Pre-audit access

StackRefit Access Checklist

A safe, structured checklist for agencies preparing access for an inherited PHP/Linux system audit. The aim is enough context without unnecessary production risk, excessive permissions, or insecure credential sharing.

Start an audit → Read data-handling notes

Before sending access

Please do not paste code, credentials, API keys, customer data, database dumps, private logs, or screenshots containing sensitive data into the contact form or ordinary email.

Confirm who owns the system.
Confirm who is authorized to grant access.
Confirm whether this is your agency's system or a client system.
Confirm whether production access is required or avoidable.
Confirm whether sensitive data may be visible.
Confirm whether an NDA or DPA is required.
Confirm whether there is an urgent deadline, outage risk, or client commitment.
Prefer read-only access for audits.

Minimum audit access

The useful starting point.

Area	Minimum useful access	Notes
Business context	Short explanation of what the system does	Helps separate critical business logic from low-value technical noise.
Application/CMS	Admin access or guided walkthrough	Read-only or restricted admin preferred where available.
Codebase	Repository read access, zip snapshot, or hosted file-tree review	Repository access is best because history and dependencies are visible.
Hosting/server	Hosting dashboard, server notes, or read-only SSH	Root/sudo is not needed for the first pass unless explicitly scoped.
Database	Engine/version details and schema visibility	Full database dumps are usually unnecessary for an audit.
Backups	Backup location, retention, schedule, ownership, and last restore test	We need to know whether restore is realistic, not just whether backups exist.
Deployment	Notes on how changes currently go live	Manual FTP, SSH deploys, CI/CD, plugin updates, and rollback steps all matter.
Contacts	Technical owner, agency lead, client approver	Critical for assumptions, approvals, and incident escalation.

Project context

Gather ownership and business context first.

Useful questions: What happens if this system is down for one day? Who currently fixes production issues? What change is the client asking for now? What are you afraid might break?

System name and primary URL
Staging URL, if one exists
Client name or internal project name
Agency owner or delivery lead
Technical contact for access questions
Business purpose of the system
Revenue-critical or operationally critical functions
Known deadlines, quote dates, upgrade dates, or renewal dates
Known recent incidents or failed changes
Whether the original developer is available
Whether documentation exists

Application and code

CMS, framework, and repository access.

For WordPress, WooCommerce, Laravel, custom PHP, Symfony, CodeIgniter, or similar systems, temporary named users and repository read access are preferred.

Application/CMS items

Admin URL
CMS/admin role and permission level
Plugin, theme, extension, or framework version list
composer.json and composer.lock if present
package.json and lockfile if relevant
Cron jobs, queues, caching, search, and integrations

Repository options

Repository read access through GitHub, GitLab, Bitbucket, or similar
Temporary read-only deploy key
Zipped code snapshot through an approved secure channel
Screen-share walkthrough if repository access is not available

Hosting and database

Server, SSH, database, and backups.

Hosting/server

Provider, server type, OS version, web server, PHP runtime, database version, control panel, SSL, DNS, CDN/WAF, backup provider, and monitoring provider.

SSH guidance

Read-only or restricted user preferred for audits. Sudo/root only when explicitly scoped and approved. Key-based SSH preferred over password login.

Database access

Schema visibility and engine/version details are usually enough. Full production database dumps are usually unnecessary for an audit.

Backups

Gather location, owner, frequency, retention, encryption, off-server status, last successful backup, last restore test, restore procedure, and expected restore time.

Deployment and integrations

Know how changes go live.

The audit flags deployment risks and recommends safer next steps where appropriate.

Deployment notes

Whether staging exists and matches production
How staging is refreshed
Whether client data is present on staging
Manual or automated deployment process
Who has deployment permissions
Rollback procedure
Whether releases are documented
Whether updates are tested before production

External services

Payment gateways
Email delivery
CRM and booking systems
Analytics and search
SSO or identity providers
Shipping, accounting, automation, webhooks, imports, exports, and AI tools

Engagement access levels

Access depends on the engagement.

Engagement	Preferred access level	Production changes?
Audit	Read-only wherever possible	No, unless separately scoped
Handover	Read-only plus stakeholder walkthroughs	Usually no
Sprint	Limited write access for agreed fixes	Yes, with written approval
Upgrade	Staging and deployment access	Yes, with backup and rollback plan
Care	Ongoing least-privilege access	Only within agreed monthly scope
Rescue	Case-specific emergency access	Only with explicit approval and rollback thinking where possible

What not to share in the first message

Do not send passwords, SSH private keys, API keys, .env files, payment gateway credentials, database dumps, production logs, customer exports, screenshots containing personal data, code snippets containing secrets, or confidential documents before NDA if one is required.

Ready to prepare an audit?

Start with the business context and the current worry. StackRefit will confirm the minimum access needed after scoping.

Start an audit → Read data-handling notes