Service Audit

Independent WordPress code audit with prioritized remediation.

Security, performance, maintainability, scalability. A written report you can act on this quarter, not a sales pitch for our implementation services.

100+ plugins shipped, security SaaS in production
findings.txt

# WordPress Code Audit Output (Critical findings excerpt)

[CRITICAL] mu-plugins/legacy-tracker.php:42
  SQL injection: $_GET['user_id'] passed unsanitized to $wpdb->query
  Impact: full database read access for unauthenticated users
  Fix: use $wpdb->prepare() with %d placeholder, add capability check
  Estimated effort: 2 hours

[HIGH] wp-content/plugins/custom-rest/api.php:88
  REST endpoint /wp-json/cust/v1/users with permission_callback => __return_true
  Impact: user enumeration including admin emails
  Fix: gate to current_user_can('list_users'), add per-route rate limit
  Estimated effort: 1 hour

[HIGH] wp-content/themes/active-theme/functions.php:215
  Hardcoded credentials in get_option() fallback
  Impact: credentials leaked if file accessed via dump or backup leak
  Fix: move to wp-config.php or environment variables
  Estimated effort: 30 minutes

[MEDIUM] wp-content/plugins/widgets/render.php:67
  Missing escape on user-supplied widget title in admin preview
  Impact: stored XSS for editors viewing widget settings
  Fix: wrap output in esc_html(), add unit test
  Estimated effort: 30 minutes

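The remediations listed in the excerpt above, written out as an added PHP example; this is not code from the audit report, from the client codebase it describes, or from WordPress itself. The function names, the tracker table name, the THEME_API_KEY constant and the 30-requests-per-minute limit are assumptions chosen for illustration. Each vulnerable "before" is kept to a one-line comment so the fix is the focus.

```php
<?php
// Added example: hardened forms of the four findings in the audit excerpt.
// All function, table, option and constant names below are assumed placeholders.

// [CRITICAL] SQL injection: $_GET['user_id'] concatenated into $wpdb->query.
// Before (vulnerable): $wpdb->query( "SELECT * FROM {$wpdb->prefix}tracker WHERE user_id = " . $_GET['user_id'] );
function legacy_tracker_get_events() {
    global $wpdb;

    // Capability check first: an anonymous caller never reaches the query.
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'legacy-tracker' ), 403 );
    }

    // %d makes prepare() cast the value to an integer, so quoting tricks cannot survive;
    // absint() on the way in keeps the value non-negative and typed.
    $user_id = isset( $_GET['user_id'] ) ? absint( wp_unslash( $_GET['user_id'] ) ) : 0;
    $sql     = $wpdb->prepare(
        "SELECT event, created_at FROM {$wpdb->prefix}tracker WHERE user_id = %d",
        $user_id
    );

    return $wpdb->get_results( $sql, ARRAY_A );
}

// [HIGH] REST route /cust/v1/users registered with permission_callback => __return_true.
add_action( 'rest_api_init', function () {
    register_rest_route( 'cust/v1', '/users', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'cust_list_users',
        // Before (vulnerable): 'permission_callback' => '__return_true',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'list_users' ) ) {
                return new WP_Error( 'rest_forbidden', 'You are not allowed to list users.', array( 'status' => 403 ) );
            }
            // Per-route, per-user rate limit backed by a transient (assumed policy: 30 requests per minute).
            $key   = 'cust_users_rl_' . get_current_user_id();
            $count = (int) get_transient( $key );
            if ( $count >= 30 ) {
                return new WP_Error( 'rest_rate_limited', 'Too many requests.', array( 'status' => 429 ) );
            }
            set_transient( $key, $count + 1, MINUTE_IN_SECONDS );
            return true;
        },
    ) );
} );

function cust_list_users( WP_REST_Request $request ) {
    // Return only the fields the client needs; email stays out of the response body.
    $users = get_users( array( 'fields' => array( 'ID', 'display_name' ) ) );
    return rest_ensure_response( $users );
}

// [HIGH] Hardcoded credential in a get_option() fallback inside the theme.
// Before (vulnerable): $api_key = get_option( 'theme_api_key', 'hardcoded-secret-placeholder' );
// After: the fallback comes from wp-config.php (define( 'THEME_API_KEY', ... )) or the
// environment, so a theme backup or repository dump never contains the secret.
function theme_get_api_key() {
    $key = (string) get_option( 'theme_api_key', '' );
    if ( '' === $key && defined( 'THEME_API_KEY' ) ) {
        $key = (string) THEME_API_KEY;
    }
    if ( '' === $key ) {
        $key = (string) getenv( 'THEME_API_KEY' );
    }
    return $key;
}

// [MEDIUM] Widget title echoed unescaped in the admin preview (stored XSS for editors).
// Before (vulnerable): echo '<h3>' . $instance['title'] . '</h3>';
function widgets_render_preview_title( array $instance ) {
    $title = isset( $instance['title'] ) ? (string) $instance['title'] : '';
    // esc_html() at the point of output, regardless of what was sanitized on save.
    return '<h3 class="widget-title">' . esc_html( $title ) . '</h3>';
}
```

The transient-based limiter is deliberately minimal: set_transient() refreshes the expiry on every call, so the window slides rather than resetting on a fixed boundary. A production limiter on a multi-server site would sit in a persistent object cache keyed per route and user. The remaining fixes map one-to-one onto the "Fix:" lines of the excerpt.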
Why audit

Most WordPress codebases have known issues nobody has bothered to write down.

The team knows the slow page. The team knows the plugin nobody updates. The team knows the function that everybody is afraid to touch. None of it is written down. None of it is prioritized. It lives in tribal knowledge and Slack scrollback and gets forgotten when the engineer who knew it leaves.

An audit converts that tribal knowledge into a written report with severity ratings and effort estimates. The CTO can decide what ships this quarter and what waits. The next engineer joining the team gets a roadmap, not a mystery. The audit pays for itself the first time it prevents a fire drill.

What we audit

Findings you can defend in a quarterly planning meeting.

Security, performance, maintainability, scalability. Every finding rated, every finding actionable, every finding with an effort estimate so prioritization is data-driven.

01

Security findings, prioritized

SQL injection, XSS, CSRF, authentication bypasses, capability bypasses, file disclosure, REST endpoint flaws. Each finding rated by severity with concrete remediation steps and effort estimates.

You ship the critical fixes this sprint, the rest in a planned cycle.

02

Performance findings with measured impact

Slow queries, missing indexes, autoload bloat, render-blocking assets, N+1 patterns, cache misses. Profiled with WP-CLI and Query Monitor, with measured before-and-after estimates per fix.

You know which fixes move the needle and which are noise.

03

Maintainability and code quality

WPCS violations, PHPStan findings, deprecated function calls, missing test coverage, dead code, technical debt hotspots. Findings ranked by risk to future development velocity.

Tech debt becomes a list, not a feeling.

04

Plugin and theme inventory

Every active plugin and theme reviewed for vulnerability history, abandonment status, license compliance, performance impact, and code quality. Custom plugins reviewed line by line.

You know which plugins to keep, replace, or remove.

05

Architecture and scalability review

Database schema, custom post type design, taxonomy structure, REST API surface, hook usage. Identifies architecture decisions that will hurt at 5x or 10x current scale.

You see the scaling ceilings before you hit them.

06

Independent, no implementation upsell

We do not require you to hire us for remediation. The audit report is yours; your team or any other agency can implement it. We are happy to scope the implementation, but the audit value stands alone.

The audit is honest because we have no incentive to pad it.

100+

WordPress plugins shipped, including ones we have audited for clients

The same standards we apply to our own code, we apply to yours.

Process

How an audit runs.

01

Scope and access

Three days. Audit scope confirmed, NDA signed if needed, read-only access to staging or local clone provisioned, WP-CLI access on production for profiling. Fixed-price quote.

Audit starts on day four.

02

Audit

Two to four weeks. Code review, security scan, performance profiling, plugin and theme inventory, architecture review. Findings collected and rated as we go.

Report drafted by week three.

03

Report and walkthrough

Three days. Final report (PDF and Markdown) delivered with executive summary, prioritized findings, remediation roadmap. 60-minute walkthrough call to discuss next steps.

You leave the call with a clear plan.

Common questions

Frequently asked

  1. What is in the deliverable?

    A written report (PDF + Markdown) with executive summary, methodology, full findings list ranked by severity, prioritized remediation roadmap with effort estimates, and a 60-minute walkthrough call. Source artifacts (WP-CLI profile output, slow query log analysis, vulnerability scan results) included as appendices.

  2. How long does an audit take?

    Two to four weeks depending on site complexity. A focused audit (single plugin or single theme) is one to two weeks. A full site audit (core, custom plugins, theme, multisite network, integrations) is three to four weeks. We give you a timeline in the discovery call.

  3. Do you need access to our production site?

    No. Read-only access to a clone (staging or local) is enough for code review and most performance work. For runtime profiling we need read-only WP-CLI access on production, no write access required. We work under NDA on request.

  4. Will the audit catch a hacked site?

    A code audit is not the same as an incident response engagement. We will flag suspicious code patterns we encounter, but if you suspect a compromise, the right service is incident response. We can scope that separately.

  5. Can you do the remediation too?

    Yes, but it is a separate scope quoted after the audit completes. Audit fee is independent. Most clients implement themselves or with their existing dev team and bring us in only for the highest-effort findings.

  6. What does it cost?

    A focused audit (single plugin or single theme) is scoped per project. A full site audit is sized per project depending on complexity. Multisite network audits run higher. The discovery call is free, with a fixed-price quote within 48 hours.

Need a code audit you can act on?

Tell us what you want to build.

Discovery call is free. Fixed-price quote within 48 hours. Audits are scope-dependent.