WordPress Checklist – 150+ Things To Do Before Launch

Ok, here is a WordPress checklist for you to go through before launching a brand new website. I started with a Website Checklist which was more general. This checklist is obviously a bit more focused. Like the Website Checklist, the WordPress Checklist will evolve over time as well.

There aren’t any specific WordPress plugins mentioned except in a couple places. There are lots of others who do a fantastic job reviewing plugins, so do some Googling.

Of course this checklist doesn’t cover everything related to creating a WordPress site, because then I’d have to write a book. I didn’t go in-depth into topics like design and SEO because they deserve their own checklists.

The most recent version is on GitHub.

Setup

Best Practices

• Web Server Configuration – Point to root WordPress folder. URL should not contain ‘WordPress’ anywhere.
• Database Table Prefix – Change from wp_.
• Database Connection – Change to connect to dev database.
• Plugins – Remove unused plugins.
• Themes – Remove unused themes.
• Version – Remove generator meta in header.
• Admin Account – Rename from admin.
• Security Keys & Salts – Change from default.
• Admin URL – Change from default.
• Default Content – Remove default posts, comments, and pages.
• Default Date / Time – Set in Settings > General.
• Default Blog Category – Change from uncategorized.
• Media Settings – Set to month and year or appropriate file path.
• Permalinks – Set to post name or appropriate URL structure.
• Site Title – Set to proper website title.
• Site Tag – Set to proper website tagline.
• Admin Email – Update to someone on web development team. This is not the same as admin user account.
• Memory Limit – Set memory limit to maximum allowed by server or web host.
• Auto Save – Set number of seconds between auto-saves.
• Multisite – Enable if needed.
• Debug Flag– Enable during development.
• Cache – Disable during development.
• Search Engine Visibility – Disable development environment from being crawled by seach engines.
• Sample Config File – Remove wp-config-sample.php.
• Version Control – Set up repository to store and track files and changes.

Theme Design

Best Practices

• Login Page – Update with site brand.
• Underlined Links – Underline to help with usability and accessibility.
• Visited vs Unvisited Link Colors – Use different colors for usability.
• Hover / Focus / Active Links – Visually distingush when in hover, focus, or active states.
• Color Contrast – Contrast ratio should be minimum 4.5:1 for WCAG 2.0 AA compliance.
• Form Placeholder Text – Set placeholder attribute in input elements.
• Descriptive Buttons – Use pattern Verb Noun, like Upload File, instead of Ok or Submit.

Coding

Best Practices

• Core Files – Never modify any WordPress core files.
• Database Queries – Don’t use mysqli_query(), instead use $wpdb object or WP_Query.
• ‘DISTINCT’, ‘GROUPBY’ – Avoid cross-table queries and any other operations which create temporary tables.
• Query Result Limits – Add maximum number of results returned to prevent killing database.
• Indexes – Verify indexes are used in queries by running EXPLAIN statement.
• Address Bar – Only show encrypted session values in address bar.

Plugins

• Mail – Use wp_mail() instead of PHP mail() function.
• Clean Inputs / Outputs – Sanitize/escape all inputs and outputs to prevent Cross-Site Scripting (XSS) problems.
• Nonces – Protect against Cross-Site Request Forgery (CSRF) when expecting user submitted data.
• Data Validation – Use JavaScript, built-in PHP functions, core WordPress functions, and/or custom functions to validate inputs before processing.
• Cache DOM Queries – Cache jQuery selectors for re-use on page.
• Event Delegation – Reduce individual element event handling by using event delegation instead.
• Deactivate / Uninstall Hooks – Implement to cleanup data.
• Prefix – Add plugin name abbreviation as prefix to variables, functions, and classes.
• Folder Structure – Separate into includes, admin, and public folders.
• Roles and Rights – Verify authentication and authorization of user when plugin called.
• Settings / Options API – Use to build admin pages.

Themes

• Child Themes – Create child theme if modifiying existing theme allows for child themes and changes are not extensive.
• File Structure – Separate into include, asset, and template parts folders.
• Template Tags – Instead of hardcoding, use template tags and conditional tags as much as possible.
• Enqueue Stylesheets – Use wp_enqueue_style and template tags for directory paths instead of hardcoding links to CSS files.
• Enqueue JavaScript – Use wp_enqueue_scripts and template tags for directory paths instead of hardcoding links to JavaScript files.
• File Naming – Use standard WordPress naming hierarchy.
• Theme Unit Test – Use WordPress Theme Unit Test to visually inspect and test theme and test using Theme Check plugin even though theme will not be submitted to WordPress theme directory.
• Screenshot – Create screenshot with look and feel of theme.
• Jetpack Infinite Scroll – Support if needed.
• ’$content_width’ – Set.

