Taking over management of an existing website feels simpler than building from scratch—the site exists, it's running, and the client just needs ongoing maintenance. This perceived simplicity often disguises complex, fragile implementations that create ongoing headaches for agencies that accept them without proper evaluation.
The moment to understand what you're accepting is before signing contracts and making commitments, not after inheriting responsibility for sites that turn out to be unmaintainable nightmares. A systematic pre-management audit reveals the actual complexity, identifies risks, and informs realistic pricing and expectation-setting. This audit should complement a thorough website handover checklist that documents everything your agency needs to manage the site effectively.
This isn't about finding every minor issue—it's about understanding whether the site is manageable within your standard operations or requires custom handling that affects pricing and capacity planning.
Why Pre-Management Audits Matter
Sites presented as "standard WordPress" or "simple site, just needs maintenance" often turn out to be complex tangles of custom code, abandoned plugins, security vulnerabilities, and undocumented configurations. Without audits, agencies commit to management fees that don't reflect actual maintenance burden.
The audit protects both parties: agencies avoid taking on unmanageable sites at unsustainable prices, and clients get honest assessments of what their site actually needs rather than discovering problems after agencies are frustrated and relationships are strained.
The Pre-Audit Access Negotiation
Before audit, you need read-only access to:
- Hosting control panel or FTP access
- CMS admin login
- Any relevant service accounts (if client provides them)
Most prospective clients provide this willingly if you explain: "Before we can quote accurately, we need to understand the site's actual setup. This brief audit ensures we can meet your needs and price appropriately."
If clients refuse audit access, that's valuable information: either they don't really control their site, or they're hiding problems. Both are red flags.
Critical Audit Areas
Not every aspect needs deep investigation—focus on factors that affect ongoing maintenance burden.
1. Platform & Version Currency
Check:
- CMS version (how outdated is it?)
- PHP version (is it supported or end-of-life?)
- Database version
- Whether updates have been consistently applied
Sites running ancient versions indicate one of: Previous agency abandoned maintenance, client refused to allow updates, or technical debt preventing updates. All three scenarios mean complications.
2. Plugin & Theme Inventory
Document:
- Total plugin count (more than 20 often indicates complexity)
- Abandoned or outdated plugins (no updates in 2+ years)
- Known problematic plugins (nulled premium plugins, security issues)
- Custom or modified plugins
- Theme status (actively maintained vs. old/custom)
Abandoned plugins are technical debt bombs: they'll eventually break, have security vulnerabilities, or conflict with necessary updates.
3. Custom Code Assessment
Look for:
- Custom plugin implementations
- Theme function modifications
- Direct core file modifications (huge red flag)
- Database customizations
- Unusual mu-plugins setup
Custom code isn't inherently problematic, but it needs evaluation: Is it well-written and documented? Does it serve essential functions? Can it be maintained without the original developer?
4. Security Posture
Evaluate:
- SSL certificate status (expired, self-signed, missing?)
- Security plugin presence and configuration
- Login security measures
- File permissions
- Evidence of previous compromises (malware, injected code)
- Admin username (is it "admin"?)
- Password strength requirements
Sites with poor security require cleanup before management begins. Inheriting already-compromised sites means immediate emergency work rather than calm onboarding.
5. Hosting Environment
Assess:
- Hosting provider quality (known reliable vs. problematic budget hosts)
- Resource limits (bandwidth, storage, database size)
- Current usage vs. limits
- Backup capabilities (host-provided or requires separate implementation)
- Support availability from host
Bad hosting creates ongoing problems that aren't your fault but become your responsibility. Some agencies require clients to move to approved hosting as a condition of management.
6. Backup Status
Investigate:
- Whether backups exist at all
- Backup frequency and retention
- Backup storage location (on same server vs. offsite)
- Last verified restoration test
- Automated vs. manual backup process
Sites without working backups are unacceptable risk. You either implement backups before accepting management (at client cost) or decline the engagement. Once management begins, backup verification becomes part of your weekly maintenance routine.
7. Performance & Optimization
Check:
- Page load speeds (use standard testing tools)
- Image optimization status
- Caching implementation
- Database bloat
- Excessive resource usage
Slow sites require optimization work. This work is either included in onboarding (at cost) or priced as separate project.
8. Content & Media Assessment
Review:
- Media library organization (or chaos)
- Image sizes and optimization
- Content quality and organization
- Broken internal links
- Outdated or placeholder content
Messy content situations indicate poor previous management. Cleanup is work that should be scoped and priced, not absorbed into "management."
9. Integration Complexity
Identify:
- Third-party service integrations
- API connections
- E-commerce functionality
- Form processing
- Email services
- CRM connections
Each integration is potential maintenance complexity. Some require ongoing monitoring, some break with updates, some need credential management.
