A website project is not finished when the homepage looks good.
It’s finished when the business can safely own, operate, measure, protect, and improve the site without begging the developer for every small change.
That gap is where a lot of website launches get expensive. The site goes live, everyone celebrates, then nobody knows who owns the domain login, where form submissions go, whether analytics is tracking leads, which plugins are safe to update, or what happens if the site goes down on a Friday afternoon.
This website handoff checklist fixes that. Use it if you’re a business owner receiving a new site, an agency packaging a cleaner closeout process, or a freelancer trying to look buttoned-up without adding six more meetings.
The stakes are not minor. WebAIM’s 2026 Million report found 56,114,377 accessibility errors across the top one million home pages, an average of 56.1 errors per page. Google says Core Web Vitals measure real-world loading performance, interactivity, and visual stability, with good thresholds of 2.5 seconds for LCP, under 200 milliseconds for INP, and under 0.1 for CLS. Verizon’s 2025 DBIR reported that third-party involvement in breaches doubled to 30%, which makes shared access, admin accounts, and vendor cleanup part of business risk, not just IT housekeeping.
Here is the handoff list worth using.
What a real website handoff should include
A good handoff has three jobs.
First, it transfers control. The business should own the accounts, files, content, data, and admin access needed to run the website.
Second, it reduces risk. The site should have documented backups, security settings, update responsibilities, privacy requirements, and support contacts.
Third, it preserves momentum. The launch should not wipe out SEO value, break tracking, lose form leads, or strand the team with a CMS they don’t know how to use.
The cleanest way to do that is to treat handoff as a deliverable, not an afterthought.
1. Ownership and access
If the business does not control the critical accounts, it does not really control the website.
This is the first part of the handoff because every other item depends on it. The goal is not to dump passwords into an email. It’s to confirm ownership, remove stale users, and document who is responsible for what.
Your handoff should include:
- Domain registrar account owner confirmed.
- DNS provider documented.
- Hosting account owner confirmed.
- CMS administrator access created for the business.
- Agency admin accounts documented.
- Temporary contractor accounts removed or downgraded.
- Two-factor authentication enabled where available.
- Password manager sharing process agreed.
- Billing owner confirmed for domain, hosting, plugins, email, CDN, and third-party tools.
- Renewal dates documented.
- Emergency contact listed for domain, DNS, and hosting issues.
- A plain-English account map showing which platform does what.
Do not skip the account map. Business owners do not need a lecture on DNS. They need to know that GoDaddy controls the domain, Cloudflare controls DNS, Kinsta controls hosting, Stripe controls payments, and Google Workspace controls email.
Security belongs here too. CISA’s Cyber Essentials guidance recommends MFA for privileged, administrative, and remote access users and enabling automatic updates whenever possible. That applies directly to CMS admins, hosting dashboards, domain registrars, and email accounts tied to password resets.
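One way to turn the access items above into a repeatable check is to audit the account map itself. This is an added example, not part of the original checklist; the CSV columns, the account names, and the `audit_access` helper are assumptions made for illustration.

```python
import csv
import io

# Constructed sample inventory (not real accounts); the column names are assumptions.
SAMPLE_INVENTORY = """platform,user,role,party,mfa,shared
registrar,owner@client.example,admin,business,yes,no
dns,ops@agency.example,admin,agency,yes,no
hosting,owner@client.example,admin,business,no,no
cms,editor@client.example,editor,business,no,no
cms,admin@agency.example,admin,agency,yes,yes
cms,temp-dev@freelance.example,admin,contractor,no,no
"""

PRIVILEGED = {"admin", "owner"}


def audit_access(inventory_csv, support_agreement=False):
    """Return sorted (platform, user, finding) tuples for the handoff review."""
    findings, platforms, business_admin = [], set(), set()
    for raw in csv.DictReader(io.StringIO(inventory_csv)):
        r = {k: v.strip().lower() for k, v in raw.items()}
        platforms.add(r["platform"])
        if r["role"] not in PRIVILEGED:
            continue  # only privileged accounts are audited here
        who = (r["platform"], r["user"])
        if r["party"] == "business":
            business_admin.add(r["platform"])
        if r["mfa"] != "yes":
            findings.append(who + ("privileged account without MFA",))
        if r["shared"] == "yes":
            findings.append(who + ("shared admin login",))
        if r["party"] == "contractor":
            findings.append(who + ("contractor admin: remove or downgrade",))
        if r["party"] == "agency" and not support_agreement:
            findings.append(who + ("agency admin without support agreement",))
    # Every platform needs at least one admin account the business controls.
    for platform in platforms - business_admin:
        findings.append((platform, "-", "no business-owned admin account"))
    return sorted(findings)


if __name__ == "__main__":
    for platform, user, finding in audit_access(SAMPLE_INVENTORY):
        print(f"{platform:10} {user:28} {finding}")
```

Run it against an export of the real account map before the closeout meeting, and again after the agency's closeout period ends.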
2. Website files, repository, and build documentation
A brochure site built on a hosted platform may not have a traditional codebase. A custom site should.
Either way, the handoff needs to explain how the site is built and where the working files live. Without that, the next developer has to reverse-engineer the project from production, which wastes money and increases the chance of mistakes.
At minimum, deliver:
- Repository URL or platform project location.
- Production branch identified.
- Staging environment URL.
- Deployment process documented.
- Environment variables listed without exposing secret values.
- Build command documented.
- Hosting platform settings documented.
- Theme or design system location.
- Custom code areas identified.
- Plugin or app list with purpose for each item.
- License ownership for paid themes, plugins, fonts, stock photos, and scripts.
- Backup copy of final design files.
- Backup copy of final content files.
- Known technical debt documented.
That last item matters. No site is perfect. A mature agency will tell you what was intentionally deferred, what should be watched, and what would become risky if ignored.
3. Content and CMS training
The handoff should make the business capable of changing normal content without breaking the site.
That does not mean every owner needs to edit templates or touch code. It means the team should know how to update staff bios, service pages, blog posts, testimonials, images, FAQs, and calls to action.
Deliver these items:
- CMS login instructions.
- Short screen-recorded walkthrough for common edits.
- Written guide for adding a blog post or resource.
- Image size and format guidance.
- Naming rules for files and URLs.
- Instructions for editing menus.
- Instructions for updating forms.
- Instructions for editing metadata.
- Instructions for publishing, saving drafts, and rolling back changes if available.
- List of pages the business should not edit without help.
- Content inventory showing final URLs.
- Archive of approved copy.
- Brand assets folder with logos, colors, fonts, and image rules.
Keep the training practical. A 20-minute video showing exactly how to update a service page is worth more than a 40-page PDF nobody opens.
4. SEO handoff
SEO handoff is where many redesigns lose money.
A site can look better and still perform worse if redirects, metadata, internal links, crawl settings, and indexation controls are mishandled. Google’s canonical URL guidance says redirects and rel="canonical" annotations are strong canonicalization signals, while sitemap inclusion is a weaker signal that can still help. Translation: launch details affect which URLs Google trusts.
Your SEO handoff should include:
- Final URL list.
- Old-to-new redirect map.
- Confirmation that redirects were tested.
- XML sitemap URL.
- Robots.txt URL and notes.
- Canonical tag rules.
- Page titles and meta descriptions exported.
- H1 checks completed.
- Internal links checked for broken URLs.
- 404 page tested.
- Open Graph and social preview tags checked.
- Structured data listed and tested.
- Google Search Console property access transferred.
- Bing Webmaster Tools access transferred if used.
- Local business NAP details checked where relevant.
- Image alt text reviewed for core pages.
- Crawl report or QA export included.
- Post-launch SEO watch list for the first 30 days.
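The redirect map and final URL list above can be checked against each other before anything is deployed. The following is an added example, not part of the original checklist; the paths are constructed and the `check_redirect_map` helper is an assumption. It is a static check that complements, and does not replace, testing the live redirects.

```python
# Constructed sample data: an old-to-new redirect map and the final URL list.
SAMPLE_REDIRECTS = [
    ("/services.html", "/services"),
    ("/about-us", "/about"),
    ("/team", "/about-us"),      # chain: /team -> /about-us -> /about
    ("/old-blog", "/news"),      # /news is not in the final URL list
    ("/a", "/b"),
    ("/b", "/a"),                # loop
    ("/contact/", "/contact-us"),
]
SAMPLE_FINAL_URLS = {"/", "/services", "/about", "/contact-us"}


def norm(path):
    """Treat /about and /about/ as the same URL; keep the root as '/'."""
    return path.rstrip("/") or "/"


def check_redirect_map(redirects, final_urls):
    """Return sorted (old_path, issue) pairs for a static old-to-new map check."""
    final = {norm(u) for u in final_urls}
    mapping, findings = {}, []
    for old, new in redirects:
        old, new = norm(old), norm(new)
        if mapping.setdefault(old, new) != new:
            findings.append((old, "conflict"))  # same source, two targets
    for old, new in mapping.items():
        if old in final:
            findings.append((old, "live-source"))  # would hide a real page
        seen, cur = [old], new
        while cur in mapping and cur not in seen:  # follow the redirects
            seen.append(cur)
            cur = mapping[cur]
        if cur in seen:
            findings.append((old, "loop"))
        else:
            if len(seen) > 1:
                findings.append((old, "chain"))  # should point straight at cur
            if cur not in final:
                findings.append((old, "missing-target"))  # not a final URL
    return sorted(findings)


if __name__ == "__main__":
    for old, issue in check_redirect_map(SAMPLE_REDIRECTS, SAMPLE_FINAL_URLS):
        print(f"{issue:15} {old}")
```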
Search engines are not the only audience. Buyers use review platforms, social previews, AI answer engines, maps, and local news sources to build trust. BrightLocal’s 2025 Local Consumer Review Survey found that just 4% of consumers say they never read online business reviews, and the same report found that 48% of US adults turn to local news outlets as sources for local business reviews. Your site handoff should protect the basic trust signals customers see before they ever submit a form.
5. Analytics, forms, and lead tracking
If the site cannot measure leads, the launch is not business-ready.
Analytics handoff should confirm that the business can see what matters: form submissions, phone clicks, appointment bookings, quote requests, ecommerce purchases, downloads, and traffic sources. Pageviews alone do not tell you whether the site is working.
Include:
- Google Analytics 4 access transferred.
- Google Tag Manager access transferred if used.
- Key events documented.
- Test form submissions completed.
- Form notification recipients confirmed.
- CRM integration tested.
- Call tracking tested if used.
- Thank-you pages or success states documented.
- Ad pixels documented.
- Cookie consent settings documented if used.
- Monthly reporting dashboard link shared.
- Baseline launch metrics recorded.
- UTM naming rules documented for campaigns.
Use official naming where possible. Google’s GA4 developer documentation says events measure user interactions on your website or app and are used by Google Analytics to create reports about your business. That is exactly why a lead form should be tracked as a key business action, not buried as a random pageview.
6. Performance, accessibility, and browser QA
This is the part that separates a polished launch from a pretty mockup.
Performance and accessibility should be checked before handoff because they affect users immediately. The 2025 Web Almanac performance chapter describes Core Web Vitals as user-centric metrics for loading performance, responsiveness, and visual stability. Google recommends good Core Web Vitals for Search success and general user experience. These are not vanity metrics.
Deliver:
- PageSpeed Insights or Lighthouse results for key templates.
- Core Web Vitals notes for homepage and major landing pages.
- Largest image issues fixed or documented.
- Mobile layout tested.
- Tablet layout tested if the audience uses tablets.
- Chrome, Safari, Firefox, and Edge spot checks completed.
- Form validation tested on mobile.
- Keyboard navigation checked.
- Color contrast checked.
- Missing alt text reviewed.
- Heading order reviewed.
- Cookie banner and popups checked for mobile usability.
- Error states reviewed.
- Uptime monitor configured if included.
Accessibility does not end with an automated scan. WebAIM notes that automated tools have limitations and that absence of detected errors does not mean a page is accessible or conformant. Still, automated checks catch enough common mistakes that skipping them is hard to defend.
7. Security, privacy, and maintenance
The handoff should answer one uncomfortable question: what happens after launch?
If nobody owns updates, backups, monitoring, and support, the site starts aging the day it goes live. That is especially risky for CMS sites with plugins, contact forms, user accounts, payment tools, or customer data.
The final handoff should include:
- Backup schedule documented.
- Update responsibility assigned.
- Support plan, response times, and escalation path agreed.
Those three items look simple, but they carry a lot of weight. IBM’s 2025 Cost of a Data Breach Report found the global average breach cost was USD 4.44 million. Cloudflare reported that it blocked more than 20 million DDoS attacks in Q1 2025, a 358% year-over-year spike. A small business site may not be the headline target, but the same operational basics matter: patched software, limited admin access, tested backups, and someone accountable when things break.
Privacy belongs here too. The FTC’s business guidance on protecting personal information tells businesses to pay particular attention to sensitive data and limit access to employees with a need to know. If your forms collect names, emails, phone numbers, quote details, health information, financial information, or customer files, the handoff should document where that data goes and who can access it.
Website handoff red flags
If you’re a business owner, watch for these signs that the handoff is not ready:
- The agency owns the domain and will not transfer it.
- Nobody can explain where leads are stored.
- Analytics is installed, but no lead events are configured.
- Redirects are promised, but no redirect map exists.
- The site has no documented backup plan.
- Admin accounts are shared by multiple people.
- The agency says accessibility, SEO, or performance will be handled later.
- There is no support plan after launch week.
One red flag may be fixable. Several at once usually means the project is being closed for the agency’s convenience, not the client’s success.
Agency handoff template you can copy
Here is a simple structure agencies can use for every handoff packet:
1. Executive summary
List the launch date, project scope, primary contacts, hosting setup, CMS, and any items that need follow-up.
2. Account ownership
Document every account, owner, billing contact, renewal date, and access level. Do not include raw passwords in the document.
3. Technical documentation
Include repository, hosting, deployment, staging, plugins, integrations, licenses, and known limitations.
4. Marketing documentation
Include final URLs, redirects, metadata, sitemap, Search Console, analytics, key events, form routing, and reporting links.
5. Training materials
Include recordings, written instructions, and a short list of safe routine edits.
6. Maintenance plan
Define updates, backups, monitoring, support response times, emergency process, and monthly responsibilities.
That packet can be lean. It just cannot be vague.
FAQ: website handoff
When should website handoff start?
Start handoff planning before launch, not after. Access, redirects, analytics, CMS training, and support responsibilities should be reviewed during final QA so problems can be fixed before the public launch.
Who should own the domain name?
The business should own the domain name. An agency can manage DNS or technical settings, but the legal and billing ownership should sit with the business whenever possible.
Should the agency keep admin access after launch?
Only if there is an active support or maintenance agreement. If not, agency access should be removed or downgraded after a short closeout period. Shared admin accounts are a bad habit.
What is the biggest website handoff mistake?
The biggest mistake is treating handoff as a goodbye email. A real handoff transfers control, documents risk, confirms measurement, and gives the business a clear path for support.
Make the launch easier to own
A website should not become a mystery box the day it goes live.
If you’re planning a redesign, migration, or new business website, build the handoff into the project scope from the start. It protects your SEO, your lead flow, your data, and your team’s sanity.
Need a website partner who documents the details instead of disappearing after launch? Start here and we’ll help you build a site your business can actually own.
Richard Kastl
Founder & Lead Engineer
Richard Kastl has spent 14 years engineering websites that generate revenue. He combines expertise in web development, SEO, digital marketing, and conversion optimization to build sites that make the phone ring. His work has helped generate over $30M in pipeline for clients ranging from industrial manufacturers to SaaS companies.