In this post I want to share my opinion on the importance of a Magento Technical Audit. At the same time I will try to answer some of the questions about Magento audits that I have been asked most often over the years.
What is a Technical Audit?
According to Wikipedia, an “audit is a systematic and independent examination of …”. In our case, a Magento Technical Audit is an independent examination of your Magento based store.
In an ideal world, every company that plans to launch an eCommerce store would commission a Magento Technical Audit, and obviously before the launch. Depending on the size and complexity of the project it should be done quite a while before the launch date (T0), so that the development team has enough time to act on the issues found by the audit team or individual, if any.
Depending on the audit team and on the company requesting it, the technical audit should cover all components of the project. Details follow later in this article.
A technical audit is in no way an end-to-end test of an eCommerce solution.
Is a MAGENTO TECHNICAL audit really necessary? Why and when?
There is no right or wrong answer to this question, because it depends on who you ask and their personal opinion on the matter.
So here’s mine.
It depends on how committed the company is to the eCommerce business.
A small eCommerce business hoping to reach 100 orders/month at some point might want to spend its money on something other than audits, for example on growing the marketing budget, if there is one. And it might be right. As long as its Magento is almost a default install, or there are no pain points regarding performance, it doesn't need an audit. Don't fix problems that aren't there yet.
On the other hand, a big company aiming for huge growth (or trying to sustain it) in the eCommerce business would probably need an audit, because it is more likely to want or need to scale sooner rather than later, and scaling should be possible before it is actually needed.
My bottom line:
- small, seeing how it goes, investing only if everything goes well? – spend your money on something else
- aiming big (or already big, but switching to Magento)? – GET ONE
What should a Magento Technical Audit cover?
The short answer is: everything.
For the long answer, I think the audit is best organised into the following categories:
Hopefully, you have a plan for the "hardware" you want to run your eCommerce business on: which HTTP server, which RDBMS, which cache driver(s) and so on.
All these services should be properly configured, up to date and secured. Some services perform better than others under certain conditions.
You should have a backup policy in place, and ideally a disaster recovery plan as well. A backup that has never been restored in a test is not a backup you can rely on.
This is probably the easiest thing to audit. There is only one rule: never touch or edit core files. Custom functionality, or changes to the behaviour of default Magento modules, should be implemented by following Magento development best practices (rewrites, observers and so on). This is what allows you to upgrade your Magento easily, among other things.
Besides checking the integrity of the core Magento files, one should check whether the latest official Magento patches, in particular the security patches, are applied.
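Both checks from the paragraph above can be scripted. The following is an added example written for this article, not code from Magento or from any audit tool. It assumes the auditor has hashed a pristine copy of the same Magento release to build a manifest, and that the install under audit records applied Magento 1 patches as lines in app/etc/applied.patches.list. The file contents, the patch list lines and the SUPEE-000x identifiers in the fixture are constructed placeholders, not real releases or patches.

```python
"""Added example: core-file integrity check and applied-patch check for a
Magento 1 install. Assumptions (not from the article): a manifest built from a
pristine copy of the same release, and app/etc/applied.patches.list holding
one line per applied SUPEE patch. All fixture data below is constructed."""
import hashlib
import re
import tempfile
from pathlib import Path


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under a pristine install, keyed by POSIX relative path."""
    return {p.relative_to(root).as_posix(): sha256_of(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_core_integrity(manifest: dict, root: Path):
    """Return (modified, missing) core files of the audited install `root`,
    compared with the pristine manifest. Extra (non-core) files are ignored."""
    modified, missing = [], []
    for rel, expected in manifest.items():
        f = root / rel
        if not f.is_file():
            missing.append(rel)
        elif sha256_of(f.read_bytes()) != expected:
            modified.append(rel)
    return modified, missing


PATCH_RE = re.compile(r"\bSUPEE-\d+\b")


def applied_patches(root: Path) -> set:
    """Patch identifiers recorded in app/etc/applied.patches.list (empty if absent)."""
    listing = root / "app" / "etc" / "applied.patches.list"
    if not listing.is_file():
        return set()
    return set(PATCH_RE.findall(listing.read_text()))


def missing_patches(root: Path, required) -> list:
    """Required patches that the install does not record as applied."""
    return sorted(set(required) - applied_patches(root))


def demo() -> dict:
    """Constructed fixture: a pristine tree and an audited copy in which one
    core file was edited in place and another deleted; two of three required
    (placeholder) patches are recorded as applied."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine, audited = Path(tmp) / "pristine", Path(tmp) / "store"
        core = {  # real Magento 1 paths, constructed contents
            "app/Mage.php": b"<?php // vanilla\n",
            "app/code/core/Mage/Checkout/controllers/CartController.php": b"<?php // vanilla\n",
            "app/code/core/Mage/Sales/Model/Order.php": b"<?php // vanilla\n",
        }
        for tree in (pristine, audited):
            for rel, body in core.items():
                (tree / rel).parent.mkdir(parents=True, exist_ok=True)
                (tree / rel).write_bytes(body)
        manifest = build_manifest(pristine)
        # The two findings an auditor is looking for: an edited and a missing core file.
        (audited / "app/code/core/Mage/Checkout/controllers/CartController.php"
         ).write_bytes(b"<?php // edited in place by a developer\n")
        (audited / "app/code/core/Mage/Sales/Model/Order.php").unlink()
        listing = audited / "app/etc/applied.patches.list"
        listing.parent.mkdir(parents=True, exist_ok=True)
        listing.write_text(  # constructed lines in the shape of the real file
            "2016-01-01 00:00:00 UTC | SUPEE-0001 | CE_1.9.2.0 | v1 | ...\n"
            "2016-02-01 00:00:00 UTC | SUPEE-0002 | CE_1.9.2.0 | v1 | ...\n")
        modified, missing = check_core_integrity(manifest, audited)
        return {"modified": modified, "missing": missing,
                "missing_patches": missing_patches(
                    audited, ["SUPEE-0001", "SUPEE-0002", "SUPEE-0003"])}


if __name__ == "__main__":
    print(demo())
```

The manifest approach only proves that core files match the release; it says nothing about what the custom and 3rd party code does with them, which is the subject of the next categories.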
Checking the custom code is the most time-consuming part of the audit, and where probably 90% of the problems are.
Good-quality code ensures easy upgrades, easy scaling (vertically and horizontally) and brings other, not-so-technical benefits, like faster ramp-up of new people in a team. This shouldn't be optional; it should be a must. Good code is easy to maintain, to develop further and even to test.
Magento (at least version 1) is not a very strict framework: it allows a developer to write code in quite a few ways that all still work. However, a high-traffic eCommerce solution won't be very stable or scalable while relying on a poorly written codebase. The same rules apply to both backend and frontend code.
Hardcoded values are a big no-no as well. Changing some obscure value that could have been a setting in the Admin Panel should not require deploying a new version. This goes double for credentials and API keys, which do not belong in the codebase at all.
3RD PARTY CODE
Sadly, most 3rd party modules and themes are poorly written and usually contain a lot of bloat, because vendors try to cover as large a client base as possible.
As a developer I have often found that there are modules from the same vendor that can't be installed at the same time due to silly licensing policies.
Before installing any 3rd party module it is highly recommended that you first perform a mini-audit of that module and of everything it brings into your codebase. Ideally, you don't use popular 3rd party modules that by default do hundreds of things when you only need a fraction of the features. Developing a custom module tailored exactly to your needs might be the better solution.
SECURITY (of both the application, Magento, and the services used: the software running on the servers)
Security was briefly covered before. Besides the well-known classes of issues (XSS, RFI, SQL injection, etc.), an audit should also cover things that are not necessarily obvious: flaws in the business logic.
For example, if you use some module for Reward Points (just as an example), one should check whether a customer can spend more points than they own, or whether customers can gain more points than they should.
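To make the two checks concrete, here is an added example written for this article. It is not code from the article, from Magento or from any reward points module; it uses an in-memory SQLite table as a stand-in for a hypothetical customer points table (constructed data) and contrasts a check-then-write redemption with one that lets the database enforce the balance. The `between` hook exists only so the demo can interleave a second request the way two concurrent checkouts would.

```python
"""Added example: redeeming reward points, naive versus hardened.
Assumptions (not from the article): a hypothetical reward_points table with
one row per customer; all balances and amounts below are constructed."""
import sqlite3


def new_db(initial_points: int) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reward_points "
                 "(customer_id INTEGER PRIMARY KEY, points INTEGER NOT NULL)")
    conn.execute("INSERT INTO reward_points VALUES (?, ?)", (1, initial_points))
    conn.commit()
    return conn


def balance(conn: sqlite3.Connection, customer_id: int = 1) -> int:
    row = conn.execute("SELECT points FROM reward_points WHERE customer_id = ?",
                       (customer_id,)).fetchone()
    return row[0]


def redeem_naive(conn, customer_id: int, amount: int, between=None) -> bool:
    """Read the balance, compare, then write the new balance.
    Two flaws: a negative `amount` passes the comparison and credits points,
    and a second request arriving between the read and the write sees the
    same stale balance, so both are accepted (`between` simulates that)."""
    current = balance(conn, customer_id)
    if amount > current:
        return False
    if between is not None:
        between()
    conn.execute("UPDATE reward_points SET points = ? WHERE customer_id = ?",
                 (current - amount, customer_id))
    conn.commit()
    return True


def redeem(conn, customer_id: int, amount: int) -> bool:
    """Hardened version: reject non-positive amounts up front and make the
    balance check part of the UPDATE itself, so it is evaluated atomically
    on the current row. rowcount tells us whether the row qualified."""
    if type(amount) is not int or amount <= 0:
        return False
    cur = conn.execute(
        "UPDATE reward_points SET points = points - ? "
        "WHERE customer_id = ? AND points >= ?",
        (amount, customer_id, amount))
    conn.commit()
    return cur.rowcount == 1


def demo_naive():
    """Returns (balance after a negative spend, whether the first of two
    racing 80-point spends was accepted, balance after the race)."""
    conn = new_db(100)
    redeem_naive(conn, 1, -50)          # "spends" -50: balance becomes 150
    after_negative = balance(conn)
    conn2 = new_db(100)                 # two 80-point spends race on 100 points
    first_ok = redeem_naive(conn2, 1, 80,
                            between=lambda: redeem_naive(conn2, 1, 80))
    return after_negative, first_ok, balance(conn2)


def demo_hardened():
    """Returns (negative spend accepted?, first 80 accepted?, second 80 accepted?,
    final balance) for the same scenarios against the hardened function."""
    conn = new_db(100)
    neg = redeem(conn, 1, -50)
    ok1 = redeem(conn, 1, 80)
    ok2 = redeem(conn, 1, 80)
    return neg, ok1, ok2, balance(conn)


if __name__ == "__main__":
    print("naive:", demo_naive())        # (150, True, 20): 160 points spent from 100
    print("hardened:", demo_hardened())  # (False, True, False, 20)
```

In the naive version the race leaves 20 points after two accepted 80-point spends from a 100-point balance, and a negative amount silently credits the account. The hardened version relies on the database serialising writes to the row, so the `points >= ?` condition is always evaluated against the current value; the same pattern applies to the earning side, where the credited amount must come from the server-side order total rather than from anything the client submits.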
Magento settings review
A clean/vanilla Magento instance has around a thousand settings that someone can, or has to, configure. These range from the site's name and the number of stores to tax zones, tax classes, tax calculation methods and so on. There are also settings that can hugely boost or degrade overall performance, depending on various factors.
Funnily enough, I have also seen a few custom/3rd party modules that introduced "functionality" that was a few clicks away in a vanilla Magento instance.
Who is it for?
A professional Magento Technical Audit should be easy to understand by anyone, and should open with an executive summary. The summary should provide a quick, honest overview of the Magento solution. Think grades from E to A.
At the same time, if applicable, it should contain a logically structured list of the issues found and recommendations on how to fix them. This part is intended for the development team.
Furthermore, a good audit should contain suggestions on how the project can be improved even further, not just point out problems.
Do you need a Magento Audit?
Request a Magento Technical Audit