Not only for WordPress sites!
- Linux user account for website
- application source code
- SQL database
- deploy script
- CLI tools (application management, OPcache, DNS)
- SSL certificate
- PHP-FPM pool
- webserver virtual host
- DNS records
- CDN
- email sending
- set up application
- cron jobs
- check log files
- register in webmaster tools
- A, CNAME (for CDN)
- MX
- TXT records for SPF, DKIM, DMARC
- PTR records
- Proper TTL values
- For safety (personal data)
- For security (fewer attacks)
- For trust (green lock in browsers)
- For better SEO ranking since 2014
- For speed (enables HTTP/2)
- For receiving referrer information (up to April 2012)
- Very cheap
Authorities: Let's Encrypt, RapidSSL (by DigiCert), DigiCert and other SSL certificate authorities
- See WordPress website lifecycle
- Set up database connection
- Define constants, generate salts
- Edit `wp-cli.yml`
- Use child theme for purchased themes
- Keep custom plugins and themes in git repositories
- Document plugin licenses, access to support 🐌
- Allow accents in URLs? `mu-latin-accent-urls`
- `/robots.txt`
- 🐌 `/favicon.ico`
- 🐌 `/apple-touch-icon.png`
- 🐌 `/browserconfig.xml`
- other files in the document root
- Static all-inline HTML page: `ErrorDocument 503 nice-page.html` + `RewriteRule "^" - [R=503,L]` + `Retry-After` header
- Use a CDN with multiple A records: `host -t A cdn.example.com` 🐌
- Revving filenames
- Combine and minify CSS and JavaScript files
- HTML caching or `no-cache`?
- Disallow HTML pages on CDN (robots-cdn.txt)
- https://aws.amazon.com/console/
- https://dash.cloudflare.com/login see also /webserver/CloudFlare.md
```sh
wp plugin install --activate wp-mailfrom-ii smtp-uri
wp eval 'wp_mail("admin@szepe.net","first outgoing",site_url());'
```
- Obfuscate email addresses: `antispambot( 'e@ma.il' )`
- JavaScript href fallback: https://www.google.com/recaptcha/admin#mailhide
- Authenticated delivery for monitoring emails
- Shortest route of delivery
- Add server as `RELAYCLIENT` on the smarthost
- Email `From:` name and address
- Subject line
- Easy identification for email notifications (filtering to mail folders)
- SPF for `MAIL FROM:`, SPF for `HELO`, DKIM, DMARC
Use transactional email service through HTTP API or with a queueing MTA. 🐌
- Mailgun API: https://wordpress.org/plugins/mailgun/
- Amazon SES: https://github.com/humanmade/aws-ses-wp-mail
- Mandrill API: https://github.com/danielbachhuber/mandrill-wp-mail
- SparkPost API: https://wordpress.org/plugins/sparkpost/
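The SPF, DKIM and DMARC items above are easy to get half right: two SPF records in one zone, an SPF record that ends with `+all`, or a DMARC record left at `p=none`. The script below is an added example, not part of this checklist, that audits the records as printed by `host -t TXT`. The sample output embedded at the bottom is constructed; the domain names and the DKIM public key in it are placeholders.

```shell
#!/bin/sh
# Added example: audit the e-mail related TXT records of a zone from the output of
#   host -t TXT DOMAIN; host -t TXT _dmarc.DOMAIN; host -t TXT SELECTOR._domainkey.DOMAIN
# Only POSIX sh, sed and grep are used.

# An SPF record must start with v=spf1 and end with a hard (-all) or soft (~all) fail.
spf_ok() {
    case $1 in
        'v=spf1 '*'-all'|'v=spf1 '*'~all') return 0 ;;
        'v=spf1'*) echo "SPF: does not end with -all or ~all: $1"; return 1 ;;
        *) echo "SPF: not an SPF record: $1"; return 1 ;;
    esac
}

# DMARC only protects the domain with p=quarantine or p=reject; p=none is monitoring.
dmarc_ok() {
    case $1 in
        'v=DMARC1;'*'p=reject'*|'v=DMARC1;'*'p=quarantine'*) return 0 ;;
        'v=DMARC1;'*'p=none'*) echo "DMARC: monitor-only policy (p=none): $1"; return 1 ;;
        *) echo "DMARC: not a DMARC record: $1"; return 1 ;;
    esac
}

# Pull the quoted text of records matching a name pattern and a record prefix.
# $1 = host output, $2 = sed pattern for the record name, $3 = record prefix (v=spf1 ...)
# Note: a DKIM key split into several quoted strings by host is not joined here.
txt_values() {
    printf '%s\n' "$1" | sed -n "s/^$2 descriptive text \"\($3[^\"]*\)\"\$/\1/p"
}

# $1 = combined host -t TXT output. Prints one line per finding, returns their number.
audit_txt() {
    problems=0
    spf=$(txt_values "$1" '[^ ]*' 'v=spf1')
    dmarc=$(txt_values "$1" '_dmarc\.[^ ]*' 'v=DMARC1')
    dkim=$(txt_values "$1" '[^ ]*\._domainkey\.[^ ]*' 'v=DKIM1')

    case $(printf '%s\n' "$spf" | grep -c 'v=spf1' || true) in
        0) echo "SPF: no record"; problems=$((problems + 1)) ;;
        1) spf_ok "$spf" || problems=$((problems + 1)) ;;
        *) echo "SPF: more than one record, receivers return permerror"; problems=$((problems + 1)) ;;
    esac
    if [ -z "$dmarc" ]; then
        echo "DMARC: no _dmarc record"; problems=$((problems + 1))
    else
        dmarc_ok "$dmarc" || problems=$((problems + 1))
    fi
    if [ -z "$dkim" ]; then
        echo "DKIM: no selector record found"; problems=$((problems + 1))
    fi
    return $problems
}

# Constructed sample output (placeholder domain and key); the DMARC policy is the finding.
SAMPLE_TXT='example.com descriptive text "v=spf1 mx include:_spf.example.net -all"
_dmarc.example.com descriptive text "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
mail._domainkey.example.com descriptive text "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"'

# Usage on a real zone (not run here), D = your domain, mail = your DKIM selector:
#   audit_txt "$(host -t TXT "$D"; host -t TXT "_dmarc.$D"; host -t TXT "mail._domainkey.$D")"
```

The return value is the number of findings, so the function can gate a deploy script; the messages go to standard output so they can be mailed as a monitoring report.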
- WAF: `waf4wordpress` 🐌
- For shared hosting: Sucuri Scanner plugin
- Ninja Firewall Pro
- PHP extension: ionCube24, `ic24.enable = on` (PHP file modification time protection)
- File change notification
- Subresource Integrity (SRI): `integrity="sha256-$(cat resource.js|openssl dgst -sha256 -binary|openssl enc -base64)" crossorigin="anonymous"`
- Google Search Console ("This site may harm your computer" notification on SERP)
- Virustotal (HTTP API)
- Maximum security: convert website into static HTML + Cognito Forms or doorbell or formspree or FormKeep; `simply-static`, `static-html-output-plugin`
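The SRI attribute above is computed by hand. The script below is an added example, not part of this page, that wraps the same `openssl` pipeline into a function, emits a complete `<script>` tag, and re-checks a deployed file against the value recorded in the HTML, which is the check to run after a CDN purge or when a tampered resource is suspected. It assumes `openssl` is installed; the file names and the URL are placeholders.

```shell
#!/bin/sh
# Added example: compute and verify Subresource Integrity (sha256) values.

# Print the integrity attribute value for a file, e.g. sha256-47DEQpj8...
sri_hash() {
    printf 'sha256-%s' "$(openssl dgst -sha256 -binary "$1" | openssl enc -base64)"
}

# Emit a complete tag. crossorigin="anonymous" is required for the browser to
# verify a resource served from another origin (a CDN).
sri_script_tag() {   # $1 = local file, $2 = public URL
    printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' \
        "$2" "$(sri_hash "$1")"
}

# Compare a published file with the value recorded in the HTML. Returns 1 on mismatch,
# which is what a browser would see as a blocked resource.
sri_verify() {   # $1 = file, $2 = expected integrity value
    actual=$(sri_hash "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "SRI mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# Usage (placeholder names):
#   sri_script_tag wp-content/themes/child/js/app.js https://cdn.example.com/js/app.js
#   sri_verify /srv/cdn-mirror/js/app.js "sha256-..."
```

Revving file names (above, under CDN) fits well with SRI: a new file name gets a new hash, so a stale cached copy can never pass the check.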
- Remove left-over WP-Cron events: `wp cron event list; wp cron schedule list`
- Use real cron jobs: `wp-cron-cli.sh` 🐌
- General Settings
- Writing Settings
- Reading Settings
- Media Settings (fewer generated image sizes) 🐌
- Permalink Settings
- WP Mail From 🐌
- 1 administrator 🐌
- Personal accounts for editors and authors 🐌
- Correct post and page authors
- Enable/disable author sitemaps
@TODO
- Number of posts
- Full content
- Images
- Comment feeds
<!-- Infrastructure, source code management and consulting: Viktor Szépe <viktor@szepe.net> -->
- Google Search Console 🐌
- Bing Webmaster
- Yandex Webmaster
Replace constants in wp-config.php.

```sh
wp search-replace --precise --recurse-objects --all-tables-with-prefix ${OLD} ${NEW}
```

Run it for each of the following:

- `http://DOMAIN.TLD/wp-includes` -> `https://NEW-DOMAIN.TLD/SITE/wp-includes` (no trailing slash)
- `//DOMAIN.TLD/wp-includes` -> `//NEW-DOMAIN.TLD/SITE/wp-includes` (no trailing slash)
- `http://DOMAIN.TLD/wp-content` -> `https://NEW-DOMAIN.TLD/static` (no trailing slash)
- `//DOMAIN.TLD/wp-content` -> `//NEW-DOMAIN.TLD/static` (no trailing slash)
- `http://DOMAIN.TLD` (no trailing slash)
- `//DOMAIN.TLD` (no trailing slash)
- `/home/PATH/TO/SITE` (no trailing slash)
- `EMAIL@ADDRESS.ES` (all addresses)
- `DOMAIN.TLD` (now without protocol)
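`wp search-replace` rewrites strings one pattern at a time, so the bare `http://DOMAIN.TLD` pattern must run after the `wp-includes` and `wp-content` patterns it contains; run first, it would already have rewritten those URLs to the new domain and the `/static` mapping would never apply. The script below is an added example, not from this page, that keeps the list above in that order and checks the order mechanically before calling WP-CLI. The `OLD_*`/`NEW_*` values are placeholders, and the replacement values for the last five entries, which the list leaves open, are assumptions.

```shell
#!/bin/sh
# Added example: drive `wp search-replace` through the replacement list in an order
# where a broader pattern never runs before the more specific one it contains.
# Assumes WP-CLI (`wp`) in PATH and the placeholder values below (override via the environment).
OLD_DOMAIN=${OLD_DOMAIN:-DOMAIN.TLD}
NEW_DOMAIN=${NEW_DOMAIN:-NEW-DOMAIN.TLD}
NEW_PATH=${NEW_PATH:-/SITE}                    # subdirectory of the new site, empty for a root install
OLD_HOME=${OLD_HOME:-/home/PATH/TO/SITE}
NEW_HOME=${NEW_HOME:-/home/NEW/PATH/TO/SITE}   # assumed
OLD_EMAIL=${OLD_EMAIL:-EMAIL@ADDRESS.ES}
NEW_EMAIL=${NEW_EMAIL:-NEW-EMAIL@ADDRESS.ES}   # assumed

# Ordered "old<TAB>new" pairs; the new values of the last five lines are assumptions.
migration_pairs() {
    printf '%s\t%s\n' \
        "http://$OLD_DOMAIN/wp-includes" "https://$NEW_DOMAIN$NEW_PATH/wp-includes" \
        "//$OLD_DOMAIN/wp-includes"      "//$NEW_DOMAIN$NEW_PATH/wp-includes" \
        "http://$OLD_DOMAIN/wp-content"  "https://$NEW_DOMAIN/static" \
        "//$OLD_DOMAIN/wp-content"       "//$NEW_DOMAIN/static" \
        "http://$OLD_DOMAIN"             "https://$NEW_DOMAIN$NEW_PATH" \
        "//$OLD_DOMAIN"                  "//$NEW_DOMAIN$NEW_PATH" \
        "$OLD_HOME"                      "$NEW_HOME" \
        "$OLD_EMAIL"                     "$NEW_EMAIL" \
        "$OLD_DOMAIN"                    "$NEW_DOMAIN"
}

# Reads pairs on stdin; fails if an earlier search string is contained in a later one,
# because that earlier replacement would already have rewritten the later pattern.
check_order() {
    cut -f1 | awk '{
            for (i = 1; i < NR; i++)
                if (index($0, old[i]) > 0) {
                    print "pair " i " (" old[i] ") would already have rewritten pair " NR " (" $0 ")"
                    bad = 1
                }
            old[NR] = $0
        }
        END { exit bad }'
}

# $1 = "--dry-run" (report counts only) or nothing (really replace). Not run by the checks.
run_migration() {
    migration_pairs | check_order || return 1
    migration_pairs | while IFS="$(printf '\t')" read -r old new; do
        wp search-replace --precise --recurse-objects --all-tables-with-prefix ${1:-} "$old" "$new"
    done
}

# Usage: run_migration --dry-run   (then without the flag once the counts look right)
```

Running the dry run first shows how many rows each pattern touches; a pattern that reports zero after a broader one has run is the symptom of a wrong order.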
Check `home` and `siteurl`:

```sh
wp option get home
wp option get siteurl
```

```sh
wp media regenerate --skip-delete --only-missing
```

Remove missing (base) images.

Check database collation and table storage engines. See `alter-table.sql`.

Delete transients and object cache contents.

```sh
wp plugin install --activate wp-sweep
wp transient delete-all
wp db query "DELETE FROM $(wp db prefix)options WHERE option_name LIKE '%_transient_%'"
wp cache flush
```

Flush full page caches.

```sh
wp w3-total-cache flush
ls -l /home/USER/website/code/static/cache/
ls -l /home/USER/website/pagespeed/; touch /home/USER/website/pagespeed/cache.flush
```

Check spam and trash comments.

```sh
wp comment list --status=spam --format=count
wp comment list --status=trash --format=count
```

Optimize database tables.

```sh
wp db optimize
```
- Sample / Demo content 🐌
- Code editor configuration file: `.editorconfig`
- Files: `find . -iname "*example*" -or -iname "*sample*" -or -iname "*demo*"`
- PHP-FPM pool configuration: `env[WP_ENV] = production`
Put custom theme and plugins under git version control. 🐌
Keep git directory above document root.
```sh
wp plugin install --activate safe-redirect-manager
```

Find indexed URLs: https://www.google.com/search?q=site:DOMAIN
Also redirect popular images.
Flush Google Public DNS: http://google-public-dns.appspot.com/cache 🐌
- External monitoring - wait for Pingdom - `maintenance5.sh`
- Requests from the Internet - Apache - `service apache stop`
- Cron jobs (maintenance mode) - `service cron stop`
- Monitoring - Monit - `monit quit`
- Incoming emails piped into programs - Courier - disable alias
What people remember on your website 🐌
- Home made product photos
- One-person video team, Intro video, Silent room
- Google Street View virtual tour
- External URLs should open in new window 🐌
- Use emojis (meta description, titles)
- Abandoned cart 🐌
- Newsletter subscribe
- Offer free download
- Exit modal or Hijack box: coupon, free download, blog notification, newsletter etc.
- Whole page background
- Sharing: https://www.addthis.com/ https://www.po.st/ http://www.sharethis.com/ 🐌
- Content to share: https://paper.li/
- A/B testing: Google Optimize, Optimonk
- UTF-8 encoding (no BOM)
- Line ends
- Indentation
- Trailing spaces: `sed -i -e 's|\s\+$||' file.ext`
- Theme meta and version in `style.css`
- `query-monitor` errors and warnings
- `theme-check` and https://themecheck.info/, `vip-scanner`
- Frontend Debugger with `?remove-scripts`
- `p3-profiler`
- https://validator.w3.org/ 🐌
- https://validator.nu/
- Mobile views (responsive design), Mobile-friendliness, Accelerated Mobile Pages (AMP)
- Zooming in desktop browsers
- Dynamic page parts (e.g. rotating quotes by PHP)
- Dynamically generated resources, `style.css.php` (fix: `grep -E "(register|enqueue).*\.php"`)
- New WordPress entry point (fix: `grep -E "\b(require|include).*wp-"`)
- Missing theme meta tags in `style.css`
- Missing resource version in `grep -E "wp_(register|enqueue)_.*\("` calls
- Script/style printing (instead of using `wp_localize_script(); wp_add_inline_script(); wp_add_inline_style();`)
- Always requiring admin code (fix: `whats-running`)
- Lack of `grep -E "\\\$_(GET|POST)"` sanitization
- Missing nonce on input
- PHP short open tags (fix: `grep -F "<?="`)
- PHP errors, deprecated WP code (fix: `define( 'WP_DEBUG', true );`)
- Lack of permissions for WP editors
- Non-200 HTTP responses
- Extra server-side requests: HTTP, DNS, file access
- Independent e-mail sending (fix: `grep -E "\b(wp_)?mail\("`)
- Proprietary install/update (fix: disable TGM-Plugin-Activation)
- Home call, external URLs (fix: search for URLs, use Snitch plugin and `tcpdump`)
- Form field for file upload: `<input type="file" />`
- Insufficient or excessive font character sets (fix: `&subset=latin,latin-ext`)
- `@font-face` formats: eot, woff2, woff, ttf, svg; position: top of first CSS
- BOM (fix: `sed -ne '1s/\xEF\xBB\xBF/BOM!!!/p'`)
- Characters before `<!DOCTYPE html>`
- JavaScript code parsable - by dummy crawlers - as HTML (`<a>`, `<iframe>`, `<script>`)
- Page loading overlay, display content by JavaScript causing FOUC
- Unnecessary Firefox caret
- Confusion in colors: normal text color, link and call2action color, accent color
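Several items in the review list above are one-line `grep`/`sed` checks. The script below is an added example, not part of the original checklist, that runs five of them over a theme or plugin directory and reports file and line: UTF-8 BOM, trailing whitespace, PHP short open tags, direct reads of `$_GET`/`$_POST`/`$_REQUEST` (each hit needs a sanitization and nonce review), and file names with non-ASCII bytes. It assumes only POSIX `find`, `grep`, `sed`, `od` and `xargs`; the directory path is the caller's, and file names containing spaces are not handled.

```shell
#!/bin/sh
# Added example: static review checks for a WordPress theme or plugin directory.

# PHP, CSS and JavaScript source files below a directory.
src_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.css' -o -name '*.js' \)
}

# Files that start with the UTF-8 byte order mark EF BB BF ("headers already sent" in PHP).
check_bom() {
    src_files "$1" | while IFS= read -r f; do
        if [ "$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
            echo "BOM: $f"
        fi
    done
}

# Trailing whitespace (the sed one-liner in the list removes it).
check_trailing_space() {
    src_files "$1" | xargs grep -n '[[:space:]]$' /dev/null | sed 's|^|trailing whitespace: |'
}

# PHP short open tags; the grep from the list, with file names and line numbers.
check_short_tags() {
    src_files "$1" | xargs grep -nF '<?=' /dev/null | sed 's|^|short open tag: |'
}

# Direct reads of request superglobals; every hit is a sanitization and nonce review item.
check_raw_input() {
    src_files "$1" | xargs grep -nE '\$_(GET|POST|REQUEST)\[' /dev/null | sed 's|^|raw request input (review): |'
}

# File names with bytes outside printable ASCII; under LC_ALL=C every byte >= 0x80 is non-printable.
check_non_ascii_names() {
    find "$1" | LC_ALL=C grep '[^[:print:]]' | sed 's|^|non-ASCII file name: |'
}

# One line per finding on stdout.
review_dir() {
    check_bom "$1"
    check_trailing_space "$1"
    check_short_tags "$1"
    check_raw_input "$1"
    check_non_ascii_names "$1"
}

# Number of findings, usable as a CI exit code.
review_count() {
    review_dir "$1" | wc -l | tr -d ' '
}

# Usage: review_dir wp-content/themes/my-child-theme
```

The checks deliberately report rather than modify: a trailing-space fix is safe to automate, but a `$_GET` read or a short open tag needs a person to decide the fix.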
- Email header and content check https://www.mail-tester.com/
- www -> non-www redirection
- Custom subdomain with same content
- Development domains
- Early access domain by the hosting company: `cpanel.server.com/~user`, `somename.hosting.com/`
- Access by IP address: `http://1.2.3.4/`
- Post and image removal policy (for bots, for humans, redirect to another post)
- Informative
- Reassuring the user we know about the problem 🐌
- How to go on? 🐌
- Attractive 404 pages on AWWWARDS
- Cooperative
- Search form
- Error reporting email address
- Out of stock message
  `get_page_by_path( untrailingslashit( $_SERVER['REQUEST_URI'] ) . '__trashed', OBJECT, $post_type )`
- Automatic suggestions (specific category archive)
- Promotions
- Google's fixurl.js
- Support: Intercom Bot on repeated attempts or a simple (3rd-party) feedback form 🐌
- Adaptive Content Type for 404-s
- Redirect with delay: `<meta http-equiv="refresh" content="8; URL=/">`
- Other error pages (500, 503)
- File names with special UNICODE characters: `LC_ALL=C grep -P '[\x80-\xFF]'` 🐌
- Image format: `convert PNG -quality 100 JPEG`
- Image name: `mv DSC-0005.jpeg prefix-descriptive-name.jpg`
- Image optimization: `jpeg-recompress JPEG OPTI_JPEG` 🐌
- Self-host Google Fonts
- CSS statistics
- JavaScript, CSS concatenation, minification: `cat small_1.css small_2.css >large.css`
- instant.page
- Conditional, lazy or late loading (slider, map, facebook content, image gallery)
- Use async and defer for JavaScripts
- Light loading, `&controls=2` for YouTube
- HTTP/2 server push
- DNS Prefetch, Preconnect, Prefetch, Prerender
- YouTube custom video thumbnail (Full HD)
- HTTP methods `GET POST HEAD` and `OPTIONS PUT DELETE TRACE` etc.
- https://redbot.org/
- Loading in IFRAME (Google Translate, Facebook app)
- https://securityheaders.io/ and see Twitter's list
- https://report-uri.io/home/tools CSP, HKPK, SRI etc.
- https://www.webpagetest.org/
- https://speedcurve.com/
- Silktide
- Does the website have a public API? (WP REST API, WooCommerce API)
- Test (REST) API with Postman
wp-config.php: `define('WP_DEBUG', !false);`

```sh
tail -f /var/log/apache2/SITE_USER-error.log | sed -e 's|\\n|\n●|g'
```

- `blog_public` and robots.txt 🐌
- XML sitemaps linked from robots.txt 🐌
- Excluded pages: `noindex, nofollow` 🐌
- Page title (blue in SERP) 🐌
- Permalink structure and slug optimization (green in SERP) 🐌
- Page meta description (grey in SERP) 🐌
- Keyword planning: https://answerthepublic.com/ Google suggested searches, Google related searches, Google Trends
- Breadcrumbs
- Headings: H1, H2 / H3-H6
- Images: `alt`, `title`
- Content keyword density
- noarchive?
- Multilingual site (`hreflang` attribute)
- Structured data https://schema.org/ http://microformats.org/
- Google My Business 🐌
- Google Location Changer
- AdWords Ad Preview
- http://backlinko.com/google-ranking-factors
- AdWords campaign as a SEO factor
- ContentKing SEO monitoring
- SEO for startups ⏯️
Google's Search Quality Evaluator Guidelines
- On privacy
- Privacy Policy 🐌
- Cookie Consent Kit + opt out, cookie notice template, Cookie Consent wizard by Osano, EDAA Glossary
- Terms & Conditions
- Operated by, Hosted at
- `/.well-known/dnt-policy.txt`
- See https://termsfeed.com/
- Privacy notice (within the company: Data protection policy)
  EU General Data Protection Regulation (GDPR, in force from 25 May 2018) 🐌
- In HTML and PDF format (PDF title)
- The website's domain in the title of the notice
- Definitions
- Data controller's details and contact information
- Data protection officer's details
- List of data processors, their activities and the data involved: visitor analytics, social media box, hosting provider
- Handling of cookies
- Offline data: customer contact (email, phone), accounting, camera system, data stored on paper
- Rights of data subjects, data breaches
- Legal remedies, court
- Enforcement through the courts
- Damages and compensation for non-material harm
- References to laws (§)
- Date and start of validity
- Imprint (only needed for forms)
- General terms and conditions (ÁSZF, for purchases)
- Free NAIH notice on the discontinuation of the data protection register
- JavaScript disabled
- OpenGraph for Facebook (Sharing Debugger) and Twitter (Card validator) 🐌
- Google Translate (`notranslate` meta), Facebook app (running in an IFRAME), Google Search "Cached" 🐌
- GoogleImageProxy (Gmail, Google Images)
- Ad blockers and filter lists: uBlock Origin, Adblock Plus, Disconnect (Firefox ETP), Ghostery
- Microsoft Office, Libre Office (copy-and-paste content or open URL in office application)
- Text selection: color+background-color, disable selection, display share options on select (see Feedly)
- Keyboard-only navigation (tabbing, skip navigation) 🐌
- Emojis and UNICODE (entering, storing, displaying)
- Toolbar color of Chrome for Android (`theme-color` meta) 🐌
- Windows 8 and 10 tiles
- `<head>` cheatsheet
- Phone numbers (clickable, tracked)
- Skype IE Add-on: `<meta name="SKYPE_TOOLBAR" content="SKYPE_TOOLBAR_PARSER_COMPATIBLE">`
- Printer, Gutenberg framework
- Accessibility, attributes for screen readers, guidelines
- Reader mode (from Firefox `chrome://global/skin/aboutReaderContent.css`)

Document in `hosting.yml` and check functionality.
- Certificate Authority (OCSP servers for obtaining SSL certificate revocation status)
- A/B testing
- External search
- External resources (fonts)
- Video (Wistia)
- Maps (HERE)
- Social media (Twitter card)
- Widgets (TripAdvisor Widgets)
- Tracking codes (make the UA-number `"UN" + "parse" + "able"` or `"UA-" + (17*28711).toString() + "-1"`)
- Advertisement
- Live chat
- Newsletter subscription
- Payment gateway
- CDN
Gain access, set up and test.
- Heap Analytics
- Google Analytics (revenue tracking), Google Tag Manager 🐌
- Facebook Pixel
- Segment
- Clicktale
- Smartlook
- Hotjar
- URL shortening: Link tracking, Download tracking
Verifying and debugging trackers.
- Wappalyzer
- Tag Assistant
- Google Analytics Debugger
- Facebook Pixel Helper
- Google Ads phone call tracking: `sessionStorage.setItem('_goog_wcc_debug', 'y');`
- Hotjar: add `hjdebug:true` to the `_hjSettings` object
- Basic site functionality 🐌
- Registration 🐌
- Purchase 🐌
- Contact forms 🐌
Uptime (pingdom.com, hetrixtools.com, selectel.com) 🐌
List of all errors in Apache httpd
Track application and JavaScript errors with Sentry
Set up status page with Cachet
- Database
- Files
- Settings (connected 3rd party services)
- Authentication data
- External resources (S3 bucket)
- Issues (Trello, GitLab)
- Code repositories (GitLab, GitHub)
- Archive for long term
- Monitoring
- Backups
- DNS records
- PHP-FPM pool
- DB, DB user
- Webserver vhost, add placeholder page
- Revoke SSL certificates
- Fail2ban `logpath`
- Webserver logs
- Files
- Linux user
- Email accounts
- External resources (3rd party services)
- Google Search Console
- Delete accounts at service providers
Have me on board: viktor@szepe.net