WordPress Checklist – 150+ Things To Do Before Launch
October 24, 2017
Ok, here is a WordPress checklist for you to go through before launching a brand new website. I started with a Website Checklist which was more general. This checklist is obviously a bit more focused. Like the Website Checklist, the WordPress Checklist will evolve over time as well.
There aren’t any specific WordPress plugins mentioned except in a couple places. There are lots of others who do a fantastic job reviewing plugins, so do some Googling.
Of course this checklist doesn’t cover everything related to creating a WordPress site, because then I’d have to write a book. I didn’t go in-depth into topics like design and SEO because they deserve their own checklists.
The most recent version is on GitHub.
Setup
Best Practices
- Web Server Configuration – Point to root WordPress folder. URL should not contain ‘WordPress’ anywhere.
- Database Table Prefix – Change from wp_.
- Database Connection – Change to connect to dev database.
- Plugins – Remove unused plugins.
- Themes – Remove unused themes.
- Version – Remove generator meta in header.
- Admin Account – Rename from admin.
- Security Keys & Salts – Change from default.
- Admin URL – Change from default.
- Default Content – Remove default posts, comments, and pages.
- Default Date / Time – Set in Settings > General.
- Default Blog Category – Change from uncategorized.
- Media Settings – Set to month and year or appropriate file path.
- Permalinks – Set to post name or appropriate URL structure.
- Site Title – Set to proper website title.
- Site Tag – Set to proper website tagline.
- Admin Email – Update to someone on web development team. This is not the same as admin user account.
- Memory Limit – Set memory limit to maximum allowed by server or web host.
- Auto Save – Set number of seconds between auto-saves.
- Multisite – Enable if needed.
- Debug Flag – Enable during development.
- Cache – Disable during development.
- Search Engine Visibility – Disable development environment from being crawled by search engines.
- Sample Config File – Remove wp-config-sample.php.
- Version Control – Set up repository to store and track files and changes.
Theme Design
Best Practices
- Login Page – Update with site brand.
- Underlined Links – Underline to help with usability and accessibility.
- Visited vs Unvisited Link Colors – Use different colors for usability.
- Hover / Focus / Active Links – Visually distinguish when in hover, focus, or active states.
- Color Contrast – Contrast ratio should be minimum 4.5:1 for WCAG 2.0 AA compliance.
- Form Placeholder Text – Set placeholder attribute in input elements.
- Descriptive Buttons – Use pattern Verb Noun, like Upload File, instead of Ok or Submit.
Coding
Best Practices
- Core Files – Never modify any WordPress core files.
- Database Queries – Don’t use mysqli_query(), instead use $wpdb object or WP_Query.
- ‘DISTINCT’, ‘GROUP BY’ – Avoid cross-table queries and any other operations which create temporary tables.
- Query Result Limits – Add maximum number of results returned to prevent killing database.
- Indexes – Verify indexes are used in queries by running EXPLAIN statement.
- Address Bar – Only show encrypted session values in address bar.
Plugins
- Mail – Use wp_mail() instead of PHP mail() function.
- Clean Inputs / Outputs – Sanitize/escape all inputs and outputs to prevent Cross-Site Scripting (XSS) problems.
- Nonces – Protect against Cross-Site Request Forgery (CSRF) when expecting user submitted data.
- Data Validation – Use JavaScript, built-in PHP functions, core WordPress functions, and/or custom functions to validate inputs before processing.
- Cache DOM Queries – Cache jQuery selectors for re-use on page.
- Event Delegation – Reduce individual element event handling by using event delegation instead.
- Deactivate / Uninstall Hooks – Implement to cleanup data.
- Prefix – Add plugin name abbreviation as prefix to variables, functions, and classes.
- Folder Structure – Separate into includes, admin, and public folders.
- Roles and Rights – Verify authentication and authorization of user when plugin called.
- Settings / Options API – Use to build admin pages.
Themes
- Child Themes – Create child theme if the existing theme being modified allows for child themes and changes are not extensive.
- File Structure – Separate into include, asset, and template parts folders.
- Template Tags – Instead of hardcoding, use template tags and conditional tags as much as possible.
- Enqueue Stylesheets – Use wp_enqueue_style and template tags for directory paths instead of hardcoding links to CSS files.
- Enqueue JavaScript – Use wp_enqueue_scripts and template tags for directory paths instead of hardcoding links to JavaScript files.
- File Naming – Use standard WordPress naming hierarchy.
- Theme Unit Test – Use WordPress Theme Unit Test to visually inspect and test theme and test using Theme Check plugin even though theme will not be submitted to WordPress theme directory.
- Screenshot – Create screenshot with look and feel of theme.
- Jetpack Infinite Scroll – Support if needed.
- ’$content_width’ – Set.
Theme HTML
Best Practices
- HTML5 Semantic Elements – Use HTML5 semantic elements appropriately.
- Error pages – Create 404 page and 5xx error pages. 5xx error pages can be handled by web server.
- AMP / Instant Articles – Generate stripped down HTML for Google and Facebook.
- Labels / Inputs – Connect labels to inputs using the for attribute in labels.
Head
- Doctype – Set Doctype to HTML5 and put at the top of header.
- Charset – Set to UTF-8.
- X-UA-Compatible – Set for backwards IE compatibility.
- Viewport – Set viewport.
- Favicons – Set favicon file location.
- Apple Touch & Android Icons – Set Apple touch & Android icons.
- Canonical – Set rel="canonical".
- Language tag – Set language tag.
- Conditional comments – Set conditional comments for IE.
- RSS feed – Set RSS URL or remove.
- Smart App Banner – Set app-id and app-argument if app available from app store.
- Facebook Open Graph – Set and link to images.
- Twitter Card – Set and link to images.
HTML Testing
- W3C Compliance – Run pages through W3C validation tools.
- Desktop Browsers – Test pages on current (and back one version) desktop browsers.
- Mobile Browsers – Test pages on current (and back one version) mobile browsers.
- Link Checker – Run pages through broken link checkers.
- Adblockers Test – Verify adblockers do not break pages.
Theme Fonts
Best Practices
- Webfont Formats – Convert fonts to WOFF, WOFF2 and TTF file formats.
- Fall-back Typefaces – List 2 or more in case desired fonts not available.
- Service Configuration – Set live domain and development IPs to be white-listed with hosted font services.
Theme CSS
Best Practices
- Preprocessors – Remove links to intermediary preprocessor files.
- Breakpoints – Check content, flow, and UX work as intended at different breakpoints.
- CSS Print – Set print stylesheet for each page.
- Unique ID – Use unique IDs per page.
- Reset CSS – Use CSS reset stylesheet.
- JavaScript Prefix – Name classes or IDs with js- when modified by JavaScript and not by CSS files.
- Inline / Embedded CSS – Remove or minimize embedded or inline CSS.
- Vendor Prefixes – Use CSS vendor prefixes depending on required browser support compatibility.
- Stylesheet Layout – Order of properties display > positioning > box model > colors and typography > other.
- Media Queries – Place at bottom of stylesheet.
- Magic Numbers – Avoid.
- Main Stylesheet Header – Include theme name, author, description, version, license, license URI, and text domain.
- Sticky Posts – Set to be visually distinguishable.
Performance
- Concatenation – Concatenate CSS files.
- Minification – Minify CSS files.
- Non-blocking – Verify CSS files are non-blocking in theme template.
- Unused CSS – Cleanup CSS.
CSS Testing
- CSS Validator – Run stylesheets through CSS validators.
Theme Images / Videos
Best Practices
- Placeholder Images – Replace with real images.
- Stock Images – Replace watermarked stock images with licensed versions.
- Optimization – Optimize for needed browsers and devices.
- Retina – Use 2x or 3x images to support retina displays.
- Width and Height – Set <img> to have height and width, handle with CSS and media queries, or serve appropriate sizes for respective browsers and devices.
- Alternative text – All <img> elements have alternative text which describes the image visually.
- Lazy loading – Load images on scroll or as needed.
- Social Thumbnails – Generate Facebook/Twitter/LinkedIn thumbnails for all pages.
- Responsive Video Players – Videos resize appropriately on different browsers and devices.
- Video Controls – Show playback, pause, and mute controls.
- Logo – Set logo link to return visitor to homepage.
Theme JavaScript
Best Practices
- jQuery Version – Do not add newer jQuery libraries if available.
- ’$’ Shortcut – Use IIFE to create.
- JavaScript Inline – Remove or minimize inline JavaScript.
- Concatenation – Concatenate JavaScript files.
- Minification – Minify JavaScript files.
- Non-blocking – Load JavaScript files asynchronously.
- Modernizr – Use Modernizr or similar tool to test for specific browser features.
- Footer Load – Place scripts in footer of page.
- eval() – Never, ever use.
JavaScript Testing
- ESLint – Verify JavaScript with ESLint or similar tool.
Copy
Best Practices
- Text – Replace all Lorem Ipsum with real copy.
Security
Best Practices
- HTTPS – Use HTTPS.
- HSTS – Set HTTP Strict Transport Security parameter on web server.
- Password Reset – Set password rules and flow on all authentication pages like Registration, forgot password, change password.
- Login Limits – Require ‘human’ verification after a defined number of failed tries.
- System Information – Verify application, server, or database version or connection information not publicly viewable.
- SSL – Verify certificate not expiring.
- Exploit Scanner – Run plugin on site.
Performance
Best Practices
- Minified – Minimize HTML and enable gzip type compression on web server.
- Lazy loading – Load images, scripts, and CSS files as needed, not on load.
- Cookie size – Minimize size of cookies.
- Content Delivery Network – Push CSS, JavaScript, fonts, and generated HTML to CDN.
- HTTP Cache Headers – Set appropriate parameters.
- DNS Prefetching – Enable preload and/or dns-prefetch.
- Mixed Content – Retrieve all files and assets via HTTPS.
- Logging – Enable tools and verify data passing to monitoring platforms.
SEO
Best Practices
- Tag Manager – Set up and verify data passing to tools.
- Analytics & Conversion – Google Analytics and similar tools installed, correctly configured, and registering data.
- Exclude IPs – Remove office or home IPs from analytics and conversion tools.
- Ad Pixels – Verify all ad pixels installed and registering.
- Heatmaps – Verify installation, configuration, and data flow to third party tools.
- A/B Tests – Verify installation, configuration, and data flow to third party tools.
- Chat – Verify installation, configuration, and data flow to third party tool.
- Sitemap XML – Install plugin to auto-generate and submit site, image, and video XMLs to Google Webmaster Tools and similar tools.
- Google Webmaster Tools – Verify no errors noted by WMT or similar tools.
- robots.txt – Verify robots.txt not blocking any pages.
- Structured Data or Rich Snippets – Generate error-free structured data as needed.
- Title – Use unique title tag on each page.
- Description – Set unique meta description on each page.
- 301 Redirects – Return 301 for moved content.
- Redirections – Use Rewrite Rules Inspector plugin and check redirections.
- Title Attribute – Set title attribute for all links.
- Social Widgets – Connect social accounts and set up to show buttons / links in right places.
Legal
Best Practices
- Privacy Policy – Create page and put link in footer.
- Terms of Service – Create page and put link in footer.
- GDPR Compliance – Show visible consent notice.
- Copyright – Show in footer.
Pre-Launch
Best Practices
- .htaccess – Set with appropriate settings.
- Backups – Check backup and restore systems functional. Fully backup old site if one exists.
- Versioning – Branch or tag production code in version control system.
- Contact Forms – Set CAPTCHA functionality, required fields, validation, and verify information emailed or routed to CRM.
- Newsletter Forms – Check signup forms functionality and verify user information pushed to third-party tool.
- Comments – Set moderation notices to be sent to appropriate email addresses.
- Search – Verify WordPress search or Google custom search traversing only necessary data, and returning correct results.
- API Configuration – Set live domain to be whitelisted with third party integrations or SaaS tools.
- Dev Domains – Verify database and assets not referencing dev, staging, or QA environments.
- DNS – Verify proper set up.
- Conversions & Funnels – Set analytics tools to collect visitor clickstream.
- Payment System – Turn test mode off and verify transactions work.
- www / non-www – Set non-canonical to redirect to canonical while preserving URL.
- Debug Mode – Disable in wp-config.php.
- WordPress Address (URL) – Update to production URL in wp-config.php or Settings > General.
- Site Address (URL) – Update to production URL in wp-config.php or Settings > General.
- Plugin / Theme Auto-Updates – Update usernames, passwords, and API keys.
- Gravatars – Set up user accounts with Gravatars if necessary.
- Pagination – Verify ‘next’ and ‘previous’ display right content in respective categories.
- Folder and File Permissions – Verify folder contents are not viewable and individual PHP files cannot be downloaded.
- Upload Permissions – Verify images and attachments can be uploaded via backend and downloaded by non-logged in users.
- Spam Protection – Enable Akismet plugin and delete old spam comments.
- Post Revisions – Limit number of post revisions saved and delete post revisions generated during development.
- Trash – Set number of days when deleted content can be removed from database.
- Cache – Enable default WordPress caching or a third-party plugin.
- Admin Email – Set to individual responsible for website post-launch.
- Search Engine Visibility – Enable search engines to index site.
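
A pre-launch check for several items from the Setup and Pre-Launch lists (table prefix, security keys and salts, debug mode, dev domains, sample config file), added here as an example and not part of the original checklist. The regex-based parsing, the dev host labels, and the finding strings are assumptions made for illustration; the sample config is constructed.

```python
import re
from urllib.parse import urlparse

SECRET_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
               "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
DEV_LABELS = {"dev", "staging", "qa", "localhost"}  # assumed host naming convention
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|(\w+))\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

# Constructed sample: a config carried over from development unchanged.
SAMPLE = """<?php
/** Constructed example, not a real site. */
// define( 'WP_DEBUG', false );
define( 'WP_DEBUG', true );
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'WP_HOME', 'https://staging.example.com' );
$table_prefix = 'wp_';
"""

def active_source(php):
    """Drop comments that start a line so commented-out settings are ignored."""
    php = re.sub(r"^\s*/\*.*?\*/", "", php, flags=re.S | re.M)
    return "\n".join(line for line in php.splitlines()
                     if not line.lstrip().startswith(("//", "#")))

def audit_wp_config(php, filenames=()):
    """Return findings for wp-config.php text and the file names beside it."""
    src = active_source(php)
    consts = {}
    for name, sq, dq, bare in DEFINE_RE.findall(src):
        consts.setdefault(name, sq or dq or bare)  # PHP keeps the first define()
    findings = []
    prefix = PREFIX_RE.search(src)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table prefix missing or still wp_")
    for key in SECRET_KEYS:
        if consts.get(key, "") in ("", PLACEHOLDER):
            findings.append(f"{key} unset or still the sample placeholder")
    if consts.get("WP_DEBUG", "false").lower() in ("true", "1"):
        findings.append("WP_DEBUG enabled")
    for key in ("WP_HOME", "WP_SITEURL"):
        host = urlparse(consts.get(key, "")).hostname or ""
        if DEV_LABELS & set(host.split(".")):
            findings.append(f"{key} points at a non-production host: {host}")
    if "wp-config-sample.php" in filenames:
        findings.append("wp-config-sample.php still present")
    return findings
```

Run it against the production copy of wp-config.php and the listing of the WordPress root; an empty list means none of these checks fired.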
Post-Launch
Best Practices
- Update Files – Set auto-update for core, themes, and plugins or create monthly or quarterly plan to test and roll out updates, especially if custom functionality was built for the website.
- Documentation – Compile website, webhost, S/FTP, and social logins, along with expiration dates on third-party services, SSL, stock photography, etc, and share with appropriate individuals.
- Error Logs – Check web server logs for PHP errors on a regularly scheduled basis.
- Version Control – Transfer ownership of repository to client if necessary.