What this guide covers
A launch checklist that keeps your WordPress site safer and easier to support
1. Start with a secure build environment
Keep production and staging separate. Use local or staging environments for plugin updates, theme
changes, and client reviews. Never install a new plugin directly on production unless it has already
been tested.
- Use a dedicated staging site with the same PHP and database setup.
- Keep backups of both staging and production before any major changes.
- Use query monitor and WP_DEBUG only on staging.
2. Lock down the config and file permissions
Hardening the WordPress configuration prevents entry points that attackers and misconfigured plugins
can exploit.
- Move
wp-config.php one level above webroot when possible.
- Disable file editing:
define('DISALLOW_FILE_EDIT', true);
- Enable
FORCE_SSL_ADMIN and secure cookies for admin sessions.
- Set permissions to 644 for files and 755 for folders unless your host requires stricter rules.
3. Choose the right update strategy
Not all updates are equal. Separate safe maintenance updates from risky plugin/theme upgrades, and
make the decision visible to the client.
- Apply core minor updates automatically when trusted, but review major version upgrades first.
- Test plugin updates on staging before deployment.
- Document whether a site is under a support contract or a one-time handoff.
4. Monitor, audit, and communicate
Security is a process, not a checkbox. Use monitoring and client communication to reduce surprises
after launch.
- Install a lightweight uptime monitor or site health plugin if the client agrees.
- Review access logs quarterly and disable dormant user accounts.
- Share a short support plan with the client: update cadence, backup schedule, and emergency
contact.
Key takeaway
Build a habit of staging-first changes, configuration hardening, and documented rollback options.
That combination is what keeps WordPress projects manageable and support calls low.