I’ve been using this management checklist for my WordPress clients for more than 10 years, with various additions, changes, and improvements.
In no particular order, here’s what you must do for your WordPress site:
1. Make a backup strategy
This is a very important step which should be taken seriously since the moment you set your site live. You have four options, and I will list them in my preferred order:
1.1. Use a WordPress service (I like VaultPress)
1.2. Use a WordPress plugin (UpdraftPlus, BackUpWordPress, BackWPup)
1.3. Use a CRON job (note that file backup using a PHP script may bring down your server — check with your host before doing anything)
1.4. Use a server module (cPanel/Plesk — it is an option, although it would take a lot of time to do it manually and regularly)
Note that backups should be kept in a safe place, and I recommend storing them in the cloud. The most popular services are Dropbox, Google Drive, Amazon S3 or OneDrive. Many of the backup plugins out there have integrated support for these cloud services.
Decide for a frequency that suits both your site and your host. Generate daily backups, weekly backups or monthly backups depending on your site’s activity.
2. Implement Google Analytics
That’s all you need for the start. With a bit of tweaking, you can get everything you require, from users’ age and interests to the site flow. You don’t need user analysis, heatmaps, social interactions and so on. Not while your site is still young. You should also consider Google Tag Manager.
3. Implement Google Search Console
You need Google verification and validation, and you’re all set. I could add you also need a Google business profile, but that enters the marketing area, and it’s part of a future article.
5. Automated/manual updates routine
I used to use WPRemote (a great and fast tool), but I have since moved to Jetpack and its management feature. If you use Jetpack, why use a different plugin? There are more services that provide the same services, such as ManageWP or InfiniteWP.
With the recent WordPress changes (auto-update in 5.4), we might not need these management tools. I am now using a custom solution I’ve coded to get the current snapshot of a site and trigger an update.
If you’re not familiar with WordPress, you should allow all automated core updates. There are three types of core updates — major, minor, and security. Security updates are, most of the time, automated. Minor updates are automated and allowed by default. Major updates are manual only.
If you’re familiar with how WordPress works, you should update it manually and wait for a couple of days after each update announcement. Sometimes, another update will follow pretty soon to patch things up or to revert certain changes.
6. Uptime monitor
If you doubt your host or if you don’t visit your site on a daily basis, then you might need to know when the server is down. Because when your site is down, you lose visibility, credibility and maybe money. I recommend Jetpack Monitor, Pingdom or Uptime Robot.
7. Enable server/access logs, but protect them from public access
You never know when they might come in handy. Just enable them. You’ll thank me later. In a year. Or two.
8. Update server to latest PHP version
Check with your host and make sure you update to the latest version of PHP. It’s not always possible, but try to ask for the highest version possible. Most hosts are usually two minor versions behind. Why?
9. Secure your site
9.1. Get an SSL certificate — Cloudflare has a free shared (flexible) one, and it does the job. You should get a full one as soon as possible, though. Use Let’s Encrypt. It should be enabled by default on most hosts.
9.2. Secure your site.