Embed this checklist
Want to use this checklist on your blog or magazine? Use the following code to embed it:

Template: WordPress Checklist

With this checklist, you can frequently check your WordPress installation if it is still working as expected. It also includes maintenance tasks like updating core and plugins and security-related checks.

As always: We're happy about suggestions. Contact us!

Notice: Your checks will not be saved. Please log in or sign up to permanently manage this checklist.
Is the WordPress core up to date?
Make sure that you are running the latest version of WordPress. Outdated releases often pose a security threat.
Are all plugins up to date?

Make sure that all plugins are up to date.

Updating plugins is even more important than updating the core, since security issues with plugins are much more frequent. (you should still update the core, though)

Is the theme up to date?

Themes can be updated as well. Make sure your's is current.

Updating themes can be more tricky, though. Before you download a new version, read carefully what is about to change. You don't want to be hit with a layout change unprepared.

Is the backup solution working?

Make sure that a backup solution is installed and that the backups are usable.

Read the WordPress Codex page about Backups for more information on how to set up backups.

Important: Don't just set the backups up, make sure that you can actually restore your installation from them.

Is the homepage displayed as expected?
Open the homepage of your website and make sure that it is displayed correctly.

Are articles displayed correctly?
Open a single post and make sure that it is displayed correctly.
Are pages displayed correctly?
Open a page and make sure that it is displayed correctly.
Is the permalink structure still as expected?

Make sure that the structure of your permalinks has not been changed accidentally.

Are there only familiar user accounts?

Go through all registered accounts. Check that all users are known and expected to have an account. Unknown accounts can be a sign for a compromised system.

You can find the list of users in the WordPress backend under 'Users' => 'All users':


Are there no malware warnings?

Check that your site does not generate malware warnings. This can happen if your site has been compromised. Rarely there can also be false alarms, which nevertheless have to be dealt with. There are several ways to check this:

  • If your site is registered in Google Webmaster Tools, you can find malware warnings there.
  • If not, you can search for your site and click on a result leading to your site. If Google suspects malware, it will show a warning.
  • If you have antivirus software installed, just surf around on your site and watch for alarms.
Is your site discoverable via search engines?

Try to search for your site and see if it turns up.

This is a simple way to test if something went horribly wrong with your robots.txt or similar. See also our template for a SEO checklist for more detailed checks of this kind.

Are there no anomalies in your statistics?
Take a look at your statistics software and look for anomalies. Sudden drops in traffic should be analyzed.
Is the contact form working?

If you have a contact form, test if it is still working as expected.

  1. Test if required fields are enforced and show helpful error messages if left blank.
  2. Test if a correctly filled and sent form shows a helpful confirmation message.
  3. Verify that the message actually arrives.
Is the RSS feed working?

Verify that your RSS feed is still reachable at the usual address and valid.

It is of utmost importance that the URL of the feed does not change. If it changes, all your subscribers will cease to receive updates. Setting up an automated check might be a good idea.

You can use the W3C Feed Validation Service to validate the feed.

Also verify that new posts do indeed show up in the feed.