I’ve been using this management checklist for my WordPress clients for more than five years, with various additions, changes and improvements.
In no particular order, here’s what you must do for your WordPress site:
1. Make a backup strategy
This is a very important step which should be taken seriously since the moment you set your site live. You have four options and I will list them in my preferred order:
1.1. Use a WordPress service (I use VaultPress)
1.2. Use a WordPress plugin (BackupBuddy, Snapshot, UpdraftPlus, BackUpWordPress, BackWPup)
1.3. Use a CRON job (note that file backup using a PHP script may bring down your server – check with your host before doing anything)
1.4. Use a server module (cPanel/Plesk – it is an option, although it would take a lot of time to do it manually and regularly)
Note that backups should be kept in a safe place and I recommend storing them in the cloud. The most popular services are Dropbox, Google Drive, Amazon S3 or OneDrive. Many of the backup plugins out there have integrated support for these cloud services.
Decide for a frequency that suits both your site and your host. Generate daily backups, weekly backups or monthly backups depending on your site’s activity.
2. Implement Google Analytics
That’s all you need for the start. With a bit of tweaking, you can get everything you need, from users’ age and interests to the site flow. You don’t need user analysis, heatmaps, social interactions and so on. Not while your site is still young. You should also consider Google Tag Manager.
3. Implement Google Search Console
You need Google verification and validation and you’re all set. I could add you also need a Google+ page or business listing, but that enters the marketing area and it’s part of a future article.
5. Automated/manual updates routine
I used to use WPRemote, but I have since moved to Jetpack and it’s management feature. I use Jetpack anyway, so why use a different plugin? There are more services that provide the same services such as ManageWP or InfiniteWP.
If you’re not familiar with WordPress, you should allow all automated core updates. There are three types of core updates – major, minor and security. Security updates are, most of the time, automated. Minor updates are automated and allowed by default. Major updates are manual only.
If you’re familiar with how WordPress works, you should update it manually and wait for a couple of days after each update announcement. Sometimes, another update will follow pretty soon to patch things up or to revert certain changes.
6. Uptime monitor
If you doubt your host or if you don’t visit your site on a daily basis, then you might need to know when the server is down. Because when your site is down, you lose visibility, credibility and maybe money. I recommend Jetpack Monitor, Pingdom or Uptime Robot.
7. Enable server/access logs
You never know when they might come in handy. Just enable them. You’ll thank me later. In a year. Or two.
8. Update server to latest PHP version
Check with your host and make sure you update to the latest version of PHP. It’s not usually possible, but try to ask for the highest version possible. Most hosts are usually two minor versions behind (in my case 5.6, but I had clients using an educational hosting network using 5.3).
9. Secure your site
9.1. Get an SSL certificate – Cloudflare has a free one and it does the job. You should get a full one as soon as possible, though. Let’s Encrypt is free and SSLS is pretty cheap (and one of my personal favourites).
9.2. Secure your site using the Sucuri Security plugin or Wordfence Security plugin.
9.3. Get notified when plugin vulnerabilities are found.
There’s more about security, but having an SSL certificate and the plugins above in place, you should be safe.