Taking Over a WordPress Website: The Ultimate Checklist

Last Updated on March 16, 2023 by 26 Comments

Editorial Note: We may earn a commission when you visit links on our website.
Taking Over a WordPress Website: The Ultimate Checklist
Blog / Resources / Taking Over a WordPress Website: The Ultimate Checklist

As simple as WordPress is to get up and running, taking over a WordPress website from someone else is anything but. It’s not hard to take control of a WP install, but there are a lot of moving parts that you need to keep in mind. In theory, all you really need to take it over is a username and password. But like most theories, the reality is a teeny bit more complicated than that.

So we want to give you an idea of what you should look for when starting to work with someone else’s WordPress website. All of these might not apply to your particular project, but having a checklist to run through when starting out can save you a world of trouble later on.

1. Get Every Single Password

You can’t start to work if you can’t log in. As you take over and transition into being in charge of the site, you will need the key to every door you might even potentially need to open. In general, you’ll want to check each of these off your list before moving any further down the line.

  • WordPress Admin Credentials – I mean…you kind of have to have these. But make sure they’re Administrator credentials, not User, Editor or Subscriber.
  • Hosting – whether it’s GoDaddy, WPEngine, or a local company, you need to be able to get in there and poke around.
  • Domain Registrar  Hosting and domain registration don’t always come together, so this may be separate.
  • cPanel – a number of hosts have separate logins for cPanel and their customer dashboard. Without this, you’re gonna hurt.
  • FTP – You simply can’t run a site without FTP/sFTP access.
  • Email – You will need access to any email addresses that have been used to set up third-party accounts, if for no other reason than password recovery and updates.
  • CDN – If you’re taking over a WordPress website with oodles of traffic, you’re gonna be working with a content delivery network (like Cloudflare). You do not want to be left without this password when you start troubleshooting.
  • Premium Themes & Plugins – Of course your new gig has an Elegant Themes account that you need access to.  And probably a bunch of other themes and premium plugins for SEO, Security, and more. These will often require third-party account credentials you will need.

2. Change Every Single Password

Okay, you have all the passwords even remotely associated with your new WordPress site. Awesome. Great. Now let’s change each and every one of them.

What, you didn’t think we were just going to keep them on Post-Its and hand them all over to the next guy, did you? Oh, that’s what happened to you? Oh…

Well, that’s not good practice. Not secure. Not safe. You want to set up a password vault using something like LastPass or 1Password. These services let you set up secure, encrypted collections of credentials that you can share and change and control easily.

Not only does having a vault of changed passwords make your life/job easier, it also prevents old users from having access to things they shouldn’t anymore.

3. Get Access to Connected Services

While we’re still on the subject of gaining access to stuff, you will want your hand-off team to add you to any services they use as a team. While this could technically be included under #1 above, the difference here is that you may not be the only person with this account. You may just need to be added in as part of the team and then given Admin/Owner/Moderator permissions.

  • Github – Even if you’re not a developer, you need access to every repo for the new project. You will be able to see issues and follow discussions that pertain to your site.
  • Dropbox/Google Drive – You need access to any collaborative folders and files the teams use. If your designers throw up some new assets, this is much easier than emailing them as attachments.
  • Trello/Slack/Basecamp/Asana – Whatever project management and communication software your company uses, make sure you’re in all the right channels, can see all the right boards, and can contribute to each and every discussion you are responsible for.
  • Social Media Accounts – While some places might give you a simple Twitter password and tell you to have fun, other companies may need to add you as an Editor or Admin on multiple Facebook pages. And if they use a service like Buffer, Hootsuite, or CoSchedule, you’ll need to get added as a team member so you can manage all the accounts at once.
  • Google Analytics – As easy as Jetpack stats are, GA is where it’s at. So make sure that your hand-off supervisor adds you as a new user to their analytics property.

4. Make Backups

Once those three steps are taken care of and checked off your list, it’s time to back everything up. You want to do this in two places, cPanel and WordPress itself. cPanel backups will be a full backup of the whole site. Then you can use a backup plugin like UpdraftPlus to back up (and then later restore) your WordPress installation or database if something goes wrong.

Please understand how essential this step is. As a new administrator taking over a WordPress website, you can never be sure that old backups haven’t been corrupted or if they even exist in the first place. Maybe I am cynical, but I never trust anyone who says, “Yep, we have backups of everything.”

Once you have all the access you need, it should be your top priority to protect and preserve what is now your data.

