Recently, a few friends came to me with questions about WordPress. The expertise we built at GreenIvory came to mind, so instead of answering one question at a time by email, by text, and by messenger, I put all of it together here. This article is a bit of an exception to the series I am currently working on.
I deliberately exclude non-engineering and non-ops questions such as content (and content strategy), ADA compliance, and any rights and legal aspects (required pages, copyright, and more).
In no particular order, the questions cover backup, infrastructure, domain, email, access, WordPress with its plug-ins and themes, analytics, and, of course, security. The security coverage stays very basic.
What is your backup strategy? Which plug-in are you using? How often does it run? Is the MySQL database backed up, and how? Where are the backup files stored? What is the secondary, off-site location for the backup, and how do I access it? Has the backup actually been restored on another site to prove it works? What is the recovery process? Is it documented in a run book?
Describe the infrastructure you are using. Where is the web server (the PHP code and the uploaded files) running, and how can I access it? Where is the MySQL instance running, and how can I access it? Is it documented in the run book?
Is your SSL/TLS certificate renewed automatically, and will someone be notified if the renewal fails? Is it documented in the run book? (Note that I did not even ask whether you had a certificate.)
Do you have a secondary site ready to take over if you have a problem? You may not need a fully automated high-availability (HA) setup; it could be as simple as a static "we are still in business" page that goes up when the MySQL instance crashes. Are this strategy and the secondary site documented in the run book?
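Here is what the "tested backup" answer can look like in practice. This is an added example, not something from the original post or from any particular backup plug-in: a POSIX shell script that dumps MySQL, archives wp-content and wp-config.php, writes checksums, verifies them, and applies retention. The site root, the constant names read from wp-config.php, and the backup layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal nightly backup of a
# WordPress site plus the integrity check that "has the backup been tested?"
# implies. Paths, names and the site layout are assumptions: the site root
# holds wp-config.php and wp-content/, and the DB credentials are read from
# wp-config.php. A full restore onto a scratch site is still the real test.
set -eu

# Extract define('NAME', 'value') from wp-config.php (first match wins).
# Values containing a quote character are not handled.
wp_config_value() {
    # $1 = wp-config.php path, $2 = constant name
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the DB and archive the site into $2/<timestamp>/, then checksum both.
# Prints the backup directory it created.
backup_site() {
    wp_root=$1; dest=$2
    cfg="$wp_root/wp-config.php"
    out="$dest/$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$out"
    db_name=$(wp_config_value "$cfg" DB_NAME)
    db_user=$(wp_config_value "$cfg" DB_USER)
    db_host=$(wp_config_value "$cfg" DB_HOST)
    # Pass the password via MYSQL_PWD so it never shows up in `ps` output;
    # --single-transaction gives a consistent InnoDB snapshot without locking.
    MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) \
        mysqldump --single-transaction -h "$db_host" -u "$db_user" "$db_name" \
        | gzip -c > "$out/db.sql.gz"
    # wp-content (themes, plug-ins, uploads) and wp-config.php are the parts
    # you cannot get back by re-downloading WordPress core.
    tar -C "$wp_root" -czf "$out/files.tar.gz" wp-content wp-config.php
    ( cd "$out" && sha256sum db.sql.gz files.tar.gz > SHA256SUMS )
    echo "$out"
}

# Integrity check: checksums match, the archive contains wp-config.php, the
# dump decompresses and carries mysqldump's "Dump completed" trailer.
verify_backup() {
    dir=$1
    ( cd "$dir" && sha256sum -c SHA256SUMS > /dev/null ) || return 1
    tar -tzf "$dir/files.tar.gz" | grep -q '^wp-config.php$' || return 1
    gzip -t "$dir/db.sql.gz" || return 1
    gunzip -c "$dir/db.sql.gz" | tail -n 3 | grep -q 'Dump completed' || return 1
}

# Retention: keep only the newest $2 backup directories under $1
# (the timestamped names sort chronologically).
prune_backups() {
    keep=$2
    n=$(ls -1d "$1"/*/ | wc -l | tr -d ' ')
    [ "$n" -gt "$keep" ] || return 0
    ls -1d "$1"/*/ | sort | head -n "$((n - keep))" | while IFS= read -r d; do
        rm -rf "$d"
    done
}
```

Run `backup_site /var/www/site /backups` from cron, call `verify_backup` on the directory it prints, copy that directory off-site, and `prune_backups /backups 14` afterwards. The verification only proves the files are intact and complete; the periodic restore onto a scratch site, the question above, still belongs in the run book.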
Do you use a CDN? If so, is it documented in the run book?
Is every infrastructure subscription on auto-renew? Is each one linked to a credit card with a long enough expiration date or, better, to a PayPal account? Paying through PayPal centralizes billing: you set up one credit card once for all your suppliers. Are those details documented in the run book?
Who owns the domain? Is it on auto-renew? Is it paid from a credit card with a long enough expiration date or from a PayPal account (preferred)? Is it documented in the run book?
Is your website sending emails (most do)? If so, how: the web server's own mail function, an SMTP plug-in, or a transactional email service? Is it documented in the run book?
How have you secured WordPress admin access (strong unique passwords, two-factor authentication, limited login attempts)? Have you listed all the administrator accounts? Do you have any other users? If so, do they have a role with less access (Editor, Author, Contributor, or Subscriber) rather than Administrator? Are the admins and their roles documented in the run book?
WordPress, its plug-ins, and its theme
Have any core WordPress files been modified? It is bad practice, since the next core update overwrites the change, but sometimes you have to. If so, is it documented in the run book?
Most WordPress sites use plug-ins. You do not need to document them all, but if there are unusual ones, or ones that do not auto-update, are they listed in the run book?
Are you using custom-developed plug-ins, or third-party plug-ins that are heavily modified? If so, is the source code on GitHub? For heavily modified third-party plug-ins, did you break the update path from the original author? Is it documented in the run book?
Are your configuration files (or all files) automatically synced to GitHub? If so, is wp-config.php, with its database password and authentication salts, kept out of the repository? Is it documented in the run book?
Are you using a custom theme? If so, is the source code on GitHub? Is it documented in the run book?
Are you using a heavily modified theme? If so, is the source code on GitHub? Did you break the update path from the original author? Is it documented in the run book?
Is your site connected to an analytics system? If so, which one? Are the solution, access, and keys documented in your run book?
Security is a tricky topic, and these few questions are in no way an exhaustive list.
What is your security strategy? Do you allow comments? If so, is Akismet configured? Have you removed the things you do not use, such as inactive plug-ins and extra themes? Is directory listing disabled at the web server, with an index.php or empty index.html redirecting to the site root in folders where people could otherwise browse your files as a fallback? Is auto-update enabled everywhere? Is editing PHP files from the dashboard disabled (DISALLOW_FILE_EDIT)? Do you have security plug-ins at the WordPress level? Does your server have a firewall at the operating-system level that stops problems before they reach WordPress? Is it documented in the run book?
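To make a few of these questions checkable on the host, here is an added example that is not part of the original post: a read-only shell audit of a WordPress tree. It assumes the usual layout (wp-config.php and wp-content/ under one root), and it goes slightly beyond the paragraph above by also checking the permissions of wp-config.php and the AUTOMATIC_UPDATER_DISABLED constant.

```shell
#!/bin/sh
# Added example (not from the original post): a read-only audit of a WordPress
# install for a few of the questions above. The layout is an assumption
# (wp-config.php and wp-content/ under one root); nothing here talks to the
# database or the web server, so it can run on the host as the web user.
set -eu

# True when wp-config.php defines the constant as true (case-insensitive).
config_flag_is_true() {
    # $1 = wp-config.php, $2 = constant name
    grep -Eiq "define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Octal permission bits of a file (GNU/busybox stat; BSD stat uses -f '%Lp').
file_mode() { stat -c '%a' "$1"; }

# wp-config.php carries the DB password and the auth salts: no "other" read bit.
config_not_world_readable() {
    case $(file_mode "$1") in
        *[4567]) return 1 ;;
        *)       return 0 ;;
    esac
}

# Directories under wp-content with neither index.php nor index.html. This is
# the fallback the post describes; the proper fix is to disable directory
# listing at the web server (Apache "Options -Indexes", nginx "autoindex off").
dirs_without_index() {
    find "$1/wp-content" -type d | while IFS= read -r d; do
        [ -e "$d/index.php" ] || [ -e "$d/index.html" ] || echo "$d"
    done
}

# Every installed theme is code that must be kept updated, active or not.
installed_theme_count() {
    find "$1/wp-content/themes" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# Print one line per finding; exit status 1 when there is at least one.
audit_site() {
    root=$1; cfg="$root/wp-config.php"; rc=0
    config_flag_is_true "$cfg" DISALLOW_FILE_EDIT \
        || { echo "FINDING: DISALLOW_FILE_EDIT is not true (admins can edit PHP from the dashboard)"; rc=1; }
    if config_flag_is_true "$cfg" AUTOMATIC_UPDATER_DISABLED; then
        echo "FINDING: AUTOMATIC_UPDATER_DISABLED is true (no automatic updates at all)"; rc=1
    fi
    config_not_world_readable "$cfg" \
        || { echo "FINDING: wp-config.php is mode $(file_mode "$cfg"), readable by everyone"; rc=1; }
    n=$(dirs_without_index "$root" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || { echo "FINDING: $n directories under wp-content can be listed if autoindex is on"; rc=1; }
    t=$(installed_theme_count "$root")
    [ "$t" -le 1 ] || { echo "FINDING: $t themes installed; remove the ones you do not use"; rc=1; }
    return "$rc"
}
```

`audit_site /var/www/site` prints one line per finding and exits non-zero when there is any, which makes it usable from cron or a monitoring check. Listing the administrator accounts themselves needs the database, for example with WP-CLI: `wp user list --role=administrator --fields=user_login,user_email`.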
Finally, where is the run book?
Now, it’s your turn
Do I do all of that for this website? No, I don't, and I know I may pay the price someday, but as with any business decision, it is a balance of risk against cost: I don't drive revenue (not even ads) from my blog. I could have presented the list as a checklist, but I hope that turning it into a list of questions will trigger more questions for you. There are also many reasons why I am no longer in this business…
Take this list, and adapt it to your needs. Please add what I missed or interesting links in the comments.
Feature photo by Pavel Danilyuk.