WordPress Audit Process – DEPRECATED

This audit is outdated. Progress for a new guide can be seen here.


Baseline Tech Specs

The basic audit template covers some basic technical stats so we can get a bird's-eye view of how well the site is put together. There are some tools and plugins that can help us perform the audit, but much of it is done by manual code review. We want to have a basic understanding of the client's website so we can come up with quick and informed plans for improvements.

When we rank something red or yellow we need explanations of what these ratings mean in the Notes section. We will also need to change our default recommendations if, for instance, a multisite is a good solution for a client's needs.

Site Audit Template is HERE

Section 1: Basic WordPress Audit


Item / How to find / Tools

Version Control
  Go to the webroot and run "git version".

WP-CLI
  Try running wp cli in the webroot; if it exists, run "wp --info".

Directory Structure

Files Directory Size
  Run "du -h wp-content/uploads"; this gives you the total size at the bottom along with the size of other directories/files. May be

Database Size
  Run "mysqldump -uusername -ppassword databasename > db_backup.sql" then "du -h db_backup.sql" (leaving out the password value, i.e. just "-p", makes mysqldump prompt for it instead of recording it in shell history and exposing it in the process list).

  or

  Run the following query, which lists the sizes of all the available databases:

  SELECT table_schema AS "Database",
         ROUND(SUM(data_length + index_length) / 1024 / 1024, 2) AS "Size (MB)"
  FROM information_schema.TABLES
  GROUP BY table_schema;

Other “Files Directories”
  See if any other large files exist in the codebase, particularly in the root of the codebase.

Codebase Structure
  Are there non-standard directories? Is all custom code in wp-content/themes/themename (or the appropriate multisite directories)?
  Are styles and libraries organized properly and extendable?

Multisite
  Check for subdomains or subdirectories.
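The Section 1 checks above are typed into a shell one at a time. The following is an added example, not part of the original audit template, that gathers them in one run against a webroot passed as the first argument. It assumes a Linux/BSD userland with du, find and sed; git, wp and php are probed and reported as missing rather than required. The PHP check takes the banner text as an argument so the "PHP 7+" rule from the Security section can also be applied to a pasted php --version output.

```shell
# Added example: gathers the Section 1 baseline figures for one webroot.
# Not part of the original audit template. Assumes du/find/sed are present;
# git, wp and php are optional and reported as missing when absent.

# Version control: look for the VCS metadata directory in the webroot.
# Prints "git", "svn" or "none".
detect_vcs() {
  if [ -d "$1/.git" ]; then echo git
  elif [ -d "$1/.svn" ]; then echo svn
  else echo none
  fi
}

# WP-CLI: "available" when the wp binary is on PATH, otherwise "missing".
detect_wpcli() {
  if command -v wp >/dev/null 2>&1; then echo available; else echo missing; fi
}

# Files Directory Size: bytes used under wp-content/uploads, 0 if it is absent.
# du -sk is POSIX; the KiB figure is scaled to bytes for easy comparison.
uploads_size_bytes() {
  dir=$1/wp-content/uploads
  if [ ! -d "$dir" ]; then echo 0; return 0; fi
  kib=$(du -sk "$dir" | cut -f1)
  echo $((kib * 1024))
}

# Other "Files Directories": the N largest regular files sitting directly in
# the webroot, where stray archives and database dumps tend to accumulate.
largest_root_files() {
  find "$1" -maxdepth 1 -type f -exec du -k {} + | sort -rn | head -n "${2:-5}"
}

# PHP version: succeeds when a "php --version" banner reports PHP 7 or newer.
# The banner is passed in as text so the rule can be checked without php installed.
php_is_7_plus() {
  major=$(printf '%s\n' "$1" | sed -n 's/^PHP \([0-9][0-9]*\)\..*/\1/p' | head -n 1)
  [ -n "$major" ] && [ "$major" -ge 7 ]
}

# Print the baseline report for the webroot given as $1.
baseline_report() {
  webroot=$1
  echo "Version control:      $(detect_vcs "$webroot")"
  echo "WP-CLI:               $(detect_wpcli)"
  echo "Uploads size (bytes): $(uploads_size_bytes "$webroot")"
  echo "Largest root files (KiB, path):"
  largest_root_files "$webroot" 5 | sed 's/^/  /'
  if ! command -v php >/dev/null 2>&1; then
    echo "PHP version:          n/a (php not on PATH)"
  elif php_is_7_plus "$(php --version)"; then
    echo "PHP version:          7+ (ok)"
  else
    echo "PHP version:          below 7 (flag red)"
  fi
}

# Usage: baseline_report /var/www/html
```

The report deliberately degrades to "n/a" or "missing" instead of failing, because on a client's host the audit is often run from a restricted account where some of these tools are absent, and a partial report is still useful for the Notes column.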
Codebase

Plugin Codebase Quality
  How many plugins are in use? (The fewer the better, typically.)
  Are they up to date?
  Any custom plugins? Are they coded using best practices?
  Are the plugins in use well maintained/updated for security frequently? Do they have high ratings? Many installs?
  Are they compatible with the latest version of WP?
  Run the WordFence plugin if possible. Make sure to check the boxes in its options to scan themes and plugins as well.

Theme Codebase Quality
  Is the theme up to date?
  Was the parent theme built by a well-respected developer? (If 3rd party: many installs, high ratings, well maintained.)
  Run the WordFence plugin if possible. Make sure to check the boxes in its options to scan themes and plugins as well.

Uses Child Theme
  Is the site using a child theme of the enabled theme?

Custom Codebase Quality
  Check the custom codebase for WordPress best practices.
  Do templates contain complex PHP? (See the PHP coding standards.)
  Is JS written properly? (See the JavaScript coding standards.)
  Is the site responsive?
  Are images sized correctly?
  Is the code legible? Will various developers be able to read it?
  Are there any patches? Are the patches well documented?
  Are they using custom post types? How many? Are they being used properly / is it clear how each is used? Are they using a plugin such as Advanced Custom Fields, or something else, for this?
  Are they making use of taxonomies? (post type name > categories)

CMS configurations
  Has the admin dashboard menu been customized? Would cleanup improve ease of use for content editors?
  Has the WYSIWYG been customized? Are they using a page builder of some kind? (Not preferred, but often included with paid themes.)
  Are there any obvious improvements that could be made to the content editor experience?

Security

Site Users
  Check site users. Are there many site administrators?
  Is there an "admin" user? (If so, recommend this user be deleted with its content assigned elsewhere.)
  Do they have different user roles set up?

Restricted Access
  Any password-protected areas of the site?
  Are login forms secure?

Security Plugins
  Any security plugins installed?
  WordFence, Sucuri, iThemes Security, All In One WP Security & Firewall might be good options.

Update Status
  Are plugins, themes, WP core up to date?

PHP version
  Are they using PHP 7+?
  php --version
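WP-CLI can answer the Site Users and Update Status rows directly. The following added example, not part of the original template, wraps the relevant commands (wp user list, wp plugin list, wp theme list, wp core check-update, wp core verify-checksums) and applies the rules from the rows above. It assumes WP-CLI is installed and can reach the install at the given path; MAX_ADMINS is an assumed threshold for "many administrators" and should be adjusted per client. The review functions take the command output as text, so they can also be run on a listing pasted from elsewhere.

```shell
# Added example: Security rows (Site Users, Update Status) via WP-CLI.
# Not part of the original template. MAX_ADMINS is an assumed threshold.
MAX_ADMINS=${MAX_ADMINS:-3}

# Count non-empty lines in a string (WP-CLI --field output is one value per line).
count_lines() {
  printf '%s\n' "$1" | grep -c . || true
}

# Review a newline-separated list of administrator logins and print findings
# in the audit's red/yellow vocabulary. Returns 1 if anything was flagged.
review_admins() {
  logins=$1
  flagged=0
  total=$(count_lines "$logins")
  echo "Administrator accounts: $total"
  if printf '%s\n' "$logins" | grep -qix admin; then
    echo "  RED: a literal 'admin' user exists; delete it and reassign its content to another user"
    flagged=1
  fi
  if [ "$total" -gt "$MAX_ADMINS" ]; then
    echo "  YELLOW: more than $MAX_ADMINS administrators; confirm each one needs the role"
    flagged=1
  fi
  return "$flagged"
}

# Pending updates: given the output of "wp plugin list --update=available
# --field=name" (or the theme equivalent), print the count, or "none".
pending_updates() {
  n=$(count_lines "$1")
  if [ "$n" -eq 0 ]; then echo none; else echo "$n"; fi
}

# Live report against the WordPress install at $1, using WP-CLI.
security_report() {
  path=$1
  admins=$(wp --path="$path" user list --role=administrator --field=user_login)
  review_admins "$admins" || true
  plugins=$(wp --path="$path" plugin list --update=available --field=name)
  echo "Plugins with updates pending: $(pending_updates "$plugins")"
  themes=$(wp --path="$path" theme list --update=available --field=name)
  echo "Themes with updates pending:  $(pending_updates "$themes")"
  echo "Core update check:"
  wp --path="$path" core check-update
  echo "Core file integrity (modified or unexpected core files, if any, are listed below):"
  wp --path="$path" core verify-checksums
}

# Usage: security_report /var/www/html
```

The checksum verification is worth keeping in the report even though the template does not ask for it: a core file that no longer matches the official release is the first thing to look at when the plugin scan comes back clean but the site still behaves oddly.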
SEO

https
  Is SSL installed?
  Does the site default to https? (Check Settings > General for WP Address and Site Address.)
  Are they getting mixed content errors?

Header tags
  Are they written properly? Are they in the proper order?

Social sharing
  Using proper tags and setup for social sharing?

Broken links
  Can use the Broken Link Checker plugin to check for broken links.

Google Analytics
  Is GA installed?
  Take a look at the Analytics account setup.

Plugins
  Yoast SEO is a popular and easy-to-use plugin for adding meta tags, etc.

A11y
  If you turn off CSS, is the site legible?
  Are images using alt attributes properly?
  Is color contrast correct?
  Can you use a keyboard to navigate the site?
  Can you use a text browser (Lynx)?

Performance

Server Response
  This will vary between requests; for a quick idea, load the page in question with the Network tab open and the browser cache disabled and see how long it takes for the initial request of the HTML document to be returned.

Google Page Speed
  What's the PageSpeed Insights score for the URL you're investigating? Use the mobile speed and the desktop speed (mobile/desktop) in the audit.

Image Optimization
  Is the site effectively using image styles to make sure that images are an appropriate size? Bonus points if they have a system in place to handle responsive images.

Load testing
  Blazemeter is an option for load testing. Pantheon guide to testing with Blazemeter.

CDN
  Check for a CDN if it would be helpful.

Caching
  Any caching plugins in use? W3 Total Cache and others can sometimes be appropriate but other times cause more trouble than they're worth. Check the caching options offered by the host.
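Several of the rows above (https, Header tags and A11y in the SEO section, and Server Response in the Performance section) can be checked from the page source rather than by eye. The following added example, not part of the original template, does that. fetch_page and time_to_first_byte need curl; the other functions take the HTML as a string, so they also work on a saved copy of a page and are exercised here on constructed markup.

```shell
# Added example: static checks for the https, Header tags and A11y rows and a
# curl-based Server Response timing. Not part of the original template.

fetch_page() {
  curl -sSL "$1"
}

# Server Response: seconds until the first byte of the response arrives.
time_to_first_byte() {
  curl -o /dev/null -sS -w '%{time_starttransfer}\n' "$1"
}

# Mixed content: number of embedded resources (script, img, iframe, ... src=)
# still fetched over plain http://. Any non-zero value fails the https row.
# The "." after src= stands for whichever quote character the markup uses.
mixed_content_count() {
  printf '%s\n' "$1" | grep -oi 'src=.http://' | grep -c . || true
}

# Header tags: heading levels in document order, one per line ("1", "2", ...).
heading_levels() {
  printf '%s\n' "$1" | grep -oi '<h[1-6][ >]' | sed 's/^<[hH]\([1-6]\).*/\1/'
}

# Returns 0 when the page has exactly one h1 and never skips a level going
# deeper (h2 followed by h4 is a skip); that is the "proper order" asked for.
heading_order_ok() {
  prev=0; h1s=0; skipped=0
  for lvl in $(heading_levels "$1"); do
    if [ "$lvl" -eq 1 ]; then h1s=$((h1s + 1)); fi
    if [ "$lvl" -gt $((prev + 1)) ]; then skipped=1; fi
    prev=$lvl
  done
  [ "$h1s" -eq 1 ] && [ "$skipped" -eq 0 ]
}

# A11y: number of <img> tags with no alt attribute at all. An empty alt="" is
# counted as present because it is the correct markup for decorative images.
images_missing_alt() {
  printf '%s\n' "$1" | grep -oi '<img[^>]*>' | grep -vi 'alt=' | grep -c . || true
}

# Run every check against a live URL.
frontend_report() {
  html=$(fetch_page "$1")
  echo "Time to first byte (s): $(time_to_first_byte "$1")"
  echo "Plain-http resources:   $(mixed_content_count "$html")"
  if heading_order_ok "$html"; then
    echo "Heading order:          ok"
  else
    echo "Heading order:          check (missing/multiple h1 or skipped level)"
  fi
  echo "Images without alt:     $(images_missing_alt "$html")"
}

# Usage: frontend_report https://example.com/
```

These are grep-level checks over the raw HTML, so markup injected by JavaScript after load is not seen; for that the browser's Network tab and DOM inspector remain the tools to use, as the template already says.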

Front-End performance

A lot of drain can happen on the front end, and this can vary per browser. Lots of calls to external JS or iframes can really slow things down.

A speed test is the best place to start:

http://www.webpagetest.org/

YSlow is a browser extension you can install that provides stats and recommendations for performance improvements.

Deeper Technical Audit

DRAFT - MATERIAL NEEDS WORK

Some clients who have specific concerns or have a technical background may require further research. Here are some resources that may assist in preparing audits for them:

Resources

Google Network Tab Docs

Example Audits


Considerations With Managed WordPress Hosting Services

Managed WordPress hosting services such as Pantheon and WP Engine handle all of the DevOps aspects of website management. Furthermore, their hosting platforms are geared towards hosting WordPress websites, and many aspects of a good website are handled by them. These aspects include but are not limited to:

  • overall web server security
  • PHP, nginx/Apache, and Database performance, updates, and security
  • server side performance including various types of caching 
  • CDN (content delivery network) management and implementation

It can be assumed that if a website is using a reputable managed hosting company, the above aspects of the website are of high quality and up to date.

It is almost always desired that a client use a managed website service to host their website. At Kalamuna, Pantheon and WP Engine are the recommended managed WordPress hosting services.

Considerations With Self Hosting 

If the client is currently hosting their website internally and plans on continuing to host internally, various precautions need to be taken. In addition to a thorough technical review, the client needs to confirm the following:

  • In general, whether their web server is set up to effectively run WordPress. https://en-ca.wordpress.org/about/requirements/ can be used as a reference.
  • Whether they have the appropriate IT resources to do ongoing server/security updates.
  • Whether their server setup is capable of handling current and reasonably foreseeable increases in website traffic. One way to examine the current server load is to examine a week-long log of CPU and RAM usage. If the usage is close to maxing out, they should upgrade their server hardware.

If the client is not able to properly set up and/or maintain their website server it could result in:

  • slow page load times, for both front end and back end
  • hacked websites and other security compromises
  • vulnerability to DDoS attacks
  • PHP errors

The client may not understand the technical distinction between the website creation service Kalamuna provides and website hosting. They may erroneously view Kalamuna as being responsible for their web server issues.

WordPress Code Structure

WordPress offers a lot of flexibility in how themes and plugins are structured code-wise. This is both positive and negative. This flexibility can allow a WordPress site to technically function while being very fragile and difficult to extend (adjust or add new features). On the other hand, a WordPress theme or plugin can have excellent architecture which makes adding or adjusting features and functionality easy. It is very important to determine what kind of project Kalamuna is taking on as early as possible. There are many plugins available that allow a novice website editor to make structural and styling changes directly from the WordPress admin. These types of plugins can result in fragile and confusing architecture. If a WordPress website has any of the following plugins installed (this is not a complete list, but a list of some of the more popular plugins) it should be viewed as a red flag:

  • Custom Post Type UI
  • WCK Custom Post Types and Custom Fields Creator
  • Pods
  • Toolset Types/Views
  • Custom Post Type Maker