Diagnose
One of the most common mistakes I see is organisations asking the wrong question. Instead of asking "Why is this happening?" they immediately ask "How do we fix it?" Those are completely different conversations. The second assumes the cause is already understood. In many projects, it isn't.
I've worked on engagements where a redesign was requested, only to discover the real issue was governance. I've seen migration projects that looked straightforward until the discovery phase revealed undocumented editorial workflows, hidden business rules, and years of accumulated technical debt. Technology wasn't the problem. The lack of discovery was.
That's why every engagement begins with diagnosis. Not because audits are exciting. Because good decisions require evidence.
Every deliverable becomes an input into the next phase. Nothing is wasted.
Site & Codebase Audit
What I find in the audit shapes the entire engagement. Hardcoded credentials in the theme. Plugins three major versions behind. Custom functions that override WordPress core in ways nobody documented. A child theme that breaks if you update the parent.
The Ministry of Education Ontario engagement started with a full codebase audit. What we found - an editorial workflow partially built in four different plugins, none of which talked to each other - completely changed the project scope before I wrote a word of spec. The audit saved months of rework.
I check: plugin and theme versions, custom code quality, database structure, query performance, deprecated function usage, and anything that looks like it was built under deadline pressure and never cleaned up.
Security Scan
Automated scanners catch what's in their database. Manual review catches what nobody has written a rule for yet.
I check file access controls, database configuration exposure, XML-RPC status, whether user accounts can be enumerated, login protection, SSL configuration, and security headers at the server level. Then I look at what your existing plugins have access to and whether any of them are calling home.
Why it matters: On one audit, I found a freelancer had left a debug log in the web root with database credentials in plain text. The site had been live for 14 months. The client had no idea. That's not an edge case.
Infrastructure Review
Is staging a subfolder of production? Is there version control? What's the deployment process - FTP drag and drop? That tells me everything about how the previous developer worked.
Are backups automated? Have they ever been tested? I'll ask for a restoration test during the audit. If nobody's ever run one, that's a risk that gets flagged immediately.
Hosting also matters. PHP version, server config, caching layer. These determine what's possible in the Develop phase without asking you to move infrastructure mid-project.
Performance Baseline
Core Web Vitals from CrUX field data - not just a Lighthouse run in a clean browser tab. Real user data, real conditions, real performance picture.
LCP, CLS, INP, TTFB. Database query count per page. I document everything before I touch anything. At the end of the engagement, the gains are measurable.
Note: Clients in government and financial services often need this baseline for internal reporting before work begins. Having it ready from day one saves a back-and-forth cycle mid-project.