can hurt your email deliverability and search standing while you wonder what you did to deserve it.

The lesson isn’t “never use shared hosting” – it’s that hosting quality, server isolation, and independent off-site backups are part of maintenance, not separate concerns.

A backup stored on the same server as the site it’s backing up is a photocopy kept in the same burning building.

Hacks are dramatic. Most maintenance failures are silent, and silence is worse, because you don’t know to act.

A plugin update subtly breaks your contact form, and it stops delivering emails. No error, no warning.

Enquiries simply vanish. The quiet feels exactly like “no customers.” I tell every client the same thing: after any update, test your contact points. Submit your own form. Click your own email link. Ring your own number from the site on your phone. Ten minutes, and it’s the highest-value ten minutes in website care.

The same slow rot applies elsewhere: SSL certificates lapse and browsers start warning visitors away; databases bloat with post revisions and expired data until pages crawl; broken links accumulate as content moves.

None of it announces itself.

All of it costs you enquiries.

Site health isn’t only about not being hacked. It’s about staying fast, findable and usable. All three will decay without attention.

Images are the usual offender. A site accumulates photos uploaded straight off a phone – one 4MB monster doing the job of a 50KB file. Converting images to modern formats like WebP typically cuts their weight by a quarter to a third with no visible quality loss – it’s one of the first things I do for SEO – because page speed is both a ranking factor and a patience factor: every extra second of load time bleeds visitors, especially on mobile.

I now label your images properly. Every image should have meaningful alt text (the short written description of what it shows). This is one of those rare jobs that pays three ways at once: screen reader users can actually use your site (accessibility is both the right thing to do and increasingly an expectation), Google understands your content better, and your photos become findable in image search. “IMG_4032.jpg” with empty alt text achieves none of that. It’s good to actually name images by what they are.

Descriptive file names, compressed and converted images, heading structure that makes sense, links that say where they go. Unglamorous, ongoing work. Which is precisely why it gets skipped, and precisely why doing it is an advantage.

A realistic maintenance routine looks something like this:

  • • core, theme and plugin updates applied promptly (and tested, not just clicked)
  • • regular off-site backups you’ve actually test-restored
  • • security scanning and login hardening
  • • SSL and domain renewals watched
  • • database cleanup
  • • image optimisation as content is added
  • • broken link checks
  • • and a hands-on test of every form and contact point after changes.

None of it is difficult. All of it is relentless. That’s the real reason sites decay . . . not ignorance, but the fact that nobody in a small business owns the job.

That’s also why I build website maintenance it into hosting rather than selling it as an extra: every site I host includes ongoing maintenance as standard, because in my experience an unmaintained WordPress site isn’t a stable asset – it’s a liability on a timer. I’d rather do the boring work monthly than the forensic work at 2am.

WordPress is not set-and-forget.

The base code and old plugins are probed by automated attacks every single day, and neglect doesn’t hold your site steady – it moves it, slowly and invisibly, toward the day something breaks, leaks or disappears.

If your site hasn’t been updated in months, don’t wait for the countdown to finish.

Use this form to send me your web address and I’ll give you a plain-English site health check, tell you what’s outdated, what’s exposed, and what it would take to make it solid. Straight answer, no scare tactics, reply within 24 hours.

Call Now — 0417 0417 43 Tap to call Geoffrey Websites