Taking over a WordPress site can be a daunting prospect. Whether you bought the site or inherited it, it’s unlikely that you will find everything as it would be if you had installed and configured it yourself.
Have you ever driven someone else’s car and had to spend five minutes adjusting the seats, the mirrors, the steering wheel position, and the air conditioning just to make the experience bearable? People tweak their environment to make it more comfortable, and that’s as true of a WordPress site as it is for a car.
But before you get down to moulding your recently acquired WordPress site to suit your preferences, there are a few more important tasks to take care of.
A WordPress site has a lot of moving parts and you need to understand how the site is hosted and how you can get access to the relevant accounts.
First, gather together usernames and passwords. You will need:
- The hosting account’s portal credentials.
- SSH and FTP passwords, if there are any.
- Credentials for the domain registrar.
- Access to any email addresses associated with the site.
- Access to the DNS hosting account if it isn’t hosted by us.
Visit each of these accounts to check that the supplied credentials work. You don’t want to find out that you can’t access the domain registrar, for instance, just before the domain is due for renewal.
This information is essential to running the site, so if any important credentials are missing, get in touch with the site’s previous owner.
When you talk to the site’s previous owner, ask about any custom code or plugins that the site is running. Custom code may be fragile or incompatible with new versions of WordPress, so it’s a good idea to know where to look if something goes wrong.
Change logins and delete old users
It’s time to assert your control over the site: the only people who should be able to access it are those you have given explicit permission to. Change the admin passwords and delete any admin users you don’t want to have access.
You can add and delete accounts in the Users section of the admin menu. When you are deleting users, be careful not to delete all the content associated with that user: there’s an option to associate their content with a different user in the “Delete User” dialogue.
Update the site and its plugins
An out-of-date site is a vulnerable site, so one of your priorities should be to check that WordPress is up-to-date. I would also recommend turning on automatic updates if they have been deactivated.
Carry out the same process for plugins and themes. Make sure plugins are updated and also that they don’t have any known vulnerabilities: occasionally a plugin is removed from the repository and without investigating you might not know that it’s vulnerable. Google is your friend here.
If a plugin has not been updated for many months, it may have been abandoned by its developer: it is advisable to find alternatives to abandoned plugins because any security vulnerabilities are unlikely to be fixed.
Run malware scans
If the site’s previous owner was not diligent about updating and other security best practices, it may already have been compromised. The WordFence and Sucuri plugins include malware scanning and many other useful security features.
If the site already has a backup system in place, test it. Carry out a full site restore on a local installation of WordPress to make sure that the backups are working and up-to-date.
If there is no backup system, creating one should be a priority. We have covered several excellent WordPress backup solutions on this blog.
Now that you have complete access to the site, it is secure and malware free, and the backup system is humming away in the background, you can start to publish content and focus on attracting more visitors.