Website management begins before you touch the site. The handover - or handoff, as it's known in the US - whether from a previous agency, a client's internal team, or a departing colleague, determines whether future operations will feel calm or chaotic.
Inadequate handovers create months of frustration: mysteries about why configurations exist, missing credentials discovered during emergencies, undocumented dependencies that break unexpectedly, and clients asking questions you can't answer because the information wasn't transferred. A thorough pre-management audit conducted before accepting responsibility helps identify gaps in this documentation early.
This checklist provides a framework for three scenarios:
- Outgoing handovers: You built the site, someone else manages it
- Incoming audits: You're accepting management of an existing site
- Internal transitions: Team members change, clients transfer between account managers
It's comprehensive, intentionally. Not every item applies to every situation, but the checklist prevents critical gaps that convert manageable websites into mysterious problems. As agencies quickly learn, what happens after a website goes live determines its long-term success.
Key Takeaways
- Inadequate handovers are one of the most common sources of ongoing agency stress - missing credentials, undocumented dependencies, and unclear configurations create problems that last for months or years.
- A comprehensive handover checklist covers access credentials, technical architecture, operational history, performance configurations, and client relationship expectations - not just login details.
- Handover documentation should be treated as a project deliverable and built into timelines from the start, not rushed as a final step before delivery.
- Agencies taking over a site they didn't build should conduct a site audit before accepting full management responsibility - gaps in documentation mean higher future costs that should be scoped explicitly.
- Well-documented sites transfer knowledge from individuals to systems, reducing dependency on any single person's memory and making team transitions far smoother.
- Platform-specific handovers for Shopify, Webflow, and managed services have unique requirements beyond the core checklist - dedicated checklists for each are included below.
I. Access & Credentials Foundation
Operations depend on access. Missing credentials block routine tasks and convert simple changes into expensive delays.
1. Hosting Account Access
- Primary hosting provider and account credentials
- Hosting plan details (resources, renewal date, costs)
- FTP/SFTP credentials with correct permissions
- SSH access if applicable
- Hosting control panel access (cPanel, Plesk, custom dashboards)
- Server location and configuration details
2. Domain Management Access
- Domain registrar and account credentials
- Domain renewal date and auto-renewal status
- DNS management access
- Current DNS records and their purposes
- Email routing configurations
- Subdomain setup and purposes
3. CMS/Platform Access
- Admin credentials with appropriate permission levels
- Multi-factor authentication setup and recovery options
- User roles and current active users
- Access history if security-sensitive
4. External Service Accounts
- Email service provider (transactional emails, newsletters)
- Analytics platforms (Google Analytics, etc.)
- CDN or performance services
- Backup services
- Security/monitoring services
- Form handling services
- Payment processor accounts
- Social media management tools
- SEO tools with ongoing subscriptions
5. Third-Party Integration Credentials
- API keys and secrets
- OAuth connections and refresh tokens
- Webhook URLs and authentication
- Integration documentation or setup notes
Because credentials are gathered gradually during a project and rarely documented formally as they're set up. By the time handover arrives, some credentials exist only in the original developer's password manager, some have changed without being updated anywhere, and some were never written down because the developer assumed they'd always be managing the site. This is the most consistently painful gap in website handovers - and the easiest to prevent with a simple running log from day one.
II. Technical Architecture Documentation
Understanding how the site is built determines how safely and effectively you can maintain it.
6. Platform & Stack Details
- CMS or framework (WordPress, Webflow, Shopify, custom, etc.)
- Version information
- Hosting environment (shared, VPS, dedicated, managed WordPress, etc.)
- PHP/Node/Python version and requirements
- Database type and version
- Server software (Apache, Nginx, etc.)
7. Theme/Template Information
- Theme name and version
- Whether it's premium, custom, or free
- Theme documentation or support access
- Customization approach (child theme, direct edits, page builder)
- License information for premium themes
8. Plugin/Extension/Module Inventory
- Complete list of active plugins/extensions
- Purpose of each (not always obvious from names)
- Premium plugins requiring licenses or renewals
- Custom-developed plugins
- Plugins with known compatibility concerns
- Inactive plugins still installed (and why they're retained)
9. Custom Code Documentation
- Custom functionality beyond standard plugins
- Code location (theme functions, custom plugins, etc.)
