427 – Manage an Existing WordPress Site


Is there a plugin for that?

With more than 50,000 plugins in the WordPress repository, it’s hard to find the perfect one. Each week, I will highlight an interesting plugin from the repository.

For more great plugins, download my 50 Most Useful Plugins eBook.

Hide WP Login is a plugin that will completely hide WordPress from hackers and detectors like Wappalyzer or BuiltWith.

Manage an Existing WordPress Site

Here are the things you must get before you start managing an existing WordPress site:

  • Access – things like WordPress / FTP / Server passwords
  • Backup – make sure there is a backup system in place and if not add one
  • Security – see if iThemes Security or Wordfence is installed and if not add one
  • Check for other admin users – if so remove them
  • SSL Certificate – if not, add one
  • Premium Plugins – see who owns the licenses to the premium plugins on the site
  • Management plugins – if you plan on managing the site with the help of a management plugin, you can add it now
  • Start to make changes – you are finally ready to start making changes to your site
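The admin-user, backup, security, SSL and site-contact checks from this list can be run against WP-CLI exports before any change is made. The sketch below is an added example, not code from the episode; the sample data is constructed, and the plugin slugs, the `expected_admins` set and the `owner_email` value are assumptions to adapt per site.

```python
import json

# Constructed sample exports (not from the page). Assumed to be captured with:
#   wp user list --role=administrator --format=json
#   wp plugin list --format=json
#   wp option get siteurl   /   wp option get admin_email
ADMINS_JSON = """[
  {"ID": 1, "user_login": "jane",   "user_email": "jane@client.example"},
  {"ID": 2, "user_login": "olddev", "user_email": "olddev@agency.example"},
  {"ID": 7, "user_login": "newdev", "user_email": "me@newdev.example"}
]"""
PLUGINS_JSON = """[
  {"name": "updraftplus", "status": "active",   "version": "1.16.0"},
  {"name": "wordfence",   "status": "inactive", "version": "7.2.0"},
  {"name": "woocommerce", "status": "active",   "version": "3.5.4"}
]"""
OPTIONS = {"siteurl": "http://shop.client.example",
           "admin_email": "olddev@agency.example"}

# Assumed plugin directory slugs for the tools named in the checklist.
SECURITY_SLUGS = {"wordfence", "better-wp-security"}  # Wordfence, iThemes Security
BACKUP_SLUGS = {"updraftplus", "backupbuddy", "vaultpress"}
ACTIVE_STATES = {"active", "active-network"}


def audit_handover(admins, plugins, options, expected_admins, owner_email):
    """Return (category, message) findings for a site being taken over."""
    findings = []

    # Any administrator not on the agreed list is a leftover account.
    for user in admins:
        if user["user_login"] not in expected_admins:
            findings.append(("admin-user",
                             f"unexpected administrator {user['user_login']} "
                             f"<{user['user_email']}>"))

    # An installed but deactivated plugin gives no protection, so only
    # active plugins count; the message says which case applies.
    active = {p["name"] for p in plugins if p["status"] in ACTIVE_STATES}
    installed = {p["name"] for p in plugins}
    for category, slugs in (("backup", BACKUP_SLUGS), ("security", SECURITY_SLUGS)):
        if not active & slugs:
            present = sorted(installed & slugs)
            detail = ("installed but inactive: " + ", ".join(present)
                      if present else "none installed")
            findings.append((category, f"no active {category} plugin ({detail})"))

    # A siteurl that is not https means the site is not served over TLS by default.
    if not options["siteurl"].lower().startswith("https://"):
        findings.append(("ssl", f"siteurl is not https: {options['siteurl']}"))

    # Site notifications should reach the owner, not a previous provider.
    if options["admin_email"].strip().lower() != owner_email.lower():
        findings.append(("contact",
                         f"admin_email is {options['admin_email']}, "
                         f"expected {owner_email}"))
    return findings


def run_sample():
    return audit_handover(json.loads(ADMINS_JSON), json.loads(PLUGINS_JSON),
                          OPTIONS, expected_admins={"jane", "newdev"},
                          owner_email="jane@client.example")


if __name__ == "__main__":
    for category, message in run_sample():
        print(f"[{category}] {message}")
```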

Thank you!

Thank you to those who use my affiliate links. As you know I make a small commission when someone uses my link and I want to say thank you to the following people. For all my recommended resources, go to my Resources Page

Full Transcript

Business Transcription is provided by GMR Transcription.

On today’s episode we are going to talk about what we do when we start working with an existing WordPress site. Whether that’s you’re helping a friend do something with their website or you’re taking over a new client. We are going to talk about what we do when we log into WordPress and kinda take over and start managing that site. Right here on Your Website Engineer podcast episode number 427.

Hello and welcome to another episode of Your Website Engineer podcast. My name is Dustin Hartzler and I’m excited to be here with you this week as we are going to be talking about what we do when we log into that WordPress site for the very first time. I get this almost every time I log into somebody’s site at work, or when I’m working and helping with somebody’s WooCommerce site, I always see 100 things that could be done better or differently and whatnot. And so we’re gonna go ahead and talk about the right way to kind of get set up, get our frame of reference, and get ready to best help whoever we are helping with their WordPress site.

Before we do that let’s talk about two announcements and one plugin of the week. The first announcement is all about Gutenberg 5.0. New Gutenberg 5.0. Yeah, we haven’t been talking about Gutenberg lately because that is rolled into WordPress 5.0. But Gutenberg continues to get updates and lately in this version 5.0 over the plugin, which was released earlier last week, they have added some features for embedding RSS feeds and they’ve also introduced an Amazon Kindle embed block. So that gives an instant preview from Amazon Kindle URL and so if you’re looking for something like that, that’s coming in the new version.

So basically what’s happening is there’s a lot of new features happening with Gutenberg that’s not just necessarily on a Posts in Page where we’re getting a lot of that content now. Now they’re expanding some of those blocks but then they’re also expanding outside of that area. Just trying to make the whole editing experience of WordPress that much better.

So instead of doing them on each individual point release of WordPress they are doing it still in the Gutenberg plugin. They’re continuing to update Gutenberg and basically it’s all newish type features that are there. It’s not going to conflict with WordPress 5.0 or whatnot. But if you’re interested in seeing what the latest and greatest is there just head on over to your WordPress repository and add Gutenberg 5.0.

The other thing in the news that I want to share this week is all about the WordPress 5.1 release candidate. So this basically means that WordPress 5.1, the development cycle is done. They are working on getting a few more bugs taken care of but Thursday February 21st, so next week, they are looking to push out WordPress 5.1. Speed and security has kinda been in the mind, in the forefront thoughts of the developers on WordPress 5.0 and so they’ve got site health features that are built into this new version. And it’ll start showing notices to admin users of the site that are running outdated versions of PHP, which is the main language that powers WordPress.

Also with installing this new plugin the site health feature will check whether a plugin requires a special version of PHP or if it’s incompatible with the PHP that’s running on your site, and it will prevent you from installing that plugin. So those are some of the things that are coming, and we’ll see those next week. If you want to give it a whirl you head on over to the WordPress repository and grab the beta version plugin. It’s called the Beta Tester WordPress at beta tester plugin and you can select the bleeding edge nightlies and that will get you the latest and greatest version of WordPress, WordPress 5.1.

All right, in the “Is There a Plugin for That?” section, this one is kind of cool, and it popped up on my radar this week. And this one is called Hide WP Login and this basically allows you to hide that wp-login.php screen on your website and the wp-admin and redirects to a page of your choice. So that makes it harder for people to hack into your WordPress site because they can’t find where that login URL is.

The other thing that you can do is it automatically hides WordPress features from services like Wappalyzer or BuiltWith. And so there are a couple tools. Wappalyzer is one of those browser extensions you can install in your browser. I have this installed in Chrome and so when I go to a website I’m like, “Aw this kinda looks like a WooCommerce store,” then I can look up and see, and yes, it’s WordPress. Then you click on that and shows you all the technologies running behind on that website. So if you install Hide WP Login, this plugin on the WordPress repository, you can hide all that information from those services and people will not know you are running a WordPress site.

So that’s pretty cool and if you are interested in trying to get people from trying to log in or hack into your site, I recommend this plugin.

Moving right along to the main part of this show, we’re gonna talk about the eight different steps to take over an existing WordPress website. And this, I don’t know, I feel like there’s so many things you could talk about and so many things that you can do when you first log into a website. I try to break them down just a little bit and this is kind of a methodical process.

And this is really good whether you are starting out as you’re a freelancer or you’re an agency and you’re taking over a website project from somebody else. Or if you are just somebody that’s just trying to help out a local non-profit. Or if you’re helping out a friend who’s getting maybe a resume site up and running or whatever the case may be. Both of these paths or the steps that we’re gonna talk about today can go very well with both of those different situations.

This is a little bit of a checklist. I like checklists and I like to be able to know exactly each, every site has all of this information and it helps you gather the information that you need to run a site or maintain a site. It’s just kind of a best practice that kind of come across or kind of put together over the last couple years. So let’s go ahead and dive right in.

The first piece of, the first step in the checklist I guess is access. So obviously you need WordPress dashboard access. You need administrator level access to the WordPress dashboard. And then you can remove any access from any previous developers or site owners.

So this is important if you should have a separate admin access for you and there should be an admin access for your customer, your client, your friend, whoever you’re helping out. If they only give you theirs then you can go in and you can create your own admin account and then they can use their account. But anything else outside of that, if there’s other people, other past developers, or past people that are helping, just go ahead and remove them from the website. You can always add them again later if necessary but let’s go ahead and remove them.

You also, when it comes to access, you need hosting access. So that’s FTP, SFTP, cPanel if necessary, you need. Some websites may have a special or separate CDN access so if that’s the case you definitely want to have that. In very slight cases you may need a domain registrar; you may need their login to do things with their domains. Most the time this won’t happen but if you’re grabbing information it’s probably best to just go ahead and grab it and create a list and have all of the details right at your fingertips.

It’s always the worst and I can remember back to five, six years ago now, that when I was developing websites for clients, it was like I’m all ready to get going and geared up and I’m in the mindset, I’m gonna start to do work and then a password didn’t work or I couldn’t log in right or I didn’t have the right credentials for something, and it’s just like, “Oooph”, it’s so painful and you had to stop everything you were doing and try to get those details and information. So just trying to get all of the pieces of the puzzle and get them all in one place.

Then once we’ve done all these, we gathered all these, then maybe the next best thing to do is to go in and change all the passwords and then document what those passwords have been changed to.

I haven’t heard about this a lot because your customers or friends have their GoDaddy passwords written down. They have their WordPress user names and passwords and stuff written down. But probably a good safe bet if you are the one that’s gonna be managing this from now on, it would be a good idea to just go ahead and change all the passwords for hosting, for SFTP, for FTP, access for your domain registrar, for the WordPress dashboard, just so that nobody else can get in.

It’s going to be a big deal if you’re starting to make a lot of changes and do things inside their WordPress site that you do not need them to have somebody else access it and do something crazy and wipe out all the changes you’ve been working on.

So that’s the access piece. That’s step No. 1. Step 2 is a backup solution. Check to see if they have one. If not, adding a backup solution is top priority before you do anything past logging in and updating passwords. Then you create an initial backup for yourself and you make sure that before you make any other change. So make that backup and then save it somewhere, that you have a “This is what the site looked like when I took it over”. And then you can always roll back to that or you can always create that or create a duplicate version of their site so you can see in case something breaks you always have that backup copy.

If it already has a backup solution then make sure you know where those backup files go. You wanna make sure that they’re not going to the previous web developer or somebody else that might have been helping them with their website. Make sure that it’s going to their hosting account or to a Dropbox account or it’s being saved at a certain site like VaultPress or the Jetpack Rewind or wherever it’s going, Updraft, where ever you’re putting it, make sure that it only can be accessed by your client, your friend, or you.

And then you also want to check if it is a paid plugin like BackupBuddy, wanna make sure to see who’s paying for that license. Is that license taken care of by the client, your friend, the person that you’re working with, or is it by the previous web developer, were they using their license? Find out what that system is and then if it’s paid for by somebody else then you’ll definitely want to update that and change that into the right person’s name.

All right that’s step No. 2, the backup solutions. Step No. 3 is security. So you wanna make sure that there is some sort of security protocol going on. You wanna add a security plugin is usually the next priority after creating a backup. That’s like iThemes Security or the Wordfence plugin, one of those should do the trick. Get those logged in and ready to go. And then make sure that the alerts are going to the correct email address. It’s probably not the client if you’re taking over and you’re managing, you want the access and the notifications if something’s wrong or going down or there’s some sort of security threat on your website.

And then this also is the same case if it is a premium extension, maybe iThemes Security Pro or something that is a paid for subscription, check to see who paid for that license and get it assigned to the correct person. So security is No. 3. Get that all squared away and lined up.

No. 4 is general site contact and admin users. So you wanna check to see what email address is listed to the general point of contact. If it’s the client you can leave that alone. If it’s another service provider you probably – that may be the person that was taking care of the website, maybe their old website owner or the web developer or whatnot, so you can change those, so you can those pieces of information.

Most likely though it’s going to need to stay in the person that is going to answer the contact forms or different things along the website. If it’s a WooCommerce site you want the main contact to be the store owners so they get those notifications. As a web developer or friend you don’t want to be getting all the notifications about something going on, on their website. So that’s something that’s there. Also when you’re checking out the admin users, like I said earlier, you wanna make sure there’s no other WordPress contractors or anything like that, any other users that have admin access listed there in the list.

Also No. 5, moving right along to step No. 5, is check to see if they have an SSL certificate. If not that’s the next item or next priority, to just go ahead and add one. That’s usually done pretty easily and pretty simply within the WordPress host. And most the time they’re coming with those anyway and so that is something just to check out.

Step No. 6 is check for the premium content with renewable license. So take an inventory of all the plugins, every premium feature that the WordPress site has. You wanna make sure that if it’s the developer might have built the website and then had an itemized list of all the plugins and what they paid for them and when the subscription dates are going to expire.

Most the time that is not the case. Most people will just install the plugins it needed and then it’s usually a surprise to the website owner that, “Oh hey, you need to renew these $400 worth of plugins for your website to continue to work.” So you wanna list them all out and basically the easiest way is just to go the WordPress plugins page and then just go through all the ones that look like they’re paid or that cannot be found on the WordPress repository. Then those ones usually have a paid for license and you can find out more and see how much those are going to cost and when they’re going to renew.

Then you wanna ask your friend, your client, to see which ones of those they paid for, which are those ones that they’ve actually spent money themselves or which ones were billed as part of the website package as a whole and if they’re not in their name, again this is going to be a process of trying to transition them into them owning their own plugins.

It’s one of the hardest pieces about owning or doing this WordPress thing because website developers usually have bought the tool kit or the package or somehow have unlimited access, they pay a flat fee for unlimited access for as many of the plugins on websites as they can use.

BackupBuddy’s a good example, if you buy the one-year subscription for unlimited, you can put that on 1,000 websites. But the terms and conditions only say, like, the plugin can only be used on sites that are being directly managed by you. And so you wanna make sure that you’re not going against those terms and conditions and you wanna make sure that somebody that is responsible for the website has access to the license key and the renewals, otherwise when it comes time for renewals or updates it’s going to be a big headache and it’s better to have all this information up front when it’s not needed.

Another thing you may wanna look at when it comes to premium content, some addons aren’t premium but they require accounts to grant API requests and keys. Something that I’m thinking about is like the Google Maps functionality, if there’s some sort of plugin that’s using Google Maps you have to have a Google Maps account or a Google account that’s linked to the Maps API. And while yes, you can use 25,000 requests per month for free, some websites may have more requests than that and so that could be a potential issue if you don’t have those ducks in a row and you’re not exactly sure where those accounts and what’s set up there correctly.

And then once you have this whole list you wanna just go through and read through and find out, again, which ones the client has or your friend has. And then which ones they have purchased and which ones they haven’t. And just try to figure out a game plan of when we’re going to budget and when we are going to make sure that we are gonna pay for these plugins as they are getting ready to renew and whatnot. So that’s premium content with renewable license.

The next step is about management plugins. And sometimes agencies have management plugins in there that will help keep plugins updated and themes updated and kind of run backups and systems and whatnot. So if any of that stuff is there you wanna go ahead and make sure that that has been removed. And that way you can put in your own if you’re using some sort of manage plugin or you can just kind of manage it manually. Depends on your level of engagement or what your – how involved you’re gonna be in the website. So try to get rid of that and get ready for something along those lines.

And then the last step is start to manage. You can finally start to manage. So you’ve got seven steps before you can start doing this. But then the eighth step is actually managing your WordPress site. So that’s going in and probably the first thing you’ve already done a backup, you’ve got the security plugin in place, then what you want to do is you can go in and you can start making sure those plugins are updated. And you can do some testing to make sure these new features that are needed or maybe they need updates to a theme.

And now, okay we’ve got everything in place and we’ve got backups in place and now we can start editing the theme files or we can change themes or whatever the case may be, whatever they were originally gonna ask you to do. I know that’s a lot of work and there are a lot of steps to get to this point but in the end it’s going to make life so much easier. And diving into a project, I know that this happens all the time, we dive in, we try to fix something, all of a sudden it’s broken, and now we didn’t do a backup so we can’t restore to the last known state, and it just creates more headaches, after headaches, after headaches.

And so if you go in, you’re trying to take over a website or you’re trying just help somebody out, these are some of the best tips. And all the time when I’m speaking with customers of WooCommerce and they’re asking, “Should we do this, should we this, should we update a plugin?,” it’s always like, “Yes, but I’d recommend you create a backup first. Let’s do a backup before you do anything else while we’re doing this live chat, because you never know what could happen.”

And we ask for admin credentials sometimes so that we can log in and we can make sure that things are set up and configured properly. And then the last step is always remove that admin access. Okay, have a great day. Also you can remove that admin access, delete that account because we don’t need those credentials floating around there on the web anywhere.

And so it’s a painful process, it’s a little bit redundant, if you will. It takes a little bit – a few steps. And if you are doing this as a career, you’ve taken on this client, now you are managing their website and, I mean, these are billable hours that you can use, you can charge for. Maybe there’s a – they’ve got a current website, they’ve got a project, maybe you charge $100 per month for managing the website but there’s a $200 or $300 or $500 or whatever the number is, there is an upfront cost to be able to get things set up and running.

Those are my ideas on how to take over a website. Again, I haven’t done this in a long time and I only manage my sites and a couple for friends and family, but it’s always the complete urge to open up the dashboard, you see 100 different notifications of things that need updated and this is broken and this needs fixed and you need this API key over here and you need this, this, this, and this. And you just want to go ahead and start tackling these but having a system in place of doing things repeatedly the same way every time is going to help so much and it’s gonna just help keep, I wanna say it keeps your head clear.

You go through the checklist, you get the access that you need, you create a backup solution so that everything’s backed up. We’ve got a security protocol going so that everything is – nobody else can get into our website. We look at all the admin users. We remove the ones that aren’t there. We’ve already changed passwords so people can’t get in if they’ve had access beforehand. We’ve made sure that we’ve got an SSL certificate. We’ve got premium content with renewable license, all of those plugins we know where they came from, we know how much we paid, we know when we’re gonna get charged for them again, and whatnot.

And then if you have any sort of management plugin and whatnot, we’ve got those under control, we’ve installed those. And then we start to manage the site and manage getting plugins updated, updating themes, changing things around, and whatnot.

And that’s what I wanted to share with you in this week’s episode of Your Website Engineer podcast. Take care and we’ll talk to you next week. Buh-bye.