Theme HTML

Best Practices

• HTML5 Semantic Elements – Use HTML5 semantic elements appropriately.
• Error pages – Create 404 page and 5xx error pages. 5xx error pages can be handled by web server.
• AMP / Instant Articles – Generate stripped down HTML for Google and Facebook.
• Labels / Inputs – Connect labels to inputs using for attribute in labels.

Head

• Doctype – Set Doctype to HTML5 and put at the top of header.
• Charset – Set to UTF-8.
• X-UA-Compatible – Set for backwards IE compatibility.
• Viewport – Set viewport.
• Favicons – Set favicon file location.
• Apple Touch & Android Icons – Set Apple touch & Android icons.
• Canonical – Set rel=“canonical”.
• Language tag – Set language tag.
• Conditional comments – Set conditional comments for IE.
• RSS feed – Set RSS URL or remove.
• Smart App Banner – Set app-id and app-argument if app available from app store.
• Facebook Open Graph – Set and link to images.
• Twitter Card – Set and link to images.

HTML Testing

• W3C Compliance – Run pages through W3C validation tools.
• Desktop Browsers – Test pages on current (and back one version) of current desktop browsers.
• Mobile Browsers – Test pages on current (and back on version) current mobile browsers.
• Link Checker – Run pages through broken link checkers.
• Adblockers Test – Verify adblockers do not break pages.

Theme Fonts

Best Practices

• Webfont Formats – Convert fonts to WOFF, WOFF2 and TTF file formats.
• Fall-back Typefaces – List 2 or more in case desired fonts not available.
• Service Configuration – Set live domain and development IPs to be white-listed with hosted font services.

Theme CSS

Best Practices

• Preprocessors – Remove links to intermediary preprocessor files.
• Breakpoints – Check content, flow, and UX work as intended at different breakpoints.
• CSS Print – Set print stylesheet for each page.
• Unique ID – Use unique IDs per page.
• Reset CSS – Use CSS reset stylesheet.
• JavaScript Prefix – Name classes or IDs with js- when modified by JavaScript and not by CSS files.
• Inline / Embedded CSS – Remove or minimize embedded or inline CSS.
• Vendor Prefixes – Use CSS vendor prefixes depending on required browser support compatibility.
• Stylesheet Layout – Order of properties display > positioning > box model > colors and typography > other.
• Media Queries – Place at bottom of stylesheet.
• Magic Numbers – Avoid.
• Main Stylesheet Header – Include theme name, author, description, version, license, license URI, and text domain.
• Sticky Posts – Set to be visually distinguishable.

Performance

• Concatenation – Concatenate CSS files.
• Minification – Minify CSS files.
• Non-blocking – Verify CSS files are non-blocking in theme template.
• Unused CSS – Cleanup CSS.

CSS Testing

• CSS Validator – Run stylesheets through CSS validators.

Theme Images / Videos

Best Practices

• Placeholder Images – Replace with real images.
• Stock Images – Replace stock watermarked images replaced with licensed versions.
• Optimization – Optimize for needed browsers and devices.
• Retina – Use x2 or 3x images to support retina display.
• Width and Height – Set <img> to have height and width, handle with CSS and media queries, or serve appropriate sizes for respective browsers and devices.
• Alternative text – All <img> have an alternative text which describe the image visually.
• Lazy loading – Load images on scroll or as needed.
• Social Thumbnails: Generate Facebook/Twitter/LinkedIn thumbnails for all pages.
• Responsive Video Players – Videos resize appropriately on different browsers and devices.
• Video Controls – Show playblack, pause, and mute controls.
• Logo – Set logo link to return visitor to homepage.

Theme JavaScript

Best Practices

• jQuery Version– Do not add newer jQuery libraries if available.
• ’$’ Shortcut – Use IIFE to create.
• JavaScript Inline – Remove or minimize inline JavaScript.
• Concatenation – Concatenate Javascript files.
• Minification – Minify JavaScript files.
• Non-blocking – Load JavaScript files asynchronously.
• Modernizr – Use Modernizr or similar tool to test for specific browser features.
• Footer Load – Place scripts in footer of page.
• eval() – Never, ever use.

JavaScript testing

• ESLint – Verify JavaScript with ESLint or similar tool.

Copy

Best Practices

• Text – Replace all Lorem Ipsum with real copy.

Security

Best Practices

• HTTPS – Use HTTPS.
• HSTS – Set HTTP Strict Transport Security parameter on web server.
• Password Reset – Set password rules and flow on all authentication pages like Registration, forgot password, change password.
• Login Limits – Require ‘human’ verification after a defined number of failed tries.
• System Information – Verify application, server, or database version or connection information not publicly viewable.
• SSL – Verify certificate not expiring.
• Exploit Scanner – Run plugin on site.

