Ultimate WordPress Launch Checklist (2025): 60+ Essentials Before Going Live

1) Hosting & Foundation

• PHP version (8.1+), OPcache enabled, adequate memory_limit (256MB+).
• Database server tuned; persistent connections and proper collation/charset (utf8mb4).
• Staging site in place; confirm search engine visibility is disabled on staging.
• Enforce HTTPS: valid SSL cert; update WordPress Address & Site Address to https://.
• Correct file permissions (755 dirs, 644 files) and ownership.
• wp-config.php: salts/keys, table prefix, DISALLOW_FILE_EDIT=true, WP_DEBUG=false.
• Server-level caching (e.g., FastCGI/Redis) planned and compatible with your WP cache plugin.
• Cron strategy: real cron vs wp-cron.php; disable default if using server cron.
• Backups: daily files + database; offsite storage; test a full restore.

2) Security & Hardening

• Enforce strong admin passwords and least-privilege user roles.
• 2FA for admin/editor accounts.
• Limit login attempts; enable CAPTCHA on critical forms.
• Disable XML-RPC if not required; protect wp-login.php (rate-limit/IP allowlist).
• Security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy).
• WAF/CDN rules in place (e.g., Cloudflare) and origin IP locked where possible.
• Remove unused themes/plugins; keep core, themes, plugins updated.
• Disable directory listing; protect wp-admin via HTTPS only.
• Uptime + malware monitoring configured; incident response plan documented.

3) Performance & Caching

• Page cache + object cache (Redis/Memcached) configured; preload critical pages.
• Minify + combine where safe; defer non-critical JS; CSS critical path for above-the-fold.
• Image optimization (WebP/AVIF), lazy-loading, correct dimension attributes.
• CDN for static assets and media; proper cache-control headers.
• Test Core Web Vitals (LCP, CLS, INP) on real devices + Lighthouse lab tests.
• Remove render-blocking assets; audit unused CSS/JS (especially page builders).
• Database optimization (autoloaded options, transients, postmeta bloat).

4) SEO & Indexing

• Disable “Discourage search engines” on production.
• Finalize permalinks; set redirects for legacy URLs; add 410 for intentionally removed content.
• Submit XML sitemap to Google Search Console & Bing Webmaster Tools.
• Robots.txt rules verified; no accidental disallow on production.
• Title/meta descriptions written for key pages; Open Graph & Twitter Cards in place.
• Canonicals set; pagination/archives configured; index/noindex rules audited.
• Structured data (Organization, Breadcrumb, WebPage, Article, Product/LocalBusiness as needed).
• 404 page helpful and branded; search on 404 enabled.
• Internal linking and anchor text updated; orphan pages handled.

5) Analytics, Tagging & Monitoring

• GA4 installed via Google Tag Manager (server-side if applicable).
• Conversion events set (leads, purchases, downloads, form submits).
• Search Console & Bing verified; HTML sitemap (optional) created.
• Heatmaps/session replay (e.g., Hotjar) if allowed by policy.
• Uptime monitoring + performance alerts; error logging (PHP, JS) and alerting.

6) Content Quality, UX & Accessibility

7) Forms, Email Deliverability & SMTP

• All forms submit, validate, and store entries (spam protection enabled).
• Transactional emails routed via SMTP/API (SPF, DKIM, DMARC set at DNS).
• Test notifications to multiple recipients; reply-to and from-name configured.
• Email logs enabled for troubleshooting.

Tip: For reliable deliverability, try Comfort Email SMTP, Logger & Email API (by Codeboxr). It’s a lightweight alternative to bulky SMTP plugins.

8) WooCommerce / Payments (if applicable)

• Currency, taxes, shipping zones/methods, and store address set.
• Payment gateway in Live mode (e.g., Stripe keys); webhooks configured & tested.
• Test orders end-to-end (cart → checkout → email receipts → fulfillment).
• Inventory, product schema, and structured data validated.
• Transactional email templates branded and accurate.
• Terms/Privacy/Refund policy linked in checkout.

9) Legal, Privacy & Compliance

• Privacy Policy, Terms, Cookie Policy, Refund/Shipping (if store) pages published.
• Consent banner aligned with your data collection (GA4, pixels, heatmaps, etc.).
• DPA with processors if required; contact form disclaimers where needed.
• Accessibility statement (if in scope); language switcher tested for multilingual sites.

10) Go-Live Operations & Post-Launch

• DNS cutover planned with low TTL; verify A/AAAA/CNAME, MX, SPF/DKIM/DMARC.
• Switch off maintenance mode; purge all caches (server, plugin, CDN).
• Remove staging references, test absolute URLs, update internal links.
• Verify 301 redirects and track 404s; import any disavow file if applicable.
• Take a fresh full backup post-launch and archive a “v1.0” snapshot.
• Create an editor’s manual: how to add posts, media, menus, and updates safely.
• Set monthly maintenance (updates, backups, optimization, monitoring).
• Announce the launch (social, newsletter); set up feedback collection.