Website Maintenance: What It Is, What It Covers, and How to Do It

Website maintenance is the ongoing work that keeps a site secure, fast, and functional. This guide covers what maintenance actually involves, how often to do it, and what breaks when you skip it.

Vantaj Team · June 26, 2026 · 12 min read

Most websites break slowly. A dependency goes unmaintained. An SSL certificate expires. A database index degrades. A third-party script starts returning 404s. Each issue is individually small, but they compound over months until something fails loudly enough for someone to notice.

Website maintenance is the work that prevents that. It's not glamorous, and it rarely makes it into project timelines. But skipping it has a cost - measured in downtime, security incidents, slow pages, and SEO rankings that drop without explanation.

This guide covers what website maintenance actually includes, how to structure it across daily, weekly, monthly, and annual cadences, and how to monitor for the issues that emerge between maintenance windows.

What Website Maintenance Covers

Maintenance spans six areas. Most people think about software updates. That's one of six.

| Area | What it includes | Risk if neglected |
|---|---|---|
| Security | Software updates, dependency patches, SSL/TLS configuration | Vulnerabilities, breaches, certificate expiry outages |
| Performance | Page speed, database optimization, caching, CDN configuration | Slow pages, poor Core Web Vitals, lost SEO |
| Availability | Uptime monitoring, health checks, DNS verification | Undetected downtime, degraded user experience |
| Content | Broken links, outdated information, dead pages | Poor UX, SEO penalties from broken links |
| Backups | Database backups, file backups, recovery testing | Unrecoverable data loss after failure |
| Infrastructure | Domain renewal, hosting renewal, dependency updates | Sudden outages from expired services |

Security Maintenance

Security maintenance is the highest-stakes area. A neglected security update can mean a breach that's orders of magnitude more costly than the hour it would have taken to apply the patch.

Software and dependency updates

Every CMS, framework, plugin, and package you run has a vulnerability lifecycle. A researcher discovers a flaw, reports it, the vendor patches it, and attackers reverse-engineer the patch to exploit unpatched sites. The window between patch release and active exploitation has compressed to days in many cases.

What to update:

  • CMS core (WordPress, Drupal, Ghost, etc.)
  • Plugins, themes, and extensions
  • Web server software (nginx, Apache)
  • Runtime dependencies (npm packages, Python packages, Ruby gems)
  • Server operating system packages

How to structure it:

  • Security patches: apply within 24-48 hours of release
  • Minor updates: apply within 1-2 weeks
  • Major version upgrades: plan as a project with testing

For dependency management, tools like Dependabot (GitHub), Renovate, or npm audit automate the detection side. You still need a process for reviewing and applying the updates.

SSL/TLS certificate maintenance

An expired SSL certificate takes your site offline for every visitor - browsers block access by default. Let's Encrypt certificates expire every 90 days. Commercial certificates typically last one or two years.

What to maintain:

  • Certificate renewal (automated via Certbot or your hosting provider, but verify it's working)
  • Certificate chain validity (intermediate certificates need updating separately)
  • Protocol and cipher suite configuration (disable deprecated TLS 1.0 and 1.1)
  • HSTS configuration

How to monitor it: Set up SSL monitoring that alerts you 30 days before expiry. Don't rely on remembering - auto-renewal processes fail silently more often than people expect. A misconfigured Certbot cron job can mean months of apparent auto-renewal that silently fails until the certificate actually expires.
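An expiry check along these lines can run from the daily monitoring job, independent of Certbot. This is an added example, not code from the original article; the function names and the sample dates are constructed for illustration, and the 30-day threshold is the one given above.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # alert threshold from the text above


def days_left(not_after: str, now: datetime) -> int:
    """Whole days until notAfter, given in the format getpeercert() returns."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def classify(not_after: str, now: datetime, warn_days: int = WARN_DAYS) -> str:
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "EXPIRED"
    return "RENEW" if remaining <= warn_days else "OK"


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Read notAfter from the certificate the server actually presents.
    The default context verifies chain and hostname, so a missing intermediate
    or an already expired certificate raises ssl.SSLError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check(host: str) -> str:
    """One result per host for the alerting job; handshake failures are alerts too."""
    try:
        return classify(fetch_not_after(host), datetime.now(timezone.utc))
    except (ssl.SSLError, OSError) as exc:
        return f"ALERT handshake failed: {exc}"


# Constructed sample values (not from a real certificate), evaluated offline.
SAMPLE_NOW = datetime(2026, 6, 26, tzinfo=timezone.utc)
SAMPLES = {"fresh": "Dec 31 00:00:00 2026 GMT",
           "due": "Jul 16 00:00:00 2026 GMT",
           "lapsed": "Jun  1 00:00:00 2026 GMT"}

if __name__ == "__main__":
    for label, not_after in SAMPLES.items():
        print(label, classify(not_after, SAMPLE_NOW))
```

Because the check reads the certificate from the live endpoint rather than from disk, it also catches the case where renewal succeeded but the web server was never reloaded.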

Access and credential hygiene

Former employees who still have access, API keys that haven't rotated in two years, admin passwords reused from another service that got breached - these are maintenance items, not one-time setup tasks.

Quarterly actions:

  • Audit admin and editor user accounts, remove stale access
  • Rotate API keys for third-party services
  • Review OAuth application permissions
  • Verify MFA is enabled on all admin accounts

Performance Maintenance

A site that loaded in 1.2 seconds last year might load in 3.1 seconds today. JavaScript bundles grow. Images accumulate. Database queries that were fast on 10,000 rows are slow on 500,000. Performance decays without maintenance.

Core Web Vitals monitoring

Google uses Core Web Vitals as ranking signals. They measure three things:

| Metric | Measures | Good threshold |
|---|---|---|
| LCP (Largest Contentful Paint) | How fast the main content loads | Under 2.5 seconds |
| INP (Interaction to Next Paint) | How responsive the page feels to input | Under 200ms |
| CLS (Cumulative Layout Shift) | How much content jumps around as it loads | Under 0.1 |

Check Core Web Vitals monthly using Google Search Console's Core Web Vitals report (real user data) and PageSpeed Insights (synthetic test). A drop in LCP often traces to an image that lost its CDN caching, a new third-party script, or a database query that started running slower.

Database maintenance

MySQL/PostgreSQL:

  • Run ANALYZE and VACUUM to keep query planner statistics current (PostgreSQL auto-vacuums, but verify it's running)
  • Review slow query logs monthly - queries that took 50ms last year take 500ms this year as data grows
  • Rebuild fragmented indexes after heavy write periods
  • Archive or delete rows that no longer need to be in the main tables

Practical cadence: Review slow query logs monthly. Run database health checks quarterly. Archive old data annually.

Image and asset optimization

Images uploaded directly to a CMS are rarely optimized automatically. Over months, a content team can add hundreds of uncompressed images. A single hero image at 6MB is more than enough to tank your LCP.

What to maintain:

  • Audit image sizes quarterly (tools like GTmetrix or Lighthouse flag oversized images)
  • Ensure new uploads go through an optimization pipeline (WebP conversion, resize on upload)
  • Verify CDN caching headers are correct for static assets

Availability Maintenance

Your site might be down right now. Without monitoring, you find out when a customer tweets about it or a team member tries to visit it.

Uptime monitoring

Set up automated uptime monitoring that checks your site every minute from multiple geographic regions and alerts you immediately when it goes down. Checking from one location creates false positives; multi-region consensus verification confirms the outage is real before paging anyone.

What to monitor:

  • Root domain and primary entry points
  • API health endpoints (/health, /api/status)
  • Critical user flows (checkout, login, signup)
  • Subdomains that serve distinct functions (docs, support, app)

Detection time matters: A 5-minute check interval means up to 5 minutes of undetected downtime before you get the first alert. A 1-minute interval cuts that to 60 seconds. For e-commerce or SaaS applications, the revenue cost of that difference is real.

DNS monitoring

DNS changes are invisible to most teams. An attacker who modifies your DNS records, a botched DNS migration, or an accidental record deletion - none of these trigger application-level alerts. By the time users report issues, hours may have passed.

Configure DNS monitoring to alert on any change to your A records, CNAME records, MX records, and nameservers. An unexpected change is either a security incident or a misconfiguration that needs immediate investigation.
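The comparison step of such a monitor, as an added example that is not part of the original article: it diffs a stored baseline against a fresh snapshot without alerting on reordering or formatting differences. How the snapshots are collected (resolver, registrar API) is left open; the snapshot layout, function names and sample records are assumptions constructed for illustration.

```python
WATCHED = ("A", "CNAME", "MX", "NS")  # record types named in the text above


def normalise(value: str) -> str:
    """Lower-case, collapse whitespace and drop the trailing root dot."""
    return " ".join(value.lower().split()).rstrip(".")


def diff_records(baseline: dict, current: dict) -> list:
    """Compare two {type: [values]} snapshots of one zone name.

    Values are compared as sets, so round-robin reordering is not a change.
    A type mapped to None in `current` means the lookup itself failed; that is
    reported separately instead of as every record having been removed."""
    changes = []
    for rtype in WATCHED:
        if current.get(rtype) is None:
            changes.append((rtype, "lookup_failed", ""))
            continue
        old = {normalise(v) for v in baseline.get(rtype) or []}
        new = {normalise(v) for v in current[rtype]}
        changes += [(rtype, "removed", v) for v in sorted(old - new)]
        changes += [(rtype, "added", v) for v in sorted(new - old)]
    return changes


# Constructed snapshots using documentation-reserved names and addresses.
BASELINE = {
    "A": ["192.0.2.10", "192.0.2.11"],
    "CNAME": [],
    "MX": ["10 mail.example.com."],
    "NS": ["ns1.example.net.", "ns2.example.net."],
}
REORDERED = {
    "A": ["192.0.2.11", "192.0.2.10"],
    "CNAME": [],
    "MX": ["10 MAIL.example.com"],
    "NS": ["ns2.example.net", "ns1.example.net"],
}
CHANGED = {
    "A": ["192.0.2.10", "198.51.100.7"],
    "CNAME": [],
    "MX": None,
    "NS": ["ns1.example.net.", "ns2.example.net."],
}

if __name__ == "__main__":
    for change in diff_records(BASELINE, CHANGED):
        print("DNS change:", change)
```

Update the baseline only as part of a reviewed change, so that an unexpected difference keeps alerting until someone has explained it.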

Health check endpoints

Don't monitor your homepage - monitor a health endpoint that checks your critical dependencies. A /health endpoint that verifies database connectivity, cache availability, and core service dependencies gives you an accurate availability signal.

A homepage returning 200 while your database is down isn't monitoring - it's measuring whether your CDN is functioning.
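A minimal /health endpoint of the kind described above, using only the Python standard library. This is an added example, not code from the original article; the probe functions are constructed stand-ins for real checks such as a `SELECT 1` against the database or a cache ping.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer


def run_checks(checks: dict) -> tuple:
    """Run every dependency probe; one failure turns the whole endpoint into
    a 503 so the uptime monitor sees the outage."""
    results = {}
    for name, probe in checks.items():
        try:
            results[name] = "ok" if probe() else "fail"
        except Exception:
            # Report the component name only: exception text can carry
            # hostnames or connection strings, and /health is often public.
            results[name] = "fail"
    healthy = all(state == "ok" for state in results.values())
    body = {"status": "ok" if healthy else "degraded", "checks": results}
    return (200 if healthy else 503), body


def make_handler(checks: dict):
    class HealthHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != "/health":
                self.send_error(404)
                return
            code, body = run_checks(checks)
            payload = json.dumps(body).encode()
            self.send_response(code)
            self.send_header("Content-Type", "application/json")
            self.send_header("Cache-Control", "no-store")  # a CDN must never cache this
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)
    return HealthHandler


# Constructed probes standing in for real dependency checks.
def db_up() -> bool:
    return True


def cache_down() -> bool:
    raise ConnectionError("redis://192.0.2.20:6379 refused")  # constructed address


if __name__ == "__main__":
    handler = make_handler({"database": db_up, "cache": cache_down})
    HTTPServer(("127.0.0.1", 8080), handler).serve_forever()
```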


Content Maintenance

Every link to an external resource is a liability that decays over time. Pages move, sites close, URLs change. A 404 from an outbound link is a minor UX issue. A 404 from an internal link means you're sending users to dead pages on your own site.

How to audit: Run Screaming Frog or a free crawler (Broken Link Checker, Dead Link Checker) monthly. Fix internal 404s immediately. For external 404s, update the link or remove it.

SEO impact: Pages with many broken links see gradual ranking declines. Google treats broken internal links as a signal that content is poorly maintained.

Content accuracy audits

Pricing pages that show outdated pricing. Product pages for features you deprecated. Blog posts that reference tools or integrations you no longer support. Every outdated page is a potential customer support issue or trust problem.

Quarterly actions:

  • Review pricing pages for accuracy
  • Check product/feature pages against what the product currently does
  • Update or redirect posts that reference deprecated features

Redirect maintenance

Every time a URL changes - a blog post gets renamed, a product page moves - you need a redirect from the old URL to the new one. Without redirects, any link pointing to the old URL sends users to a 404 page and loses its SEO equity.

Audit your redirects quarterly:

  • Check for redirect chains longer than 2 hops (301 → 301 → 200)
  • Verify redirect destinations still exist
  • Check for redirect loops (URL A redirects to URL B, which redirects back to URL A)
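The three checks above can be run over an exported redirect map in one pass. This is an added example, not code from the original article; it assumes a hop means one redirect followed, and the map, the set of live URLs and the function names are constructed for illustration.

```python
MAX_HOPS = 2  # limit from the checklist above; one hop = one redirect followed


def trace(start: str, redirects: dict, live: set) -> dict:
    """Follow `start` through the redirect map and classify where it ends."""
    path, seen, url = [start], {start}, start
    while url in redirects:
        url = redirects[url]
        path.append(url)
        if url in seen:  # back at a URL already visited: never resolves
            return {"path": path, "issue": "loop"}
        seen.add(url)
    hops = len(path) - 1
    if url not in live:
        return {"path": path, "issue": "dead destination"}
    if hops > MAX_HOPS:
        return {"path": path, "issue": f"chain of {hops} hops"}
    return {"path": path, "issue": None}


def audit(redirects: dict, live: set) -> dict:
    """Return only the redirect sources that need fixing."""
    report = {}
    for source in redirects:
        result = trace(source, redirects, live)
        if result["issue"]:
            report[source] = result
    return report


# Constructed data: in practice the map comes from the server's redirect rules
# and `live` from a crawl of URLs that answer 200.
REDIRECTS = {
    "/old-pricing": "/pricing",
    "/blog/a": "/blog/b", "/blog/b": "/blog/c", "/blog/c": "/blog/d",
    "/x": "/y", "/y": "/x",
    "/docs/v1": "/docs/v0",
}
LIVE = {"/pricing", "/blog/d"}

if __name__ == "__main__":
    for source, result in audit(REDIRECTS, LIVE).items():
        print(source, result["issue"], " -> ".join(result["path"]))
```

For a flagged chain, the last element of `path` is the URL the source should point to directly.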

Backup Maintenance

Backups that have never been tested haven't been verified. Backup files that sit on the same server as the site they're backing up get deleted in the same incident that corrupts the site.

Backup configuration

Database backups:

  • Frequency: Daily for production databases. Hourly if data changes frequently.
  • Retention: 7 daily backups, 4 weekly backups, 3 monthly backups (3-2-1 rule)
  • Storage: Off-site or in a different cloud account. Same-server backups don't help in a server failure.

File backups:

  • Uploaded files (images, documents, user uploads)
  • Custom application code not in version control
  • Configuration files (nginx config, .htaccess, environment files)

Backup testing

Test your restore process quarterly. A backup you've never restored from is a backup you don't know works. Common failure modes:

  • Database dump was created with wrong encoding, fails to import
  • Backup file is incomplete due to a disk space issue during backup
  • Restore process assumes a server configuration that's changed
  • Credentials in the backup are outdated

The test: Take your most recent backup, spin up a clean environment, and verify you can restore a fully functional site from it. If you can't, your backup isn't a backup.
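A cheap integrity check can run after every backup and before each quarterly restore test, catching the incomplete-file failure mode listed above. This is an added example, not code from the original article; it assumes gzip-compressed plain-format pg_dump output and a SHA-256 recorded at backup time, and the function names and sample dump are constructed. It does not replace the restore test.

```python
import gzip
import hashlib
import zlib

# Assumption: plain-format pg_dump output, which ends with this comment line.
PG_MARKER = b"PostgreSQL database dump complete"


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_dump(path: str, expected_sha256: str, marker: bytes = PG_MARKER) -> list:
    """Return the problems found in a gzip-compressed SQL dump (empty list = passed)."""
    problems = []
    if sha256_file(path) != expected_sha256:
        problems.append("checksum differs from the one recorded at backup time")
    tail = b""
    try:
        with gzip.open(path, "rb") as gz:
            for chunk in iter(lambda: gz.read(1 << 20), b""):
                tail = (tail + chunk)[-512:]  # keep only the end of the stream
    except (EOFError, OSError, zlib.error):
        # A dump cut short by a full disk ends before the gzip trailer.
        problems.append("archive is truncated or corrupt")
        return problems
    if marker not in tail:
        problems.append("dump ended without its completion marker")
    return problems


def write_sample(path: str, complete: bool = True) -> str:
    """Write a constructed dump for the demo and return its SHA-256."""
    body = b"CREATE TABLE posts (id int);\n" * 200
    if complete:
        body += b"--\n-- PostgreSQL database dump complete\n--\n"
    with gzip.open(path, "wb") as gz:
        gz.write(body)
    return sha256_file(path)
```

Store the recorded checksum somewhere other than next to the backup file, so that whatever damages the archive cannot also rewrite the value it is checked against.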


Infrastructure Maintenance

Domain renewal

Domain expiry is the maintenance failure with the most dramatic consequences. When a domain expires, your entire site - and any email running on that domain - goes offline. Domain squatters monitor expiring domains and register them within seconds of availability.

What to do:

  • Enable auto-renewal on every domain you own
  • Keep payment methods current with your registrar
  • Set calendar reminders 60 days before expiry as a secondary check
  • Audit all domains you own annually - legacy domains from old projects accumulate

Set up domain expiry monitoring that alerts 60 days and 30 days before expiry. By the time you see the 7-day warning in your registrar's email, it may have gone to spam.

Hosting and service renewals

The same expiry problem applies to:

  • Hosting provider subscription
  • Email service provider
  • CDN subscription
  • Third-party API subscriptions your site depends on

Build a services inventory spreadsheet with renewal dates and set reminders. The cost of an unexpected outage from an expired subscription is always higher than the five minutes it takes to add a calendar reminder.


Maintenance Schedule

Translating the above into a practical cadence:

Daily (automated)

  • Uptime monitoring with immediate alerting
  • DNS record change detection
  • SSL certificate validity checks
  • Backup completion verification

Weekly (manual check, 30 min)

  • Review uptime and performance dashboards
  • Check for pending security updates (CMS, plugins)
  • Review error logs for new error patterns

Monthly (manual review, 2-3 hrs)

  • Apply non-critical software updates
  • Run broken link audit
  • Review Core Web Vitals in Google Search Console
  • Check slow query logs
  • Review access logs for unusual patterns

Quarterly (planned work, half day)

  • Audit user accounts and access permissions
  • Test backup restore process
  • Performance audit (PageSpeed Insights, GTmetrix)
  • Review content accuracy
  • Rotate API keys and credentials

Annually (planned project)

  • Major dependency version upgrades
  • Security configuration review (cipher suites, headers, DNSSEC)
  • Domain and services renewal audit
  • Architecture review for outdated components

What Breaks Without Maintenance

Teams that skip maintenance consistently encounter these failure modes:

| Failure | Typical cause | Time to notice without monitoring |
|---|---|---|
| Site offline | Expired SSL certificate | Hours to days |
| Email offline | Expired domain or changed MX records | Hours |
| Site breached | Unpatched CMS vulnerability | Weeks (often never without audit) |
| Slow pages | Unoptimized images, slow queries | Months (gradual) |
| Lost rankings | Broken internal links, slow performance | Months (gradual) |
| Data loss | Untested backups that don't restore | Discovered at worst possible time |

The pattern is consistent: gradual degradation that's invisible without monitoring, followed by a sudden visible failure at the worst possible moment.


Monitoring vs. Maintenance

Monitoring doesn't replace maintenance - it tells you when maintenance has failed.

An SSL monitor alerts when a certificate expires. The maintenance task was to ensure auto-renewal was configured correctly. The monitor catches the failure when maintenance didn't.

An uptime monitor fires when a site goes down. The maintenance task was to apply the security patch before the vulnerability was exploited. The monitor reports the consequence.

Set up monitoring first - it gives you the signal to know when something needs immediate attention. Then build the maintenance cadence to prevent those signals from firing.