Post Installation Checklist


This idea of the checklist is to confirm that the site has been set up correctly. This is NOT a to-do list to build a Tendenci site. If you are hitting more than one or two errors, stop, and push it back to your developers and project manager. This is for quality control only.

For developers you will note that many of these tests can be done using unit tests or selenium which is a far better method than having a human verify these things. We can look at this as a list of tests that need to be written for Tendenci while acknowledging there will always be a human element to quality control.

Basic Functionality Testing

  1. Newsletter Sending has been tested

  • Instead of the settings for the regular emails, the newsletter has a separate set of the settings. In your site’s conf/, make sure you have the following settings set up.

    # To send newsletters via an SMTP server (example: mailgun):
    NEWSLETTER_EMAIL_HOST = '<email-host>'
    NEWSLETTER_EMAIL_PORT = <email-port>
    NEWSLETTER_EMAIL_HOST_USER = '<email-host-user>'
    NEWSLETTER_EMAIL_HOST_PASSWORD = '<email-host-password>'
    # OR
    # To send newsletters via Amazon SES:
    NEWSLETTER_EMAIL_BACKEND = "django_ses.SESBackend"
    AWS_ACCESS_KEY_ID = '<aws-access-key-id>'
    AWS_SECRET_ACCESS_KEY = '<aws-secret-access-key>'
    # Additionally, if you are not using the default AWS region of us-east-1,
    # you need to specify a region, like so:
    AWS_SES_REGION_NAME = 'us-west-2'
  • Then, set up a test group. Send a newsletter. Make sure content is coming through. Has footer content been customized?

  1. Email sending from site is tested and sender address is client’s email

  • Do a password reset and confirm you received the email

  1. Redirects have been tested

  • If they are using /redirects - click links in the list. Try in a new browser window when you are specifically NOT logged in.

  • Note the redirects module only redirects within the same site.

  1. 404 page has search bar (Debug=True is off)

  • Test the reflex. Make up a page that doesn’t exist example:(/blah/blah) and see what the result is. Note that example link has two slashes to see if the images break.

  1. The security, 403 page is working properly

  • Not logged in try to access a page that requires you to be logged in. Make sure you are prompted to login.

  1. Merchant account has been tested

  • Donation form is a good way to test /donations or use /py

Site Content Review

  1. Verify homepage is not pulling in demo/blank content. An example might be an auto feed from the photos module but no photos have been added.

  • twitter feed - verify it is using latest twitter embed code

  • facebook feed - make sure it is using latest FB embed iframe method or the site will run very slow waiting on FB

  1. Favicon and apple-touch-icon.png are logo

  2. Check Title Tag Spelling and Unique Meta and keywords on homepage.

  • Check “Site Display Name”, “Site Primary Keywords”, and “Site Secondary Keywords” first. These are located at /settings/site/global/

  • Do a view source to see what is pulling in for <title></title>.

  • Check for duplicate wording.

  • Danger You can override dynamic title tags in the theme editor: /theme-editor/?file=/templates/homepage.html but this is a terrible idea. Instead check your base.html file in theme, that homepage.html is extending from base. Then check that your homepage.html is doing a block.super either at the front or back of the title tag block in your homepage.

  1. Page titles are H1’s on interior pages and no duplicate H1s on homepage or interior page

Contact and Custom Forms

  1. The “contact” form is one of the custom forms that is specified in the setting “Contact Form” /settings/site/global/#id_contact_form.

  • Check if the default Contact form has an email address in the “Send Copies To” field.

  1. Custom forms - a necessary evil. Verify all forms if used on the site are in “published” status

  • Logout. Make Sure you still see them. Submit form to test.

  • Test if admin receives notification as well.

  • Make sure “Send Copies To” field is filled out with an email address

  • Verify completion URL and/or submission text is updated to make sense for the site (no “lorem ipsum” etc)

Edit Default Data to Make Sense

To Repeat - this should already have been done because this is a QA checklist

  1. Unused Applications disabled in /admin/

  • Check if default users have email address ending in @<YOUR DOMAIN NAME>. Maybe delete them but be careful for deleting relational data.


  • Edit, don’t delete, default user groups. warning Edit/Don’t Delete.

  • Test pages edited to be relevant or possibly removed or set to draft where appropriate. (Recommended - Please check with project manager before deleting)

  1. Test invoices have been voided

  2. Images are using alt tags throughout the site

  3. Site has been checked in an html validator ( and on

  4. Optional: Test site speed (

  5. H2, H3 etc. subtitle tags are in place across the site

Site Settings

  1. Site URL field contains an url that starts with “www”

  • The canonical name must NOT be the apex/naked url. (This is BAD –> “” and so very 1990s. Do NOT do this.)