- Purpose and behavior of custom code
- Dependencies (libraries, external APIs)
- Known limitations or edge cases
10. Database Structure & Customizations
- Custom tables beyond standard CMS tables
- Database access credentials
- Backup and restore procedures
- Size and growth patterns
- Cleanup or maintenance requirements
III. Operational Procedures & History
How the site has been managed informs future decisions. History reveals patterns, problems, and working solutions.
11. Update History & Procedures
- Update frequency and timing (when updates are applied)
- Testing process before production updates
- Staging environment availability and access
- Problematic updates encountered previously
- Items deliberately not updated (and why)
12. Backup Systems & Verification
- Backup solution in use (host, plugin, external service)
- Backup frequency and retention period
- What's backed up (files, database, both)
- Backup storage location and access
- Most recent successful backup verification
- Tested restore procedure documentation
13. Security Measures & Incident History
- Security plugins or services active
- Firewall configurations
- Login attempt protections
- SSL certificate provider and renewal process
- Previous security incidents and how they were resolved
- Known vulnerabilities or security concerns
14. Monitoring & Alert Systems
- Uptime monitoring setup
- Performance monitoring tools
- Error logging and notification systems
- Who receives alerts and how
- Alert response procedures
These automated systems complement manual weekly maintenance checks to ensure comprehensive site health monitoring.
15. Maintenance History
- Recurring problems and their patterns
- Recent major changes or migrations
- Workarounds implemented for ongoing issues
- Performance optimizations applied
- Recent support tickets and resolutions
IV. Performance & Optimization Configuration
Performance configurations affect update behavior, troubleshooting difficulty, and user experience. Changes without understanding existing optimization can break functionality.
16. Caching Configurations
- Page caching method (plugin, server-level, host-managed)
- Object caching if implemented
- Browser caching rules
- Cache exclusions (dynamic pages, logged-in users, etc.)
- Cache clearing procedures and frequency
17. CDN Setup
- CDN provider and account access
- What's served through CDN (all assets vs. selective)
- CDN configuration details
- Cache purging procedures
- Cost structure and usage limits
18. Database Optimization
- Database cleanup schedules
- Query optimization implementations
- Indexing customizations
- Database size management approach
19. Image & Media Management
- Image optimization method (plugin, external service, manual)
- Media library organization approach
- External media storage (S3, etc.) if applicable
- Lazy loading implementations
- Media backup procedures
Understanding these optimization configurations prevents accidental performance degradation and connects to the quiet responsibilities that start after a site goes live.
V. Content & SEO Infrastructure
Content structure and SEO configurations affect both user experience and search performance. Changes require understanding existing structure.
20. SEO Configuration
- SEO plugin/tool in use
- XML sitemap location and generation method
- Robots.txt configuration
- Structured data implementations
- Canonical URL rules
- Redirect rules and their purposes
- Google Search Console and Bing Webmaster Tools access
21. Content Structure & Backup
- Content types beyond standard posts/pages
- Taxonomy structure (categories, tags, custom taxonomies)
- Custom fields and meta data usage
- Content migration history if applicable
- Editorial workflow or approval processes
22. User Roles & Permissions
- Custom user roles beyond defaults
- Permission customizations
- Users with admin access and their purposes
- User management procedures
VI. Client-Specific Configurations
Every site has unique requirements. Client-specific configurations often cause the most confusion during transitions because they're not standard or obvious.
23. Forms & Lead Capture
- Form plugin or service in use
- Form submission routing (where notifications go)
- Form data storage (database, external service, both)
- Spam protection methods
- Required field validation rules
- Form backup or export procedures
24. E-commerce Configurations (if applicable)
- E-commerce platform (WooCommerce, Shopify, custom)
- Payment gateway configuration
- Tax calculation methods
- Shipping configuration
- Inventory management approach
- Order fulfillment workflow
- Abandoned cart handling
25. Email Systems
- Transactional email configuration (SMTP, service)
- Newsletter/marketing email integration
- Email template customizations
- Email deliverability monitoring
26. External Integrations
- CRM integrations
- Marketing automation connections
- Social media feeds or sharing
- Live chat implementations
- Booking or scheduling systems
- Custom API integrations
27. Scheduled Tasks & Automation
- Cron jobs or scheduled tasks
- Automated content publishing
- Automated reports or notifications
- Background processing tasks
VII. Legal & Compliance Considerations
Legal and compliance requirements vary by industry, location, and client type. Violations create liability regardless of handover quality.