5. Audit and Update Users

Once your data is safe and sound for sure, it’s time for a quick audit of the site’s users. Go to the Users -> All Users tab of your dashboard to check on everyone.

Your tenure as the WP admin is the perfect time to pare the user permissions down to where they need to be. You have the ability to reset other users’ passwords and access levels. If you see 3 other Administrators when you’re supposed to be the only one, knock ’em down. And if you see some users you don’t recognize? Burn ’em to the ground.

6. Run Security Scans, Install Firewalls

Once you’ve locked down your site from the human side of things, it’s time to attack the code. You want to run a few security scans just to make sure that everything is safe and secure. A lot of them are free, too, which I am sure your new project heads will appreciate. Sucuri SiteCheckNorton Safe Web, and Acunetix are all great choices.

Once the scans are done, make sure you install a good firewall and security plugin like WordFence, iThemes, or Sucuri. (All of which have amazing premium plans that are definitely worth your time and money.)

7. Update Plugins and Themes

Now that you have everybody under surveillance and where everything needs to be, you are probably ready to get to the most WordPress part of taking over a WordPress website: maintaining and updating plugins and themes.

Before you do anything else, make sure that you’re running a child theme. If you aren’t, install one.

With that out of the way, it’s time to start messing with stuff. But you want to be slow and deliberate about this. Even though you’re near the end of your checklist, you still have some work to do.

Most likely, you’ve been given a site with bunches of updates required. If you haven’t, you should go buy a lottery ticket — you’re that lucky. The important thing is to avoid the temptation to bulk update plugins and themes. If something goes wrong then, you won’t know what broke the site. By updating one by one, you will.

So be mindful and wait on each individual element to update, check the site, then move on. Because you have backups made already, things are safe. Because you have a child theme, nothing can blow up too badly. And because you are updating individually instead of en masse, you can immediately address any concerns.

Once everything is as new and shiny as it can be, you’re done!

8. Take Notes, Ask Questions, Get Answers

Well, you’re done to the point where you can finally get to the job you were hired to do. You’ve finally made it through the transition phase, and you have successfully taken over a WordPress site. You’ve got passwords and top-level access, and you’ve run scans and set up security protocols.

The next — and final — step is just to keep your eyes open. While this is absolutely the ultimate checklist for taking over a WordPress website, there’s no checklist in the world that can prepare you for everything because every project is different.

As you work, take notes of stuff that doesn’t make sense to you, and later you can ask your transition team or supervisor about it. Maybe you have to email an old admin or someone who used to work there. In my experience, people tend to be happy to help solve problems that come up.

And as those extra issues get taken care of, make note of them for the next person. Keep adding new passwords to your vaults and running scans and updating the plugins and themes. Because while that site may be yours now, it won’t be forever. In a few years, someone else is going to be taking over a WordPress website that you ran. And you want their transition to go as smoothly as yours just did.

What are some of your absolute necessities when taking over a WordPress website?

Article featured image by mamanamsai / shutterstock.com


Want To Build Better WordPress Websites? Start Here! 👇

Take the first step towards a better website.

Get Started
Premade Layouts

Check Out These Related Posts

WordPress vs Medium (2024) — Where Should You Blog?

WordPress vs Medium (2024) — Where Should You Blog?

Updated on February 14, 2024 in Resources

If there is one question that goes back to the very beginning of blogging, it’s “what blogging platform should I use?” Everyone asks this question (to Google, most likely), and everyone gets bombarded with a thousand different answers. That’s primarily because there are so...

View Full Post
9 Non-Profit Child Themes for Divi

9 Non-Profit Child Themes for Divi

Updated on January 23, 2023 in Resources

There are lots of nonprofit organizations across the globe. Just about every one of them needs a well-designed website to tell their story and receive donations to help their causes. Divi is an excellent theme for nonprofits such as charities. Fortunately, you don’t have to start from scratch for...

View Full Post


  1. Really Grate Checklist. As a Beginner I must try to follow all your advice, Thanks!

  2. Let me add: As a kindness to the admin you’re replacing, remember to update the email address WP sends notifications to (Settings –> General –> Email Address).

    Right now I’m on the receiving side of this, getting “please moderate this comment” notifications for a site I don’t have access to. It’s not fun if it’s a busy site.

    • Oh, I still get that, too, haha. Good catch!

