WordPress Audit Process – DEPRECATED
This audit is outdated. Progress for a new guide can be seen here.
Baseline Tech Specs
The basic audit template covers some basic technical stats so we can get a bird eye view of how well the site is put together. There are some tools and plugins that can help us preform the audit, but much is done by manual code review. We want to have a basic understanding of the client's website so we can come up with quick and informed plans for improvements.
When we rank something red or yellow we need explanations of what these ratings mean in the Notes section. We will also need to change our default recommendations if, for instance, a multisite is a good solution for a client's needs.
Site Audit Template is HERE
Section 1: Basic WordPress Audit
Item | How to find |
Tools | |
Version Control | Go to the webroot and run "git version" |
WP-CLI | Try running wp cli in the webroot; if it exists, "wp --info" |
Directory Structure | |
Files Directory Size | Run "du -h wp-content/uploads"; this gives you total size at the bottom along with size on other directories/files. May be |
Database Size | Run "mysqldump -uusername -ppassword databasename > db_backup.sql" then "du -h db_backup.sql" or Run the following query that lists the sizes of all the available databases. SELECT table_schema AS "Database", ROUND(SUM(data_length + index_length) / 1024 / 1024, 2) AS "Size (MB)" FROM information_schema.TABLES GROUP BY table_schema; |
Other “Files Directories” | See if any other large files exist in the codebase; particularly in the root of the codebase. |
Codebase Structure | Are there non-standard directories? Is all custom code in wp-content/themes/themename (or appropriate multisite directories)? |
Multisite | Check for subdomains or subdirectories |
Codebase | |
Plugin Codebase Quality | How many plugins are in use? (the fewer the better, typically) |
Theme Codebase Quality | Is the theme up to date? |
Uses Child Theme | Is the site using a child theme of the enabled theme? |
Custom Codebase Quality | Check custom codebase for WordPress Best Practices |
CMS configurations | Has the admin dashboard menu been customized? Would cleanup improve ease of use for content editors? Has the WYSIWYG been customized? Are they using a Page Builder of some kind (not preferred, but often |
Security | |
---|---|
Site Users | Check site users. Are there many site administrators? Is there an "admin" user? (if so recommend this user be deleted with content assigned elsewhere) Do they have different user roles setup? |
Restricted Access | Any password-protected areas of the site? Are login forms secure? |
Security Plugins | Any security plugins installed? WordFence, Sucuri, iThemes Security, All In One WP Security & Firewall might be good options |
Update Status | Are plugins, themes, WP core up to date? |
PHP version | Are they using PHP 7+? php --version |
SEO | |
https | Is SSL installed? |
Header tags | Are they written properly? Are they in the proper order? |
Social sharing | Using proper tags and setup for social sharing? |
Broken links | Can use Broken Link Checker Plugin to check on broken links |
Google Analytics | Is GA installed? Take a look at Analytics account setup |
Plugins | Yoast SEO is a popular and easy to use Plugin for adding metatags, etc. |
A11y | |
If you turn off CSS is the site legible? | |
Performance | |
Server Response | This will vary between requests; for a quick idea, load the page in question with the Network tab open and the browser cache disabled and see how long it takes for the initial request of the HTML document to be returned. |
Google Page Speed | What's the PageSpeed Insights score for the URL you're investigating? Use the mobile speed and the desktop |
Image Optimization | Is the site effectively using image styles to make sure that images are an appropriate size? Bonus points if they |
Load testing | Blazemeter is an option for load testing. Pantheon guide to testing with Blazemeter. |
CDN | Check for CDN if it would be helpful |
Caching | Any caching plugins in use? W3 Total Cache and others can sometimes be appropriate but other times cause more trouble than they're worth. Check caching options offered by the host. |
Front-End performance
A lot of drain can happen on the front end, and this can vary per browser. Lots of calls to external JS or iFrames can really slow things down.
A speed test is the best place to start:
Yslow is a browser extension you can install that can provide stats and recommendations for performance improvements.
Deeper Technical Audit
DRAFT - MATERIAL NEEDS WORK
Some clients who have specific concerns or have a technical background may require further research. Here are some resources that may assist in preparing audits for them:
- Benchmarking with AB and Siege
- Google PageSpeed
- Basic Performance Audit Template
- Performance + Code Audit Template
Resources
Example Audits
Considerations With Managed WordPress Hosting Services
Managed WordPress hosting services such as Pantheon and WP Engine handle all of the dev ops aspect of website management. Furthermore, their hosting platform is geared towards hosting WordPress websites and many aspects of a good website are handled by them. These aspects include but are not limited to:
- overall web server security
- PHP, nginx/Apache, and Database performance, updates, and security
- server side performance including various types of caching
- CDN (content delivery network) management and implementation
It can be assumed that if a website is using a reputable managed hosting company, the above aspects of the website are of high quality and up to date.
It is almost always desired that a client use a managed website service to host their website. At Kalamuna, Pantheon and WP Engine are the recommended managed WordPress hosting services.
Considerations With Self Hosting
If the client is currently hosting their website internally and plans on continuing to host internally various precautions need to be taken. In addition to doing a thorough technical review the client needs to confirm the following:
- In general, if their web server is set up to effectively run WordPress. https://en-ca.wordpress.org/about/requirements/ can be used as reference
- If they have the appropriate IT resources to do ongoing server/security updates
- If their server setup is capable of handling current and reasonably foreseen increased website traffic. One way to examine the current server load is to examine a week long log of CPU and RAM usage. If the usage is close to maxing out then they should update their server hardware.
If the client is not able to properly set up and/or maintain their website server it could result in:
- slow page load times, for both front end and back end
- hacked websites and other security compromises
- vulnerability to DDoS attacks
- PHP errors
The client may not understand the technical nuance of the website creation service we do at Kalamuna and the website hosting. They may erroneously view Kalamuna as being responsible for their web server issues.
WordPress Code Structure
WordPress offers a lot of flexibility with how themes and plugins are structured code-wise. This is both positive and negative. This flexibility can allow a WordPress site to technically function and work while being very fragile and difficult to extend (adjust or add new features). On the contrary, a WordPress theme or plugin can have excellent architecture which makes adding or adjusting features and functionality easy. It is very important to determine what kind of project Kalamuna is taking on as early as possible. There are many plugins available that can allow a novice website editor to make structural and styling changes directly from the WordPress admin. These types of plugin can result in fragile and confusing architecture. If a WordPress website has any of the following plugins installed (this is not a complete list, but a list of some of the more popular plugins) it should be viewed as a red flag:
- Custom Post Type UI
- WCK Custom Post Types and Custom Fields Creator
- Pods
- Toolset Types/Views
- Custom Post Type Maker