What is an audit?
The goal of the audit is to identify the current state of a website: a thorough review. A certified architect-level developer completes the technical pieces of an audit. A business analyst should explore customer-experience-related areas.
Our audits take many hours to complete—sometimes over 100. There are a few shortcuts to make an audit faster.
This depends on the level of audit. The more that is reviewed, the more access is needed.
- Server access via SSH. We need to review database records and configuration. We will also investigate the structure of the deployment and web server. This is a critical step for verifying the security of your website.
- Code access. We request access to your version control system (GitHub or GitLab). If this is not possible, we can look at the code on the server. Version control gives insight as to who changed what and when.
- The admin area. We can get this for ourselves once we have SSH access. However, this is included in the list for full disclosure.
- Google Analytics. This helps determine revenue trends. When paired with a conversion rate audit, we use this to identify points in time. We also use this to diagnose technical issues that affect specific browsers.
- New Relic. If you are using New Relic (as we do with all of our customers), we will have visibility into performance problems with a glance. This provides insight into slowness on the website—poor performance leads to customer frustration which hurts the conversion rate.
- Other tools like Full Story, Algolia, etc. These tools provide additional clarity to how the website is operating.
We usually bring plenty of our findings regarding your website—but it is pretty helpful to hear specific complaints. We research these issues and formulate a game plan for their resolution.
What options are available?
We split our audits into three categories:
- Core: a review of the 3rd-party modules, customizations, security posture, and hosting environment.
- Performance: a review of the bottlenecks that affect system stability and conversion rate.
- Customer experience: a review of how customers approach and interact with the checkout process. This entails conversion rate optimization, purchase journey details, and more.
Each of these categories are split further. From here, we get more technical. Note that while we describe the audit process in as much detail as possible, this does not substitute for having an architect perform the review.
Core: Module review
This is a hands-on/manual review of every 3rd-party module in your project. These are found in app/code/ and the vendor/ directories.
The first thing is to compare the currently-installed version with the latest version. We often find significant disparities that can account for bugs or security issues.
We focus on all modules in app/code/ to identify whether or not these can be moved into Composer version management. What’s the problem with leaving them in app/code/? They are harder to update. In other words, updates don’t happen. It’s even worse in that the Composer-managed modules are updated: having some outdated modules can cause bugs when interacting with updated modules (that’s a lot of the word “update” in a paragraph!).
Our following review is to understand what each module does. We can achieve immediate performance boosts by removing modules that no longer provide value. We take an initial stab at determining a module's value by reviewing the database and log files.
Every module is evaluated for significant security issues. We don’t review every line of code, but it’s pretty close. A good developer has first places they review that often are markers for the quality of the rest of the module. These issues are called out for further review or diagnosis.
Core: Custom code review
3rd-party modules can have poor-quality code, but custom modules are often worse.
These must be reviewed with a fine-toothed comb. Every line must be checked. Depending on the size of the website, this is very time-consuming.
Our developers often apply well-learned heuristics to identify the overall quality of the architecture. As the code passes or fails basic checks, the developer knows what further to review.
RED FLAGS
If a problem, like a SQL injection vulnerability, is found in one module, it’ll be found in others. It is up to the architect to find every case of these violations and notate to ensure they are promptly fixed.
We use tools such as phpcs to assist in the more automatable processes. For example, if the developer uses tabs instead of spaces, this will likely point to further issues. If there is a significant amount of commented code, we see they were not relying on version control.
One of my personal favorites is ObjectManager in the code. This should never be present in almost any circumstance.
Problems that affect upgradeability
If one problem was king over all difficulties, it’s the strong preference. The preference is powerful and capable. It can change any functionality and fix any bug. In the short term, preferences are fantastic.
In the long run, they are upgrade killers.
So what is a preference? A preference is pointing to Magento to use a different class instead of a core class. This almost always entails copying significant amounts of code. When Magento is upgraded, there is a reasonable chance the original class has been changed. Thus, a preference uses old code instead of new code. You can imagine how this creates significance for strange bugs.
We, at SwiftOtter, have used preferences for this situation, but they are our last resort. Instead, we use Composer patches. When we use a preference, they are small and well-documented.
Preferences are incredibly time-consuming to clean up in preparation for an upgrade. We have to pay special attention to this to ensure you get as accurate of an estimate as possible.
(Almost) every Adobe Commerce release fixes critical issues. While you don’t have to upgrade from Adobe Commerce 2.3 to 2.4 the day it’s released, it’s essential to follow the lifecycle policy (Adobe Commerce 2.3 is no longer supported on September 8, 2022).
Security goes beyond the version of Magento. The modules and customizations must also be secure. This is another reason why manual code review is so important. We have found plenty of vulnerabilities in these reviews.
Conversely, the Backend is what provides data to the front. If a page takes a long time to load, there is a good chance that the backend has poorly-performing processes.
We have seen even simple mistakes cause a catastrophic loss of speed. We use tools like New Relic to understand where the problems are.
There is no “one size fits all” solution for these problems. We provide an essential roadmap and an estimate for the fix.
If we don’t have access to New Relic, our starting point is anecdotal observations through the customer journey.
Customer experience: Conversion Rate Optimization
The conversion rate is the ratio of visitors to orders. The higher the ratio, the better. There is no “set” conversion rate, but 5-7% is outstanding. We have seen it closer to 0.5% for some content-heavy websites.
This phase is started in Google Analytics. We spend significant time piecing together segments to get unique vantage points on the website. We review year over year and different date ranges to identify seasonality.
We look for trends in customer acquisition and how the conversion rate is affected. We find drop-off locations.
Then, we take this data to the website and identify the conversion rate killers.