There are a few task I complete first for every new site including both WordPress and Drupal. This is not an all inclusive list, but covers the main items.
1) Analytics & Search Submission
The very first step I always take with any new site is to create a Google Analytics and Google Search (formerly Webmaster Tools) accounts. As soon as the site is functional, the first module I will install is something that will inject the GA code in to each page.
With WordPress I am currently using Google Analytics Dashboard for WP by Alin Marcu. On Drupal 8, I am using the Google Analytics module by Alexander Hass. Both of these modules will reliably insert the latest generation of Google Analytics code in our web pages while also adding some control over what we are tracking.
The point of this being a first step is to let Google and other search engines know we are out here as quickly as possible, while also being sure to know what our traffic patterns are before going live, and then being sure we capture our release events properly. I cannot tell you how times I seen new sites being released without traffic tracking in place. I can guarantee you that the first question any customer or boss is going to ask you after their "new" site goes live is, "Did we get a lot of hits during release week?"
If the URL is new and unknown to Google and other search engines, it is important to get them crawling as soon as possible. The search engine will take note of the activity during site creation as it is generating a lot of new content and can lead to an initial bump of placement which is always great. If you wait until after the site is complete to invite the search engines in, the site look static, could be old, and appears to be not changing. This is bad for SEO.
While we are on the topic of SEO, the second activity for any new site should be loading at least the basic SEO tools. Overall SEO is a huge topic and organizations have a wide variety of tools to choose from, with each being designed for the specific needs of different organizations. If this is a small organization without a defined SEO toolkit, be sure to install at a minimum at least one of the popular free SEO tools available. At the time of this writing I am using Yoast SEO for WordPress sites and for Drupal will start with the Metatag and XML sitemap modules.
The reason this is a prerequisite activity is because at some point very soon after the site is up, content is going to start going in. It is important to set the ground rules up-front that all content needs to be SEO aware and that all tags, keywords, etc, need to be entered along with the content and not later.
Security is of course a vast activity that needs to be built in to every process related to our web presence. It includes every component in the chain from the router to the employee entering data and everything in between. To kick off the process I always install some form of security module to help provide at least a basic level of security while the site is being developed. On WordPress I currently use WordFence and with Drupal, the needed primary tools are already built-in and just require configuration.
For WordPress I will also add WPS Hide Login which can be used to easily change the login page from the default /wp-admin to something of your choosing. In Drupal, this change can be made by going to 'admin/config/search/path' where you can set alias for 'user/login'.
At this point there are several hardening procedures which include everything from file and folder permissions to ensuring much of the infrastructure (such as phpinfo) is not being advertised.
I typically perform two steps right from the start to deal with spam related issues. One is the creation of spam user accounts on sites that allow users to create account on their own. These days captcha and email validation are not sufficient to stop the barrage of spam accounts. Luckily some creative tools have been developed to help with this issue such as the WP Spam Shield for WordPress which somehow is able to determine a human from a bot quite well.
The second spam related activity is for sites that will not have email hosted as part of the site. These days most individuals and companies have their email hosted elsewhere or have their own email system managed elsewhere. This means that the websites email, such as the recover password email, or welcome email, would have to rely on the sendmail or postfix mailers offered by the hosting providers servers which just happen to be shared with hundreds of other users. This means that any outgoing email from your website will have a reputation equal to the lowest common denominator of other websites hosted, or any other website that used the IP address now assigned to your site. In other words, outgoing email will be highly unreliable. For this reason I always add an SMTP Mailer app which can then be set up to use the site owners other email system for outgoing mail.