You hired someone to “look after the site.” Maybe a freelancer. Maybe the cousin of a guy you know. Maybe the developer who built it three years ago and still sends a short invoice every month with something vague like “website maintenance.”

Cool. But is anything actually being maintained?

Because a lot of small business owners are paying for peace of mind, not real work. And those are not the same thing. I’ve seen sites sitting on old plugins, broken backups, dead contact forms, and PHP versions from another era – while the owner fully believed somebody was “handling it.”

So let’s make this simple. Here’s how to tell if your WordPress guy is really doing the job, or just quietly existing near your website.


You should be seeing evidence, not vague reassurance

If the only update you ever get is “everything looks good,” that’s a red flag.

Real maintenance leaves a trail. There should be reports, notes, alerts, backup confirmations, update logs, something. Anything. Not a novel. You don’t need 14 pages of technical waffle. But you should be able to see what was done, when it was done, and whether anything needs your attention.

A decent maintenance routine usually includes:

  • WordPress core updates
  • Plugin and theme updates
  • Backups that are actually tested
  • Security checks
  • Uptime monitoring
  • Spam or malware review
  • Quick checks for broken forms or obvious site errors

If none of that is ever mentioned, ask directly. “What exactly did you do on my site this month?” Not in a rude way. Just plainly. A person doing the work should be able to answer in two minutes.


Ask where the backups are

This one sorts people fast.

Lots of so-called maintainers say backups are running. Fine. Where are they stored? How often? How long are they kept? Has anyone tested restoring one?

That’s the part people skip. A backup that can’t be restored is basically a hopeful little file sitting in the dark.

If your WordPress guy gets weirdly hand-wavey here, that’s not great. If the backups are stored only on the same hosting account as the website, also not great. If they’ve never tested a restore, honestly, I’d count that as “probably no backup strategy.” Harsh, but fair.

A proper maintenance setup usually includes offsite backups and at least occasional restore testing. Otherwise you’re just praying with extra steps.


Updates should happen regularly – but not recklessly

Some site owners think maintenance means smashing the “update all” button once every six months. Nope.

Good maintenance is boring, steady work. Updates should happen often enough that you’re not left exposed, but carefully enough that your site doesn’t explode on a Tuesday afternoon. If your site has ecommerce, bookings, memberships, or custom code, even more so.

Ask these questions:

  1. How often do you check for plugin, theme, and core updates?
  2. Do you test major updates before pushing them live?
  3. What do you do if an update breaks something?

If they can’t answer that clearly, you have a problem. And if your site has broken after updates more than once and the response was basically “yeah, WordPress does that,” I’d be annoyed. There are ways to reduce that risk. For a practical look, this guide on how to safely update WordPress, plugins and themes is worth reading.


Security maintenance is more than installing one plugin and forgetting it

This is a big one. People love saying “your site is secure” because they installed a security plugin in 2022.

That’s not maintenance. That’s a one-time setup.

Real security work means checking for plugin vulnerabilities, reviewing login attempts, keeping software patched, monitoring file changes, and watching for obvious signs of compromise. If your site sells products, stores customer messages, or has multiple admin users, I’d say this matters even more than design tweaks or SEO fiddling.

You should also know whether basic protections are in place. Stuff like login protection, malware scanning, and hardening settings. If nobody has ever mentioned these things, that’s a clue. A good example is using a vulnerability scanner to catch known issues in plugins before they turn into a real mess.

And yes, your login page matters. A lot. If you want a simple breakdown, this article on how to secure the WordPress login page covers the basics without getting too nerdy.


Your site should feel alive, not abandoned

Here’s a weird but useful test: log in and look around.

Do you see outdated plugin notices everywhere? Is WordPress asking to update from a version released ages ago? Are there 19 comments full of casino spam? Is there a plugin installed called something like “Backup_Final_v2” that’s been inactive since 2021? These little signs tell a story.

So does the front end. Click your contact form. Test it. Try the mobile menu. Load a few pages. Add something to cart if you run WooCommerce. A site under active maintenance tends to feel looked after. A neglected one feels… dusty. You know it when you see it.

And if something obvious has been broken for weeks, your maintainer either isn’t checking or isn’t telling you. Neither is ideal.


Monthly invoices should match monthly work

Paying every month? Then ask what happens every month.

That sounds obvious, but people avoid this because they don’t want to seem difficult. You are not being difficult. You’re checking whether a paid service exists in reality.

A real maintenance plan usually has a scope. Maybe small content edits are included. Maybe they’re not. Maybe uptime monitoring is included. Maybe emergency fixes are billed separately. Fine. But it should all be clear. If it’s muddy, it gets abused.

If you’re comparing what “your guy” does versus an actual maintenance provider, take a look at WordPress maintenance services and compare the checklist. Not because every site needs the biggest package. Most don’t. But because seeing the work spelled out makes it way easier to spot fluff.


Watch for these warning signs

Some red flags are subtle. Some are basically wearing a clown suit.

  • They never send reports or summaries
  • They don’t respond clearly when you ask what’s been done
  • Your site is visibly out of date
  • Backups are “set up” but nobody can show you where
  • They only react when something breaks
  • Your hosting, domain, and admin access are all under their control and you can’t access them
  • They discourage questions with jargon

That last one annoys me the most. If someone uses technical language to make you back off, that’s not expertise. That’s theater.


What to do if you’re not sure they’re doing the work

Start small. Don’t jump straight into a dramatic breakup email.

Ask for a summary of the last 60 days: updates applied, backups completed, security issues found, downtime incidents, and any recommendations. See what comes back. A good maintainer won’t be offended. Honestly, they might be relieved you’re paying attention.

If the answer is fuzzy, ask for access. You should have admin access to WordPress, access to hosting, and access to your domain account. Always. Even if someone else manages them day to day. If you don’t, fix that first.

And if your site has already been hacked, keeps breaking, or just feels neglected, don’t wait around hoping it magically improves. At that point you may need cleanup, a proper handover, or a fresh setup from someone who actually does the boring work consistently. That’s where a service like site cleaning can help if things have already gone sideways.


The simple test

Here it is.

If you ask, “What exactly are you maintaining on my website?” and the answer is clear, specific, and backed by evidence, you’re probably fine.

If the answer is vague, defensive, or weirdly mystical, you probably aren’t.

WordPress maintenance isn’t magic. It’s routine work done properly, over and over. Updates. Backups. Monitoring. Security checks. Fixing little problems before they turn into expensive ones. Kind of boring, really. That’s how you know it’s real.

And boring is good. Boring means your website keeps working while you run your business. That’s the whole point.