Performance

Best practices

• Minified – Minimize HTML and enable gzip type compression on web server.
• Lazy loading – Load images, scripts, and CSS files as needed, not on load.
• Cookie size – Minimize size of cookies.
• Content Delivery Network – Push CSS, JavaScript, fonts, and generated HTML to CDN.
• HTTP Cache Headers – Set approriate parameters.
• DNS Prefetching – Enable preload and/or dns-prefetch.
• Mixed Content – Retrieve all files and assets via HTTPS.
• Logging – Enabled tools and verify data passing to monitoring platforms.

SEO

Best Practices

• Tag Manager – Set up and verify data passing to tools.
• Analytics & Conversion – Google Analytics and similar tools installed,correctly configured, and registering data.
• Exclude IPs – Remove office or home IPs from analytics and conversion tools.
• Ad Pixels – Verify all ad pixels installed and registering.
• Heatmaps: Verify installation, configuration, and data flow to third party tools.
• A/B Tests: Verify installation, configuration, and data flow to third party tools.
• Chat – Verify installation, configuration, and data flow to third party tool.
• Sitemap XML – Install plugin to auto-generate and submit of site, image, and video XMLs to Google Webmaster Tools and similar tools
• Google Webmaster Tools – Verify no errors noted by WMT or similar tools.
• robots.txt – Verify robots.txt not blocking any pages.
• Structured Data or Rich Snippets – Generate error-free structured data as needed.
• Title – Use unique title tag used on each page.
• Description – Set unique meta description on each page.
• 301 Redirects – Return 301 for moved content
• Redirections – Use Rewrite Rules Inspector plugin and check redirections.
• Title Attribute – Set title attribute for all links.
• Social Widgets – Connect social accounts and set up to show buttons / links in right places.

Legal

Best Practices

• Privacy Policy – Create page and put link in footer.
• Terms of Service – Create page and put link in footer.
• GDPR Compliance – Show consent notice visible.
• Copyright – Show in footer.

Pre-Launch

Best Practices

• .htaccess – Set with appropriate settings.
• Backups – Check backup and restore systems functional. Fully backup old site if one exists.
• Versioning – Branch or tag production code in version control system.
• Contact Forms – Set CAPTCHA functionality, required fields, validation, and verify information emailed or routed to CRM.
• Newsletter Forms Check signup forms functionality and verify user information pushed to third-party tool.
• Comments – Set moderation notices be sent to appropriate email addresses.
• Search – Verify WordPress search or Google custom search traversing only necessary data, and returning correct results.
• API Configuration – Set live domain to be witelisted with third party intergrations or SaaS tools.
• Dev Domains – Verify database and assets not referencing dev, staging, or QA environments.
• DNS – Verify proper set up.
• Conversions & Funnels – Set analytics tools to collect visitor clickstream.
• Payment System – Turn off test mode off and transactions work.
• www / non-www – Set non-canonical to redirect to canonical and preserving URL.
• Debug Mode – Disable in wp_config.php.
• WordPress Address (URL) – Update to production URL in wp-config.php or Settings > General
• Site Address (URL) – Update to production URL in wp-config.php or Settings > General
• Plugin / Theme Auto-Updates – Update usernames, passwords, and API keys.
• Gravatars – Set up user accounts with Gravatars if necessary.
• Pagination – Verify ’next’ and ‘previous’ display right content in respective categories.
• Folder and File Permissions – Verify folder contents are not viewable and individual PHP files cannot be downloaded.
• Upload Permissions – Verify images and attachments can be uploaded via backend and downloaded by non-logged in users.
• Spam Protection – Enable Akismet plugin and delete old spam comments.
• Post Revisions – Limit number of post revisions saved and delete post revisions generated during development.
• Trash – Set number of days when deleted content can be removed from database.
• Cache – Enable default WordPress caching or a third-party plugin.
• Admin Email – Set to individual responsible for website post-launch.
• Search Engine Visibility – Enable search engines to index site.

Post-Launch

Best Practices

• Update Files – Set auto-update for core, themes, and plugins or create monthly or quarterly plan to test and roll out updates, especially if custom functionality was built for the website.
• Documentation – Compile website, webhost, S/FTP, and social logins, along with expiration dates on third-party services, SSL, stock photography, etc, and share with appropriate individuals.
• Error Logs – Check web server logs for PHP errors on a regularly scheduled basis.
• Version Control – Transfer ownership of repository to client if necessary.