WordPress Maintenance: 5 Practical Hacks That Actually Work

What "WordPress maintenance" actually means

Most maintenance advice assumes you have all day to babysit a website. You don't. Founders and marketing teams need fixes that take 20 minutes, run themselves afterwards, and keep the site fast and safe without constant attention.

I've spent 18 years cleaning up WordPress sites. The same five things keep coming up — database bloat, slow images, weak logins, missing backups, and plugin sprawl. Fix those and you've solved 80% of what most "maintenance plans" charge a monthly fee to do.

WordPress now powers 43.4% of all websites globally (source: W3Techs, 2025). The average install runs 20 to 25 plugins, and around half of all sites still run an outdated core version. The fixes below don't require code, take minutes per week, and stop the most common failures before they happen.

1. Clean your database before it strangles your site

The WordPress database fills up with junk over time — old post revisions, expired transients, spam comments that auto-delete plugins missed, orphaned metadata from uninstalled plugins. A 5-year-old WordPress install can easily carry 200MB of dead data.

The result: slower admin pages, longer backup times, and bloated query times that nothing in your caching plugin can fix.

The plugin to install: WP-Optimize

WP-Optimize does three things that matter:

• Removes post revisions, auto-drafts, trashed comments
• Cleans expired transients (temporary cached data)
• Optimises MySQL tables to reclaim space

How to set it up

1. Install WP-Optimize from the plugins directory
2. Go to WP-Optimize → Database, review what it'll remove
3. Run "Run all selected optimizations" once manually
4. Under Settings, schedule it weekly or fortnightly

One client of ours had a database that had grown to 1.8GB. After running WP-Optimize and limiting future revisions to 5 per post (define('WP_POST_REVISIONS', 5); in wp-config.php), it dropped to 280MB. Backups now take 4 minutes instead of 35.

2. Lazy-load every image and video

If your homepage has 30 images, the browser tries to download all 30 before showing the page. Lazy loading defers everything below the fold — images only load when the visitor scrolls near them.

WordPress 5.5+ added native lazy loading via the loading="lazy" HTML attribute. It works automatically on most modern themes. Check your image tags in browser DevTools to confirm it's firing.

When you need a plugin

If your theme doesn't add the attribute (or you have older content from before WP 5.5), a3 Lazy Load adds it everywhere — images, iframes, videos, even background images set via inline CSS.

Quick wins beyond lazy loading

• Convert images to WebP. The Imagify or ShortPixel plugins do this automatically on upload.
• Set explicit width and height attributes on images. This stops layout shift and improves your Core Web Vitals score.
• Compress hero images to under 200KB. Anything bigger is rarely worth the quality difference at typical viewport sizes.

Test before and after at PageSpeed Insights. A WordPress site doing 4 seconds to LCP can usually get to 1.5 seconds with image optimisation alone.

3. Turn on two-factor authentication for every admin

Brute-force login attacks are the cheapest hack in the book. Bots try admin, wp_admin, and your business name with leaked password lists. If a single admin account uses a password from any past breach, your site is one bot away from compromise.

Two-factor authentication (2FA) makes that attack stop working overnight. Even with your password, an attacker can't log in without the second code from your phone.

The plugin to install

WP 2FA by Melapress is what I use. It's free for the basics, supports authenticator apps (Google Authenticator, Authy, 1Password), and lets you enforce 2FA for specific user roles.

Setup takes 5 minutes:

1. Install and activate WP 2FA
2. Go to WP 2FA → Settings → Wizards
3. Choose "Enforce 2FA for all administrators and editors"
4. Each user is prompted to set up 2FA on their next login

Pair it with a password manager

2FA matters less if you reuse the same password across 30 sites. Get every team member on 1Password or Bitwarden (the free version works well). Generate unique 20-character passwords for every WordPress site. Stop using "WelcomeBack2024!" for everything.

For more on locking down your site, see our 7 strategies to strengthen WordPress security.

4. Automate backups to a place that's not your server

The number of "we lost everything" calls I take that trace back to no off-site backup is depressing. Hosting provider backups are not enough. If your hosting account gets compromised or the provider has an outage, those backups are gone with the rest.

Off-site means a separate cloud — Google Drive, Dropbox, Amazon S3, Backblaze B2. Anywhere that's not the same server hosting your site.

