WordPress Maintenance: What Happens If You Ignore It?
There’s a comforting idea that a website is like a shed: you build it once, and it just stands there working. WordPress is not a shed. No website is a shed. Your website is closer to a car in design. Both are an assembly of moving parts from different manufacturers, driven daily on a public road, one where some of the other drivers are actively trying to run you off it.
Roughly 40% of the web runs on WordPress, which makes it the single biggest target on the internet.
Hackers don’t sit down and attack your site personally; they run automated scanners, around the clock, probing millions of sites for one thing . . . a known hole in the WordPress core or, far more often, in an old, not updated WordPress plugin. The moment a vulnerability is published, bots begin hunting every site that hasn’t patched it.
Not updating isn’t neutral. It’s a countdown.
I’m not speculating. I’ve been building and maintaining WordPress sites since before it was fashionable, and I’ve cleaned up enough hacked sites to have very strong opinions about website upkeep. Hackers make me angry. I charge for hosting and WordPress maintenance. Just one hack can undo months of website upkeep.
A few years ago, I got a very brief email from a potential client. It said something like “I want a website”. I replied, asking for more info, and didn’t get a further reply for a few days. The client suggested a phone call, so I complied. When I heard that the person was “a lady of the night”, I politely declined the work. She was quite upset, but Google has a “reputation score” and building a site like that would have put me on the same level as pornography and other untoward industries. My “no” resulted in 12 website4s going down on my shared server. I was about to go on holidays (to the UK) but I stayed home. For the next 4 weeks, I got up at 6am and went to bed exhaussted before 9pm. The whole time I should have been on holiday in Europe, I spent resurrecting websites.
The stale WP plugin problem
Here’s the pattern behind almost every hacked WordPress site I’ve ever repaired: a plugin that hadn’t been updated in months, sometimes years, with a publicly documented vulnerability. The site owner didn’t do anything wrong, exactly. They just did nothing. And on the modern web, nothing is a decision.
Plugins are the double-edged sword of WordPress. They’re why you can add a booking system or a gallery in an afternoon, and they’re also thousands of lines of third-party code, each one a potential door. Some plugins are abandoned by their developers and never patched again. Part of proper site care is not just clicking “update” but noticing when a plugin has quietly died and replacing it before it becomes the way in.
More recently: I found a site which presents a lot of (downloadable) premium plugins for a one-off, lifetime fee. The site said that, legally, they can trade copies of these plugins under the WordPress free to use license. So I bought access (to the WorldpressIT website) for under $100 and I saved a few thousand dollars on premium plugins. Everything seemed to work fine. For a year or two. Recently, one of the plugins was hacked and I had a site go down. Luckily just the one site this time. A couple of hours later I had it back up again and deleted the plugin. It turns out I wasn’t even using the plugin. It turns out that having an outdated (and unspported) WordPress plugin sitting on a server – not even activated – is enough for greebies to infiltrate. Needless to say, I now use security plugins which check for and email me any foreseeable issues.
The part nobody warns you about: the backdoor
Getting hacked is bad. What most people don’t know is that the visible damage; the spam pages, the pharmaceutical links, the defaced homepage – is rarely the whole infection.
Competent attackers install a backdoor: a small, innocuous-looking file tucked deep in your site’s folders, or a few lines slipped into a legitimate file, that lets them back in whenever they like. You can delete the spam, restore the homepage, change every password, and feel like you’ve fixed it – then two weeks later it’s all back, because the door you didn’t find was never closed.
This is why “my nephew cleaned it up” hacks recur, and why a proper post-hack cleanup means comparing every core file against known-good copies, auditing the database for injected users and code, and checking file modification dates like a crime scene. It’s forensic work, and it’s tedious – which is exactly why the cheaper option is never needing it.
Consistent WordPress maintenance is the difference between patching a hole and hunting a ghost.
