Knowledge / The WordPress-on-VPS go-live checklist
The WordPress-on-VPS go-live checklist
Before you point DNS at a new WordPress VPS, run through these essentials — SSL, backups, caching, security headers and PHP tuning — so launch day is boring.
A VPS gives you full control of your WordPress stack — and full responsibility. Run through this list before you go live so launch day is uneventful.
1. TLS everywhere
Issue a certificate and force HTTPS. Redirect http:// to https://, enable HTTP/2, and set HSTS once you're confident the certificate auto-renews.
2. Automated, off-site backups
A backup that lives on the same disk as the site isn't a backup. Schedule daily snapshots and ship at least one copy off the server. Test a restore before you need one.
3. Full-page caching
PHP should not run on every request. Put a cache in front of WordPress and add an object cache (Redis) for logged-in traffic and the admin.
4. Security baseline
- Disable file editing in
wp-config.php - Limit login attempts and enforce strong admin passwords
- Add security headers (
X-Content-Type-Options,Referrer-Policy, a sensible CSP) - Keep SSH key-only, no password auth
5. Right-size PHP
Match pm.max_children to available memory, set a realistic max_execution_time, and bump upload_max_filesize only as high as the site actually needs.
Each of these is a one-click toggle in MZPanel, but the principles hold wherever you host. Get them right once and the rest of operations gets a lot quieter.