  • Do an nslookup and be sure apex “” forwards to “”

  • Do an nslookup to confirm is using a CNAME to a host and not the IP address. Verify your site is future proof.

  1. Site name is correct, spelled out and not abbreviated if possible.

  • there are exceptions but generally this is best practice.

  • Example: “California Dog Walking Association”

  1. Physical address is the actual physical address.

  • Required for email delivery by law.

  • Should match registered corporate or 501c address for SSL if possible

  1. Location setting is correct (and Time Zone).

  • this is important for reminders for events and merchant approvals

  1. Email - CRITICAL

  • Appropriate names and emails are set for administrator, contact, webmaster in site settings.

  • Default send email is set up in

  • Mail relay must have MX, SPF, DKIM records in DNS or email will not go through.

  • Domain must be verified through SES, or Mailgun or whatever your email relay server is.

Search Engine Visibility Site Settings

  1. HTML Sitemap is linked in the footer and is functioning properly

  2. RSS feed is referenced in HTML header (view source)

  3. check /robots.txt

  • if it is set to disallow all, update your site settings to make it public.

  • Make sure robots.txt links to your sitemap.xml file which is generated dynamically as well

  1. check /sitemap.xml to be sure it is updating and can be crawled by Google.

  2. Site Primary Keywords are set up

  • MUST NOT be the orgnaization’s name

  • Consequence is spammy titles like “NAME - NAME”

  • two to three words max with no commas

  • Example: “Leadership Training”

  • Note that these show up ON PAGES like articles list view so use proper case. They are not just used in metadata.

  1. Secondary Keywords are set up

  • Secondary keywords can use two to three commas max

  • Example: “dog walking, california dog walking, walking your dog in LA”

  • Don’t spam - should reflect what your site is about

  • Most modules have seo meta options at the bottom which override these on a per module or per page basis.

  1. Google Analytics is set up in site settings.

  • There is a field for the UA- code

  • If using google “tags” put javascript below the <body> tag in “base.html”

  • Direct further questions on this to forums or an SEO professional

Cross Browser Site Checking

Note - it is best to check your site with automated testing tools like Selenium but there is always a human element for formatting

  1. Browse site in

  • Firefox

  • Chrome

  • Safari

  • IE (gah!)

  • iPhones

  • Android Devices

  • iPad

  1. Themes for Tendenci are strictly Bootstrap3

  • you CAN use other frameworks in conjunction with it

  • use DIV IDs to avoid css conflicts if using other frameworks

  1. IE - We make little to no effort to support IE more than the current and previous version.

  • Example: If the current version of IE is 10, then Tendenci tries to support 10 and 9. Nothing further. (You can of course modify it to support older versions by doing a fork or submitting a pull request.)

  • Safari is getting to be more like IE so same policy - current and previous versions are the only ones we check.


  1. Check for Accessibility

  • Web Accessibility Measurement Tool

  • Note: The community’s goal is to make Tendenci 100% Accessible.

  1. Submit issues if you see something in core that is broken

  1. Not broken, but a pain? Submit on the forum.

  1. Talk to your developer if something in your theme is broken

Security Recommendations

  1. Recommended Check if web site is routing through a proxy IDS/IPS service

  • Securi is a low cost IDS/IPS that protects your site

  • Alert Logic has an AMI appliance that you can manage yourself

  1. Recommended Set your server to automatically install security updates

  2. Verify SSL configuration is correct

  • SSL we consider baseline although not everyone installs it unfortunately.

  1. Audit your site settings monthly

  • Frequently what looks like a security issue is a site setting.

  • Audit your site settings at least monthly

  1. Run the “administrators report”

  • remove security as needed

Security Awareness - YOU ARE RESPONSIBLE

  1. Check that all content on your site is licensed properly

  • know where the licenses are now and in the future.

  • Examples include but are not limited to images, content, video, audio, cat gifs, 3d monsters that jump out of your computer, etc.

  1. Tendenci is FOSS (Free/Open Source Software)

  1. YOU ARE RESPONSIBLE to confirm rights for anything uploaded to your site

  • Example: a user picks the password “12345678” that is guessed by a competitor and something inappropriate gets uploaded.

  1. Backups are your responsibility and strongly recommended.

  • Tendenci is not your typical software. This community pushes limits and moves fast. So sometimes things break. Use common sense.

  • You can download your database at /explorer/ on your site. If not enabled talk to your developer

  • You can create a static backup of your site by following the instructions on this blog post

  • You can arrange with your developer to have a scheduled backup of your site pushed to your own S3 bucket on Amazon via SSH.

  1. You, or your developer, are responsible to keep the code up to date to be sure you have the latest security patches.