The WordPress site-health checklist (and how to actually fix it)

Ten areas every WordPress site should pass, what to check in each, and how to close the gap instead of just logging it.

Most WordPress sites do not break all at once. They drift. A plugin updates and quietly loads a script on every page. An old post starts pointing at a URL that no longer exists. A setting flips during a migration and never flips back. Each one is small. Together they are the difference between a site that feels fast and trustworthy and one that feels neglected.

The fix is not a heroic once-a-year cleanup. It is a checklist you can run on demand, that tells you what is actually wrong right now, worst problems first, so you can close the gaps while they are still small. Below is the checklist we built RecapWP around: ten areas, what to look for in each, and, just as importantly, how to actually fix what you find instead of just writing it down.

Why a checklist beats a one-off scan

A single scan is a photograph. It tells you how the site looked the moment you ran it, and nothing about the moment after. Sites change every week: content gets published, plugins update, traffic finds the pages you forgot about. A checklist you can re-run turns that photograph into a habit, and a habit is what keeps a site healthy.

The other thing a good checklist does is order the work. Not every problem deserves your evening. "Search engines are blocked from this entire site" and "this one image is missing alt text" are not the same emergency, and a list that shows them in severity order saves you from fixing the trivial thing first. Everything below is meant to be triaged worst-first.

The ten areas every WordPress site should pass

This is the full sweep. On each item, the Check line is what to look for; the Fix line is how to close it, and where a tool like RecapWP can apply the change for you (every change it makes is recorded and reversible).

  1. Security & hardening

    Check: the common exposures, like XML-RPC open to the public, your WordPress version advertised in the page source, usernames that can be enumerated through the REST API, and missing security headers. These are the doors attackers rattle first.

    Fix: most of these are configuration, not surgery, so they can be closed with a single deterministic setting change. RecapWP applies the fix right where it found the problem and keeps an undo for it. Hardening is not a firewall, and it does not pretend to be one; it removes the easy footholds so the firewall has less to do.

  2. Platform & updates

    Check: outdated plugins, themes, and WordPress core, a PHP version that is past end of life, and inactive plugins sitting installed for no reason. Out-of-date code is the single most common way sites get compromised.

    Fix: review and update. This is one area worth doing by hand, because an update can change how a site behaves, so RecapWP flags what is stale and how serious it is, and leaves the click to you. Delete the inactive plugins you are never going to switch back on.

  3. Captured PHP errors

    Check: real fatal errors thrown on real visitor requests. Not a theoretical lint pass, the actual errors your visitors hit, which usually never reach you because they happen on the front end and vanish into a log nobody reads.

    Fix: RecapWP captures these as they happen and groups them, so one error reached through three code paths is one finding, not three. You resolve the underlying cause, and if it ever recurs the finding reappears on its own, which is your signal that the fix did not hold.

  4. Performance

    Check: no page caching, no persistent object cache, autoloaded options that have ballooned, post revisions piling up by the thousand, and the emoji and embed scripts WordPress loads on every page whether you use them or not.

    Fix: the emoji and embed bloat is a one-click removal. Caching is a setup decision, so it is flagged rather than forced. Trimming runaway revisions and oversized autoloaded data keeps the database lean and every page query faster.

  5. SEO

    Check: pages missing a meta description, images missing alt text, and thin posts with almost no content. None of these sink a site on their own, but in volume they tell search engines the site is unfinished.

    Fix: these are editorial, so they are surfaced rather than auto-rewritten. RecapWP catches them per page in the Frontend Auditor (a Pro capability) as you browse the live site, not in the bulk scan. Writing a real description and real alt text is work only a human should do, but knowing exactly which page you are on and what it is missing turns a vague worry into a short, finite list.

  6. Broken links

    Check: internal and external links that now 404, orphan pages nothing links to, and dead URLs that are still getting real visitor traffic. Broken links waste link equity and quietly frustrate readers who hit a dead end.

    Fix: for an internal broken link, the fix is a 301 redirect to the right destination, and RecapWP can create that redirect for you, pre-filled with a suggested target you can edit. External links you cannot redirect, so those are flagged for you to repoint or remove.

  7. Content

    Check: stale, aging posts that have not been touched in a long time. Old content is not automatically bad, but a post that was accurate three years ago may quietly be wrong today, and it is still ranking.

    Fix: review the flagged posts and decide: refresh, redirect, or leave it. Marking a post as fine is a one-click action, so the ones you have deliberately kept stop nagging you on the next scan.

  8. Users

    Check: a default admin username, more administrator accounts than the site actually needs, and display names that exactly match the login (which hands an attacker half of the credential for free).

    Fix: create a fresh admin under a new name and retire the old one, drop over-privileged accounts down to the role they need, and set public display names that are not the login. These are account decisions, so RecapWP points them out and leaves the change to you.

  9. WooCommerce

    Check: if you run a store, products published with no price, products with no image, and items still listed for sale while out of stock. Each one is a sale you are quietly losing.

    Fix: these are catalog issues only you can resolve, so they are surfaced with a link straight to the product. The value is in finding them, because a shop with hundreds of products will always have a few that slipped through.

  10. Environment & config

    Check: the settings that silently sabotage a live site: "discourage search engines" left on after launch, debug mode running in production, and the built-in file editor enabled. The search-engine toggle is the one that costs people months of invisible traffic.

    Fix: re-enabling search-engine visibility is a one-click fix, and it is the highest-severity thing on this whole list for a reason. Debug mode and the file editor are flagged so you can turn them off in config the moment you see them.
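The three settings in item 10 can be checked from a copy of wp-config.php and the value of the `blog_public` option. This is an added example, not RecapWP's code; the function names, the sample config and the severity numbers are assumptions made for the illustration.

```python
import re

# define( 'NAME', value ); with either quote style; the value is captured raw.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)\s*;""", re.I)

def read_constants(src):
    """Return {NAME: value} from wp-config.php text, skipping commented-out lines."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)   # block comments
    src = re.sub(r"(?m)^\s*(//|#).*$", "", src)            # whole-line comments
    return {name: raw.strip("'\" ").lower() for name, raw in DEFINE_RE.findall(src)}

def is_on(consts, name):
    return consts.get(name, "false") in ("true", "1")

def audit_config(wp_config_src, blog_public):
    """blog_public is the option behind the 'discourage search engines' box
    ('0' means discouraged). Returns (severity, finding) tuples, worst first.
    Severity numbers are this example's assumption; 1 is worst."""
    consts = read_constants(wp_config_src)
    findings = []
    if str(blog_public) == "0":
        findings.append((1, "search engines are discouraged (blog_public = 0)"))
    if is_on(consts, "WP_DEBUG"):
        findings.append((2, "WP_DEBUG is enabled"))
    # DISALLOW_FILE_MODS also removes the editor, so either constant passes.
    if not (is_on(consts, "DISALLOW_FILE_EDIT") or is_on(consts, "DISALLOW_FILE_MODS")):
        findings.append((3, "built-in file editor is enabled"))
    return sorted(findings)

# Constructed sample: a config left in its pre-launch state.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
// define( 'DISALLOW_FILE_EDIT', true );
define( "WP_DEBUG", true );
"""

if __name__ == "__main__":
    for severity, finding in audit_config(SAMPLE_WP_CONFIG, blog_public="0"):
        print(severity, finding)
```

The commented-out `DISALLOW_FILE_EDIT` line is deliberately in the sample: a define that is present but commented out is still a finding.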

A finding is only useful if something can close it. The point of the checklist is not the list. It is the shorter list you have after you have worked it.

Fixing vs. flagging: closing the loop

Here is the trap almost every audit tool falls into. It is genuinely good at the first half, finding what is wrong, and it leaves the entire second half, fixing it, to you. You finish the scan with a longer to-do list than you started with, and the easy half is the only half that got automated.

That split is the thing worth changing. A large share of the items above are not judgment calls; they are deterministic configuration. "XML-RPC is exposed" has exactly one correct fix, and a tool can apply it as reliably as it detected it. So RecapWP does: where a fix is a known, rule-based change, it offers a button that makes the change right there in the finding, and records it so you can reverse a single fix or roll the whole session back. Detection and fixing are both deterministic.
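What deterministic detection looks like for the item 1 exposures, as an added example that is not RecapWP's code: it reads responses you have already saved from your own site and returns findings worst-first. The header list, severity numbers, function names and sample capture are assumptions made for the illustration.

```python
import json
import re

# Header set chosen for this example; the page does not name specific headers.
WANTED_HEADERS = ("strict-transport-security", "content-security-policy",
                  "x-content-type-options", "x-frame-options", "referrer-policy")
GENERATOR_RE = re.compile(
    r"""<meta[^>]+name=["']generator["'][^>]+content=["']WordPress\s*([\d.]*)""", re.I)

def user_slugs(body):
    """Slugs exposed by a /wp-json/wp/v2/users response body, if any."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, list):
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and "slug" in u]

def audit_capture(capture):
    """capture maps path -> (status, headers, body) saved from your own site.
    Returns (severity, finding) tuples, worst first; severities are assumed."""
    findings = []
    status, _, body = capture.get("/xmlrpc.php", (404, {}, ""))
    if status == 405 or "XML-RPC server accepts POST requests only" in body:
        findings.append((1, "xmlrpc.php answers public requests"))
    status, _, body = capture.get("/wp-json/wp/v2/users", (404, {}, ""))
    if status == 200 and user_slugs(body):
        findings.append((1, "REST API lists user slugs without authentication"))
    _, headers, body = capture.get("/", (0, {}, ""))
    match = GENERATOR_RE.search(body)
    if match:
        findings.append((2, "generator tag advertises WordPress " + match.group(1)))
    missing = [h for h in WANTED_HEADERS if h not in {k.lower() for k in headers}]
    if missing:
        findings.append((3, "missing security headers: " + ", ".join(missing)))
    return sorted(findings)

# Constructed capture of three responses from a default-looking install.
SAMPLE_CAPTURE = {
    "/": (200, {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"},
          '<head><meta name="generator" content="WordPress 6.0" /></head>'),
    "/xmlrpc.php": (405, {}, "XML-RPC server accepts POST requests only."),
    "/wp-json/wp/v2/users": (200, {}, '[{"id": 1, "slug": "editor-example"}]'),
}

if __name__ == "__main__":
    for severity, finding in audit_capture(SAMPLE_CAPTURE):
        print(severity, finding)
```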

The items that genuinely need a human, updating a plugin that might change behavior, rewriting thin content, retiring a user account, are deliberately left as flags with a direct link to the right place. The goal is not to automate your judgment. It is to delete the busywork around it so your judgment is all that is left.

Make it a monthly habit

The whole checklist takes one scan. Run it on demand, read the findings worst-first, apply the fixes that are mechanical, and put the handful of judgment calls on your real to-do list. On most sites that is fifteen minutes, and it is the difference between catching a blocked-search-engines setting the week it happened and discovering it in three months when the traffic graph finally gets your attention.

Pick a rhythm you will actually keep. Monthly is plenty for a stable site; weekly if it is busy or you manage it for a client who expects it. The point is repetition. A site that gets looked at on a schedule almost never develops the kind of quiet, compounding rot that takes a weekend to dig out of.

None of this requires a checklist you keep in your head. It requires a scan you can trust to find everything, ordered by what matters, with the boring fixes already handled. That is the entire idea behind RecapWP, and the fastest way to see your own site's version of the list above is to run it.
