
What Developers Need to Know Before Offering Code Audits

So, you’re a developer. You’ve thought about offering code audits, but maybe you haven’t had a clear idea of what your code audit should provide, why clients go seeking one, or how to price the service.

In January, we covered the questions clients need to ask their developer before getting a code audit, and offered some guidance on how to vet their vendor. This time around, we’re going to cover the developer side of things: why clients seek code audits, what questions you need to be asking before you get started, and how code audits lay a good foundation for a future relationship with your clients.

Why Clients Look For Code Audits

Yes, of course, there’s a ton of information available on the internet, including all the information that a client could need regarding the basics of site performance and functionality. Most clients, however, either don’t have the time to do this research, or don’t have the technical expertise to make sense of it all.

Code audits benefit clients by empowering them to make informed choices about the future of their technology.

When clients are coming to you asking about code audits and an assessment of their technology, they’re looking for your extensive knowledge that empowers you to look at their code, quickly parse the information, and dictate which things are worth building on.

Basic Code Audit Questions

There are a few standard questions every developer should ask before diving right into someone’s code.

What type of project are we auditing?

Knowing what kind of project your client is looking to have assessed is vital to understanding how much time it will take you–and whether or not you’re a good fit for the project. Is it a website audit or a full-scale plugin? An eCommerce site or an app? Knowing what you’re looking at upfront helps you figure out if you have the right expertise to do your client justice…and what kind of scope you’ll set out for your clients.

Are we auditing code that has been custom written by a previous developer or is this a distributed plugin that we’re assessing?

Knowing the origins of the code can help you set your expectations. Custom code created by another developer may take longer to dissect, especially if something is buggy. Is the developer someone you know? If so, that gives you informative context on what you’re dealing with–and provides a point of contact for figuring things out. If not, you know that it may take you longer to dig through and assess what is happening with the code at hand.

If it’s a plugin downloaded from the WordPress Plugin Repository, you know that checking on when it was last updated, as well as going to the plugin page to look over developer updates and reviews, will be a part of your process.

The Most Crucial Thing Developers Need to Understand

The key to delivering a valuable code audit is understanding your client’s underlying goals. If you’re lucky, your client understands their own business goals, and has mapped out the future of their business, too. That information is an enormous assist in guiding you through this process.

The scope of a code audit can vary wildly depending on a client’s objectives.

Here are just a few reasons our clients have sought out code audits:

They want to get rid of a tool, but need a good reason.

Sometimes, a client doesn’t like a tool, but they don’t have the technical knowledge to evaluate whether or not it’s a necessity. They need someone to assess if this tool is truly their best option–or even something they need at all.

There’s a plugin that is freely available, but they want to make sure it’s contributing to a solid technical foundation for their business.

Our websites are our online real estate. A shop owner wouldn’t want to open up their store in a crumbling building, and business owners don’t want to open up their shop on a lousy website. They’re coming to you to find out whether these distributed plugins are their best choices and will set them up for future success.

Their site is custom built, but it’s slow, and they suspect the custom build may be the culprit.

This is fantastic information, because it tells you, the developer, that they’re looking for a performance-based evaluation. Now you know you need to find out more about their business before getting started. Maybe their business has outgrown their site: the code they had built once worked, but now it can’t scale. This gives you an opportunity to evaluate performance in a specific, measured way, and give recommendations accordingly.

Their business has changed, but their technology hasn’t.

For example, some plugins do well if they’re on a site that has no users logged in. However, if that same site has switched to a subscription model, it won’t have caching layers that allow the plugins to run as smoothly. Your client may not know this difference. All they know is that they made the switch when they needed to shift their business model. They didn’t recognize the impact it would have on their technology.

Understanding the history of your client’s business (and the trajectory of where they intend to go) provides context regarding what needs to be assessed and what kind of upgrades would serve them best.

There are two plugins that do the same thing, but which one is best for their site?

Once again, this comparison may be available out there on the internet, but they want your expert insight. If you’ve assessed your client’s business goals and trajectory, you can make a recommendation based on their specific business model. That’s a boon for both you and them! It means that you have something to offer that they can’t get anywhere else.

What About Pricing?

One of the toughest quandaries of them all! Code audit pricing can differ wildly depending on the client. We’ve quoted simple code audits at anywhere from $2,500-$5,000, and have quoted much more complex audits of entire platforms/systems for $50,000+.

Why the disparity?

Three crucial factors come into play:

The deliverable

As we’ve said before, we offer a comprehensive deliverable, filled with detailed information. We take a pragmatic approach, and provide a transparent, realistic look at associated costs with the recommendations we make.

