I’ve been using this management checklist for my WordPress clients for more than three years, with various additions, changes and improvements.
In no particular order, here’s what you must do for your WordPress site:
1. Make a backup strategy
This is a very important step which should be taken seriously since the first moment of the inception of your site. You have four options and I will list them in my preferred order:
1.1. Use a WordPress service (I use VaultPress)
1.2. Use a WordPress plugin (Backup Buddy, Snapshot, UpdraftPlus, BackUpWordPress, BackWPup)
1.3. Use a CRON job (note that file backup using a PHP script may bring down your server – check with your host before doing anything)
1.4. Use a server module (cPanel/Plesk – it is an option, although it would take a lot of time to do it manually and regularly)
Note that backups should be kept in a safe place and I recommend storing them in the cloud. The most popular services are Dropbox, Google Drive, Amazon and OneDrive. Many of the backup plugins out there have integrated support for these cloud services.
Decide for a frequency that suits both your site and your host. Generate daily backups, weekly backups or monthly backups depending on your site’s activity.
2. Implement Google Analytics
That’s all you need for the start. With a bit of tweaking, you can get everything you need, from users’ age and interests to the site flow. You don’t need user analysis, heatmaps, social interactions and so on. Not while your site is still young.
3. Implement Google Webmaster Tools
You need Google verification and validation and you’re all set. I could add you also need a Google+ page or business listing, but that enters the optimization area and it’s part of a future article.
5. Automated/manual updates routine
I used to use WPRemote (and I still use it for some clients), but I have since moved to Jetpack and it’s management feature. I use Jetpack anyway, so why use a diferrent plugin? There are more services that provide the same services such as ManageWP, InfiniteWP or WPDASH.
If you’re not familiar with WordPress, you should allow all automated core updates. There are three types of core updates – major, minor and security. Security updates are, most of the time, automated. Minor updates are automated and allowed by default. Major updates are manual only.
If you’re familiar with how WordPress works, you should update it manually and wait for a couple of days after each update announcement. Sometimes, another update will follow pretty soon to patch things up or to revert certain changes.
6. Uptime monitor
If you doubt your host or if you don’t visit your site on a daily basis, then you might need to know when the server is down. Because when your site is down, you lose visibility, credibility and maybe money. I recommend Jetpack Monitor or Pingdom.
7. Enable server/access logs
You never know when they might come in handy. Just enable them. You’ll thank me later. In a year. Or two.
8. Update server to latest PHP version
Check with your host and make sure you update to the latest version of PHP. It’s not usually possible, but try to ask for the highest version possible. Most hosts are usually two minor versions behind (in my case 5.5, but I have four clients using an educational hosting network using 5.3).
9. Secure your site
9.1. Get an SSL certificate – Cloudflare has a free shared (flexible) one and it does the job. You should get a full one as soon as possible, though.
9.2. Secure your site using the Sucuri Security plugin, Wordfence Security plugin and the GOTMLS plugin.
9.3. Get notified when plugin vulnerabilities are found.
There’s more about security, but having an SSL certificate and the plugins above in place, you should be safe.
Once a week or so we send an email with our best content. We never bug you, we just send you our latest piece of content.
If you found any value in this post, agree, disagree, or have anything to add - please do. I use comments as my #1 signal for what to write about. Read our comment policy before commenting! Comments such as "Thank you!", "Awesome!", "You're the man!" are either marked as spam or stripped from URL.