The plugin to install: UpdraftPlus

UpdraftPlus is the most-used backup plugin for a reason. It backs up files, databases, and uploads, schedules itself, and pushes copies to the cloud destination of your choice.

Setup that takes 10 minutes

1. Install and activate UpdraftPlus
2. Go to Settings → UpdraftPlus Backups → Settings
3. Set schedules: daily for database, weekly for files
4. Pick your remote storage (Google Drive is the easiest free option for sites under 15GB)
5. Authorise the connection, save settings
6. Click "Backup Now" once to confirm everything works

Test the restore, not just the backup

A backup you've never restored isn't really a backup. Once a quarter, restore your latest backup to a staging environment. That's the only way to know it actually works when you need it.

For sites pushing real revenue, the UpdraftPlus Premium incremental backup feature is worth the $70/year. It backs up only what changed, so daily backups go from 30 minutes to 2.

5. Strip out plugin and asset bloat

The average WordPress site loads CSS and JavaScript from 15+ plugins on every page — even pages that don't use those plugins. A contact form plugin that you only use on /contact is loading scripts on /about, /blog, and your homepage too.

That's bloat. It slows down every page load, raises your hosting costs, and gives attackers more code to probe for vulnerabilities.

The plugin to install: Asset CleanUp

Asset CleanUp lets you disable specific scripts and styles per page. Only load the contact form code on /contact. Only load the gallery script on pages with galleries. The rest of the site stays lean.

How to use it:

1. Install and activate Asset CleanUp
2. Open a page in the editor — you'll see a new "CSS/JS LOAD MANAGER" panel below the content
3. For each loaded asset, choose "Unload on this page" if it's not needed
4. Save, test the page in an incognito window, confirm nothing broke

The bigger habit: audit your plugins quarterly

Open your plugins page. For every plugin, ask: "What does this do, and would I notice if it were gone?"

If you can't answer either question, deactivate it for a week. If nothing breaks and nobody complains, delete it. Most WordPress sites can shed 5-10 plugins this way without losing any function.

We've covered the full plugin overload problem in are you overloading your WordPress with plugins.

Where this approach falls short

These five methods cover most small and mid-size WordPress sites. They won't fix:

• A bad theme that's poorly coded — you'll need to switch
• A hosting provider that's overselling shared servers — you'll need to migrate
• A site that's been hacked already — you'll need a clean restore from backup, not maintenance

Maintenance is preventative. If your site is already on fire, fix the fire first.

A 4-week setup checklist

Week 1: Install WP-Optimize, run cleanup, schedule weekly. Limit post revisions in wp-config.php.

Week 2: Confirm lazy loading is working. Install image optimisation. Test PageSpeed score.

Week 3: Roll out WP 2FA to all admins and editors. Get team on a password manager.

Week 4: Set up UpdraftPlus with off-site storage. Run Asset CleanUp on your top 5 pages by traffic. Audit plugin list, remove anything unjustified.

Total time: maybe 4 hours over a month. Time saved over the next year: more than that, every month.

FAQ

How often should I run WordPress maintenance tasks? Database cleanup weekly, plugin updates weekly (after testing on staging), backups daily for the database, and a quarterly review of plugins and security settings. Most of this can be automated.

Do I need all five plugins running at the same time? Yes, they do different jobs. WP-Optimize for the database, 2FA for security, UpdraftPlus for backups, Asset CleanUp for performance, and a lazy-load plugin only if your theme doesn't handle it natively.

Will these plugins slow down my site? WP-Optimize and UpdraftPlus only run when scheduled. WP 2FA only runs on login pages. Asset CleanUp actually speeds your site up by removing unnecessary code. The lazy-load plugin adds a tiny amount of JavaScript.

Is free UpdraftPlus enough or do I need premium? Free works for most sites under 5GB with one or two cloud destinations. Premium is worth it once you want incremental backups, multi-site management, or specific destinations like OneDrive.

Can I do all this without a developer? Yes. Every method here is plugin-based and clickable. The only command-line bit (editing wp-config.php) is one line you copy-paste with FTP or your host's file manager.

Want this set up for you?

We run WordPress maintenance for clients across India, the US, and the UK — the same five methods plus monthly health reports and on-call support. See our maintenance plans or send us a note describing your site. We'll tell you what's actually worth doing and what isn't.