WordPress Checklist - 150 things to do before Launch

Ok, here is a WordPress checklist for you to go through before launching a brand new website. I started with a Website Checklist which was more general. This checklist is obviously a bit more focused. Like the Website Checklist, the WordPress Checklist will evolve over time as well.

There aren’t any specific WordPress plugins mentioned except in a couple places. There are lots of others who do a fantastic job reviewing plugins, so do some Googling.

Of course this checklist doesn’t cover everything related to creating a WordPress site, because then I’d have to write a book. I didn’t go in-depth into topics like design and SEO because they deserve their own checklists.

The most recent version is on GitHub.


Setup

Best Practices

  • Web Server Configuration – Point to root WordPress folder. URL should not contain 'WordPress' anywhere.
  • Database Table Prefix – Change from wp_.
  • Database Connection – Change to connect to dev database.
  • Plugins – Remove unused plugins.
  • Themes – Remove unused themes.
  • Version – Remove generator meta in header.
  • Admin Account – Rename from admin.
  • Security Keys & Salts – Change from default.
  • Admin URL – Change from default.
  • Default Content – Remove default posts, comments, and pages.
  • Default Date / Time – Set in Settings > General.
  • Default Blog Category – Change from uncategorized.
  • Media Settings – Set to month and year or appropriate file path.
  • Permalinks – Set to post name or appropriate URL structure.
  • Site Title – Set to proper website title.
  • Site Tag – Set to proper website tagline.
  • Admin Email – Update to someone on web development team. This is not the same as admin user account.
  • Memory Limit – Set memory limit to maximum allowed by server or web host.
  • Auto Save – Set number of seconds between auto-saves.
  • Multisite – Enable if needed.
  • Debug Flag– Enable during development.
  • Cache – Disable during development.
  • Search Engine Visibility – Disable development environment from being crawled by seach engines.
  • Sample Config File – Remove wp-config-sample.php.
  • Version Control – Set up repository to store and track files and changes.

Theme Design

Best Practices

  • Login Page – Update with site brand.
  • Underlined Links – Underline to help with usability and accessibility.
  • Visited vs Unvisited Link Colors – Use different colors for usability.
  • Hover / Focus / Active Links – Visually distingush when in hover, focus, or active states.
  • Color Contrast – Contrast ratio should be minimum 4.5:1 for WCAG 2.0 AA compliance.
  • Form Placeholder Text – Set placeholder attribute in input elements.
  • Descriptive Buttons – Use pattern Verb Noun, like Upload File, instead of Ok or Submit.

Coding

Best Practices

  • Core Files – Never modify any WordPress core files.
  • Database Queries – Don't use mysqli_query(), instead use $wpdb object or WP_Query.
  • 'DISTINCT', 'GROUPBY' – Avoid cross-table queries and any other operations which create temporary tables.
  • Query Result Limits – Add maximum number of results returned to prevent killing database.
  • Indexes – Verify indexes are used in queries by running EXPLAIN statement.
  • Address Bar – Only show encrypted session values in address bar.

Plugins

  • Mail – Use wp_mail() instead of PHP mail() function.
  • Clean Inputs / Outputs – Sanitize/escape all inputs and outputs to prevent Cross-Site Scripting (XSS) problems.
  • Nonces – Protect against Cross-Site Request Forgery (CSRF) when expecting user submitted data.
  • Data Validation – Use JavaScript, built-in PHP functions, core WordPress functions, and/or custom functions to validate inputs before processing.
  • Cache DOM Queries – Cache jQuery selectors for re-use on page.
  • Event Delegation – Reduce individual element event handling by using event delegation instead.
  • Deactivate / Uninstall Hooks – Implement to cleanup data.
  • Prefix – Add plugin name abbreviation as prefix to variables, functions, and classes.
  • Folder Structure – Separate into includes, admin, and public folders.
  • Roles and Rights – Verify authentication and authorization of user when plugin called.
  • Settings / Options API – Use to build admin pages.

Themes

  • Child Themes – Create child theme if modifiying existing theme allows for child themes and changes are not extensive.
  • File Structure – Separate into include, asset, and template parts folders.
  • Template Tags – Instead of hardcoding, use template tags and conditional tags as much as possible.
  • Enqueue Stylesheets – Use wp_enqueue_style and template tags for directory paths instead of hardcoding links to CSS files.
  • Enqueue JavaScript – Use wp_enqueue_scripts and template tags for directory paths instead of hardcoding links to JavaScript files.
  • File Naming – Use standard WordPress naming hierarchy.
  • Theme Unit Test – Use WordPress Theme Unit Test to visually inspect and test theme and test using Theme Check plugin even though theme will not be submitted to WordPress theme directory.
  • Screenshot – Create screenshot with look and feel of theme.
  • Jetpack Infinite Scroll – Support if needed.
  • '$content_width' – Set.