28. Privacy & Data Protection
- Privacy policy status and requirements
- Cookie consent implementation (GDPR, CCPA compliance)
- Data retention policies
- User data export/deletion procedures
- Third-party data sharing configurations
29. Accessibility Status
- Accessibility compliance level target (WCAG 2.1 A, AA, AAA)
- Known accessibility issues
- Accessibility testing tools or audits performed
- Required compliance (ADA, Section 508, etc.)
30. Legal Requirements
- Industry-specific compliance needs (HIPAA, PCI-DSS, etc.)
- Terms of service and legal page status
- Content licensing or attribution requirements
- Age restrictions or geographic limitations
VIII. Client Relationship & Expectations
Technical handovers without relationship context create client friction. Understanding expectations and communication patterns prevents misunderstandings.
31. Service Scope & SLA
- What's included in ongoing management
- Response time expectations
- Update schedules and procedures
- Emergency support availability
- Out-of-scope work boundaries
32. Communication Protocols
- Primary client contact information
- Preferred communication methods
- Communication frequency expectations
- Escalation procedures
- Reporting requirements
33. Budget & Financial Arrangements
- Monthly/annual fee structure
- What's included vs. billed separately
- Payment schedule and method
- Cost limits for work without approval
- Budget for external services (hosting, licenses)
34. Known Client Preferences
- Update timing preferences
- Notification preferences
- Risk tolerance (aggressive vs. conservative updates)
- Design change sensitivity
- Feature requests or wishlist items
IX. Future Planning & Roadmap
Understanding planned changes affects maintenance decisions.
35. Planned Updates or Changes
- Known upcoming feature needs
- Scheduled redesigns or major updates
- Platform migration considerations
- Integration plans
- Growth expectations and scaling considerations
36. Known Issues & Technical Debt
- Documented problems not yet resolved
- Workarounds currently in place
- Needed refactoring or cleanup
- Deprecated code or plugins
- Security concerns requiring eventual attention
X. Handover Meeting & Knowledge Transfer
Documentation alone isn't sufficient - verbal transfer catches context that written docs miss. The output of this meeting is your website handover document: a reference pack the incoming team or client keeps for future use.
37. Structured Handover Meeting
- Walkthrough of actual site (not just documentation review)
- Demonstration of common tasks
- Discussion of past problems and solutions
- Questions about unusual configurations
- Clarification of ambiguous documentation
- Record the session via Loom or screen recording for asynchronous reference after the meeting
38. Transition Period Support
- Availability for questions after handover
- Escalation path for unforeseen issues
- Timeline for transition support
- Documentation of transition support boundaries
Platform-Specific Website Handover Checklists
The core checklist above applies to all websites. But specific platforms have unique handover requirements that catch teams off guard. Here are focused checklists for the most common platforms agencies work with.
Shopify Website Handover Checklist
Shopify handovers are among the most documentation-heavy because of the payment, tax, and fulfilment configurations involved. The top question agencies receive is: what documentation is essential for Shopify handovers? The answer is more platform-specific than most expect.
- Shopify owner transfer: Use Shopify's "Transfer store ownership" feature - adding a staff account is not the same as transferring ownership
- Payment gateway configuration: Stripe, PayPal, or Shopify Payments settings, webhook URLs, payout bank account details, and saved card data handling notes
- Tax configuration: All tax zones, rates, and override rules - especially critical for businesses selling across multiple countries or US states
- Shipping profiles and carrier accounts: All carrier-calculated and manual rates, zones, weight-based rules, and connected carrier accounts (UPS, FedEx, etc.)