Your clients will need to know what they can expect from you. Is it a document or a confirmation email? Is it a walkthrough on a call? The details of the deliverable determine how much time it will take to create and what value you’re providing.

The scope of the audit

If you’re already a working developer, I don’t have to tell you how scope impacts cost. When pricing services, you need to know what kind of assessment is needed and how much time it will take.

The amount of experience you have

Although we’d all like to dive in and make a bazillion dollars at the start, less experience usually dictates a lower rate. Do the research on what other developers in the same experience bracket are charging. Evaluate what your time is worth (and don’t fall prey to Imposter Syndrome!). Realistically assess how your experience (or lack thereof) informs your expertise and turnaround.


Code Audits: Good for Your Clients and You

Code audits benefit clients by empowering them to make informed choices about the future of their technology. A successful code audit gives your client the opportunity to accurately assess the current state of their tools. It allows your clients the chance to evaluate recommendations, knowing that they were made with their business goals in mind.

It doesn’t just benefit them, though. It also benefits you.

Code audits give you an opportunity to develop new working relationships, and lay groundwork for a long-lasting partnership. The code audit is something you can build on with your client. Whether that leads to performing the recommendations you make or for future development overhauls, the options are endless! This is a low-commitment way to spark a relationship…if you do it right.


This is a Human Issue: Zao Stands with Refugees


Like many of my fellow Americans, I’ve found myself a bit dumbstruck over the events that have unfolded from our nation’s executive branch over the recent weeks. An eternal optimist, I’ve done my best to find silver lining in it all.

The bright side of all of this? Americans all over our country are banding together in solidarity to show their support for their immigrant and refugee neighbors.

“What is a web development agency doing spouting political diatribes?”

That’s what you might be asking. It’s a fair question. This is not a political issue; this is not a “left” or “right” issue. This is a human issue.

Many business leaders have already come out in support of immigrants and refugees because they run companies who depend on those populations and their skills, or they run companies founded by immigrants.

This is all well and good, but at the risk of being repetitive: this is a human issue.

We stand with our immigrant neighbors, our refugee neighbors–not because they have a positive effect on our bottom line, but because they are human and worth the inherent dignity of humanity.

None of this is (or should be) controversial. Many of us, in our dumbstruck state, are left asking ourselves, “What can I do?”

I don’t have all the answers, but I know that if all of us do something, it will make a difference.

This is what we’re committing to:

Starting Local

To me, this is the most important part.

We may not all be able to go protest, or go to the ends of the earth and alleviate suffering, but we can all do something right where we are.

Zao Supports Refugees

Locally, Zao is committed to serving an organization that has been committed to serving Portland’s local refugee population.

Refugee Care Collective equips refugees to adapt to life within their first year of entry through partnering with local resettlement agencies and mobilizing the city of Portland.

We’re doing a matching campaign for RCC.

That means we’ll match anyone’s donation to RCC, dollar for dollar, in their name.


If you hate these matching campaigns as much as I do (I mean, seriously, you want me to RT you and you’ll give a dollar? Come on. Just give the dollar.), fret not.

We’re giving $1,000 (to start) no matter what. We’d just love to be able to give it in your name, instead of ours. Just email your donation receipt to justin@zao.is, and I’ll hit you back with the matching donation in your name.

Other Pacific Northwest Organizations That Need Help

Latino Network

Latino Network is a non-profit that serves Latino youth, families, and communities. The news of the election has hit their community hard, and the support they offer the Portland-area is invaluable.

“At the same time, American voters made a choice to elect a President who has used harmful and divisive language that singles out Latinos, Muslims, immigrants, and other people of color.

I have heard from many of our staff members and community members about the deep fear that exists within our communities. Many of us, our families, and people we know came to this country as immigrants seeking a better life. Leaving one’s home to immigrate takes courage, strength, and a deep desire to seek something better for ourselves and our families.”

-Carmen Rubio, Latino Network Executive Director

Northwest Immigrant Rights Project

The Northwest Immigrant Rights Project fights for immigrant justice by providing direct legal services, systemic advocacy, and community education. Since the election, they have been doing a ton of work to continue to advocate for immigrants and educate social service providers in Washington.

IRCO

IRCO has spent the last forty-plus years working with Portland refugees and immigrants. Their goal is to “promote the integration of refugees, immigrants and the community at large into a self-sufficient, healthy and inclusive multi-ethnic society.”

Islamic Social Services of Oregon State (ISOS)

ISOS is a charitable organization that works with a network of non-profits and community service groups through financial and public assistance. They provide refugee services, as well as needy assistance, family crisis, and alliance support.

