Earlier this year, a large company reached out to us regarding security issues across their ageing WordPress (WP) sites.
Aside from the large amounts of bot traffic adding spam, their sites were also slow and difficult to maintain.
Maintenance Issues
Long-term website maintenance is tricky, and in this case, many problems could have been avoided if they hadn’t been allowed to accumulate over time.
How well a site ages, and how long it stays maintainable, depends on a number of factors, including:
- How well the site was initially built
- Whether the theme is custom or pre-made
- If the developers are actively maintaining the theme
- If the original developers are still involved
- The number of themes and plugins installed and whether they are working well together
- The types of powerful plugins in use (e.g., multilingual plugins, WooCommerce)
- Who is responsible for ongoing maintenance and technical debt
All of these questions came up during this audit, and without the proper groundwork in place the sites were not ageing well.
Security Issues
Bots are drawn to anything that collects visitor data, such as checkouts and forms. In this case the security issues stemmed from outdated plugins: maintenance had been sporadic, and the sites carried a lot of redundant plugins that could not be updated without breaking the whole site.
The Original Theme
The original theme had been coded five years earlier and was no longer maintained by the original developers. The current team lacked the experience to keep to the coding standards that had been in place when the theme was first written.
There were a few major dependencies in the theme that the team could not update, because doing so would break the site. This is common as sites age: themes come to depend on third-party plugins and code that is no longer maintained.
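The first step in an audit like this is to turn the plugin inventory into a short list of decisions: which plugins are dead weight, which updates are safe to push through staging, and which are major-version jumps that need a developer to own them. The script below is an added example, not code from the original post or the client's sites. It assumes the inventory was exported with WP-CLI (`wp plugin list --format=json`, whose records carry the fields name, status, update, version and update_version); the plugin records embedded in it are constructed for illustration, and the "major bump means likely breaking change" rule is a semantic-versioning heuristic, not something WordPress guarantees.

```python
"""Triage a WordPress plugin inventory for an ageing-site audit.

Added example, not code from the original post. It assumes the plugin
list was exported with WP-CLI (`wp plugin list --format=json`); the
records below are constructed sample data, not a real site's inventory.
"""
import json
import re

# Constructed sample of what `wp plugin list --format=json` returns on a
# neglected site. Names and versions are made up for illustration.
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "woocommerce", "status": "active", "update": "available",
     "version": "3.9.4", "update_version": "5.1.0"},
    {"name": "contact-form-7", "status": "active", "update": "available",
     "version": "5.3.2", "update_version": "5.4.1"},
    {"name": "wpml-string-translation", "status": "active", "update": "none",
     "version": "3.1.5", "update_version": ""},
    {"name": "old-slider", "status": "inactive", "update": "available",
     "version": "1.2.0", "update_version": "2.0.0"},
    {"name": "hello", "status": "inactive", "update": "none",
     "version": "1.7.2", "update_version": ""},
])


def parse_version(text):
    """Return the leading dotted-numeric part of a version as a tuple.

    '5.4.1-beta2' -> (5, 4, 1); '2.0' -> (2, 0, 0); '' -> (0, 0, 0).
    Pre-release suffixes are ignored and missing components count as 0.
    """
    m = re.match(r"\d+(?:\.\d+)*", (text or "").strip())
    parts = tuple(int(n) for n in m.group(0).split(".")) if m else ()
    return parts + (0,) * max(0, 3 - len(parts))


def classify_update(current, target):
    """Classify the jump from current to target by semantic-versioning convention.

    'major' jumps are the ones most likely to carry breaking changes and
    therefore need a developer to test them on staging before going live.
    """
    cur, new = parse_version(current), parse_version(target)
    if new <= cur:
        return "none"
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"


def triage_plugins(wp_cli_json):
    """Bucket a WP-CLI plugin list into the groups an audit cares about.

    remove        - inactive plugins: redundant code that still ships attack surface
    update_safe   - active plugins with a minor or patch update (staging, then live)
    update_risky  - active plugins with a major update (likely breaking; needs an owner)
    current       - active plugins with no update available
    """
    buckets = {"remove": [], "update_safe": [], "update_risky": [], "current": []}
    for plugin in json.loads(wp_cli_json):
        name = plugin["name"]
        if plugin["status"] == "inactive":
            buckets["remove"].append(name)
            continue
        if plugin["update"] != "available":
            buckets["current"].append(name)
            continue
        kind = classify_update(plugin["version"], plugin["update_version"])
        bucket = "update_risky" if kind == "major" else "update_safe"
        buckets[bucket].append(
            f"{name} {plugin['version']} -> {plugin['update_version']} ({kind})"
        )
    return buckets


if __name__ == "__main__":
    for bucket, entries in triage_plugins(SAMPLE_WP_CLI_JSON).items():
        print(f"{bucket}:")
        for entry in entries:
            print(f"  {entry}")
```

On a real site, pipe the output of `wp plugin list --format=json` into `triage_plugins`; the "remove" bucket is the quick win (deactivated plugins are still readable code on the server and still get scanned by bots), and the "update_risky" bucket is the list that needs a lead developer to push the update on staging and own whatever breaks.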
Team Management
The team responsible for maintaining the sites consisted of junior developers, with no lead developer to review their code or bring them up to the standard needed to maintain the sites well.
There were dependencies in the theme that needed updating, but the updates were also breaking changes. This highlights the importance of having a lead developer on a team: someone who can say 'OK, let's get this done', push the update button on a staging site, and be confident that they can fix any issues that come up, or suggest a better way to remove the offending dependency entirely.
We recommended that the team be brought up to modern coding standards, and we introduced code review as well as weekly meetups where we dived into best practices so that they could maintain the sites better in the future.
Project Conclusion
This project required a range of skills, including auditing and assessing the risks found on the current sites. It also involved coordinating with different groups within the company and training the current team to manage the sites better in future.
Being an outsider can also make it easier to raise the issues found; in a large company, however, it can be difficult for them to pivot and fix those issues.
All in all, it was an interesting project, and it was very enjoyable working with junior devs and other teams to improve the sites.