  3. Very very useful. Thank you!

  4. Great list, BJ! Bookmarked for future reference.

    I would also add to find out about:

    DNS management and email hosting provider – these could be different from the domain registrar or host.
    Backups location e.g. Amazon Web Services.
    Email marketing services e.g. MailChimp.
    Any CRM used.
    Google Search Console.

    Also, audit all the plugins and check if they’re still needed as well as getting logins for any of them.

  5. Great reference that I’ve shared in my group. I’ll be referencing this when I take on new existing projects. Especially useful for when you take on a WordPress site for monthly maintenance. They always come completely out dated and the first clean up always takes the longest, It’s great to have a process/checklist documented so you don’t miss steps.

    • Yeah, it’s those recurring projects that tend to always have the issues. When you can have a checklist of what you need to do, it makes life so much easier to handle. Hope it helps! 🙂

  6. And a HUGE issue not mentioned is that of moving the domain to a new web host. If the domain had SSL you need to ensure that you transfer and install the SSL Certificate at the new web host.

    • Nice catch! Yep, this! So much this!

  7. Will using this in tips in my website will make it more secure and easy to use?
    can you please refer a plugin to me to make site more secure?
    Jordan Taylor

    • In terms of security, I always run with WordFence, Sucuri, or iThemes for firewalls and malware blockers. I don’t think you’d go wrong with any of those. 🙂

  8. Great tutorial as usual, I have to say ET set the bar so high they have me lock in for life 🙂

    • That’s what we are going for! You’re ours! haha

  9. The accounts and connected services are most important things that you need to claim your ownership right after you take over a WordPress website. If they relates to emails, then change the emails. Make sure they’re yours, even if the previous owner tries to reset password.

    • Yeah, this is mega-important. I’ve dealt with this in the past (not just for WP sites, but just software in general), and it’s a big ole pain to have to use [email protected] as your login 😛

  10. B.J. – Thanks for a very informative checklist.

  11. Great article, thankyou. I have had many many hurdles taking over clients websites in the past… so this will be a great checklist for future!

  12. Good compilation, B. J.
    May be asking for documentation or at least notes about hidden customizations “somewhere” in the code could be helpful?!

    Or would you state that always only 100% professionals had administered the site? ?

    • Hah, it’s always 100% professionals. 😉 ALWAYS. #donottakemeseriously

      But you’re right. The issue there is that they might not have a list of customizations. Many devs don’t document as well as they should (or use child themes/version control for comparisons), so it becomes hard to do. I’ve had to muddle through with a lot of finding out on my own, so I always at least ask…even though the answer has always been a shrug and an “I am not really sure.”

  13. amazing tutorial!!
    very useful !

  14. @ B.J. Keeton

    Very nice tutorial.

    I was taught by changing the password of admin only. But, the real checklist is here.


    • This is a great list. I would add a couple of things (based on the premise that you are taking over a live website that serves a business or non-profit). Get names, and contact info of everybody who has a stake in review/approval of website, also permission to contact anybody who has touched the code, design or content of the site. (Can be tricky if there has been a problem with previous vendor(s) but probably worth checking.)

      Ask for any documentation (may not be any but good to find out).

      Be prepared to have a discussion about themes, plugins, other elements that are not properly licensed, not updated, otherwise not to the standard they should be. (A suggestion is that you identify the problem and have a proposed solution). Be prepared to find out that the site you are taking over has been hacked or is vulnerable to it because of lack of updates, etc. Build in some repair/redo time in budget.

      If you will be responsible for ongoing editorial including editorial graphics, video etc. (or interact with/support people who will) ask for contact names, workflows, content calendar, formats naming/storage convention for assets–including where original assets are housed and what form they are stored in (who has the “psd’s of the logo” the world’s most asked question in website takeover/renovation).

      Have some kind of viable tool/protocol with client for bugs etc. I use mantis, but you can do it in other ways of course. (If it’s happening in trello/basecamp versus a bug tracking program, make sure everybody knows it.)

      Prepare for a a little chaos and manage your own and client’s stress. Realize that it’s likely that the site you take over will have some issues (if it were a well-oiled beautifully running machine it’s less likely client would be looking to hand it over.)

      • Wish I had this advice about 3 months ago. Would have helped me on board smoothly.

        Thank you for suggesting it here.

      • #goldstar

      • Excellent additions to an already excellent list!

  15. Good advice.

Leave A Reply

Comments are reviewed and must adhere to our comments policy.

Get Started With Divi