Hosting Checks
____ Ensure that all required domains bring up the website including their www versions
____ Ensure that the static server cache is enabled
____ Ensure that the website is running on a currently supported version of PHP
____ Ensure that the web application firewall is enabled
____ Ensure that OCG’s office IP address has been whitelisted
____ If the site has been built with Oxygen visual composer then ensure that the disabled rule IDs list includes the requisite rule IDs to disable. Refer to the ‘OCG – WAF Rules to disable for Oxygen’ in C2 Password
____ Ensure that brute force attack protection is enabled
____ Ensure that block XML-RPC is enabled
____ Ensure that HTTP/3 is enabled
Security Checks
____ Ensure that Defender Pro is active and that ‘OCG Defender Pro Default Configuration’ has been applied
____ Ensure that blocklist monitor is active and reporting no issues
Ensure that mask login area is active:
____ Masking URL slug is appropriately set (the whole or part of the primary domain name and the word dashboard). Test by attempting to log in using this URL slug.
____ Redirect traffic is enabled and set to 404-error. Test by attempting to log in using the /wp-admin default login.
Ensure that all security headers are enabled
____ X-Frame-Options
____ X-XSS-Protection
____ X-Content-Type-Options
____ Strict Transport
____ Referrer Policy
____ Permissions-Policy
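Added example (not part of the OCG checklist): one way to confirm the six headers above from a response head such as the output of `curl -sI`. The sample response is constructed, the function names are illustrative, and `Strict-Transport-Security` and `Referrer-Policy` are the on-the-wire names of the ‘Strict Transport’ and ‘Referrer Policy’ items.

```python
# Added example: audit a response head for the six checklist security headers.
REQUIRED = ["X-Frame-Options", "X-XSS-Protection", "X-Content-Type-Options",
            "Strict-Transport-Security", "Referrer-Policy", "Permissions-Policy"]

# Constructed sample (not captured from a real site); Permissions-Policy is absent.
SAMPLE = """\
HTTP/2 200
content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains
referrer-policy: strict-origin-when-cross-origin
"""

def parse_headers(raw):
    """Return {lowercased-name: value} from a raw response head."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                               # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def hsts_max_age(value):
    """Return the max-age directive in seconds, or 0 if absent or malformed."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        val = val.strip().strip('"')
        if key.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return 0

def audit_headers(raw):
    """Map each required header to 'ok', 'missing', or a reason it is ineffective."""
    headers = parse_headers(raw)
    report = {}
    for name in REQUIRED:
        value = headers.get(name.lower())
        if value is None:
            report[name] = "missing"
        elif name == "Strict-Transport-Security" and hsts_max_age(value) == 0:
            report[name] = "max-age is 0 or absent, so HSTS is not enforced"
        elif name == "X-Content-Type-Options" and value.lower() != "nosniff":
            report[name] = "value is not nosniff"
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    for header, result in audit_headers(SAMPLE).items():
        print(f"{header:28} {result}")
```

A header that is present but ineffective (HSTS with `max-age=0`, or `X-Content-Type-Options` set to anything other than `nosniff`) is reported separately from a missing one, since both fail the check.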
Ensure that Password Rules are enabled
____ Pwned Passwords
____ Ensure that Session Protection is enabled with the default settings
Ensure Google reCaptcha is enabled
____ Verify the correct V3 keys and that it has been verified. The reCaptcha keys for the website should be in C2 Password for comparison
____ Ensure all reCAPTCHA Locations are enabled
____ If WooCommerce is active on the site then ensure reCaptcha is active for WooCommerce
____ If BuddyPress is active on the site then ensure reCaptcha is active for BuddyPress
____ Ensure that disable for logged in users is checked
____ Ensure that audit logging is enabled and reporting
Ensure that the firewall is active
____ Ensure that AntiBot is active and set to basic mode
Ensure local blocklist is active
____ Ensure the OCG office IP address is in the allowlist
____ Ensure that the Maxmind license key is installed and active
____ Ensure the locations blocklist and allowlist are set up correctly for the client’s specific needs. Typically for US companies only doing business in the US these should be set to Block all and United States respectively
____ Ensure that login protection is active
____ Ensure that 404 detection is active
____ Ensure that user agent banning is active
Notification Settings
____ Ensure that malware scanning reporting is enabled and reporting to websitesecurity@ocgcreative.com
Malware scan
____ Run an initial malware scan. Report to development if the scan uncovers any issues
Performance
____ Ensure that Hummingbird Pro is active and that ‘OCG Hummingbird Pro Default Configuration’ has been applied
____ Ensure that page caching is active and using the static server cache
Ensure that browser caching is active:
____ JavaScript
____ CSS
____ Media
____ Images
____ Ensure that gravatar caching is active
Ensure that image optimization is active. Smush Pro is used to provide this feature
____ Ensure that Smush Pro is active and that ‘OCG Smush Pro Default Configuration’ has been applied
____ Ensure there are no images needing to be optimized
Ensure that GZIP compression is active:
____ HTML
____ JavaScript
____ CSS
____ Ensure that asset optimization is active
____ Run performance check. Report any issues uncovered or if the scores are low for further investigation. Desktop scores below 90 and/or mobile scores below 70 should be noted and investigated.
______ Initial desktop score
______ Initial mobile score
SEO
____ Ensure that SmartCrawl Pro is active and that ‘OCG SmartCrawl Pro Default Configuration’ has been applied
____ Ensure that a current sitemap is available and active
Link Checker
____ Ensure that broken link checker is active and that a scheduled scan is set up and active
____ Report any broken links to development for assessment
____ Ensure that backlinks checker is active
Backups
____ Ensure that nightly backups are activated and functioning
Uptime Monitoring
____ Ensure that uptime monitoring is active and reporting
The Hub Analytics
____ Make sure that the Hub analytics service is disabled, as this currently interferes with our Matomo analytics integration
Automated Updates
Ensure that automated updates are set up and active
____ Ensure that WordPress, all installed themes and all active plugins are enabled for auto-updates
____ Ensure that automated updates schedule is set to once per week
____ Ensure that safe update check is enabled and set to the home page
____ Ensure that safe update alert is enabled and set to a minimum of 25%
____ Ensure that the weekly report is set up to email websitereports@ocgcreative.com
Reports
____ Ensure that the weekly activity report is set up, activated and reporting.
Ensure that all activated services are reporting:
____ Updates
____ Security
____ Performance
____ Uptime
____ SEO
____ Broken Link Checker
____ Backlinks