- Installed apps and subscriptions: Every app, what it does, its monthly cost, and what breaks or stops if it's removed or cancelled
- Theme files and Liquid customisations: Access to the theme editor, any custom Liquid code, original theme files if custom code was added, and theme version history
- Product metafields and custom data: All metafield definitions, their namespaces, and how they render on the storefront
- Domain and DNS settings: Shopify-managed vs. external domain configuration, email forwarding, and any subdomain setups
- Email notification templates: All customised order confirmation, shipping, abandoned cart, and return email templates
- Analytics and pixel configuration: Google Analytics 4, Meta Pixel, TikTok Pixel event tracking setup, and any GTM container configuration
- Fulfilment setup: Third-party logistics (3PL) connections, fulfilment service accounts, and dropshipping supplier integrations
Beyond standard credentials, Shopify handovers must document: store ownership transfer via Shopify's official transfer feature, payment gateway webhook URLs, complete tax zone rules, all shipping profiles, every installed app with subscription costs and dependencies, and custom Liquid theme code. Payment and tax configuration errors after handover are the most costly and disruptive issues for Shopify stores.
Webflow Agency Handover Checklist
When a Webflow agency transfers a site to a client's internal team, the knowledge gap is often significant. The internal team inherits a powerful platform they may not have used before. These are the items that make or break a Webflow agency handover to an internal team.
- Workspace ownership transfer: Transfer site ownership to the client's Webflow workspace - being a collaborator is not the same as being the owner
- Hosting plan and billing transfer: Document the hosting tier and confirm billing transfers fully to the client, including any custom domain billing
- CMS collections documentation: Map every CMS collection, its fields, field types, and exactly how each renders on the frontend - essential for clients managing blog posts, team members, or product listings
- Style guide and class naming: Document the component library, class naming conventions, and global swatches so the internal team can make consistent edits without breaking the design system
- Interactions and animations: List all custom Webflow interactions, what triggers them (scroll, page load, click, hover), and which elements are connected - these break if the element is moved
- Custom code embeds: Document every custom code block (head, body, page-level), what it does, and whether it requires any external accounts or API keys
- Form submissions and integrations: Where form submissions go (Webflow native, Zapier, Make, direct CRM integration) and how to access or export them
- Ecommerce configuration: Payment gateway, order notification email routing, tax zone setup, and any custom fulfilment logic
- Editor access training: Record a Loom walkthrough showing the internal team how to edit CMS items, add new pages, and publish changes without breaking the design
- What NOT to touch: Flag sections built with advanced techniques that are fragile - complex nested CMS structures, Finsweet attributes, or interactions tied to specific element names
Managed Services and IT Infrastructure Handover Checklist
Managed services handovers - where an IT provider or MSP is transferring service responsibility to an in-house IT manager or incoming provider - require infrastructure-level documentation beyond typical website handovers.
- Server and infrastructure documentation: Hosting provider, server specifications, OS version and patch level, control panel access (cPanel, Plesk, custom)
- Network and DNS configuration export: Full DNS record export, nameserver details, any CDN or proxy layer (Cloudflare, Fastly, AWS CloudFront)
- SSL certificate management: Certificate authority, renewal process, whether it's auto-renewing (Let's Encrypt vs. paid), and expiry dates for all certificates
- Monitoring and alerting configuration: Uptime monitor setup, performance alert thresholds, error log alert recipients, and escalation runbook
- Backup configuration and last verified restore: What's backed up, backup storage provider, retention schedule, and date of last successful restore test
- Security configurations: Firewall rules, fail2ban or IP allowlist configuration, login attempt rate limits, 2FA enforcement policy
- SLA and service scope document: What the managed service covers, response time commitments, on-call procedures, and what is explicitly out of scope
- Vendor and licence inventory: All third-party services with contracts, renewal dates, costs, and account login credentials
- Runbooks for common procedures: Step-by-step guides for routine tasks such as deployments, rollbacks, cache clears, and database maintenance
Website Handoff Checklist for Small Business
If you're a small business owner receiving your website from a freelancer or departing agency, this website handoff checklist covers the 10 essentials you must get before your developer or designer moves on. You don't need the full 38-item checklist above - just these, and you're protected. Missing any of these creates serious problems later.
The 10 Must-Haves for a Small Business Website Handoff
- Domain registrar login: The account where your domain name is registered (GoDaddy, Namecheap, Google Domains, etc.). If you can't access this, you can lose your domain at renewal time.
