Codebase Concerns

Analysis Date: 2026-05-07

Tech Debt

Generated backup artifacts committed:

  • Issue: Backup archive and Duplicator working files are present in the repository.
  • Files: project_backup_2026-03-26_13-38-53.zip, wp-content/backups-dup-pro/.
  • Why: Likely copied in from the hosting or restore workflow.
  • Impact: Large diffs, possible secret/data exposure, noisy repository, unclear source of truth.
  • Fix approach: Add a .gitignore and remove the generated backup artifacts from version control; treat any secret inside them as exposed and rotate it, because the contents remain reachable in git history after the files are deleted from the working tree.

WordPress core and plugins committed as source:

  • Issue: Full WordPress core and third-party plugins are committed.
  • Files: wp-admin/, wp-includes/, wp-content/plugins/.
  • Why: Common FTP-style WordPress project snapshot.
  • Impact: Accidental vendor/core edits are easy; updates/provenance are hard to audit; diffs become noisy.
  • Fix approach: Define an update/deployment policy and keep custom changes isolated in theme/MU plugin/project-owned plugin files.

Missing custom JS asset referenced by theme:

  • Issue: wp-content/themes/hello-elementor/functions.php references wp-content/themes/hello-elementor/assets/js/custom.js, but that file was not found.
  • Files: wp-content/themes/hello-elementor/functions.php, wp-content/themes/hello-elementor/assets/js/.
  • Why: Possibly planned custom JS or removed asset.
  • Impact: Either a 404 request on every frontend page (if the enqueue is unconditional) or a dead enqueue (if guarded by a file-exists check), depending on deployment state.
  • Fix approach: Create the asset intentionally or remove the enqueue.

Known Bugs

Possible duplicate GTM noscript output:

  • Symptoms: GTM noscript iframe may render twice on themes that support wp_body_open.
  • Trigger: Both wp_body_open and wp_footer actions run.
  • Files: wp-content/mu-plugins/cookie-notice-pro/cookie-notice-pro.php.
  • Workaround: None required for rendering; browsers tolerate the duplicate iframe, but the GTM noscript container is loaded twice per page view.
  • Root cause: The same callback is registered on both hooks without a one-time guard. Fix by having the wp_footer fallback check did_action('wp_body_open') and return early, or by a static "already printed" flag in the callback.

Malformed consent cookie can break banner JS:

  • Symptoms: Cookie banner initialization or helper methods can throw if stored cookie JSON is malformed.
  • Trigger: User/browser has invalid consent cookie value.
  • Files: wp-content/mu-plugins/cookie-notice-pro/assets/cookienoticepro.script.js.
  • Workaround: Clear browser cookies.
  • Root cause: Direct JSON.parse() calls on the stored cookie value, without try/catch or validation of the parsed shape.

Security Considerations

Secrets committed in configuration files:

  • Risk: Database credentials, WordPress salts, and Duplicator auth material are present in source files.
  • Files: wp-config.php, wp-content/backups-dup-pro/installer/original_files_e507eb0-03080010/source_site_wpconfig.
  • Current mitigation: Secret values are not copied into PAUL docs.
  • Recommendations: rotate the exposed credentials, salts and auth keys first, then move environment-specific secrets out of committed files and remove the generated restore artifacts from version control.

Backup archive may contain sensitive data:

  • Risk: Root backup archive may contain code, uploads, config, database dumps, or credentials.
  • Files: project_backup_2026-03-26_13-38-53.zip.
  • Current mitigation: none visible.
  • Recommendations: inspect the archive outside the documented codebase scan, remove it from the repository, and rotate any credentials it contains if it was ever committed or shared.

Installer logs expose operational details:

  • Risk: Duplicator logs may reveal server paths, restore process details, and environment data.
  • Files: wp-content/backups-dup-pro/installer/dup-installer-log__c3605a4-03080010.txt, wp-content/backups-dup-pro/installer/dup-installer-bootlog__c3605a4-03080010.txt.
  • Current mitigation: none visible.
  • Recommendations: treat as sensitive generated artifacts and remove from version control.

Default WordPress table prefix:

  • Risk: Default prefix is a minor hardening weakness, especially on older/poorly protected installs.
  • Files: wp-config.php.
  • Current mitigation: WordPress security does not rely on prefix secrecy.
  • Recommendations: consider custom prefix only during rebuild/migration, not casually on a live site.

Performance Bottlenecks

Cookie notice script loaded on every frontend page:

  • Problem: Custom consent script is about 25 KB and includes inline SVG strings.
  • Files: wp-content/mu-plugins/cookie-notice-pro/assets/cookienoticepro.script.js, wp-content/mu-plugins/cookie-notice-pro/cookie-notice-pro.php.
  • Measurement: file is about 438 lines / 25 KB in scan.
  • Cause: MU plugin enqueues the script globally.
  • Improvement path: minify it, load it with defer where the banner logic allows, and serve it with long-lived cache headers using a versioned URL.

Per-request filemtime() cache busting:

  • Problem: PHP calls filemtime() for custom assets on frontend requests.
  • Files: wp-content/mu-plugins/cookie-notice-pro/cookie-notice-pro.php.
  • Measurement: not measured; likely minor.
  • Cause: development-friendly cache busting.
  • Improvement path: use a fixed plugin/theme version constant if filesystem calls become a concern.

Fragile Areas

Cookie/consent frontend logic:

  • Files: wp-content/mu-plugins/cookie-notice-pro/assets/cookienoticepro.script.js.
  • Why fragile: public page code controls consent defaults, GTM updates, DOM rendering, and cookie parsing.
  • Common failures: malformed cookies, duplicate events, console noise, markup string escaping issues.
  • Safe modification: add defensive parsing first, then test accept/deny/update flows manually.
  • Test coverage: no automated tests detected.

Elementor form configuration lives in DB:

  • Files: wp-content/plugins/elementor-pro/modules/forms/, WordPress database.
  • Why fragile: the actual form actions and field configuration are not visible in the file tree.
  • Common failures: code/files appear unchanged while form delivery changes in admin/database.
  • Safe modification: verify WordPress admin form settings and a real submission after any lead-flow work.
  • Test coverage: no project E2E tests detected.

Encoding of Polish copy:

  • Files: wp-content/mu-plugins/cookie-notice-pro/cookie-notice-pro.php, wp-content/mu-plugins/cookie-notice-pro/assets/cookienoticepro.script.js.
  • Why fragile: some strings appear as mojibake in scans, which suggests a file was saved or edited in the wrong encoding at some point.
  • Common failures: broken Polish characters after edits.
  • Safe modification: confirm encoding before editing copy; preserve UTF-8.
  • Test coverage: manual visual verification only.

Scaling Limits

Unknown hosting/deployment capacity:

  • Current capacity: not documented.
  • Limit: unknown.
  • Symptoms at limit: not measured.
  • Scaling path: document hosting, cache strategy, and form delivery path.

Dependencies at Risk

Duplicator Pro restore tooling with PHP 8.4 noise:

  • Risk: installer logs show PHP 8.4 deprecation noise during restore.
  • Impact: future restores on newer PHP runtimes may be noisy or brittle.
  • Migration plan: update Duplicator Pro before relying on it for restore, or validate restore in staging.

Committed plugin versions without update policy:

  • Risk: security/update status is hard to audit from repo alone.
  • Impact: outdated plugins can create security and compatibility risk.
  • Migration plan: document update ownership, version checks, and deployment process.

Missing Critical Features

No project-owned .gitignore:

  • Problem: generated artifacts and OS files are committed.
  • Current workaround: manual care.
  • Blocks: clean source control and safer collaboration.
  • Implementation complexity: low.

No deployment/update notes:

  • Problem: unclear how WordPress core/plugins/theme changes are deployed.
  • Current workaround: infer from FTP/SFTP/hosting behavior.
  • Blocks: reliable updates and rollback planning.
  • Implementation complexity: low to medium.

Test Coverage Gaps

Lead capture flow:

  • What's not tested: landing page CTA, Elementor form submission, delivery/storage, thank-you/redirect behavior.
  • Files: wp-content/plugins/elementor-pro/modules/forms/, WordPress database configuration, wp-content/themes/hello-elementor/assets/css/custom.scss.
  • Risk: lead form could break silently.
  • Priority: High.
  • Difficulty to test: requires running WordPress environment and real/staged form configuration.

Consent/GTM behavior:

  • What's not tested: consent defaulting, malformed cookie handling, GTM consent updates.
  • Files: wp-content/mu-plugins/cookie-notice-pro/.
  • Risk: analytics/compliance behavior can break public pages.
  • Priority: High.
  • Difficulty to test: moderate; JS unit tests or browser tests could cover this.
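As an added example, not code from the project's cookienoticepro.script.js, the defensive parsing and once-only GTM consent update that the Known Bugs entry, the Fragile Areas entry and this test gap all point to, written as plain functions that a unit test can call without a browser. The cookie name cnp_consent, the category names and the JSON shape are assumptions; the real script's storage format is not documented on this page.

```javascript
// Added example (not cookie-notice-pro code): defensive consent-cookie layer.
// Assumed, not from the project: cookie "cnp_consent" stores JSON such as
// {"v":1,"analytics":true,"marketing":false}; GTM Consent Mode is driven via
// the standard gtag()/dataLayer pattern.
'use strict';

const COOKIE_NAME = 'cnp_consent';             // assumed cookie name
const CATEGORIES = ['analytics', 'marketing']; // assumed consent categories
const MAX_COOKIE_LEN = 512;                    // refuse oversized values early

// Deny-everything default. Every failure path returns a fresh copy of this, so a
// broken cookie can never grant consent or leave the banner in a thrown state.
function defaultConsent() {
  return { v: 1, analytics: false, marketing: false };
}

// Extract one cookie value from a document.cookie-style string. Returns null when
// the cookie is absent or its percent-encoding is invalid (decodeURIComponent
// throws URIError on input such as "%E0%A4%A").
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key !== name) continue;
    try {
      return decodeURIComponent(rest.join('='));
    } catch (e) {
      return null;
    }
  }
  return null;
}

// Parse and validate a stored consent value. Never throws: invalid JSON, a wrong
// JSON type, unknown keys and non-boolean values all collapse to the default.
function parseConsent(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > MAX_COOKIE_LEN) {
    return defaultConsent();
  }
  let obj;
  try {
    obj = JSON.parse(raw);
  } catch (e) {
    return defaultConsent();
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return defaultConsent();
  }
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    consent[cat] = obj[cat] === true; // strict: "true", 1 and "yes" all mean denied
  }
  return consent;
}

// Serialize for Set-Cookie; only known keys are written, so junk never round-trips.
function serializeConsent(consent) {
  const clean = defaultConsent();
  for (const cat of CATEGORIES) clean[cat] = consent[cat] === true;
  return encodeURIComponent(JSON.stringify(clean));
}

// Map categories to GTM Consent Mode signals; anything not granted is denied.
function toGtmConsent(consent) {
  const ads = consent.marketing ? 'granted' : 'denied';
  return {
    analytics_storage: consent.analytics ? 'granted' : 'denied',
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
  };
}

// Returns an updater bound to a dataLayer array. It pushes an `arguments` object
// exactly as gtag() does (GTM recognises only that form for consent commands) and
// suppresses a push that would repeat the last state, which is the "duplicate
// events" failure noted for this script.
function makeConsentUpdater(dataLayer) {
  function gtag() { dataLayer.push(arguments); }
  let lastKey = null;
  return function update(consent) {
    const signal = toGtmConsent(consent);
    const key = JSON.stringify(signal);
    if (key === lastKey) return false; // identical state: nothing pushed
    lastKey = key;
    gtag('consent', 'update', signal);
    return true;
  };
}

// Bootstrap: read and parse the cookie, then emit the initial consent update.
// In a page this is initConsent(document.cookie, window.dataLayer = window.dataLayer || []).
function initConsent(cookieString, dataLayer) {
  const consent = parseConsent(readCookie(cookieString, COOKIE_NAME));
  const update = makeConsentUpdater(dataLayer);
  update(consent);
  return { consent, update };
}
```

Because every step is a pure function over a cookie string and a plain array standing in for window.dataLayer, the accept, deny and malformed-cookie paths can each be covered by a few assertions in Node, without a browser or a running WordPress instance.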

Concerns audit: 2026-05-07. Update this page as issues are fixed or new ones are discovered.