As simple as WordPress is to get up and running, taking over a WordPress website from someone else is anything but. It’s not hard to take control of a WP install, but there are a lot of moving parts that you need to keep in mind. In theory, all you really need to take it over is a username and password. But like most theories, the reality is a teeny bit more complicated than that.
So we want to give you an idea of what you should look for when starting to work with someone else’s WordPress website. All of these might not apply to your particular project, but having a checklist to run through when starting out can save you a world of trouble later on.
1. Get Every Single Password
You can’t start to work if you can’t log in. As you take over and transition into being in charge of the site, you will need the key to every door you might even potentially need to open. In general, you’ll want to check each of these off your list before moving any further down the line.
- WordPress Admin Credentials – I mean…you kind of have to have these. But make sure they’re Administrator credentials, not User, Editor or Subscriber.
- Hosting – whether it’s GoDaddy, WPEngine, or a local company, you need to be able to get in there and poke around.
- Domain Registrar – Hosting and domain registration don’t always come together, so this may be separate.
- cPanel – a number of hosts have separate logins for cPanel and their customer dashboard. Without this, you’re gonna hurt.
- FTP – You simply can’t run a site without FTP/sFTP access.
- Email – You will need access to any email addresses that have been used to set up third-party accounts, if for no other reason than password recovery and updates.
- CDN – If you’re taking over a WordPress website with oodles of traffic, you’re gonna be working with a content delivery network (like Cloudflare). You do not want to be left without this password when you start troubleshooting.
- Premium Themes & Plugins – Of course your new gig has an Carpetcleaninghaddontownship account that you need access to. And probably a bunch of other premium themes and plugins like Yoast and Sucuri.
2. Change Every Single Password
Okay, you have all the passwords even remotely associated with your new WordPress site. Awesome. Great. Now let’s change each and every one of them.
What, you didn’t think we were just going to keep them on Post-Its and hand them all over to the next guy, did you? Oh, that’s what happened to you? Oh…
Well, that’s not good practice. Not secure. Not safe. You want to set up a password vault using something like or . These services let you set up secure, encrypted collections of credentials that you can share and change and control easily.
Not only does having a vault of changed passwords make your life/job easier, it also prevents old users from having access to things they shouldn’t anymore.
3. Get Access to Connected Services
While we’re still on the subject of gaining access to stuff, you will want your hand-off team to add you to any services they use as a team. While this could technically be included under #1 above, the difference here is that you may not be the only person with this account. You may just need to be added in as part of the team and then given Admin/Owner/Moderator permissions.
- Github – Even if you’re not a developer, you need access to every repo for the new project. You will be able to see issues and follow discussions that pertain to your site.
- Dropbox/Google Drive – You need access to any collaborative folders and files the teams use. If your designers throw up some new assets, this is much easier than emailing them as attachments.
- Trello/Slack/Basecamp/Asana – Whatever project management and communication software your company uses, make sure you’re in all the right channels, can see all the right boards, and can contribute to each and every discussion you are responsible for.
- Social Media Accounts – While some places might give you a simple Twitter password and tell you to have fun, other companies may need to add you as an Editor or Admin on multiple Facebook pages. And if they use a service like Buffer, Hootsuite, or CoSchedule, you’ll need to get added as a team member so you can manage all the accounts at once.
- Google Analytics – As easy as Jetpack stats are, GA is where it’s at. So make sure that your hand-off supervisor .
4. Make Backups
Once those three steps are taken care of and checked off your list, it’s time to back everything up. You want to do this in two places, cPanel and WordPress itself. will be a full backup of the whole site, while using a plugin like to back up (and then later restore) your WordPress installation or database if something goes wrong.
Please understand how essential this step is. As a new administrator taking over a WordPress website, you can never be sure that old backups haven’t been corrupted or if they even exist in the first place. Maybe I am cynical, but I never trust anyone who says, “Yep, we have backups of everything.”
Once you have all the access you need, it should be your top priority to protect and preserve what is now your data.
5. Audit and Update Users
Once your data is safe and sound for sure, it’s time for a quick audit of the site’s users. Go to the Users -> All Users tab of your dashboard to check on everyone.
Your tenure as the WP admin is the perfect time to pare the user permissions down to where they need to be. You have the ability to reset other users’ passwords and access levels. If you see 3 other Administrators when you’re supposed to be the only one, knock ’em down. And if you see some users you don’t recognize? Burn ’em to the ground.
6. Run Security Scans, Install Firewalls
Once you’ve locked down your site from the human side of things, it’s time to attack the code. You want to run a few security scans just to make sure that everything is safe and secure. A lot of them are free, too, which I am sure your new project heads will appreciate. , , and are all great choices.
Once the scans are done, make sure you install a good firewall and security plugin like , , or . (All of which have amazing premium plans that are definitely worth your time and money.)
7. Update Plugins and Themes
Now that you have everybody under surveillance and where everything needs to be, you are probably ready to get to the most WordPress part of taking over a WordPress website: maintaining and updating plugins and themes.
Before you do anything else, make sure that you’re running a child theme. If you aren’t, install one.
With that out of the way, it’s time to start messing with stuff. But you want to be slow and deliberate about this. Even though you’re near the end of your checklist, you still have some work to do.
Most likely, you’ve been given a site with bunches of updates required. If you haven’t, you should go buy a lottery ticket — you’re that lucky. The important thing is to avoid the temptation to bulk update plugins and themes. If something goes wrong then, you won’t know what broke the site. By updating one by one, you will.
So be mindful and wait on each individual element to update, check the site, then move on. Because you have backups made already, things are safe. Because you have a child theme, nothing can blow up too badly. And because you are updating individually instead of en masse, you can immediately address any concerns.
Once everything is as new and shiny as it can be, you’re done!
8. Take Notes, Ask Questions, Get Answers
Well, you’re done to the point where you can finally get to the job you were hired to do. You’ve finally made it through the transition phase, and you have successfully taken over a WordPress site. You’ve got passwords and top-level access, and you’ve run scans and set up security protocols.
The next — and final — step is just to keep your eyes open. While this is absolutely the ultimate checklist for taking over a WordPress website, there’s no checklist in the world that can prepare you for everything because every project is different.
As you work, take notes of stuff that doesn’t make sense to you, and later you can ask your transition team or supervisor about it. Maybe you have to email an old admin or someone who used to work there. In my experience, people tend to be happy to help solve problems that come up.
And as those extra issues get taken care of, make note of them for the next person. Keep adding new passwords to your vaults and running scans and updating the plugins and themes. Because while that site may be yours now, it won’t be forever. In a few years, someone else is going to be taking over a WordPress website that you ran. And you want their transition to go as smoothly as yours just did.
What are some of your absolute necessities when taking over a WordPress website?
Article featured image by mamanamsai / shutterstock.com