# Concerns & Technical Debt

> Generated by /paul:map-codebase — 2026-04-26

## CRITICAL

### 1. Credentials committed to git

- **wp-config.php**: DB password in version history
- **.vscode/ftp-kr.json**: FTP credentials in version history (host, user, password, path)
- **Action**: Rotate both passwords. Add `wp-config.php` and `.vscode/ftp-kr.json` to `.gitignore`.

### 2. FTP auto-upload to production with no staging

- `autoUpload: true` in `.vscode/ftp-kr.json` — every file save goes live immediately
- No review step, no staging environment
- **Action**: Disable autoUpload for risky changes; test locally first.

### 3. bbPress — 100+ core plugin files modified

- Git shows every file in `wp-content/plugins/bbpress/` as modified
- Next bbPress update will silently overwrite all customizations
- **Action**: Document what was changed and why. Move custom logic to a custom plugin or mu-plugin using bbPress hooks/filters.

## HIGH

### 4. No .gitignore

- Sensitive files (wp-config.php, ftp-kr.json) are tracked
- Uploads, cache, and build artifacts can be accidentally committed
- **Files to add to .gitignore**: `wp-config.php`, `.vscode/ftp-kr.json`, `.vscode/sftp.json`, `wp-content/uploads/`, `wp-content/cache/`, `*.log`

### 5. Deprecated PHP in divi-children-engine

- `extract(shortcode_atts(...))` in `divi-mods/divi_mod_functions.php:28` — deprecated PHP 8.0+, security risk
- `query_posts()` in same file — deprecated, should use `WP_Query`
- **Action**: Replace `extract()` with explicit variable assignments when touching this file.

### 6. AJAX handler without nonce verification

- `custom_selectors_action_callback()` in `custom_codes.php` processes `$_POST['selector']` without sanitization or nonce check
- **Action**: Add `check_ajax_referer()` and `sanitize_text_field()` before the `set_theme_mod()` call.

### 7. No error logging

- `WP_DEBUG = false` with no `WP_DEBUG_LOG` — silent failures in production
- **Action**: Enable `WP_DEBUG_LOG = true`, `WP_DEBUG_DISPLAY = false` to log errors server-side without exposing them.

## MEDIUM

### 8. Inline JavaScript using deprecated jQuery methods

- `custom_codes.php` uses `.toggle()` (removed in jQuery 3.9+) via inline PHP-embedded JS
- **Action**: Replace with `.slideToggle()` or vanilla JS when modifying this area.

### 9. Hardcoded Polish strings without i18n

- `functions.php`: stock text, email address hardcoded as string literals
- `cron-products.php`: hardcoded Polish date strings
- No `.pot` / `.po` / `.mo` files; uses `woocommerce` text domain instead of `body-relax`
- **Action**: Wrap new strings in `__('...', 'body-relax')`, create proper text domain.

### 10. Child theme author URL uses HTTP

- `style.css` Author URI: `http://www.body-relax.baumer.vot.pl` (HTTP, not HTTPS)
- Minor, but update to HTTPS when touching the file.

### 11. FTP over plain FTP (not SFTP)

- `.vscode/ftp-kr.json` uses unencrypted FTP protocol
- Credentials and file contents transmitted in plaintext
- **Action**: Switch to SFTP (port 22) if host supports it.

## LOW

### 12. Poor git commit history

- All recent commits are "Save" — no meaningful history for auditing or rollback
- **Action**: Use conventional commit messages going forward.

### 13. Divi Children Engine version 1.0.4

- Relatively old; last update date unclear
- Non-standard approach that may conflict with Divi updates
- Low urgency, but track for compatibility issues when Divi updates.

### 14. AUTOMATIC_UPDATER_DISABLED = true

- All updates are manual; security patches may be missed
- Acceptable if monitored; ensure a process exists to apply patches.
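As an added illustration of the fix for item 6 (not the theme's own code): a hardened version of the AJAX handler that verifies a nonce, checks capability and sanitizes `$_POST['selector']` before `set_theme_mod()`. The AJAX action name `custom_selectors_action`, the nonce action, the theme_mod key and the script handle `custom-selectors` are assumptions; the real values live in `custom_codes.php`.

```php
<?php
// Added example, not the project's code. Names below are assumed:
// AJAX action 'custom_selectors_action', script handle 'custom-selectors',
// theme_mod key 'custom_selectors'.

// Enqueue side: hand the nonce to the already-enqueued script that fires the request.
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'custom-selectors', 'customSelectors', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'custom_selectors_action' ),
    ) );
} );

// Hardened callback: nonce check, capability check, sanitization, then set_theme_mod().
function custom_selectors_action_callback() {
    // Dies with HTTP 403 when the 'nonce' POST field is missing or invalid.
    check_ajax_referer( 'custom_selectors_action', 'nonce' );

    // Only users allowed to change theme settings may write a theme_mod.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // Unslash (WP adds slashes to superglobals), then reduce to a plain text value.
    $selector = isset( $_POST['selector'] )
        ? sanitize_text_field( wp_unslash( $_POST['selector'] ) )
        : '';
    if ( '' === $selector ) {
        wp_send_json_error( 'missing selector', 400 );
    }

    set_theme_mod( 'custom_selectors', $selector );
    wp_send_json_success( array( 'selector' => $selector ) );
}

// Registered for logged-in users only: no wp_ajax_nopriv_ hook, so anonymous
// requests never reach the callback.
add_action( 'wp_ajax_custom_selectors_action', 'custom_selectors_action_callback' );
```

On the client, the request must send `nonce: customSelectors.nonce` alongside `selector` and `action`, otherwise `check_ajax_referer()` rejects it.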