The most common WordPress launch mistakes aren't technical disasters. They're small things: the site goes live still set to noindex, the contact form sends to an inbox nobody checks, images are 3MB uncompressed, the SSL certificate isn't properly configured. Small things that add up to a poor first impression and lost ranking potential.
This checklist covers 25 things to verify before you hit publish. Print it, work through it in order, and your launch day will be boring — which is exactly what you want.
Section 1: Hosting and domain (do this first)
These are the foundation. Everything else depends on them being right.
1. SSL certificate is active and working
Visit https://yourdomain.com in your browser. You should see a padlock. Click it and verify the certificate is for your domain and hasn't expired.
Also check:
bashcurl -I https://yourdomain.com
Look for HTTP/2 200 in the response. If you see a certificate error or redirect to HTTP, fix this first.
2. Primary domain is correctly mapped
Is the site live at example.com? Or www.example.com? Both should work and redirect to the same canonical version. Pick one (usually non-www) and stick with it.
Check in WordPress: Settings → General → WordPress Address and Site Address. Both should use the same canonical URL.
3. www/non-www redirect is configured
Whichever version you're not using should redirect to the one you are. Verify:
bashcurl -I http://www.yourdomain.com
Should return a 301 redirect to your canonical URL.
4. Backup schedule is enabled and tested
"We have backups" isn't enough. Test the restore. Take a backup now, delete a test post, restore the backup, confirm the test post is back. If you can't restore in under 10 minutes, your backup isn't really a backup.
5. Server is close to your primary audience
If 80% of your visitors are in the UK and your server is in the US, every visitor pays a latency tax on every request. Check your hosting server location.
Section 2: Performance checks
6. Caching is enabled
Install a caching plugin (WP Rocket, LiteSpeed Cache, or W3 Total Cache) and verify it's active. Test with:
bashcurl -I https://yourdomain.com
Look for X-Cache: HIT or CF-Cache-Status: HIT in headers. If you see MISS every time, caching isn't working.
7. Images are compressed and sized correctly
Run your homepage through GTmetrix or PageSpeed Insights. If images are flagged as "oversized" or "not in WebP format," fix them before launch. Unoptimized images are the single most common reason for failed Core Web Vitals on new sites.
8. TTFB is under 600ms
Test at web.dev/measure or with:
bashcurl -o /dev/null -s -w "TTFB: %{time_starttransfer}s\n" https://yourdomain.com
Above 600ms means your hosting layer needs attention before launch.
9. Unused plugins are removed
Count your active plugins. Every inactive plugin is an attack surface. Every active plugin adds PHP execution time. Be ruthless: if you're not using it, delete it — not just deactivate.
10. Mobile speed is tested
Run your homepage through PageSpeed Insights specifically on mobile. Mobile scores are what Google primarily uses. A desktop score of 90 with a mobile score of 40 is a problem.
Section 3: SEO checks — don't skip these
11. noindex is removed
This is the most common launch catastrophe. During development, WordPress sets "Discourage search engines from indexing this site." It's under Settings → Reading. Verify the checkbox is unchecked before launch.
Check it with:
bashcurl -s https://yourdomain.com | grep -i "noindex"
Any noindex in the response is a problem.
12. XML sitemap is accessible
Visit https://yourdomain.com/sitemap.xml — it should load a list of your pages and posts. If it returns a 404, your SEO plugin (Yoast, Rank Math) isn't configured correctly.
13. Robots.txt is valid
Visit https://yourdomain.com/robots.txt. It should not block important pages. A fresh WordPress install has a default robots.txt that's fine for most sites.
14. Each page has a unique title and meta description
Check in Yoast or Rank Math that no two pages share the same title or meta description. Duplicate titles confuse search engines about which page to rank.
15. Internal links are not broken
Use a free tool like Screaming Frog (crawl limit 500 URLs on free) to scan for broken internal links before launch.
16. Open Graph image is set
When someone shares your homepage on LinkedIn or Facebook, what image shows? Set an OG image in your SEO plugin. Without it, social shares look unprofessional.
Section 4: Conversion and trust checks
17. Every contact form is tested
Submit every form on the site. Confirm the submission lands in the right inbox. Check spam folder if you're not sure. A contact form that silently fails is worse than no contact form.
18. CTA buttons work and lead somewhere
Click every "Get a Quote," "Book a Call," "Buy Now" button. Verify the destination is correct and the journey completes. Broken CTA flows are direct conversion loss.
19. 404 page is branded
When a visitor hits a broken link, they should see your branded 404 page with navigation options — not a generic WordPress error. Customize it under Appearance → Theme Editor or via a plugin.
20. Privacy policy and terms pages exist
Required for GDPR compliance (EU visitors), Google Ads, and many payment processors. If you don't have them, use a generator and publish before launch.
21. Cookie consent is configured (if needed)
If you're running Google Analytics, Facebook Pixel, or any tracking, and you have EU visitors, you need a cookie consent mechanism. GDPR is not optional.
Section 5: Security checks
22. Admin username is not "admin"
The username admin is the first thing brute-force bots try. If your admin account uses admin as the username, create a new admin account with a different username and delete the old one.
23. Strong admin password is set
Use a password manager-generated password of 20+ characters. WordPress's built-in password strength meter is a reasonable guide.
24. Login protection is active
Install Limit Login Attempts Reloaded or use Cloudflare's bot protection to rate-limit login attempts. Without this, your login page will receive hundreds of brute-force attempts per day.
25. All themes and plugins are updated
Launch day with outdated plugins is a known-vulnerability situation. Update everything the day before launch.
Terminal verification (2 minutes, worth it)
bash# Check HTTPS and response code curl -I https://yourdomain.com # Check sitemap exists curl -s https://yourdomain.com/sitemap.xml | head -5 # Check noindex isn't in homepage HTML curl -s https://yourdomain.com | grep -i "noindex" # Check TTFB curl -o /dev/null -s -w "TTFB: %{time_starttransfer}s\n" https://yourdomain.com
The noindex check alone is worth the 30 seconds it takes.
First 14 days after launch
Launch isn't the end of the checklist — it's the start of a new one:
- Day 1: Submit sitemap in Google Search Console. Request indexing for homepage and key service pages.
- Day 3: Check Search Console for crawl errors.
- Day 7: Check PageSpeed Insights again with real traffic in the mix.
- Day 14: Review Google Analytics for bounce rate on landing pages. High bounce on important pages means something's wrong — content mismatch, slow load, or broken form.
Small fixes in the first two weeks have disproportionate impact on how quickly Google starts trusting and ranking your site.
HostAccent WordPress hosting gives you the reliable foundation this checklist assumes — SSL included, daily backups, and support that's available when launch day brings surprises.
Discussion
Have a question or tip about this topic? Share it below — your comment will appear after review.