Internal
Ops checklist
For Cloudflare Access–protected admin use. No data entry required.
Release steps (staging → production)
- Confirm Stripe links open on Pricing and Cohorts.
- Confirm CSP headers are present (see browser devtools → Network → Response Headers).
- Confirm security.txt is reachable.
- Confirm sitemap.xml includes new pages.
- Merge staging → main, then promote main to production in Vercel.
- Security headers: verify `vercel.json` headers and review SECURITY_HEADERS.md.
Hacked WordPress recovery (for peopleunitedfoundation.org)
- Move DNS to Cloudflare (if not already) and lock down DNS + registrar
- Rotate WordPress admin passwords + hosting + SFTP/SSH
- Rebuild from clean backups (avoid restoring plugins/themes blindly)
- Prefer static portal for training domain; keep WordPress only if you need CMS
This portal avoids logins/DBs and reduces attack surface compared to WordPress.