Theme HTML

Best Practices

  • HTML5 Semantic Elements – Use HTML5 semantic elements appropriately.
  • Error pages – Create 404 page and 5xx error pages. 5xx error pages can be handled by web server.
  • AMP / Instant Articles – Generate stripped down HTML for Google and Facebook.
  • Labels / Inputs – Connect labels to inputs using for attribute in labels.

Head

  • Doctype – Set Doctype to HTML5 and put at the top of header.
  • Charset – Set to UTF-8.
  • X-UA-Compatible – Set for backwards IE compatibility.
  • Viewport – Set viewport.
  • Favicons – Set favicon file location.
  • Apple Touch & Android Icons – Set Apple touch & Android icons.
  • Canonical – Set rel=“canonical”.
  • Language tag – Set language tag.
  • Conditional comments – Set conditional comments for IE.
  • RSS feed – Set RSS URL or remove.
  • Smart App Banner – Set app-id and app-argument if app available from app store.
  • Facebook Open Graph – Set and link to images.
  • Twitter Card – Set and link to images.

HTML Testing

  • W3C Compliance – Run pages through W3C validation tools.
  • Desktop Browsers – Test pages on current (and back one version) of current desktop browsers.
  • Mobile Browsers – Test pages on current (and back on version) current mobile browsers.
  • Link Checker – Run pages through broken link checkers.
  • Adblockers Test – Verify adblockers do not break pages.

Theme Fonts

Best Practices

  • Webfont Formats – Convert fonts to WOFF, WOFF2 and TTF file formats.
  • Fall-back Typefaces – List 2 or more in case desired fonts not available.
  • Service Configuration – Set live domain and development IPs to be white-listed with hosted font services.

Theme CSS

Best Practices

  • Preprocessors – Remove links to intermediary preprocessor files.
  • Breakpoints – Check content, flow, and UX work as intended at different breakpoints.
  • CSS Print – Set print stylesheet for each page.
  • Unique ID – Use unique IDs per page.
  • Reset CSS – Use CSS reset stylesheet.
  • JavaScript Prefix – Name classes or IDs with js- when modified by JavaScript and not by CSS files.
  • Inline / Embedded CSS – Remove or minimize embedded or inline CSS.
  • Vendor Prefixes – Use CSS vendor prefixes depending on required browser support compatibility.
  • Stylesheet Layout – Order of properties display > positioning > box model > colors and typography > other.
  • Media Queries – Place at bottom of stylesheet.
  • Magic Numbers – Avoid.
  • Main Stylesheet Header – Include theme name, author, description, version, license, license URI, and text domain.
  • Sticky Posts – Set to be visually distinguishable.

Performance

  • Concatenation – Concatenate CSS files.
  • Minification – Minify CSS files.
  • Non-blocking – Verify CSS files are non-blocking in theme template.
  • Unused CSS – Cleanup CSS.

CSS Testing

  • CSS Validator – Run stylesheets through CSS validators.

Theme Images / Videos

Best Practices

  • Placeholder Images – Replace with real images.
  • Stock Images – Replace stock watermarked images replaced with licensed versions.
  • Optimization – Optimize for needed browsers and devices.
  • Retina – Use x2 or 3x images to support retina display.
  • Width and Height – Set <img> to have height and width, handle with CSS and media queries, or serve appropriate sizes for respective browsers and devices.
  • Alternative text – All <img> have an alternative text which describe the image visually.
  • Lazy loading – Load images on scroll or as needed.
  • Social Thumbnails: Generate Facebook/Twitter/LinkedIn thumbnails for all pages.
  • Responsive Video Players – Videos resize appropriately on different browsers and devices.
  • Video Controls – Show playblack, pause, and mute controls.
  • Logo – Set logo link to return visitor to homepage.

Theme JavaScript

Best Practices

  • jQuery Version– Do not add newer jQuery libraries if available.
  • '$' Shortcut – Use IIFE to create.
  • JavaScript Inline – Remove or minimize inline JavaScript.
  • Concatenation – Concatenate Javascript files.
  • Minification – Minify JavaScript files.
  • Non-blocking – Load JavaScript files asynchronously.
  • Modernizr – Use Modernizr or similar tool to test for specific browser features.
  • Footer Load – Place scripts in footer of page.
  • eval() – Never, ever use.

JavaScript testing

  • ESLint – Verify JavaScript with ESLint or similar tool.

Copy

Best Practices

  • Text – Replace all Lorem Ipsum with real copy.

Security

Best Practices

  • HTTPS – Use HTTPS.
  • HSTS – Set HTTP Strict Transport Security parameter on web server.
  • Password Reset – Set password rules and flow on all authentication pages like Registration, forgot password, change password.
  • Login Limits – Require ‘human’ verification after a defined number of failed tries.
  • System Information – Verify application, server, or database version or connection information not publicly viewable.
  • SSL – Verify certificate not expiring.
  • Exploit Scanner – Run plugin on site.