Oregon Jewish Museum and Center for Holocaust Education

There are parallels to history in what has recently happened. We said never again. The Oregon Jewish Museum and Center for Holocaust Education is an extremely important resource, particularly right now.

Hollywood Theatre

The Hollywood Theatre is a non-profit that screens special social justice related films and works with local non-profits (like Latino Network) to host screenings, with talkbacks, and gives the proceeds back to the organizations they partner with. Art has been a well-documented medium of political resistance and education, and supporting that is vital.

Regional Arts & Culture Council

The Regional Arts & Culture Council serves Clackamas, Multnomah, and Washington counties with grants for artists, non-profits, and schools, as well as advocacy, community services, and arts education.

Once again, art is a well-documented medium of political resistance and education–as well as an excellent therapeutic tool and a huge contribution to the community. It has been suggested that the current administration may eliminate the National Endowment for the Arts and the National Endowment for the Humanities, and privatize the Corporation for Public Broadcasting, which would drastically damage many arts organizations–this one included.

The President and CEO of Americans for the Arts, Robert L. Lynch, shared a few things he has done, as well as how the community can rally against this, in a blog post on their site.

“I don’t take anything for granted with the will of an elected body, whether it’s federal state or local. Anything can happen…[s]o it’s important for the arts community to voice its concerns as much as possible.”

-Robert L. Lynch, Americans for the Arts President and CEO

Beyond Local

National Organizations That Need Your Help

U.S. Committee for Refugees and Immigrants

Based in Washington D.C., these folks help protect and fight for the rights of those who have been uprooted. They’re doing vital work and are a great central hub for supporting refugees and immigrants.

American Civil Liberties Union (ACLU)

You’ve heard of the ACLU, and we have them to thank for blocking the unconstitutional ban that the world is still reeling from. They’ve decided to keep fighting–and these lawsuits are expensive. Supporting them is crucial.

Electronic Frontier Foundation (EFF)

EFF has done important work for many years. Considering that Muslim Americans returning from abroad were recently asked for their social media accounts for evaluation upon re-entry, the work they do is going to be more important than ever.

Black Alliance for Just Immigration (BAJI)

BAJI works with and on behalf of African American and black immigrant communities by building coalitions and initiating campaigns to push for racial and social justice. They’ve released their official condemnation of the recent executive orders, and will need support for the people they serve moving forward as well.

Immigrant Legal Resource Center

ILRC trains attorneys, paralegals, and community advocates on how to work with immigrants, and works with many different groups to shape public policy regarding immigration.

National Immigration Law Center

NILC is dedicated to defending and advancing the rights of low-income immigrants through impact litigation, policy advocacy, and strategic messaging about immigration issues.

What Else Can We Do?

Call your representatives and voice your opinion.

The Sixty Five makes it easy to find your reps, and provides a simple script for callers to use, which is especially great for those of us who get anxious about calling on the fly.


I’ve given a lot of thought to giving, and I want to make sure that we can have the best impact possible.

If you’re familiar with organizations that are having a significant positive impact for refugees and immigrants, or if there are other things you think we can do to help, I’d love to hear about them.



What is the Discovery Phase and Why Do I Need It?

If you are one of our potential clients, it’s likely that you have been around the block and have heard the term “discovery” more times than you can count. The discovery process is the first step taken in moving from a prospective client to an actual client; it’s the time when a professional digs in deep, asking pertinent questions and figuring out what the client is seeking.

From what I can tell, this is becoming a standard in our industry. Why? Because building software (websites, apps, et al) is hard. One of our industry’s running jokes is that every project will be under-scoped and over-budget.

According to Hofstadter’s law, “It always takes longer than you expect, even when you take into account Hofstadter’s Law.”

This truth is magnified when estimates are requested before understanding the entire scope of the work needing to be done.

There are actually many reasons projects go over budget or time — some positive and some negative:

  • A key requirement is missed during the requirements-gathering phase.
  • A simple line-item balloons into days of work. (For example, “Import items through ACME API” turns into days of digging through a massive API ebook PDF.)
  • Crucial information is brought to the table late in the game. (“By the way, that API requires NSA security level clearance passed through a token.”)
  • Developers discovered a missed use-case problem and solved it without bothering to set up meetings/discussions/approvals.
  • A feature was given a bit more pizzazz than was scoped. (Developers get carried away!)
  • Straight-up underestimation of the work needing to be done and what it is going to take.

