Concerns & Technical Debt

Generated by /paul:map-codebase — 2026-04-26

CRITICAL

1. Credentials committed to git

  • wp-config.php: DB password in version history
  • .vscode/ftp-kr.json: FTP credentials in version history (host, user, password, path)
  • Action: Rotate both passwords. Add wp-config.php and .vscode/ftp-kr.json to .gitignore (and untrack them with git rm --cached; ignoring a file does not remove it from history, so rotation is what actually revokes the leaked values).

2. FTP auto-upload to production with no staging

  • autoUpload: true in .vscode/ftp-kr.json — every file save goes live immediately
  • No review step, no staging environment
  • Action: Disable autoUpload for risky changes; test locally first.

3. bbPress — 100+ core plugin files modified

  • Git shows every file in wp-content/plugins/bbpress/ as modified
  • Next bbPress update will silently overwrite all customizations
  • Action: Document what was changed and why. Move custom logic to a custom plugin or mu-plugin using bbPress hooks/filters.

HIGH

4. No .gitignore

  • Sensitive files (wp-config.php, ftp-kr.json) are tracked
  • Uploads, cache, and build artifacts can be accidentally committed
  • Files to add to .gitignore: wp-config.php, .vscode/ftp-kr.json, .vscode/sftp.json, wp-content/uploads/, wp-content/cache/, *.log

5. Deprecated PHP in divi-children-engine

  • extract(shortcode_atts(...)) in divi-mods/divi_mod_functions.php:28 — deprecated PHP 8.0+, security risk (extract() turns every attribute key into a local variable, so caller-supplied attribute names can overwrite variables in scope)
  • query_posts() in same file — deprecated, should use WP_Query
  • Action: Replace extract() with explicit variable assignments when touching this file.

6. AJAX handler without nonce verification

  • custom_selectors_action_callback() in custom_codes.php processes $_POST['selector'] without sanitization or nonce check
  • Action: Add check_ajax_referer() and sanitize_text_field() before the set_theme_mod() call.
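
The handler as described in item 6 next to a hardened version, as an added example (not the theme's code in custom_codes.php). Assumed names: the AJAX action 'custom_selectors', the nonce action 'custom_selectors_nonce', the theme mod key 'custom_selectors' and the JS file path; the capability check is an extra mitigation beyond what the item lists.

```php
<?php
// Added example, not the theme's own code. Assumed: action/nonce names, theme mod key, JS path.

// BEFORE (as described on the page): any POST to admin-ajax.php?action=custom_selectors
// writes the raw value into a theme mod. No nonce, no capability check, no sanitization.
function custom_selectors_action_callback_unsafe() {
    set_theme_mod( 'custom_selectors', $_POST['selector'] );
    wp_die();
}

// AFTER: nonce check (dies with 403 on failure), capability check, sanitized input.
function custom_selectors_action_callback() {
    // 'security' is the $_POST key carrying the nonce; third arg defaults to true = die on failure.
    check_ajax_referer( 'custom_selectors_nonce', 'security' );

    // Extra mitigation (assumed appropriate): only users who may edit theme options.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // wp_unslash() undoes WordPress' magic-quotes slashing before sanitizing.
    $selector = isset( $_POST['selector'] ) ? sanitize_text_field( wp_unslash( $_POST['selector'] ) ) : '';
    if ( '' === $selector ) {
        wp_send_json_error( 'missing selector', 400 );
    }

    set_theme_mod( 'custom_selectors', $selector );
    wp_send_json_success( $selector );
}
add_action( 'wp_ajax_custom_selectors', 'custom_selectors_action_callback' );

// The nonce has to be generated server-side and handed to the client; wp_localize_script()
// exposes it to the (assumed) theme script as customSelectors.nonce, which the JS must
// send as the 'security' POST field alongside 'selector'.
function custom_selectors_enqueue() {
    wp_enqueue_script(
        'custom-selectors',
        get_stylesheet_directory_uri() . '/js/custom-selectors.js', // assumed path
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'custom-selectors', 'customSelectors', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'custom_selectors_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'custom_selectors_enqueue' );
```

A request missing or carrying a stale nonce now stops at check_ajax_referer() with a 403 instead of reaching set_theme_mod().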

7. No error logging

  • WP_DEBUG = false with no WP_DEBUG_LOG — silent failures in production
  • Action: Enable WP_DEBUG_LOG = true, WP_DEBUG_DISPLAY = false to log errors server-side without exposing them (WP_DEBUG itself must be true for WP_DEBUG_LOG to take effect, and the log file must not be web-readable).

MEDIUM

8. Inline JavaScript using deprecated jQuery methods

  • custom_codes.php uses .toggle() (removed in jQuery 3.9+) via inline PHP-embedded JS
  • Action: Replace with .slideToggle() or vanilla JS when modifying this area.

9. Hardcoded Polish strings without i18n

  • functions.php: stock text, email address hardcoded as string literals
  • cron-products.php: hardcoded Polish date strings
  • No .pot / .po / .mo files; uses woocommerce text domain instead of body-relax
  • Action: Wrap new strings in __('...', 'body-relax'), create proper text domain.

10. Child theme author URL uses HTTP

  • style.css Author URI: http://www.body-relax.baumer.vot.pl (HTTP, not HTTPS)
  • Minor, but update to HTTPS when touching the file.

11. Deployment over plain FTP (not SFTP)

  • .vscode/ftp-kr.json uses unencrypted FTP protocol
  • Credentials and file contents transmitted in plaintext
  • Action: Switch to SFTP (port 22) if host supports it.

LOW

12. Poor git commit history

  • All recent commits are "Save" — no meaningful history for auditing or rollback
  • Action: Use conventional commit messages going forward.

13. Divi Children Engine version 1.0.4

  • Relatively old; last update date unclear
  • Non-standard approach that may conflict with Divi updates
  • Low urgency, but track for compatibility issues when Divi updates.

14. AUTOMATIC_UPDATER_DISABLED = true

  • All updates are manual; security patches may be missed
  • Acceptable if monitored; ensure a process exists to apply patches.