Your neighbours can burn your house down
If your site is on cheaper, shared hosting, your security is partly hostage to every other site on that server. One compromised neighbour can degrade, infect, or take down sites that did nothing wrong. Shared IP blacklisting alone can hurt your email deliverability and search standing while you wonder what you did to deserve it.
I’ll never know for certain whether it was connected, but one client called up, complaining that the password to access his site was too long and he couldn’t remember it. Hi name was “Paul”. I told him “As a general rule – if you can remember it, it’s not a good enough password.” This fell on deaf ears, so I aquiesced and ganve him access to the server – so he could work with another developer on email records etc. Within 24 hours, several sites on the shared server went down. I couldn’t figure out where the hack was. In my notes, teh last thing I did was give paul access. I called him to see if he’d noticed anything strange. Turns out he had changed both the master username and password to “Paul”.
The lesson isn’t “never use shared hosting” – it’s that hosting quality, server isolation, and independent off-site backups are part of maintenance, not separate concerns.
A backup stored on the same server as the site it’s backing up is a photocopy kept in the same burning building.
The quiet failures: when nothing looks broken
Hacks are dramatic. Most maintenance failures are silent, and silence is worse, because you don’t know to act.
A plugin update subtly breaks your contact form, and it stops delivering emails. No error, no warning.
Enquiries simply vanish. The quiet feels exactly like “no customers.” I tell every client the same thing: after any update, test your contact points. Submit your own form. Click your own email link. Ring your own number from the site on your phone. Ten minutes, and it’s the highest-value ten minutes in website care.
The same slow rot applies elsewhere: SSL certificates lapse and browsers start warning visitors away; databases bloat with post revisions and expired data until pages crawl; broken links accumulate as content moves.
None of it announces itself.
All of it costs you enquiries.
Performance and accessibility are maintenance too
Site health isn’t only about not being hacked. It’s about staying fast, findable and usable. All three will decay without attention.
Images are the usual offender. A site accumulates photos uploaded straight off a phone – one 4MB monster doing the job of a 50KB file. Converting images to modern formats like WebP typically cuts their weight by a quarter to a third with no visible quality loss – it’s one of the first things I do for SEO – because page speed is both a ranking factor and a patience factor: every extra second of load time bleeds visitors, especially on mobile.
I now label your images properly. Every image should have meaningful alt text (the short written description of what it shows). This is one of those rare jobs that pays three ways at once: screen reader users can actually use your site (accessibility is both the right thing to do and increasingly an expectation), Google understands your content better, and your photos become findable in image search. “IMG_4032.jpg” with empty alt text achieves none of that. It’s good to actually name images by what they are.
Descriptive file names, compressed and converted images, heading structure that makes sense, links that say where they go. Unglamorous, ongoing work. Which is precisely why it gets skipped, and precisely why doing it is an advantage.
What proper WordPress upkeep actually involves
A realistic maintenance routine looks something like this:
- • core, theme and plugin updates applied promptly (and tested, not just clicked)
- • regular off-site backups you’ve actually test-restored
- • security scanning and login hardening
- • SSL and domain renewals watched
- • database cleanup
- • image optimisation as content is added
- • broken link checks
- • and a hands-on test of every form and contact point after changes.
None of it is difficult. All of it is relentless. That’s the real reason sites decay . . . not ignorance, but the fact that nobody in a small business owns the job.
That’s also why I build website maintenance it into hosting rather than selling it as an extra: every site I host includes ongoing maintenance as standard, because in my experience an unmaintained WordPress site isn’t a stable asset – it’s a liability on a timer. I’d rather do the boring work monthly than the forensic work at 2am.
The bottom line
WordPress is not set-and-forget.
The base code and old plugins are probed by automated attacks every single day, and neglect doesn’t hold your site steady – it moves it, slowly and invisibly, toward the day something breaks, leaks or disappears.
If your site hasn’t been updated in months, don’t wait for the countdown to finish.
Use this form to send me your web address and I’ll give you a plain-English site health check, tell you what’s outdated, what’s exposed, and what it would take to make it solid. Straight answer, no scare tactics, reply within 24 hours.