Building software is hard, but estimating software is even harder. After all, it’s rare for us to build the same thing twice. Though we work with WordPress, it’s actually quite impressive how little of our work deals with the actual blogging component. WordPress has the basic, expected features on lockdown, and so what we end up building is ways to make WordPress do something unique.

Uncharted territory

Let me remind you: Christopher Columbus’ intentions were to sail around the world to establish a shipping route to Asia. He estimated the distance to be about 2,300 miles (the true figure was much more vast at about 12,400 miles). This idea was controversial at the time; the prevailing theory was that the earth was flat. So Chris was spot on about the earth being round, but what he completely missed in his estimations was the existence of an entire continent between Europe and Asia. The United States of America is an example of massive scope creep.

What’s the point?

If we opt for skipping the discovery phase, we’re likely to run into this unfortunate truth: The short term gains are not worth the long-term pain.

At Zao, our goal is to give your project the best chance of success. The primary way we can help guarantee that success is by providing an accurate budget and timeline estimate (with some margin). As you have established by now, the primary way we establish an accurate estimate is through a discovery phase!

So enough about why…let’s talk about what.

What exactly is a discovery phase?

There are actually many ways to define a discovery phase, but the discovery generally involves gathering requirements, reviewing goals, identifying what is working, and what isn’t.

In order to do the work of discovery, we need access to all the relevant resources, which can include things like:

  • Existing scoping documents
  • Stakeholder requirements
  • Admin access to existing solution (CMS login)
  • Developer access to existing solution (FTP, GitHub repos, etc)
  • Access to relevant documentation

Project Review

Once we have access to all the relevant resources, we take time to review with you, the client. Some of the things we need to review together include:

  • Current pain points with your existing solution (This involves in-depth conversations, and likely a demo walkthrough or two)
  • The new proposed solution, and any of your accompanying wireframes, mockups, documentation, etc. (When possible, this can be accomplished through tools like InVision.)
  • Any of the gathered resources which require additional context (e.g. internal API documentation)

This review process is a great opportunity for Zao to collaborate with you. Our intent is to work alongside you as a trusted partner and help you maximize the potential for your project. We can offer industry-level insight based on our years of experience, and even help you to determine if the proposed solution is the best way to accomplish your goals.

In addition to the collaborative review effort, this is also the time we do in-depth research into your desired goals, and audit any existing solutions that we may be building with or on. These audits may include things like your eCommerce platform, web hosting provider, codebase, performance, etc.

Delivery of the discovery document

When we have completed the previous steps, we compile a discovery document for delivery.

This discovery document is the concrete answer to questions like:

  • “How do our requests align with our budget and timeline?”
  • “What will the individual components cost, and can I prioritize based on costs/effort?”
  • “What should be our MVP (Minimum Viable Product)?”
  • “Where does the MVP fit into our long-term roadmap?”
  • “How long will it take to launch our MVP?”

This discovery document represents a significant investment of time and energy and is the result of our collaborative efforts.

Completing the discovery phase and producing the discovery document brings a cohesion and clarity to the project that cannot exist otherwise, and provides a value far beyond the associated costs.

What…so what’s the point, again?

While our ultimate and obvious goal is to continue into the development phase with you, we also recognize that the discovery process may provide a broader insight into our working relationship. Zao is a small, focused team, and we recognize that not every project, timeline, or budget is a good fit for us. If, by the end of the process, it is determined that Zao is not the perfect fit for your project, the value you gain through discovery and the resulting document is not wasted: you now have much better clarity moving forward.

We’ve talked about the value of the discovery phase, but what if you don’t have the time, or budget for this important step? If we opt for skipping the discovery phase, we’re likely to run into this unfortunate truth: The short term gains are not worth the long-term pain.

Lacking the clarity of vision over the long-term work of the project, dealing with the surprises and scope creep, and pivoting on features mid-project — these are all very real risks of skipping this phase, which is why we consider it the first step in working together, and a high priority.


Have questions about the discovery phase? Or have any tales of horror of working without one? Let’s hear ’em!


Crucial Questions You Need to Ask Before Getting a Code Audit

Code audits are one of the main things Zao offers to our clients. Many of our clients are strategically looking at how they can expand their businesses, and a crucial aspect of that is making sure their technology is not hindering their growth.

There’s a lot of muddled information about what a code audit should look like, and many clients start their search for a code audit without any idea of what to expect, what questions to ask, or what they should be looking for when vetting developers to do the job.

Are you looking for a code audit? Here’s what you need to know and ask before you sign that check:

Code Audit Questions Clients Need to Ask

— What is the final deliverable I can expect from this audit?

