December 9, 2025 · 4 min read
End-of-year checklist for your website: security, backups, speed
December is when websites get left on their own: everyone is thinking about year-end closings, deliveries and holidays, and January arrives with the surprises that piled up during the year. A couple of hours of checks now cost far less than a compromised or unreachable site in January. This is the end-of-year checklist we apply to our clients' sites: security, backups and speed, plus a few checks almost nobody does.
Updates and security: close the open doors
Most compromises come through outdated components, not sophisticated attacks. The end-of-year check starts here:
- Core, themes and plugins (or modules, if you use PrestaShop): bring everything to the latest stable version, after taking a backup. If a plugin hasn't received updates in a long time, consider replacing it: an abandoned component is a door someone will eventually open.
- PHP version: check with your hosting provider that the site runs on a version that is still supported. End-of-life versions no longer receive security fixes.
- User accounts: go through the list of administrator users. Departed collaborators, agencies you no longer work with, forgotten test accounts: anything not needed gets removed. For the accounts that stay, strong passwords and two-factor authentication.
- SSL certificate: check the expiry date and that automatic renewal works. A certificate that expires on New Year's Eve means a security warning in visitors' faces until someone notices.
- Scan: an anti-malware scan of the site's files closes the loop. If you find modified files you don't recognize, stop and ask for help before touching anything else.
Backups: having them isn't enough, they must be tested
Almost everyone has a backup. Very few have ever tried to restore one, and an untested backup is a hope, not a protection. The end-of-year test works like this: take the latest full backup, restore it in a separate environment (a staging subdomain or a local environment) and check that the site starts, the data is there and the images load.
While you're at it, review the strategy as a whole:
- are the backups automatic, or do they depend on someone's goodwill?
- are they also stored off the site's server? If the server dies, a backup stored only there dies with it;
- is the frequency adequate? For an eCommerce store receiving orders every day, a weekly backup means accepting the loss of up to a week of orders;
- how long are copies kept? Some problems surface weeks later, and you need to be able to go back far enough.
Speed: the check that also pays off with Google
Over the year, sites slow down by accumulation: plugins added, images uploaded at full weight, a growing database. Run a round of tests with performance measurement tools (PageSpeed Insights is the natural starting point) on the main pages, mobile before desktop, and compare the results with last year's if you saved them.
The interventions that usually pay off most: compressing and converting images to modern formats, checking that caching works on all the pages that should have it, deactivating plugins you no longer use, and cleaning the database of revisions, expired sessions and abandoned carts months old. If the site is still slow after the cleanup, the problem may sit lower down, in the hosting: an undersized server isn't fixed with a caching plugin.
The cleanup nobody ever does
Last block, ten minutes that pay off all year:
- broken links: deleted pages, moved PDFs, links to external sites that no longer exist;
- expired content: promotions for past events, banners with old dates, the year in the footer;
- forms: send a test message from every contact form and check that it arrives. Forms that stop delivering emails are a silent classic: the site looks fine while enquiries get lost;
- connected mailboxes: check that order and contact notifications go to inboxes someone actually reads;
- upcoming renewals: domain, hosting, certificates, plugin and module licenses. Put next year's deadlines in the calendar, with payment cards up to date.
If you'd rather we handle it
These checks are the yearly minimum; on the projects we manage directly we do them continuously, with monitoring, tested backups and scheduled updates through our servers and infrastructure service. If you want to close the year with your site in order, or find out what shape it's in before someone else does, book a free call: we'll take stock together and tell you where to intervene.
