My First 5 Minutes on Your WordPress Admin

As a systems consultant, I get to see a lot of WordPress websites.  The condition of the sites runs the gamut from mundane (my favorite) to a chaotic explosion of warnings, errors, and update notifications. I am going to describe the first key things that I examine when getting familiar with your website.

The WP-Admin Dashboard Login Experience

You would think logging into the site is the easy part, right? Unfortunately this is not always the case. The admin login experience itself can give a lot of insight into what to expect when before I lay eyes on your dashboard.

Is the dashboard URL /wp-admin or something else?

Has the WordPress login page branding been removed or changed?

Did you give me “admin” as my username?

How complex is the password?

I keep a poker face when receiving the site credentials but rest assured that I have already judged your level of sophistication by this seemingly innocuous task.

The Dashboard at a Glance

The time between clicking the Log In button and seeing your WordPress admin dashboard for the first time gives me the same thrill of a spinning slot machine.  Will I break even or am I going to miss every pay line? (I don’t seem to ever hit the jackpot! lol)

Let’s start with the easy case, breaking even.  To me, this means a clean dashboard.  No warnings of plugins being out of date, no crazy customizations. I’m okay with seeing a long list of sidebar items. I figure your website serves a purpose so a moderate number of custom post type menus and settings panels aren’t an immediate red flag for me.

Now let’s get real, most people don’t hire me to look at a well run website.  Hitting a bust is seeing warning banners, red alert bubbles, and general craziness happening on the dashboard.  My heart may drop a little bit but that feeling quickly turns to determination to improve the site better than how I found it.

Let me show you the screenshot of a real site with problems:

I have annotated some of the stand out issues in dark blue.  It’s important to take note of the good and the bad. Out of date software is one of the largest vulnerability vectors in the online world. But you can see at some point in the past a person cared enough to install Google Analytics to judge their marketing performance and a server side caching plugin for improved hosting performance. (also make a mental note your site changes might require a cache clear to be visible!)

What’s Next?

So you may think that we’re ready to jump in and get fixing. Not so fast. We’ve only scratched the surface of our evaluation. There are several more things that we need to know before we can responsibly report back to the site owner.

First, do we have a real administrator account? Sometimes you will see web development agencies setup roles to give the site owner an “almost-admin” account to protect the site owner from completely wrecking things.  Go to the Users page and take notice of several things.

• How many user accounts exist?
• How many of the accounts are administrator accounts? Use the role filters above the Users table if you have a lot of accounts.
• Should all of these people be admins? Ask the site owner if unsure.
• Does the much brute-force attacked “admin” account exist?
• Finally, is your account role set to Administrator, not a custom role with administrator-like privileges.

Site Functionality

Now that you have established that your admin account has full access, is the website being backed up? Everybody has their favorite backup plugin from the free Updraft Plus to the commercial BackupBuddy or a developer oriented plugin such as Duplicator. Actually go into the backup area and determine when the last good back was taken. (hint: the correct answer is nightly with an offsite push to Dropbox, Google Drive, Amazon S3, or similar)

Next I like to go to the Installed Plugins page and browse down the list to see what I’m working with.

• How many total?
• How many are duplicate functionality of others? (6 social media plugins)
• How many disabled plugins are just sitting there?
• How many need updates?
• How many are commercial and not entitled to update?
• How many are known to cause problem when updated? (Woocommerce theme templates)
• Is there a performance caching plugin? (perhaps will want to disable during development)
• Is there a security plugin?
• Are there post builder plugins? (visual composer, etc)
• Is there a backdoor login plugin like InfiniteWP? (premium versions may be named something else)
• What’s in here that I don’t recognize?

The Theme

I see a lot of junior people head straight for the theme when they are trying to fix a site.  You saw me go to plugins before themes because I want to know what functions I am dealing with before thinking about how the functions are presented to the user. Plugins exist to change how the theme works (and how the system as a whole works). I’d rather have an inventory of these behavior mods in the back of my head before looking at how these functions are presented to the user. Otherwise it’s too easy to make an assumption that isn’t true.

With that said, the theme tells me a ton about the mindset behind the developer who built the site. Go to Appearance – Themes. Is your site running on a primary theme or a child theme? Is the theme from a major vendor, a free wp.org theme or something completely custom?  What control panels are provided by the theme? Is it customized by a quasi-drag and drop system, widget based, or primarily rely on the stylesheets to control layout?

At this point I have a good feeling for the IT practices, function and design of the site. I can give you, the client, a set of educated opinions of where to go next.