Depending on your developer, the final deliverable can range from a simple confirmation that everything is working as it should to an in-depth delivery document that details what is working, what isn’t, and appropriate recommendations for improvement.

Nowadays, we all research what we’re spending our money on before we pay up. Whether that research is looking at Yelp reviews of local restaurants or comparing the best and the worst Amazon reviews on new products, we want to make sure we’re getting the best bang for our buck. So often, though, clients don’t ask what they can expect to receive when it comes to code audits.

Maybe you just want a developer to look things over and confirm if everything is solid. That’s great! If you find a developer that will simply send over an email with a 👍🏼 and “Everything’s cool,” then they’re a good choice for you!


If you’re looking for a more intensive analysis of your current code, you’ll want to find a developer who provides that. Since there’s no industry standard on what deliverable comes with a code audit, you’ll need to investigate to find the developer that is providing what you want.

Here at Zao, our code audits come with an exhaustive document that assesses our clients’ current technology with a specific eye on their needs and challenges, and includes recommendations that pragmatically account for budget, time, and priority.

We also provide a timeline that, should the client choose to work with us on implementing those recommendations, gives a realistic perspective on how long it will take for those technical goals to be accomplished. Lastly, we detail in each recommendation how and why this change adds value to our clients’ businesses.

— What kind of code do you audit?

Investigating the details of what to expect from your code audit is vital because some developers only offer specialized code audits. Some developers exclusively audit plugins, themes, or apps, whereas others are focused on auditing detailed eCommerce integrations or your entire site.

If you know you’re looking for a specific kind of code audit, finding a developer who specializes and focuses on that kind of development is key. If you’re looking for a full site audit, but the developer you’ve contracted with focuses specifically on auditing Genesis themes, you may not get the most effective and comprehensive audit that you need.

— Can you provide more details on code audits you’ve done? Do you have a sample I can look at?

When you find out more about the scope of a developer’s experience and take a look at a code audit sample, you’ll get a better understanding of what the end deliverable will be–even beyond the initial response. You’ll get a better idea of how your developer tackles code audits and communicates the end result.

This information is crucial, as it helps you understand what to expect of your developer, and can help you find a developer who communicates in a way that works best for you.

— What kinds of clients have you worked with in the past?

Most developers have worked with companies that span a broad range of industries, and can tackle projects in unfamiliar industries like a champ. However, knowing if their experience includes working with companies in your particular niche helps you know whether or not you’ll need to explain specific industry nuances to them.

Your technology needs to meet your business’ needs, and those can vary slightly from industry to industry. Knowing your developer’s history with your industry can help you determine what kind of crucial information you need to communicate–or whether your developer is already in a position to take on those challenges without extra explanation.

Red Flags


In an initial introduction, everyone is on their best behavior.

Job interviews are like dating. As Chris Rock says, “When you meet somebody for the first time, you’re not meeting them, you’re meeting their representative.” You need to know what red flags to look for when seeking out a developer–and how to look past the friendly representative to make sure it’s going to be a good fit.

— A dev who doesn’t ask questions

If you’re talking with a developer about a code audit (and potentially more work beyond that) and they don’t ask detailed questions about what you’re looking for, what your current technology is, what kind of pain-points you’ve experienced, and more, you have a problem.

You want a developer who is invested in your company’s success, in solving your technical problems, and bringing value to your business. A developer who doesn’t ask questions isn’t going to know what you need, nor have the full understanding required to adequately assess what is going on with your site.

That’s one of the reasons that we ask detailed questions and make sure we know exactly where our clients are coming from. We want to make sure that we have specific notes on what to look for and what they’re trying to accomplish with their technology. Even if our clients don’t have the technical savvy to articulate what they need done, by knowing their goals, their struggles, and their technical history, we can help by capitalizing on our technical knowledge to come up with creative solutions.

— A dev who can’t tell you in concrete, clear terms what you’re going to get

There’s a reason asking about the deliverable is so important. Code audits, without planning, can beget intangible results. Unlike design, there’s no Photoshop mockup; unlike copywriting, there’s no first draft. If a developer isn’t willing to say, “Here is the end result you can expect from me,” it’s a huge red flag.


Your developer needs to be able to set your expectations accordingly. You need to know what you are paying for at the end of this–and a developer who cannot tell you what you are getting for your money is not one you should hire.


We know vetting developers who, as far as you may be concerned, basically work magic on the internet, can be stressful. It doesn’t have to be, though. Now that you’re armed with these questions and red flags to look out for, you can assess which developer is going to be able to provide the code audit you need.

Have any other questions about code audits that we haven’t covered? Drop ‘em in the comments; we’re here to help!