Launch-day checklist

Launch day is exciting, and during that excitement it's very easy to forget things and make mistakes. This checklist will help you cover all aspects of your self-hosted WordPress site, as well as provide a glimpse of what to expect in the coming lessons.

Server & infrastructure

  • All important configs are committed and pushed
  • Server time and hostname are correct
  • OS and packages are up to date
  • Unattended security updates are working
  • DNS resolution and internet access work
  • SSH is locked down, root account is secured
  • Firewall is up and running
  • Disk, memory and swap levels are under control
  • System logs are being rotated
  • Brute-force attempts are being blocked (SSH, WP and other exposed services)
  • WAF, rate-limiting/throttling, managed challenges are enabled
  • Email delivery is via third-party SMTP
  • DNS records for email are in place and accurate

Nginx, PHP, and MySQL/MariaDB

  • Nginx and PHP configurations are valid
  • PHP worker count and backlog limit are sensible
  • Versions are up to date
  • Memory and max execution time limits are sensible
  • Opcache is enabled and large enough
  • Large uploads work as expected
  • Cache headers and compression work as expected
  • Nginx and PHP logs are being written and rotated
  • SSL/TLS is accurate and valid all the way through
  • HTTPS is forced at CDN/proxy, port 80 is locked
  • MySQL/MariaDB is up and running, resource allocation is sensible
  • Max connections exceeds maximum PHP workers

WordPress

  • Site/Home URLs are accurate
  • Authentication and nonce salts are unique
  • Pretty permalinks work as expected
  • Security settings/snippets are enforced
  • Unique username for the admin account, strong password, and 2FA
  • Robots.txt and X-Robots-Tag are ready for production
  • Object caching is working, Redis usage/limits are under control
  • Page caching is working, known JS cookies are ignored
  • Core, themes and plugins are up to date
  • Unused themes/plugins are removed
  • PHP errors are written to the PHP error log, not wp-content/debug.log
  • WordPress cron is running on time
  • No backups, logs, or other sensitive files are publicly accessible
  • Working brute-force/DoS protection for wp-login.php, REST API, xmlrpc.php
  • File permissions are sensible, 777 is not your lucky number
  • Email leaves WordPress/PHP via system services
  • Site can survive a baseline load test
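
An added example (not part of the course material) that audits a document root for three items from the WordPress list above: world-writable permissions, stray backups or logs, and a debug.log under wp-content. The function names, file-name patterns and sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-launch audit of a WordPress document root.
# Every path and file name here is constructed for illustration.

# Files/directories writable by any local user (the "777" item). Symlinks are
# skipped because their mode bits are always rwxrwxrwx and mean nothing.
find_world_writable() {
    find "$1" ! -type l -perm -0002 -print | sed 's/^/WORLD_WRITABLE /'
}

# Backup, dump, log and editor-leftover names that should not sit under a web
# root. A hit is a candidate to verify: Nginx may already deny access to it.
find_sensitive_candidates() {
    find "$1" -type f \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.bak' \
        -o -name '*.old' -o -name '*.log' -o -name '*.zip' -o -name '*.tar.gz' \
        -o -name '*~' -o -name '.env' \) -print | sed 's/^/SENSITIVE /'
}

# Print sorted findings; return 0 when clean, 1 when anything needs review.
audit_webroot() {
    findings=$( { find_world_writable "$1"; find_sensitive_candidates "$1"; } | sort )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Build a constructed sample tree (runs in a subshell so umask does not leak).
make_sample_webroot() (
    umask 022
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/plugins"
    : > "$d/index.php"
    : > "$d/wp-content/debug.log"      # the debug.log the checklist warns about
    : > "$d/backup-2024.sql.gz"        # forgotten database dump
    chmod 777 "$d/wp-content/uploads"  # the "lucky number" misconfiguration
    printf '%s\n' "$d"
)

sample=$(make_sample_webroot)
audit_webroot "$sample" || echo "Review the findings above before launch."
rm -rf "$sample"
```

A non-zero exit from audit_webroot makes it usable as a gate in a deploy script; each SENSITIVE hit still needs an HTTP request against the live site to confirm whether it is actually reachable.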

Monitoring

  • Monitoring is in place and working
  • Alerts are working and deliverable
  • Services can survive a service crash, system crash, manual reboot
  • Disk space, CPU usage and memory are monitored
  • SSL/TLS certificate expiry is monitored
  • Access/error logs are monitored
  • Database is monitored (including Redis)
  • Backups are monitored
  • HTTPS access (home page or health page) is monitored
  • Third-party off-site monitoring is in place

Backups & disaster recovery

  • Scheduled backups are working for application data, media and database
  • On-demand backups are easily done and accessible
  • On-site backups are stored in a secure location
  • Backups are being shipped off-site to another provider
  • Backups are downloadable and verifiable
  • Retention policy is sensible and working, both on-site and off-site
  • Perform a dry-run recovery with no access to the server

Don't worry if this seems a bit overwhelming at first. We'll cover everything on this list step by step in the coming lessons, and things will start falling into place.

Consider committing this checklist to your README.md or a separate file in your config repository, then adapting it to your specific needs later. Chances are you'll use the repo as a starting or reference point for future self-hosted projects.