Performance

Best practices

  • Minified – Minimize HTML and enable gzip type compression on web server.
  • Lazy loading – Load images, scripts, and CSS files as needed, not on load.
  • Cookie size – Minimize size of cookies.
  • Content Delivery Network – Push CSS, JavaScript, fonts, and generated HTML to CDN.
  • HTTP Cache Headers – Set approriate parameters.
  • DNS Prefetching – Enable preload and/or dns-prefetch.
  • Mixed Content – Retrieve all files and assets via HTTPS.
  • Logging – Enabled tools and verify data passing to monitoring platforms.

SEO

Best Practices

  • Tag Manager – Set up and verify data passing to tools.
  • Analytics & Conversion – Google Analytics and similar tools installed,correctly configured, and registering data.
  • Exclude IPs – Remove office or home IPs from analytics and conversion tools.
  • Ad Pixels – Verify all ad pixels installed and registering.
  • Heatmaps: Verify installation, configuration, and data flow to third party tools.
  • A/B Tests: Verify installation, configuration, and data flow to third party tools.
  • Chat – Verify installation, configuration, and data flow to third party tool.
  • Sitemap XML – Install plugin to auto-generate and submit of site, image, and video XMLs to Google Webmaster Tools and similar tools
  • Google Webmaster Tools – Verify no errors noted by WMT or similar tools.
  • robots.txt – Verify robots.txt not blocking any pages.
  • Structured Data or Rich Snippets – Generate error-free structured data as needed.
  • Title – Use unique title tag used on each page.
  • Description – Set unique meta description on each page.
  • 301 Redirects – Return 301 for moved content
  • Redirections – Use Rewrite Rules Inspector plugin and check redirections.
  • Title Attribute – Set title attribute for all links.
  • Social Widgets – Connect social accounts and set up to show buttons / links in right places.

Legal

Best Practices

  • Privacy Policy – Create page and put link in footer.
  • Terms of Service – Create page and put link in footer.
  • GDPR Compliance – Show consent notice visible.
  • Copyright – Show in footer.

Pre-Launch

Best Practices

  • .htaccess – Set with appropriate settings.
  • Backups – Check backup and restore systems functional. Fully backup old site if one exists.
  • Versioning – Branch or tag production code in version control system.
  • Contact Forms – Set CAPTCHA functionality, required fields, validation, and verify information emailed or routed to CRM.
  • Newsletter Forms Check signup forms functionality and verify user information pushed to third-party tool.
  • Comments – Set moderation notices be sent to appropriate email addresses.
  • Search – Verify WordPress search or Google custom search traversing only necessary data, and returning correct results.
  • API Configuration – Set live domain to be witelisted with third party intergrations or SaaS tools.
  • Dev Domains – Verify database and assets not referencing dev, staging, or QA environments.
  • DNS – Verify proper set up.
  • Conversions & Funnels – Set analytics tools to collect visitor clickstream.
  • Payment System – Turn off test mode off and transactions work.
  • www / non-www – Set non-canonical to redirect to canonical and preserving URL.
  • Debug Mode – Disable in wp_config.php.
  • WordPress Address (URL) – Update to production URL in wp-config.php or Settings > General
  • Site Address (URL) – Update to production URL in wp-config.php or Settings > General
  • Plugin / Theme Auto-Updates – Update usernames, passwords, and API keys.
  • Gravatars – Set up user accounts with Gravatars if necessary.
  • Pagination – Verify 'next' and 'previous' display right content in respective categories.
  • Folder and File Permissions – Verify folder contents are not viewable and individual PHP files cannot be downloaded.
  • Upload Permissions – Verify images and attachments can be uploaded via backend and downloaded by non-logged in users.
  • Spam Protection – Enable Akismet plugin and delete old spam comments.
  • Post Revisions – Limit number of post revisions saved and delete post revisions generated during development.
  • Trash – Set number of days when deleted content can be removed from database.
  • Cache – Enable default WordPress caching or a third-party plugin.
  • Admin Email – Set to individual responsible for website post-launch.
  • Search Engine Visibility – Enable search engines to index site.

Post-Launch

Best Practices

  • Update Files – Set auto-update for core, themes, and plugins or create monthly or quarterly plan to test and roll out updates, especially if custom functionality was built for the website.
  • Documentation – Compile website, webhost, S/FTP, and social logins, along with expiration dates on third-party services, SSL, stock photography, etc, and share with appropriate individuals.
  • Error Logs – Check web server logs for PHP errors on a regularly scheduled basis.
  • Version Control – Transfer ownership of repository to client if necessary.

Make Haste Slowly

Are you tired of all the bullshit business, marketing and technology news out there? Do you have a bad case of FOMO? The signal to noise ratio is entirely out of whack nowadays. All the incentives are misaligned. If you want an unbiased view on on the intersection of technology, marketing, products/services and the impacts on consumers, businesses, and society in general, sign up below.

You have Successfully Subscribed!