- Hosting account login: The account where your website files live. Needed for renewals, backups, file access, and emergency recovery.
- Website admin login: Your WordPress admin, Shopify owner account, Wix account, or other CMS credentials - with full admin rights, not just editor access.
- Google Analytics and Search Console access: Add yourself as an admin on both platforms using your own Google account. Do not rely only on your agency's access.
- SSL certificate status: Confirm it's active and set to auto-renew. An expired SSL takes your site offline and damages search rankings.
- Backup confirmation: Confirm backups are running, where they're stored, and how to restore from them. Test a restore before the handoff is complete.
- Plugin and theme licence keys: Premium plugins and themes require licence keys to receive security updates. Missing these means your site stops receiving security patches.
- Contact form routing: Confirm where form submissions go, and test the form yourself to verify it works and sends to an active email address.
- All connected tool accounts: Any CRM, email marketing, booking, live chat, or payment tool connected to the site - with working login credentials.
- A recorded walkthrough: Ask your developer to record a 15-minute Loom or Zoom walkthrough showing how to make basic content edits. This saves dozens of support calls later.
None - they refer to the same process. "Handoff" is the US English term, used widely by American web designers, developers, and agencies. "Handover" is the UK and Australian English equivalent. Both describe transferring website ownership, access, and documentation from one party to another. This page uses both terms interchangeably.
Using This Website Handoff Checklist in Practice
For Outgoing Handovers (Sites You Built):
Use this checklist during project closure to ensure complete knowledge transfer. Complete it before the final client meeting, not during rushed last-minute preparations. Treat it as part of project completion, not an afterthought.
For Incoming Audits (Sites You're Accepting):
Use this checklist during sales/discovery before committing to management. Missing items aren't necessarily deal-breakers, but they inform effort estimation and pricing. Some items missing = standard onboarding. Most items missing = either refuse the client or charge for site reconstruction before management begins.
For Internal Handovers (Team Transitions):
Use this when team members change or clients transfer between account managers. Prevents knowledge loss during team evolution.
Adapting the Checklist
This checklist is comprehensive, not prescriptive. Adapt it:
- Small simple sites may not need every item
- Complex applications may need additional platform-specific items
- Your agency's standards might make some items redundant (if you always use X backup solution, no need to document it per-site)
- Some clients have unusual requirements needing custom additions
The goal isn't checklist compliance, it's ensuring whoever manages the site next (including future-you) has the information needed for calm, effective operations.
The Completeness Reality Check
Complete handovers are rare. Even agencies following checklists systematically often discover gaps months later. Perfection isn't the goal, significant improvement over ad-hoc handovers is.
A handover covering 80% of this checklist is excellent. A handover covering 50% is acceptable for many contexts. A handover covering 20% creates problems. No handover creates chaos.
The checklist exists to raise the floor from "we'll figure it out" to "we have most of what's needed and know what's missing."
The Post-Handover Refinement
Good agencies refine handover documentation throughout the management phase. When something undocumented causes problems, it gets documented immediately. The handover becomes a living document that improves based on operational experience.
This refinement benefits:
- Future team members who inherit the client
- The client if they later change agencies
- The agency's understanding of effective handover practices
Common Handover Failures
Most inadequate handovers fail in predictable ways:
- Credential rot: Passwords documented but changed later without updating docs
- Assumption documentation: "It's just a standard WordPress setup" (it never is)
- Personal knowledge: Information in someone's head, not captured anywhere
- Process invisibility: Automated tasks running without anyone knowing they exist
- Integration blindness: External services connected without documentation
- History amnesia: No record of why decisions were made or problems encountered
This checklist addresses these failure modes through structured, comprehensive documentation.
Personal knowledge - information that exists only in someone's head and is never captured anywhere. When the person leaves, that knowledge leaves with them. Reconstructing it takes significant time and often involves making educated guesses about why certain configurations exist. Agencies that document reasoning alongside decisions - not just what was done, but why - avoid this entirely.
