Audit Process
This is the checklist we go through when auditing and documenting a site. This is done on initial sign up to a monthly plan with Fixed, and we keep our file updated regularly. We’ll feed any findings and recommendations back to you.
We can do almost everything without any input from you; you can let us get on with this, and we will come back to you if we have any questions or require more access.
1. Get the site set up on our systems.
My.fixed.net is our client area, where you can correspond with us. We (and you) can use it to manage backups, and store data and notes on the websites we manage for you. The first thing we always do is ensure we have access, and that backups are set up. We cannot make any changes until we have a complete backup of the website.
- File backup. We take incremental backups of your website at least twice a day. Ideally we use SSH/SFTP, but we can also use FTP if you do not have SSH credentials.
- Database backup. We will set up remote database dumps - again twice per day. This usually requires opening your database server to one of our external IP addresses.
- Data collection. This is the fundamental information about your website and where it runs from.
  - Who is the current web host?
  - What software stack does your website use?
  - Who is the current DNS provider?
  - Who is the current domain registrar?
  - Who is the current SSL provider, if any?
  - Who is the current email provider, if any?
  - Are there other parts of the same website that we are not managing -- for instance a subdomain, or a subfolder with another website in it?
  - Are there any alias domains?
2. Hosting options
If you want to host the website with Fixed, we will arrange this and agree a migration time (there is no disruption) and the next steps. We will migrate a copy of the site and provide a preview URL so you can test it first. Our hosting automatically includes an SSL certificate. We can also move over your domain and DNS if required (and handle that whole process for you).
- If you want to keep your hosting with your current provider, we will check the following:
  - Do you have an SSL certificate? If not, we will provide options (including free options), as every website should be encrypted. If you do, where is it from and are you over-paying?
  - Do we have access to take remote file backups and MySQL backups?
  - Who is managing the server? Or is it a shared host? Where is the status page for this web host?
  - What software versions (e.g. PHP, MySQL) are supported by the host?
  - Does the site share a hosting environment with other websites that can write to the website files? If so, we explain the consequences.
Once backups are complete...
3. Initial site errors
Here we are trying to establish if there are urgent, obvious problems that we need to fix, which you may or may not be aware of.
- Are there any site errors or issues that the client is aware of, or urgent problems that need fixing? If so, we will document those as tasks to move to after the audit, or deal with immediately if required.
- Do any errors appear on the website?
  - Enable a debug log and see if any errors show there.
  - Check server error logs.
  - Check the JavaScript console and network requests.
  - Check for mixed content errors.
- If the site is an eCommerce site, can we get through to a payment screen?
- Have a cursory look over the website and check for glaring errors (styling that appears broken, white pages of death etc).
- Try the site on a mobile browser.
- Is the client aware of any issues on Google Search?
4. Security
Website security is a fundamental part of what we offer at fixed.net. Our initial audit makes sure that your site is clean and set up properly, giving us a solid foundation to work from.
- Has our malware scan found anything suspicious? This malware scan is based on our backups and checks files against our own internal signature database. We also use various other scans that check for issues like javascript injection. If malware is found, we need to clear up the site immediately.
- Are any plugins or software vulnerable? This would require urgent fixing.
- We will check file permissions and .htaccess rules in the hosting environment.
- Check for other common security issues with the software you are using.
- Are there remnant software admin users, FTP users or database users - or is remote database access enabled to unknown IPs?
- What are the permissions on your database configuration file (usually a wp-config.php, a configuration.php or a .env file)? If these permissions are set incorrectly on some hosting environments, it could allow others to access your database.
- Are there old versions of adminer.php, or other database management software, in the file system?
- Is there a generic security plugin installed (e.g. Wordfence, Cerber)? If not, we may make a recommendation.
5. Data cleanup
Our aim now is to remove anything unnecessary, or any historic data or files which are not used and might cause either complication or risk.
- Check for legacy, unnecessary plugins and content that can be removed or serve no purpose. We have a backup, and we won't touch anything that changes the live site.
- Are there old backups stored in the user directory?
- We should remove old host-specific additions to core files (for example mu-plugins files, or wp-settings which are no longer in use).
- Other data to be removed includes:
  - Old, disabled plugins
  - Themes that are not active
  - Multiple plugins that do the same thing
  - One-time plugins that are no longer in use (e.g. migrations, imports)
  - Old backup files (we have a backup of those backup files, of course)
  - Old cache files
- Run a scan for large files and see why they might be there - what is causing them?
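As an added example (not fixed.net's own tooling), the sweep below covers the file-system items from the security and data cleanup sections in one pass: config file permissions, world-writable files, leftover adminer.php/dump/backup files, and large files. It assumes GNU find (Linux hosts) and builds its own constructed sample web root; the glob list and size threshold are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not fixed.net's own tooling: a read-only sweep of a web root for the
# file-system items in the security and data cleanup checklists. Assumes GNU find
# (Linux hosts). Each finding is one line: TAG path (detail), ready to paste into notes.

CONFIG_NAMES='wp-config.php configuration.php .env'                # DB credential files
LEFTOVER_GLOBS='adminer*.php *.sql *.sql.gz *.zip *.tar.gz *.bak'   # DB tools, dumps, backups
LARGE_MB=${LARGE_MB:-50}                                            # large-file threshold (illustrative)

# Sweep one web root and print findings; a clean tree prints nothing.
audit_webroot() {
    root=$1
    # 1. Config files readable or writable by group/other (any bit of 077 set).
    for n in $CONFIG_NAMES; do
        find "$root" -type f -name "$n" -perm /077 -printf 'CONFIG-PERMS %p (mode %m)\n'
    done
    # 2. World-writable files: anyone else on a shared host could alter site code.
    find "$root" -type f -perm -0002 -printf 'WORLD-WRITABLE %p (mode %m)\n'
    # 3. Leftover DB tools, dumps and backup archives inside the document root.
    for g in $LEFTOVER_GLOBS; do
        find "$root" -type f -name "$g" -printf 'LEFTOVER %p (%s bytes)\n'
    done
    # 4. Large files worth asking about.
    find "$root" -type f -size +"${LARGE_MB}M" -printf 'LARGE %p (%s bytes)\n'
}

# Count findings carrying one tag (for a summary line or assertions).
count_tag() { printf '%s\n' "$2" | grep -c "^$1 " || true; }

# Constructed sample web root that trips each check; modes are set explicitly so the
# result does not depend on the umask.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    : > "$d/index.php";                          chmod 644 "$d/index.php"
    : > "$d/wp-config.php";                      chmod 644 "$d/wp-config.php"   # readable by others
    : > "$d/adminer-4.7.php";                    chmod 644 "$d/adminer-4.7.php" # stray DB tool
    : > "$d/wp-content/uploads/site-backup.zip"; chmod 644 "$d/wp-content/uploads/site-backup.zip"
    : > "$d/wp-content/cache.php";               chmod 666 "$d/wp-content/cache.php" # world-writable
    printf '%s' "$d"
}

sample=$(make_sample_root)
findings=$(audit_webroot "$sample")
printf '%s\n' "$findings"
printf 'summary: %s config-perms, %s world-writable, %s leftover, %s large\n' \
    "$(count_tag CONFIG-PERMS "$findings")" "$(count_tag WORLD-WRITABLE "$findings")" \
    "$(count_tag LEFTOVER "$findings")" "$(count_tag LARGE "$findings")"
rm -rf "$sample"
```

Point `audit_webroot` at a real document root (or at a restored backup copy) instead of the sample; it only reads, so it is safe to run against the live tree.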
6. Document functionality
For our own needs, we need to document what the site does and how it does it. We will add to this documentation over time as changes are made and any bugs are fixed.
- Write down the key functionality of the site (i.e. what the site is for).
- Which software or plugins, if any, are used on the website and to what end?
- Which parts of the site are custom-built, as opposed to created with plugins/external software?
- When was the site built and by whom? Are they still in contact?
- E-Commerce
  - Does the site take orders / payment? Which software does it use for that functionality?
  - What payment providers? Do any require IP allowlists?
- What adjustments or plugins have been edited from the default installations? This would mean that those plugins cannot be easily updated or changed.
- Does anything require non-vanilla versions of PHP, or require a server environment that is either old or non-standard?
- If WordPress, do you have a child theme? Or are edits made to the main theme?
- Are there plugin compatibility issues we are aware of?
- Are you using more than one page or site builder?
7. Contact forms and integrations
- Does the site connect to any external systems (including databases, mailing software, social media feeds, CRMs, forums etc)?
- If there are contact forms, are emails sent through PHP mail(), SMTP, or an external provider? Is it working? Shall we set up mail logging?
- Do you have reCAPTCHA verification added?
- If you store cookies, do you need to comply with GDPR legislation?
8. Update setup
Now that we understand how the site fits together and have the start of our documentation, we can run the initial updates to get the website up to date.
- We need to ensure all software is up to date.
- We can stage this if there is any risk of it causing a problem. This means that we will create a preview copy of the website and perform the updates there first.
- Do any plugins require a licence to be updated that is missing? What are the consequences of keeping the old version, if any?
9. Site performance
Lots of customers come to us with requests to speed up their site. Now that we have audited the site and cleaned any bloat, we can work out the best way to optimise performance. For example, different caching methods work with different types of website; some web hosts package their own caching which may or may not be beneficial.
- What caching exists at the moment?
- Does the web host provide caching?
- Is anything obvious conflicting?
- Are expires headers added?
- Should we be minifying and compressing CSS and JavaScript?
- Check GTmetrix/Pingdom for any issues or obvious problems like broken links, large images etc.
- Optimise performance based on those recommendations.
10. Monitoring and schedule
Your website will be added to our monitoring system. Our 24/7 monitoring team are alerted if there is any disruption to your site. However, we need to know if there is anything other than the main website to monitor, and also what our actions should be in case of disruption.
- Ask the client for any specific areas we should be monitoring apart from the main website. For example, a key landing page.
- Ask the client for steps we should take in case of issues where we require their input. Most of the time we can resolve issues ourselves, but let's say for example your domain is registered elsewhere, and there's an issue with the registrar -- we'll need to get in touch to tell you to take action.
- Ask the client for their desired frequency of website software updates. By default, we'll do vulnerability updates immediately - and minor website updates on a weekly/fortnightly cycle.
Finally, it is good for us to understand where you want to go with your site. Is there a feature you are looking to change in future, or might you be getting a development agency to redesign parts of it? All of this helps us understand more about your website and support you better.