Legacy handover checklist for agencies
What agencies should capture before taking responsibility for an inherited PHP, WordPress, Laravel, or Linux-based client system.
Inherited systems are where agency margin goes to disappear. The risk is rarely only code quality. It is missing history, unclear access, untested backups, and client expectations built around a system nobody has fully mapped.
Use this checklist before accepting responsibility for a legacy client system.
Access and ownership
Confirm who owns each account and whether the agency is expected to become the operator.
- Domain registrar
- DNS provider
- Hosting provider
- Server SSH users
- Source repositories
- CMS admin accounts
- Payment provider
- Email provider
- Backup storage
System inventory
Create a one-page map before quoting fixes.
- Main application or CMS
- Framework and runtime versions
- Database version
- Server OS
- Active plugins or packages
- Cron jobs and queues
- External integrations
- Known custom modules
Operational confidence
Ask the questions that reveal future emergency work.
- Where are backups stored?
- Has a restore been tested?
- How are deployments made?
- Is there staging?
- Who has production access?
- What monitoring exists?
- What breaks most often?
Commercial boundaries
Do not accept unlimited responsibility for undefined risk. Put the first engagement in audit language, not open-ended maintenance language.
Useful first scope:
- Read-only review
- Risk register
- Backup and deploy assessment
- Documentation of unknowns
- 30 / 60 / 90-day roadmap
- Clear exclusions for emergency recovery and production changes
White-label handover note
If the client relationship belongs to the agency, keep the output usable in that context. A good handover report should help the account lead explain the situation without exposing the client to unnecessary technical noise.
The goal is not to shame the old system. The goal is to make the next decision safer.