As the Office for Budget Responsibility (and the British public) learned last week, just because you're using WordPress, that doesn't mean everything is working exactly as you think it is.
They thought the PDF of the November forecasts had been uploaded to a draft section inaccessible to the public, which is how WordPress's core software treats drafts, but they hadn't configured the Download Monitor plugin to match, so the November forecasts were publicly available before the Chancellor's Budget statement. One faulty plugin configuration on a single WordPress site, and we're looking at investigations and resignations.
And as we discovered in the full investigation report from the OBR — this all happened because of assumptions. Rather than checking that everything was working as it should be, they just assumed it would all go according to plan. Which is perfectly fine...until it isn't.
It's true that WordPress does make a great many things easier — from creating new pages to adding photos to linking uploaded files — but it's not a miracle worker. It needs you to tell it what it should do and what it shouldn't do.
Much like how pilots and surgeons have detailed checklists to go through, you should have a checklist for your WordPress site. Go through it before you post anything important, and you can rest assured no one will be calling for an inquiry.
Strengthen Your Core
It's not just for your body, it's for your WordPress site as well.
Take a fresh backup
While you should already have regular backups of your site (and you get daily backups with our Managed WordPress), you should take a fresh backup before you start uploading anything important. After all, if you have to very quickly take something off, it's easier to roll it back to a previous version than it is to go through every single page, link, and button.
Ensure everything is updated
This is always the first step in any WordPress checklist, and with good reason. By making sure your WordPress installation, themes, and plugins are up to their latest version, you can be sure that any known critical security issues have been patched.
Obviously, if you have Managed WordPress with us, you're already getting your installation updated to the latest version, and Intelligent Protection powered by Patchstack is there to protect you against any newly found vulnerabilities, but it doesn't hurt to check for yourself first.
Review your file permissions
Go through your WordPress admin and check any place that mentions file permissions. This might be hiding in a few different screens, especially when it comes to plugins, so have a good look before you assume everything is set up correctly. If you find that something's been changed from the default, double-check that it's exactly as you want it.
Become a bouncer
Who are you letting into your club?
Clear out your inactive users
Are there people who have access to your WordPress backend that no longer need it? Maybe it was a social media intern who wrote a few posts. Maybe it was that WordPress agency you brought in to fix a theme. It doesn't matter who they were — if they're a user, they have access.
If they're listed as an author on your site and you want to keep them, you can set their access to "None", choosing the blank field in the drop-down. This means they'll still be listed on your site, and can theoretically log in, but they don't have permissions to make any changes. If they're not listed as an author, just delete their accounts. Don't even give them the chance to log in.
Audit all your existing users
You set up the site, you get a load of people in, and you think "they're all administrators, why not? What's the worst that can happen?"
How about a £400,000 fine? Hackers were able to jump from a single WordPress admin account into even larger systems and access a huge pile of Carphone Warehouse's customer data.
Giving your users the least amount of power needed to do their role is an easy way to strengthen your WordPress defences. The three roles you should focus on are:
- Administrator — this should only be for extremely trusted site owners and developers. This gives people access to all aspects of your WordPress installation, and should be handed out only sparingly.
- Editor — anyone you need to manage content on the site. They can edit, delete, and schedule posts, so you need to trust them (your content is your website), but they don't have the rights to add sketchy plugins or break your settings.
- Contributor — most of the people you create accounts for should have this level of access. They can write posts, they can edit their own posts, but they can't publish them.
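One way to turn this role audit into a repeatable check, as an added example that is not code from the original article: compare the JSON that `wp user list --format=json` prints (a constructed sample stands in for it here) against a roster you keep of who is approved to hold which role, and report anything off-roster or over-privileged, including the "None" role from the previous section.

```python
"""Audit WordPress users against an approved least-privilege roster.

Added example, not code from the original article. Input is the JSON that
`wp user list --format=json` prints (a constructed sample is used here);
the roster of who should hold which role is yours to maintain.
"""
import json

# Privilege order of the built-in roles, lowest to highest ("" is "None").
ROLE_RANK = {"": 0, "subscriber": 1, "contributor": 2, "author": 3,
             "editor": 4, "administrator": 5}

# Constructed roster: the role each account is approved to hold.
APPROVED = {
    "kate": "administrator",
    "dev-agency": "editor",   # the agency no longer needs admin
    "writer1": "contributor",
    "ex-intern": "",          # kept as a byline only, role set to None
}

# Constructed sample in the shape of `wp user list --format=json` output.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "kate", "roles": "administrator"},
    {"ID": 2, "user_login": "dev-agency", "roles": "administrator"},
    {"ID": 3, "user_login": "writer1", "roles": "contributor"},
    {"ID": 4, "user_login": "ex-intern", "roles": ""},
    {"ID": 5, "user_login": "mystery-admin", "roles": "administrator"},
])

def audit_users(users_json, approved):
    """Return (login, finding) pairs: unknown accounts, over-privileged
    accounts (unknown custom roles count as highest), and roster entries
    with no matching account."""
    findings, seen = [], set()
    for user in json.loads(users_json):
        login = user["user_login"]
        # WP-CLI joins multiple roles with commas; rank the highest one.
        held = max(user["roles"].split(","), key=lambda r: ROLE_RANK.get(r, 5))
        seen.add(login)
        if login not in approved:
            findings.append((login, f"not on roster, holds {held or 'none'}"))
        elif ROLE_RANK.get(held, 5) > ROLE_RANK.get(approved[login], 5):
            findings.append((login, f"{held} exceeds approved {approved[login] or 'none'}"))
    for login in approved:
        if login not in seen:
            findings.append((login, "on roster but no account exists"))
    return findings
```

Run `audit_users(SAMPLE_USERS, APPROVED)` and the output flags the agency account that is still an administrator and the account nobody put on the roster.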
Check their credentials
Make sure your users are following the standard security protocols for all websites as well — that they have strong passwords and use a password manager if they can't remember them.
You can also add Two-Factor Authentication to your WordPress backend for that extra defence right when you need it. Several security plugins include this feature for you right out of the box.
Don't be complacent
You know what happens when you assume something...
Never put anything automatically live
WordPress makes it incredibly easy to publish stuff onto the Internet — that's part of its appeal. A bit of typing, a few clicks, and you're right there on the web for everyone to see.
But this is also where it can all go wrong. It is right there on the web, for everyone, including the Internet Archive and search engines to see. And it doesn't matter if you take it down or revise it or whatever — it's out there.
One of the easiest ways to stop anything from going live before it's supposed to is to have a staging site. This is a version of your website, accessible only to you, where you can upload and try out things before you push it to live. It's great for testing out new themes and plugins, but it's also ideal for embargoed content, like a new product, a press release, or, well, a budget forecast.
Our Managed WordPress comes with staging sites, and they're easy to set up, and even easier to push to your live site.
Have a publication process with defined steps
Along with your overall giant checklist, you can set up a pre-publication checklist for each article, helping you make sure all your ducks are in a row.
There are even plugins like PublishPress Checklists, which let you create a pre-publication checklist in WordPress, and won't let you post until you've completed all the steps. You can even make your checks as detailed as "There are no <h1>s in the body of the content" or "There is a price, a sale price, and a recommended retail price".
However your process works, it should include these checks:
- The content is the final version and approved by all parties
- The scheduled release time is correct
- All files are set to private before release time
- All links are correct
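The "all files are set to private" check is the one the OBR needed, and it can be automated: fetch each embargoed URL as an anonymous visitor and treat any 200 response as a stop sign. This is an added example, not code from the original article; the stand-in web server, its paths and the file names are constructed so it runs offline, and in practice you would point it at your real site.

```python
"""Pre-publication check: confirm embargoed files are not publicly reachable.

Added example, not part of the original article. Each embargoed URL is
requested anonymously (no cookies, no login); any 200 is reported. The
stand-in server below is constructed so the check runs offline.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def publicly_reachable(base_url, paths, timeout=5):
    """Return the subset of paths an anonymous GET can fetch (HTTP 200)."""
    exposed = []
    for path in paths:
        req = urllib.request.Request(base_url + path, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                if resp.status == 200:
                    exposed.append(path)
        except urllib.error.HTTPError:
            pass  # 401/403/404 all mean "not public", which is what we want
    return exposed  # connection errors propagate: a dead site is not "safe"

# --- stand-in site (constructed) so the check can run offline ---
class _FakeSite(BaseHTTPRequestHandler):
    PUBLIC = {"/download/press-kit/"}          # meant to be public
    LEAKY = {"/download/november-forecast/"}   # embargoed but misconfigured
    def do_GET(self):
        status = 200 if self.path in self.PUBLIC | self.LEAKY else 403
        self.send_response(status)
        self.end_headers()
    def log_message(self, *args):  # keep the example's output quiet
        pass

def run_check(embargoed):
    """Start the stand-in site, run the check against it, stop the site."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _FakeSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return publicly_reachable(f"http://127.0.0.1:{server.server_port}", embargoed)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    leaks = run_check(["/download/november-forecast/", "/download/budget-notes/"])
    print("STOP, still public:" if leaks else "all embargoed files blocked", leaks)
```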
Keep an audit trail
Having a good audit trail isn't just for your accounts — it helps make your site more secure, letting you know who did what and when.
Along with a regular check for user roles, plugin permissions, and security settings, you should also consider installing an activity log plugin, which will track every action taken in your WordPress backend, from user logins to file uploads. Many security plugins include logging, but you can also look at Simple History, WP Activity Log, or WP Admin Audit.
With these logs, you can see what's been happening, and make changes as needed. For example, if you're receiving a lot of failed logins from an IP address range, you can block that range and help protect your site just a little more.
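Here is the failed-login pattern from the paragraph above as a small detection script, an added example rather than code from the original article or any of the plugins it names. Activity-log plugins export in different layouts, so the line format and the sample lines are constructed; adapt the regular expression to your plugin's export.

```python
"""Spot brute-force style login failures in a WordPress activity log.

Added example, not code from the original article or any named plugin.
Activity-log plugins differ in format, so the parser targets a
constructed line layout; adapt the regex to what your plugin exports.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a plausible activity-log export layout.
SAMPLE_LOG = """\
2025-11-24 09:01:12 203.0.113.10 login_failed user=admin
2025-11-24 09:01:15 203.0.113.10 login_failed user=admin
2025-11-24 09:01:19 203.0.113.11 login_failed user=administrator
2025-11-24 09:01:22 203.0.113.12 login_failed user=kate
2025-11-24 09:01:25 203.0.113.13 login_failed user=kate
2025-11-24 09:02:03 198.51.100.7 login_success user=kate
2025-11-24 09:05:44 198.51.100.9 login_failed user=kate
2025-11-24 09:06:01 203.0.113.14 login_failed user=editor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<event>\S+) user=(?P<user>\S+)$")

def failed_logins_by_range(log_text, prefix_len=24):
    """Count login_failed events per network of the given prefix length."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "login_failed":
            continue
        try:
            net = ipaddress.ip_network(f"{m['ip']}/{prefix_len}", strict=False)
        except ValueError:
            continue  # skip malformed addresses rather than abort the report
        counts[str(net)] += 1
    return counts

def ranges_over_threshold(log_text, threshold=5, prefix_len=24):
    """Return networks whose failed-login count reaches the threshold."""
    return sorted(net for net, n in failed_logins_by_range(log_text, prefix_len).items()
                  if n >= threshold)

if __name__ == "__main__":
    for net in ranges_over_threshold(SAMPLE_LOG):
        print(f"{net}: consider blocking or rate-limiting this range")
```

Grouping by /24 rather than by single address is what catches the pattern here: no one address fails more than twice, but the range as a whole fails six times.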
Check once, check twice, check again
So now that you have all the details, here's a basic checklist for you:
- Have I taken a backup?
- Is everything up to date?
- Have any permissions changed?
- Are all users set correctly?
- Does everyone know the correct password procedures?
- Have I set my site to not post automatically?
- Did I run through my pre-publication list?
- Am I keeping an audit trail?
Keep these procedures in place, never assume that things will work fine, and your WordPress site will save you from public disgrace.
About the author
Kate B
I'm Kate, and I'm one of the Senior Marketing Managers here at Krystal. I'm a transplanted Southern Californian who likes bad pop culture, the Internet, and talking everyone's ears off about web hosting. Howdy!