Monthly Website Maintenance Checklist for Marketing Agencies: What to Check and When

Most agencies handle website maintenance reactively. Something breaks, they fix it, they invoice for the time, and the client wonders why problems keep appearing. A structured monthly maintenance review changes the dynamic: it converts reactive firefighting into a scheduled, billable, documentable service.

The difference matters for the agency in three ways. It reduces the number of unplanned incidents. It creates a defensible deliverable for the retainer. And it positions the agency as the authority on the client's digital infrastructure, rather than the person who picks up the phone when something is broken.

What follows is a practical checklist — what to review monthly, quarterly, and annually, and how to make the process work at portfolio scale.

The Monthly Maintenance Scope

These are the checks that should run on every client site, every month without exception.

1. SSL certificate status and days until expiry. Check the certificate expiry date for every domain and subdomain serving HTTPS traffic. Flag anything under 30 days for immediate attention; anything under 60 days should be on a watch list. If the client uses Let's Encrypt via auto-renewal, verify that auto-renewal is actually working — not just that it is configured.

2. DNS record integrity. Compare current DNS records against the last verified baseline. Unexpected changes to A records, MX records, CNAME records, or NS records indicate either a misconfiguration, an unauthorised change, or a security event. DNS drift is common after hosting migrations, CMS updates, and platform integrations — checking it monthly catches problems before they cause visible failures.

3. Domain registration expiry date and renewal status. Review the expiry date for every client domain under management. Confirm auto-renewal status and verify that the attached payment method is active. Domain expiry is one of the few infrastructure failures that is entirely predictable and entirely preventable with a functioning review process.

4. Core uptime history for the month. Pull the uptime report for the period. Note any downtime events, their duration, their cause (if known), and whether an alert fired. If downtime occurred without an alert, investigate the monitoring configuration. If the alert fired but no action was taken, investigate the escalation path.

5. Security: pending CMS updates. For WordPress sites, check for outstanding updates to core, themes, and plugins. Log what is pending, apply updates in a staging environment if one exists, then push to production. For sites on other CMS platforms, apply the equivalent check. Outdated plugins are the most common entry point for WordPress compromises.

6. Performance baseline — page load time versus last month. Record the current page load time for the homepage and one key conversion page. Compare against last month. A significant degradation often precedes or coincides with a CMS or plugin change. Catching it monthly means catching it before it affects SEO rankings or conversion rates.

7. Vendor status incidents during the period. If the client's site depends on third-party services — Cloudflare, Stripe, Shopify, Mailchimp, any SaaS integration — review whether any of those vendors experienced publicly reported incidents during the month. Document the relevant incidents in the monthly report, even if the client site was unaffected. It demonstrates that you are tracking the full dependency chain.

8. New subdomains added this month. Check whether any new subdomains were created since the last review. Subdomains that are created outside the agency's direct involvement — by the client's internal team, a new vendor integration, a developer — may not have SSL certificates provisioned, or may have DNS records that conflict with existing configuration.

Quarterly Additions

These checks are too infrequent to need monthly attention but important enough to schedule explicitly rather than rely on memory.

Certificate chain validation. Verify the full certificate chain for every HTTPS site, not just the end-entity certificate expiry date. An incomplete chain causes connection errors in some browsers and environments, even when the certificate itself is valid. Tools like SSL Labs provide a full chain report.

Full subdomain audit using crt.sh. Query the Certificate Transparency logs for every domain to discover all subdomains that have ever had a certificate issued. This surfaces forgotten subdomains, staging environments left publicly accessible, and assets that are no longer in active use but still resolve.

Review of all domain registrar contacts and payment methods. Confirm that the contact email addresses on every registrar account are active and monitored. Confirm that payment methods are not expired. These are the details that cause auto-renewals to fail silently.

301 redirect audit. Verify that all redirect rules are functioning as expected. Redirects break during platform migrations, CMS upgrades, and server configuration changes. A broken redirect loses link equity and can create a confusing user experience.

Form functionality test on all lead capture forms. Submit test entries on every contact form, lead generation form, and enquiry form. Verify that submissions are received and that confirmation emails send correctly. Form breakage is common after plugin updates and is rarely noticed until a client asks why enquiries have dropped.

Annual Additions

Full brand asset audit against client brand guidelines. Review all publicly accessible brand assets — logos, imagery, documents — for compliance with the current brand guidelines. Superseded logos, incorrect colour variants, and outdated materials accumulate on client sites over time, particularly when multiple people have CMS access.

Vendor stack review. Identify all third-party services actively integrated with the client site. Confirm each is still in active use, still correctly configured, and still appropriate for the current site architecture. Vendor sprawl — integrations left active from previous campaigns or projects — adds unnecessary risk and performance overhead.

Retainer scope review. Confirm that all client assets are captured in the monitoring system and that the retainer scope reflects the current state of the client relationship. Sites are added and removed, domains are acquired, subdomains proliferate. An annual scope review prevents gaps.

How to Make This Billable

Monthly maintenance is a retainer service, not a free add-on. The checklist above represents several hours of work per client per month. The question is not whether to charge for it — it is how to frame it so clients understand what they are paying for.

The deliverable is the monthly monitoring report: a structured document showing what was checked, what was found, what action was taken, and the current status of each item. Clients who receive a report retain at higher rates than clients who receive nothing. A report converts invisible work into visible value.

The pitch is simple: "Every month you receive a report showing the SSL status, DNS health, domain renewal schedule, uptime history, and security posture for your site. If anything is outside acceptable parameters, we address it before it becomes an incident."

Agencies that provide this service charge between £150 and £500 per month depending on site complexity and the scope of the checks included. The cost of one missed domain expiry — recovery fees, emergency support hours, client relationship damage — typically exceeds a year of the retainer.

Tools for the Monthly Check

The monthly maintenance review requires data from several sources: SSL certificate status, DNS records, domain expiry dates, uptime history, and CMS update queues. Running these checks manually across a portfolio of 20+ clients is time-consuming and error-prone.

A monitoring dashboard that aggregates SSL status, DNS change detection, domain expiry dates, and uptime history into a single view significantly reduces the time required for each monthly review. It also ensures consistency — no client is accidentally skipped, and the data is available without logging into multiple control panels.

Merlonix provides the SSL, DNS, domain expiry, and uptime monitoring layer for the maintenance checklist, with per-client reporting suitable for delivery to clients directly or incorporation into a broader monthly report.

→ Platform guide: Monitoring for Squarespace Agencies