A complete checklist for taking over a client's website from another agency.
Everything to capture, verify, and document on day one — before the old agency stops returning your emails.
The first 14 days after a website handover are the only window where you have leverage. The old agency is still half-responsible, still answering emails (mostly), and still has access if something breaks. Day 15 onward they go quiet, your access goes from "shared" to "yours, plus whatever they retained quietly," and any gaps in handover become your problem to find at 9pm on a Tuesday when something breaks.
What follows is a checklist for those first two weeks. It's long, deliberately. Skim it before the handover meeting, work through it during, and tick it off in week two. If you do nothing else from this list, do the first section — access. Everything else can be reconstructed; access can't.
Day 0–2
Access — the only thing you cannot recover later
The biggest risks live here. Lost access is sometimes unrecoverable, and the old agency's willingness to dig out forgotten credentials decays sharply after the handover meeting.
- Domain registrar — login credentials, recovery email, MFA codes.
- DNS provider — login, plus a screenshot of the current DNS zone before anything changes.
- Hosting / server — root or admin login for every server involved.
- CMS admin account — fresh admin account, not a shared one.
- All other admin accounts — list everyone with access. Demote everyone who shouldn't have it.
- Transactional email — Mailchimp, SendGrid, Postmark, Mailgun. API keys and account login.
- Payment processor — Stripe, PayPal, GoCardless. All production and test keys.
- Analytics — GA4, Google Tag Manager, Search Console, Bing Webmaster (don't forget Bing).
- Social accounts — if the agency posts on the client's behalf, you need access to schedule and respond.
- CDN / Cloudflare — login plus API tokens. Specifically check for active page rules, workers, or waiting-room configs.
- SSL certs — if not auto-renewed via Cloudflare or Let's Encrypt.
- Third-party services — chat widgets (Intercom, Drift), CRM (HubSpot, Salesforce), forms (Typeform, Tally), heatmaps (Hotjar, FullStory).
- Backups — where do they live, who has decryption keys, when did they last actually run.
Test every credential during the handover meeting. Roughly half of them won't work first time — wrong password, expired MFA, account belongs to someone who already left. The agency is still in the room; that's the only window to fix them.
Day 2–5
Baseline — so you can prove what was there
Once access is yours, lock in evidence of the current state. This is the bit most agencies skip and regret. The point of a baseline isn't documentation — it's leverage in the inevitable later conversation about what changed.
- Full site archive — every important page captured, screenshots plus HTML plus assets, timestamped. This is your evidence trail for everything that follows; if something breaks in week three, you need to know what was there in week one.
- robots.txt and sitemap.xml — saved copies. sitemap.xml changes silently as content moves, so you want a fixed baseline.
- Google Search Console performance — last 28 days and last 16 months exported as CSV.
- Google Analytics top-line — last 28 days exported, plus the audience / acquisition view for the last 12 months.
- Lighthouse / PageSpeed scores — for at least 5 key pages, with screenshots saved.
- Live forms — submit each one with a test address. Confirm the email lands where you expect.
- Live integrations — confirm every webhook, third-party callback, and scheduled job is firing.
- Tag Manager containers — export the current version as JSON.
- Custom code in the CMS — copy the contents of any custom scripts in functions.php, theme templates, or page-level injected scripts.
The "I'll get to this later" version of this list is a guaranteed three-month-later incident. Do it in week one when nothing's broken and the old agency is still answering questions.
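One way to make the baseline provable, as an added example that is not from the original article: hash every captured file into a timestamped manifest, then diff a later capture against it. The file names and contents in `demo()` are constructed samples.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Hash every file under root and record when the capture was taken."""
    files = {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }
    captured = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {"captured_at": captured, "files": files}


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report which captured files were added, removed or changed."""
    old, new = baseline["files"], current["files"]
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def demo() -> dict:
    """Constructed capture: baseline in week one, re-check in week three."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "robots.txt").write_text("User-agent: *\nDisallow: /admin/\n")
        (root / "sitemap.xml").write_text("<urlset><url><loc>https://example.com/</loc></url></urlset>")
        (root / "gtm-container.json").write_text(json.dumps({"containerVersion": "constructed"}))
        baseline = build_manifest(root)

        # Week three: robots.txt now blocks everything, the GTM export is
        # missing, and a new page-level script has appeared.
        (root / "robots.txt").write_text("User-agent: *\nDisallow: /\n")
        (root / "gtm-container.json").unlink()
        (root / "injected-script.js").write_text("console.log('constructed');\n")
        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the week-one manifest somewhere the old agency cannot write to, so the hashes stay usable as evidence.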
Day 5–10
Risk surface — what the old agency might not tell you
Some things they're not actively hiding — they just won't volunteer.
- Outstanding contractor or freelancer access — anyone still logged in who shouldn't be.
- Subdomains in use — staging.client.com, dev.client.com, old.client.com — each has its own auth, certificates, and security surface.
- Legacy redirects — the previous redesign probably left dozens. Broken ones tank SEO.
- Paid plugins/extensions — licence keys, renewal dates, whose credit card they're on.
- Anything custom — bespoke code, custom themes, scheduled scripts, cron jobs. Get the source or you can't change it.
- Authentication audit — who has 2FA enabled vs who just has a password. Reset everyone you don't trust.
- API keys exposed in client-side code — a quick "view source" on a few important pages turns up surprising things.
- robots.txt restrictions — anything blocked from search engines that shouldn't be.
- Cookie consent / GDPR setup — is it working, who configured it, where is it managed.
- Server-side scheduled tasks — cron jobs, queued workers, anything not visible from the CMS.
Most of these become incidents at 11pm on a Tuesday a month after handover.
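An added example (not part of the original checklist) of the "view source" check for exposed API keys, run over saved page source so findings land in the risk-surface summary. The key formats are commonly documented vendor prefixes and are assumptions here; the sample page and keys are constructed.

```python
import re

# Commonly documented key formats (assumed; vendors can change them).
# Only server-side secrets are listed: Stripe publishable keys (pk_live_...)
# are public by design and are deliberately not flagged.
SECRET_PATTERNS = {
    "stripe_secret_key": re.compile(r"\b[sr]k_live_[0-9A-Za-z]{24,}"),
    "sendgrid_api_key": re.compile(r"\bSG\.[0-9A-Za-z_-]{22}\.[0-9A-Za-z_-]{43}"),
    "mailgun_api_key": re.compile(r"\bkey-[0-9a-f]{32}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def scan_source(name: str, text: str) -> list[dict]:
    """Return one finding per secret-shaped string, with the value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                # Keep only enough to locate the key in the vendor dashboard,
                # so the report itself does not leak the secret again.
                redacted = value[:8] + "..." + value[-4:]
                findings.append({"file": name, "line": lineno,
                                 "kind": kind, "redacted": redacted})
    return findings


# Constructed sample values; none of these is a real key.
FAKE_SECRET = "sk_live_" + "A1b2" * 6
FAKE_PUBLISHABLE = "pk_live_" + "C3d4" * 6
FAKE_SENDGRID = "SG." + "x" * 22 + "." + "y" * 43
SAMPLE_PAGE = f"""<html><head>
<script>var stripe = Stripe("{FAKE_PUBLISHABLE}");</script>
<script>
  // left over from a debugging session
  fetch("/charge", {{headers: {{Authorization: "Bearer {FAKE_SECRET}"}}}});
  var mailKey = "{FAKE_SENDGRID}";
</script></head></html>"""

if __name__ == "__main__":
    for finding in scan_source("index.html", SAMPLE_PAGE):
        print(finding)
```

Any key this turns up should be rotated at the provider, not just deleted from the page, because it has already been served to every visitor.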
Day 10–14
Monitoring — the bit that actually pays back
Set up the watching infrastructure. The handover is the only time you'll have undivided attention and pristine data to baseline against.
- Daily change monitoring on the homepage, pricing page, and top ten SEO landing pages. AI-summarised digest to a shared inbox you check daily.
- A fortnightly archive of every page that matters legally — privacy, T&Cs, contact, pricing. Replayable, timestamped. This is the bit that wins disputes later.
- Uptime monitoring — at least the homepage and one key transactional page.
- Search Console weekly digest — flag sharp ranking drops within the week they happen, not the month.
- Analytics anomaly alerts — at minimum, traffic drops over 30% week-on-week.
- A standing agenda item in your first three client meetings: "anything strange you've noticed."
If this looks like a lot of monitoring, it is. Most agencies don't do it, and most takeovers have a "what changed?" moment in the first six months. Pre-empting that conversation by having the data is the cheapest insurance policy in agency work.
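The "traffic drops over 30% week-on-week" alert, as an added example that is not from the original article. It works on a daily sessions export and skips incomplete weeks, which otherwise always look like a drop; the sample data is constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

DROP_THRESHOLD = 0.30  # the checklist's "over 30% week-on-week"


def weekly_totals(daily: dict[date, int]) -> dict[date, int]:
    """Sum sessions per week (keyed by its Monday), keeping only full weeks."""
    totals, days_seen = defaultdict(int), defaultdict(int)
    for day, sessions in daily.items():
        monday = day - timedelta(days=day.weekday())
        totals[monday] += sessions
        days_seen[monday] += 1
    # A partial week always looks like a drop, so it is excluded.
    return {wk: totals[wk] for wk in sorted(totals) if days_seen[wk] == 7}


def traffic_alerts(daily: dict[date, int]) -> list[tuple[date, float]]:
    """Return (week_start, fractional_drop) for weeks that fell past the threshold."""
    weeks = weekly_totals(daily)
    starts = list(weeks)
    alerts = []
    for prev, cur in zip(starts, starts[1:]):
        if cur - prev != timedelta(days=7) or weeks[prev] == 0:
            continue  # gap in the export, or nothing to compare against
        drop = 1 - weeks[cur] / weeks[prev]
        if drop > DROP_THRESHOLD:
            alerts.append((cur, round(drop, 3)))
    return alerts


def sample_export() -> dict[date, int]:
    """Constructed data: two steady weeks, one bad week, one partial week."""
    start = date(2024, 1, 1)  # a Monday
    per_day = [100] * 7 + [95] * 7 + [60] * 7 + [60] * 3
    return {start + timedelta(days=i): n for i, n in enumerate(per_day)}


if __name__ == "__main__":
    print(traffic_alerts(sample_export()))
```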
Day 14
Document and hand to client
Everything above goes into one shared document. This is partly defensive (you need a record) and partly offensive (it's a strong artifact that the client received from you in week two, demonstrating competence).
- Master credentials list — encrypted, in 1Password or Bitwarden, shared with the client.
- Risk-surface summary — what you found, what you fixed, what's still outstanding.
- Baseline metrics — current Google performance, Lighthouse scores, traffic levels.
- Monitoring setup — what's being watched, where alerts go, how often you'll report.
- Roadmap items — what needs doing in the first 90 days.
Email this to the client and the previous agency on day 15. The previous agency's silence on follow-up emails is your sign the handover is complete. If they correct anything in your document, that's free information; if they don't, you have a record of what they were silent about.
The one mistake nobody warns you about
The handover document the previous agency sends will be incomplete. Not always deliberately — often just because they forgot they had a script running on a £5/month VPS three years ago, or that a freelancer they used in 2022 still has admin access, or that the contact form actually fires through a Zapier they set up routed to a personal Gmail.
You won't find these things by asking. You find them by working through the checklist above. Every agency takeover hides one or two of these surprises. The good news: working the checklist surfaces them within two weeks, when the previous team is still vaguely responsible. The bad news: skip the checklist and you find them six months later, in production, on a Friday.
This is a long list. Print it. Tick boxes. Done in week one beats discovered in week ten.