I’ve been using this management checklist for my WordPress clients for more than five years, with various additions, changes and improvements.
In no particular order, here’s what you must do for your WordPress site:
1. Make a backup strategy
This is a very important step which should be taken seriously since the first moment of the inception of your site. You have four options and I will list them in my preferred order:
1.1. Use a WordPress service (I used VaultPress and now I use BackWPup)
1.2. Use a WordPress plugin (Backup Buddy, UpdraftPlus, BackUpWordPress, BackWPup)
1.3. Use a CRON job (note that file backup using a PHP script may bring down your server – check with your host before doing anything)
1.4. Use a server module (cPanel/Plesk – it is an option, although it would take a lot of time to do it manually and regularly)
Note that backups should be kept in a safe place and I recommend storing them in the cloud. The most popular services are Dropbox, Google Drive, Amazon S3 and OneDrive. Many of the backup plugins out there have integrated support for these cloud services.
Decide for a frequency that suits both your site and your host. Generate daily backups, weekly backups or monthly backups depending on your site’s activity.
2. Implement Google Analytics
That’s all you need for the start. With a bit of tweaking, you can get everything you need, from users’ age and interests to the site flow. You don’t need user analysis, heatmaps, social interactions and so on. Not while your site is still young.
3. Implement Google Search Console
You need Google verification and validation and you’re all set. I could add you also need a business listing, but that enters the search engine optimization area and it’s part of a future article.
5. Automated/manual updates routine
I used to use WPRemote, but I have since moved to Jetpack and it’s management feature. I use Jetpack anyway, so why use a different plugin? There are more services that provide the same services such as ManageWP or InfiniteWP.
If you’re not familiar with WordPress, you should allow all automated core updates. There are three types of core updates – major, minor and security. Security updates are, most of the time, automated. Minor updates are automated and allowed by default. Major updates are manual only.
If you’re familiar with how WordPress works, you should update it manually and wait for a couple of days after each update announcement. Sometimes, another update will follow pretty soon to patch things up or to revert certain changes.
6. Uptime monitor
If you doubt your host or if you don’t visit your site on a daily basis, then you might need to know when the server is down. Because when your site is down, you lose visibility, credibility and maybe money. I recommend Jetpack Monitor, UptimeRobot or Pingdom.
7. Enable server/access logs
You never know when they might come in handy. Just enable them. You’ll thank me later. In a year. Or two.
8. Update server to latest PHP version
Check with your host and make sure you update to the latest version of PHP. It’s not usually possible, but try to ask for the highest version possible. Most hosts are usually two minor versions behind (in my case 7.0, but I have four clients using an educational hosting network still using 5.4).
9. Secure your site
9.1. Get an SSL certificate – Cloudflare has a free shared (flexible) one and it does the job. You should get a full one as soon as possible, though. Use Let’s Encrypt. It should be enabled by default on most hosts.
9.2. Secure your site using the Sucuri Security plugin, Wordfence Security plugin and the GOTMLS plugin.
9.3. Use common sense. Keep your themes and plugins updated, don’t use similar plugins for same tasks.
There’s more about security, but having an SSL certificate and the plugins above in place, you should be safe.