The Business Case for Thorough Handovers
Investing time in complete handovers reduces long-term costs:
- Faster troubleshooting (information is documented, not rediscovered)
- Reduced errors (understanding configurations prevents mistakes)
- Smoother team transitions (knowledge isn't person-dependent)
- Better client service (faster responses, fewer "we'll have to research that" delays)
- Reduced stress (confidence from understanding vs. anxiety from mystery)
The handover time investment is measured in hours. The operational efficiency gain is measured in years. The ROI is obvious once agencies track the cost of inadequate handovers.
When an agency can answer client questions quickly, troubleshoot issues without delay, and onboard new team members without visible disruption, clients experience that as professionalism. They don't see the documentation behind it - they feel the calmness it produces. Good handover practices are therefore a client-facing quality differentiator, not just an internal operational preference.
Conclusion: Handover as Investment
Website handovers aren't administrative tasks to rush through, they're investments in operational sustainability. Every hour spent documenting during handover saves dozens of hours troubleshooting, researching, and reconstructing knowledge later.
Agencies that treat handovers as essential project components rather than optional paperwork operate more calmly, serve clients better, and accumulate manageable portfolios rather than mysterious collections of sites held together by tribal knowledge and luck.
The difference between stressed agencies constantly firefighting and calm agencies managing predictably often traces back to systematic handover practices implemented consistently across all clients.
Build a Handover System That Actually Works
NoCodeVista helps agencies create websites designed for stable management and smoother handovers - so every site transfer is a strength, not a liability.
Explore NoCodeVistaFrequently Asked Questions About Website Handovers
1. Isn't this checklist too extensive for small, simple websites?
Yes, if applied rigidly. The checklist serves as a comprehensive reference, use relevant sections for each project. A five-page site needs less documentation than a custom application. But even simple sites benefit from basic documentation: hosting access, update history, backup verification, and client expectations matter regardless of site complexity.
2. What if the previous agency won't provide thorough handover information?
Common problem. Options include: (1) Charge the new client for site archaeology and reconstruction, (2) Refuse the client unless they can obtain better information, or (3) Accept the client with clear communication that incomplete information means higher costs and longer troubleshooting times initially. Never accept inadequate handovers while promising standard service.
3. How do agencies balance thorough handovers with project timelines and budgets?
By treating handover documentation as a project deliverable, not an afterthought. Build handover time into project estimates from the start. Document throughout development, not during final rush. Use templates and checklists to standardize documentation work. The cost is real but necessary, underfunding handovers creates larger future costs.
4. Should agencies charge separately for comprehensive handovers?
Depends on positioning. Some agencies include thorough handovers in project pricing as a quality differentiator. Others explicitly itemize handover work to make the value visible. Either approach works if handover time is realistically accounted for in pricing. What doesn't work: promising thorough handovers while not budgeting time to create them.
5. How often should handover documentation be updated after initial transfer?
Whenever significant changes occur: major updates, new integrations, configuration changes, security incidents, or process modifications. Good practice: quarterly review of documentation accuracy, updating anything that's drifted from reality. Handover docs should always be current enough that they'd be useful if the site transferred tomorrow.
6. What documentation is essential for a Shopify website handover?
Beyond the standard credentials (hosting, domain, analytics), Shopify handovers require: store ownership transfer via Shopify's official transfer feature, payment gateway configuration including webhook URLs, complete tax zone rules, all shipping profiles, every installed app with subscription costs and dependencies, and custom Liquid theme code documentation. Payment and tax configuration errors after handover are the most costly and disruptive issues for Shopify stores.
7. What should an IT manager ask for during a website handover?
An IT manager receiving a website from an agency or outgoing developer should ask for: full DNS record export, SSL certificate details and renewal process, server and hosting documentation, backup configuration with last verified restore date, all monitoring and alerting setup, firewall and security configuration, complete vendor and licence inventory with renewal dates, and runbooks for common operational tasks like deployments and rollbacks. Infrastructure-level documentation is often overlooked in agency handovers that focus only on CMS credentials.
8. How long does a website handover take for a small business?
For a straightforward small business website, a proper handover should take 2-4 hours: 1-2 hours to prepare the documentation package and a 1-hour handover call to walk through everything together. Agencies that rush this to under 30 minutes almost always leave critical gaps. The 10-item small business checklist in this article covers the essentials efficiently without overwhelming a non-technical client.