10. Documentation Quality
Request:
- Existing documentation
- Handover materials from previous agency
- Credentials and access information
- Known issues or quirks
Quality of documentation provided reveals how the site has been managed. No documentation suggests poor previous management, which usually means hidden problems throughout the site that will emerge during routine operations.
Red Flags That Should Pause Acceptance
Some findings indicate sites that are problematic to manage:
- Core file modifications: Direct changes to CMS core indicate someone didn't know proper development practices
- Nulled (pirated) premium plugins: Legal and security risks, impossible to update properly
- Multiple layers of abandoned custom code: Technical archaeology required before making any changes
- Evidence of previous security compromises: Might still be compromised in non-obvious ways
- Hosting on problematic providers: Creates ongoing issues outside your control
- Client unable/unwilling to provide access: Can't manage what you can't access
- Site breaks during basic audit: Extremely fragile, will break constantly
- Massive technical debt: Would require rebuild to manage properly
The Audit Report & Client Conversation
After audit, provide clients with:
- Current State Assessment: Objective description of what exists
- Risk Identification: What problems exist or are likely
- Recommendation Tiers:
- Critical (must fix before management begins)
- Important (should fix soon after onboarding)
- Nice-to-have (can address over time)
- Pricing Implications: How findings affect management fees
- Onboarding Requirements: What needs addressing before ongoing management begins
This honest assessment sets realistic expectations, justifies appropriate pricing, gives you option to decline problematic sites, and establishes you as professional and thorough.
Pricing Adjustments Based on Audit
Audit findings should affect pricing:
- Clean, well-maintained site: Standard management pricing
- Minor issues requiring fixes: Onboarding fee + standard management
- Significant technical debt: Higher monthly fee reflecting ongoing complexity, or major onboarding project before management begins
- Severe problems: Either significant remediation project + premium management pricing, or decline the engagement
Don't quote "standard management" before seeing the site. Sites that appear simple often aren't, and discovering complexity after pricing creates either financial loss or relationship strain.
The Decline Decision
Sometimes audits reveal sites you shouldn't accept:
- Technical debt so severe that rebuild is cheaper than management
- Client expectations misaligned with reality (wants $50/month for site needing $500/month attention)
- Hosting or infrastructure you can't control making management impossible
- Custom functionality you can't maintain without original developers
- Risk profile beyond your comfort level
Declining bad-fit clients protects your operations and team wellbeing. Accepting problematic sites out of optimism or revenue pressure creates regret.
Onboarding Conditional Acceptance
For sites needing work before management begins, conditional acceptance works:
"We can manage this site, but these items must be addressed first:
- Update to current PHP version
- Remove abandoned plugins X, Y, Z and implement alternatives
- Implement proper backup system
- Fix security vulnerabilities A, B, C
We can do this work for $X as onboarding project, or you can have another agency address these items before we begin management."
This approach manages risk while potentially capturing onboarding project revenue.
The Standard Checklist
Create standardized audit checklists for efficiency. Use the same evaluation criteria for every potential client so nothing gets overlooked and findings are comparable across prospects.
Checklists also enable delegation: junior team members can conduct audits following the checklist, escalating unusual findings for senior review.
Time Investment & Pricing
Thorough audits take 2-4 hours depending on site complexity. This time investment should be either:
- Included in sales/discovery process (overhead cost of client acquisition)
- Charged as separate audit fee (refundable against management if client proceeds)
- Included in onboarding fees
Don't provide free audits then let clients take the report elsewhere to shop for cheaper management. Either charge for audits or make them contingent on management contract.
The Portfolio Coherence Factor
Beyond individual site assessment, consider portfolio fit:
- Does this site match others you manage?
- Is the platform familiar to your team?
- Do client expectations align with your service model?
- Would accepting this client improve or dilute portfolio coherence?
Perfect sites that don't fit your portfolio can still be wrong to accept. Specialization enables efficiency; diversity creates complexity.
Frequently Asked Questions
What if the current agency or previous developer won't cooperate with audit access?
That's a major red flag indicating either unprofessional previous relationships or attempts to hide problems. Options: (1) Require client to obtain access as condition of proposal, (2) Charge higher fees to account for unknown risk, or (3) Decline the engagement. Never accept responsibility for sites you haven't been able to audit.
Should agencies charge for pre-management audits?
Depends on your sales process and market. Options include free audits as sales investment, paid audits refundable if client proceeds, or paid audits as standalone service. What's important is not investing multiple hours per prospect without conversion compensation. Many agencies do first-pass free audit (30 minutes) and charge for detailed audit (2-4 hours).
How do you audit without breaking the live site during investigation?
Read-only access is usually sufficient for meaningful audit. If you need to test things actively, request staging site access if available. If you must test on production, inform client of risk and test minimal changes during low-traffic periods. The audit shouldn't require risky changes.
