Launching a New WordPress Site — What to Check

February 8, 2026

Launching a new WordPress site without a thorough pre-launch review is like opening a store without checking if the doors lock or the lights work. Many issues that surface after launch, from security vulnerabilities to SEO misconfigurations, are significantly harder and more embarrassing to fix once real visitors and search engines have already arrived. This checklist covers everything you need to verify before flipping the switch, organized by category. A single InspectWP scan can check most of these items automatically.

Pre-Launch WordPress Security Checklist

Security gaps at launch are particularly problematic because automated bots scan for new WordPress installations and can exploit default configurations within hours.

  • SSL certificate installed and verified: Open your site in the browser and confirm the padlock icon appears. Click it to verify the certificate is valid, not expired, and issued for the correct domain. Test both https://example.com and https://www.example.com (whichever you use).
  • HTTP-to-HTTPS redirect working: Manually type http://yourdomain.com in the browser and confirm it redirects to the HTTPS version with a 301 (permanent) redirect, not a 302 (temporary). Test with both www and non-www variants.
  • Security headers configured: Verify the following headers are present in your server responses: HSTS (Strict-Transport-Security), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. A Content-Security-Policy is optional at launch but should be on your roadmap. InspectWP checks all of these automatically.
  • WordPress core, all plugins, and all themes fully updated: Even if you just installed everything a week ago, check for updates. WordPress and plugin developers release security patches frequently. Go to Dashboard > Updates and make sure everything is current.
  • Default "admin" username changed: If you created the initial user account with the username "admin," create a new administrator account with a different username, reassign all content, and delete the old "admin" account. Attackers try this username first in brute-force attacks.
  • Strong, unique passwords on all accounts: Every user account should have a password that is at least 16 characters long, randomly generated, and not reused from any other site. Use a password manager. Enable two-factor authentication (2FA) for all administrator accounts.
  • XML-RPC disabled if not required: Unless you use Jetpack or the WordPress mobile app, disable XML-RPC entirely. It is a common target for brute-force amplification attacks. Block it at the server level or with a security plugin.
  • REST API user endpoint restricted: Test by visiting yourdomain.com/wp-json/wp/v2/users in your browser. If it returns a list of usernames, you need to restrict this endpoint to authenticated users only.
  • File editing in admin disabled: Add define('DISALLOW_FILE_EDIT', true); to your wp-config.php. This prevents anyone (including attackers who gain admin access) from editing theme or plugin files through the WordPress dashboard.
  • debug.log not publicly accessible: Navigate to yourdomain.com/wp-content/debug.log in your browser. If you see log output, either delete the file or block access to it via your server configuration. On production, set WP_DEBUG to false and WP_DEBUG_LOG to false in your wp-config.php.
  • Unnecessary default content removed: Delete the "Hello World" sample post, the sample page, and the sample comment. Remove unused themes (keep only your active theme and one default theme as fallback). Remove any plugins you installed for testing but do not need in production.
  • Backup solution configured and tested: Set up automated backups before launch, not after. Configure a plugin like UpdraftPlus to back up to an off-site location (Amazon S3, Google Drive, Dropbox). Run a test backup and verify you can restore from it.
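
The remotely testable items above (301 redirect, security headers, REST API user listing, debug.log exposure) can be checked in one pass. This is an added example, not part of the original checklist or InspectWP's code: the probe names, the `audit` function and the sample responses are assumptions made for illustration, and the dictionary is meant to be filled with responses captured from your own site.

```python
import json

# Headers the checklist asks for (Content-Security-Policy is optional at launch).
REQUIRED_HEADERS = (
    "strict-transport-security", "x-frame-options", "x-content-type-options",
    "referrer-policy", "permissions-policy",
)

def audit(responses):
    """responses maps a probe name to (status, headers dict, body text).
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    # http://yourdomain.com must answer with a permanent redirect to HTTPS.
    status, headers, _ = responses["http_root"]
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if status != 301 or not location.startswith("https://"):
        findings.append(f"redirect: expected 301 to https, got {status} {location!r}")
    # Header names are case-insensitive, so compare in lower case.
    _, headers, _ = responses["https_root"]
    present = {k.lower() for k in headers}
    for name in REQUIRED_HEADERS:
        if name not in present:
            findings.append(f"header missing: {name}")
    # /wp-json/wp/v2/users returns a JSON list of user objects when unrestricted.
    status, _, body = responses["users_endpoint"]
    try:
        users = json.loads(body) if status == 200 else []
    except ValueError:
        users = []
    users = users if isinstance(users, list) else []
    slugs = [u["slug"] for u in users if isinstance(u, dict) and "slug" in u]
    if slugs:
        findings.append("REST API exposes usernames: " + ", ".join(slugs))
    # /wp-content/debug.log should not be served at all.
    status, _, body = responses["debug_log"]
    if status == 200 and body.strip():
        findings.append("debug.log is publicly readable")
    return findings

# Constructed sample responses for a hypothetical site (not real captures).
SAMPLE = {
    "http_root": (302, {"Location": "https://example.com/"}, ""),
    "https_root": (200, {"Strict-Transport-Security": "max-age=31536000",
                         "X-Content-Type-Options": "nosniff"}, "<html></html>"),
    "users_endpoint": (200, {}, '[{"id": 1, "slug": "admin"}]'),
    "debug_log": (403, {}, "Forbidden"),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
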

Pre-Launch WordPress SEO Configuration

SEO misconfigurations at launch can have lasting consequences. If search engines index your site incorrectly in the first weeks, it can take months to recover.

  • XML sitemap created and submitted: Install an SEO plugin (Yoast SEO, Rank Math, or SEOPress) and confirm it generates a sitemap. Submit the sitemap URL to Google Search Console. If your site is not yet in Search Console, add it now and verify ownership.
  • robots.txt reviewed: Visit yourdomain.com/robots.txt and verify it is not blocking any important content. A common mistake is leaving staging-environment rules in place that block all crawling. Your robots.txt should include a reference to your sitemap.
  • "Discourage search engines" is UNCHECKED: Go to Settings > Reading in your WordPress admin. Make sure "Discourage search engines from indexing this site" is not checked. This checkbox is frequently enabled during development and forgotten at launch. When enabled, WordPress adds a noindex meta tag to all pages and blocks search engines via robots.txt.
  • Meta descriptions set for all key pages: At minimum, write unique meta descriptions for your homepage, about page, service/product pages, and any other high-priority pages. These are the snippets that appear in search results and directly influence click-through rates.
  • One H1 tag per page with correct heading hierarchy: Check your homepage and all major pages. Make sure each page has exactly one H1 (typically the page title) and that headings follow the correct hierarchy (H1 > H2 > H3, no skipping). Some themes and page builders create heading issues that are not obvious in the visual editor.
  • Canonical tags present on all pages: Verify that each page includes a <link rel="canonical"> tag pointing to its own URL. Most SEO plugins handle this automatically, but check a few pages to confirm. Incorrect canonical tags can cause search engines to ignore your pages entirely.
  • JSON-LD structured data added: At minimum, add Organization schema (for your business or brand) and Article schema (for blog posts). Breadcrumb schema is also valuable for navigation-heavy sites. Test your structured data using Google's Rich Results Test tool.
  • Open Graph and Twitter Card tags configured: Share a link to your site on Facebook and Twitter (X) and verify the preview looks correct: proper title, description, and featured image. Use Facebook's Sharing Debugger and Twitter's Card Validator to test and clear caches if needed.
  • Permalinks set to SEO-friendly structure: Go to Settings > Permalinks and select "Post name" (the /%postname%/ structure). Avoid date-based or numeric structures. If you change this setting after content is published, set up 301 redirects from the old URLs to the new ones.
  • No accidental noindex tags: Check the HTML source of your key pages for <meta name="robots" content="noindex">. Some SEO plugins allow setting noindex on individual pages, and this is sometimes applied accidentally during content creation.
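
The on-page items above (stray noindex, canonical pointing at its own URL, exactly one H1, no skipped heading levels) can be verified from a page's HTML source. This is an added example, not code from the original page or from any SEO plugin: `SeoScan`, `seo_findings` and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

class SeoScan(HTMLParser):
    """Records heading levels, the canonical URL and any robots noindex."""
    def __init__(self):
        super().__init__()
        self.headings = []      # heading levels in document order, e.g. [1, 2, 3]
        self.canonical = None
        self.noindex = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if len(tag) == 2 and tag[0] == "h" and tag[1] in "123456":
            self.headings.append(int(tag[1]))
        elif tag == "link" and "canonical" in (attrs.get("rel") or "").lower().split():
            self.canonical = attrs.get("href")
        elif tag == "meta" and (attrs.get("name") or "").lower() == "robots":
            if "noindex" in (attrs.get("content") or "").lower():
                self.noindex = True

def seo_findings(html, page_url):
    """Return a list of problems; an empty list means the page passed."""
    scan = SeoScan()
    scan.feed(html)
    findings = []
    if scan.noindex:
        findings.append("noindex meta tag present")
    if scan.canonical != page_url:
        findings.append(f"canonical is {scan.canonical!r}, expected {page_url!r}")
    h1_count = scan.headings.count(1)
    if h1_count != 1:
        findings.append(f"{h1_count} H1 tags, expected exactly one")
    # Going deeper by more than one level (H1 then H3) skips a level.
    for prev, cur in zip(scan.headings, scan.headings[1:]):
        if cur > prev + 1:
            findings.append(f"heading skips from H{prev} to H{cur}")
    return findings

# Constructed sample: a page carrying leftovers from a staging environment.
SAMPLE_PAGE = """
<head><meta name="robots" content="noindex, follow">
<link rel="canonical" href="https://staging.example.com/about/"></head>
<body><h1>About</h1><h3>Team</h3><h1>Contact</h1></body>
"""

if __name__ == "__main__":
    for finding in seo_findings(SAMPLE_PAGE, "https://example.com/about/"):
        print(finding)
```
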

Pre-Launch WordPress Performance Optimization

First impressions matter. If visitors arrive at a slow site at launch, they will leave and may not return.

  • Caching plugin installed and configured: Page caching is the single most impactful performance optimization. Install WP Rocket, LiteSpeed Cache, or WP Super Cache and verify it is working by checking the response headers or page source for cache indicators. See the performance guide (KB-58) for detailed setup instructions.
  • Gzip or Brotli compression enabled: Check your response headers for Content-Encoding: gzip or Content-Encoding: br. Most caching plugins enable compression automatically. If not, configure it at the server level.
  • Images optimized before launch: Run all uploaded images through an optimization plugin (ShortPixel, Imagify, Smush). Convert to WebP format where possible. Enable lazy loading for images below the fold. Verify that no oversized images are being served by checking image dimensions in the browser developer tools.
  • HTTP/2 enabled: This is usually automatic when HTTPS is active. Verify by checking the protocol column in your browser's network tab or by running an InspectWP scan. If you are still on HTTP/1.1, contact your hosting provider.
  • No unnecessary plugins installed: Review your plugin list one final time. Remove any plugins that were installed for development, testing, or evaluation purposes. Each unnecessary plugin adds load time, increases your attack surface, and creates maintenance overhead.
  • Core Web Vitals passing: Test your key pages with Google PageSpeed Insights. Target Largest Contentful Paint (LCP) under 2.5 seconds, Interaction to Next Paint (INP) under 200ms, and Cumulative Layout Shift (CLS) under 0.1. Fix any major issues before launch.
  • CSS and JavaScript minified: Enable minification in your caching plugin and verify your site still functions correctly. Test forms, sliders, accordions, and any interactive elements to make sure minification has not broken JavaScript functionality.

Pre-Launch GDPR and Privacy Compliance

Getting privacy right from day one is critical. Retroactive fixes after a complaint or fine are far more expensive and stressful than setting things up correctly from the start.

  • Cookie consent banner installed and properly configured: Install a consent management plugin (Complianz, Real Cookie Banner, or Cookiebot). Verify that non-essential cookies and scripts are actually blocked before consent is given. Test by opening your site in an incognito window, declining all cookies, and checking the browser's network tab for third-party requests.
  • Google Fonts hosted locally: Open your browser's network tab and search for requests to fonts.googleapis.com or fonts.gstatic.com. If any appear, switch to locally hosted fonts. Plugins like OMGF or Local Google Fonts handle this automatically.
  • Gravatar disabled or set to consent-based loading: Check Settings > Discussion. Either disable Gravatar entirely or use a plugin that shows a local placeholder and only loads Gravatar images after consent.
  • Privacy policy page published and linked: Create a comprehensive privacy policy that covers all data processing on your site. Link it from the footer of every page and from any forms that collect personal data. Set it as the privacy policy page under Settings > Privacy.
  • Imprint / Legal Notice page published (Germany/Austria): If your site targets German or Austrian visitors, you must have an Impressum page with your full legal name, postal address, email, and phone number. Make it accessible from every page via a footer or header link.
  • No external resources loading without consent: Beyond Google Fonts and Gravatar, check for CDN-hosted jQuery, Font Awesome, Google Analytics, Google Maps, Facebook pixel, embedded YouTube videos, and any other external services. Each one needs either a consent mechanism or a local hosting alternative.
  • Contact forms include privacy notices: Every form that collects personal data should include an unchecked checkbox with a link to your privacy policy. Configure your form plugin to include a data processing consent field.
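
The external-resource checks above (Google Fonts, Gravatar, analytics, embeds) can be pre-screened by listing every third-party host referenced in the HTML your server sends before consent is given. This is an added example, not code from the original page or from any consent plugin: `ResourceCollector`, `third_party_hosts` and the sample markup are assumptions constructed for illustration, and the scan only sees static HTML, so requests injected by JavaScript still need the browser's network tab.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ResourceCollector(HTMLParser):
    """Collects URLs the browser contacts automatically while rendering."""
    # tag -> attribute whose URL triggers a request
    FETCHING = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
    # <link> only causes a connection for these rel values; canonical does not.
    LINK_RELS = {"stylesheet", "preload", "icon", "preconnect"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        wanted = self.FETCHING.get(tag)
        if not wanted or not attrs.get(wanted):
            return
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & self.LINK_RELS:
                return
        self.urls.append(attrs[wanted])

def third_party_hosts(html, site_host):
    """Return the sorted external hostnames referenced by the static HTML."""
    collector = ResourceCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname  # None for relative URLs
        if host and host != site_host and not host.endswith("." + site_host):
            hosts.add(host)
    return sorted(hosts)

# Constructed sample markup for a hypothetical site at example.com.
SAMPLE_HTML = """
<link rel="canonical" href="https://example.com/">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<img src="https://secure.gravatar.com/avatar/0?s=64">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<a href="https://twitter.com/example">Follow</a>
"""

if __name__ == "__main__":
    print(third_party_hosts(SAMPLE_HTML, "example.com"))
```
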

Pre-Launch Functionality Testing

Technical perfection means nothing if basic features do not work for your visitors.

  • All internal links working: Click through your site systematically or use a tool like Broken Link Checker to find 404 errors. Pay special attention to navigation menus, footer links, and in-content links. Fix or redirect any broken URLs.
  • Contact forms sending emails correctly: Submit test entries through every form on your site. Check that confirmation emails reach the intended inbox (not the spam folder). Test with multiple email providers (Gmail, Outlook, corporate email). If form emails are not arriving, install WP Mail SMTP to route emails through a proper SMTP server instead of PHP mail.
  • Mobile responsive design verified on actual devices: Do not rely solely on browser developer tools for mobile testing. Test on actual phones and tablets if possible. Check that text is readable without zooming, buttons are large enough to tap, and no horizontal scrolling occurs. Test both portrait and landscape orientations.
  • Cross-browser testing completed: Test your site in Chrome, Firefox, Safari, and Edge at minimum. Pay attention to fonts, layout, forms, and JavaScript functionality. If your audience includes corporate users, consider testing older browser versions.
  • Backup solution configured and first backup completed: Do not launch without a working backup. Configure automatic daily backups to an off-site location. Run the first backup manually and verify the backup file is complete and downloadable. Test restoring to a staging environment if possible.
  • Analytics configured with proper consent: Set up Google Analytics, Matomo, or your preferred analytics tool behind your cookie consent mechanism. Verify that tracking only activates after the visitor gives consent. Check that pageviews are being recorded correctly by visiting your site and reviewing the real-time analytics dashboard.
  • 404 error page customized: The default WordPress 404 page is generic and unhelpful. Create a custom 404 page that includes your site navigation, a search bar, and links to your most important content. This helps visitors find what they are looking for instead of leaving.
  • Email notifications configured: Verify that WordPress admin email is correct (Settings > General). Test that you receive notifications for form submissions, user registrations, update alerts, and security plugin alerts. These notifications are your early warning system for issues.

Run an InspectWP Scan Before Going Live

Before flipping the switch, run a comprehensive InspectWP scan on your site. It checks SSL configuration, HTTP security headers, WordPress version and configuration, installed plugins, SEO meta tags and heading structure, performance metrics including compression and HTTP version, GDPR-relevant external resources, and much more. All in a single scan that takes less than a minute. This gives you a complete health check of your site before real visitors arrive, so you can fix any remaining issues while the stakes are still low. After launch, set up automatic scans to monitor your site continuously and receive alerts when something changes.
