StackRefitStart with an audit
← Resources Legacy PHP

Signs your PHP system needs a refit

A practical field guide to spotting when an old PHP, Laravel, WordPress, or custom web system needs stabilization before it needs a rewrite.

May 3, 2026 4 min read

Old PHP systems rarely fail all at once. They usually keep making money while the cost of every change rises in the background.

That is the moment a refit is useful: the system is still valuable, but the operating risk is no longer obvious from the outside.

The code still works, but nobody trusts changes

The clearest signal is not age. It is fear.

If a small content tweak, plugin update, PHP version bump, or payment integration change creates a full-room pause, the system is carrying hidden operational risk. A refit starts by making those risks visible: versions, dependencies, deploy path, backups, and the parts of the codebase nobody wants to touch.

The runtime is behind the business

PHP, Laravel, WordPress, MySQL, Ubuntu, and common packages all have support windows. When the business depends on software outside those windows, the question is not whether the app still loads today. The question is whether you can safely patch, host, recover, and insure it tomorrow.

The deploy process lives in someone’s head

Manual FTP, direct production edits, “ask the one developer,” or late-night deploy rituals are signs that the system is not just old. It is undocumented operational knowledge.

That does not automatically mean rewrite. It means the first useful work is boring: map the system, document the deploy path, confirm rollback, and test backup assumptions.

The rewrite quote arrived before the audit

A rewrite may eventually be the right commercial decision. But quoting one before understanding the current stack is risky. Many legacy systems need stabilization, documentation, and a staged upgrade path before anyone can make a clean rebuild-or-refit call.

What a refit checks first

  • Runtime and framework versions
  • Dependency and plugin risk
  • Backups and restore confidence
  • Deploy and rollback process
  • Documentation gaps and bus factor
  • Security posture observations
  • A practical 30 / 60 / 90-day path

The goal is simple: keep what still works, reduce the risk around it, and only modernize the parts that are worth touching.

Next step

Need this applied to a real system?

Request an audit →