WordPress Security Audit & Compliance Review

Client: AI | Published: 02.02.2026

Description

You are engaged to perform a read-only investigative audit of an existing WordPress website and its associated files, plugins, and configurations. The purpose of this task is fact-finding only — to identify, document, and report on any security, integrity, or compliance risks prior to any further development work. This engagement does not authorise modifications, deletions, or remediation unless separately approved in writing.

Scope of Work / Task List

1. Access & Environment Review
- Confirm hosting environment, WordPress version, PHP version, and server configuration
- Identify staging vs production environments (if applicable)
- Document user roles, access levels, and any unknown or legacy accounts

2. Plugin & Theme Audit
Produce a full inventory of:
- Installed plugins (active & inactive)
- Installed themes (active & inactive)
Identify:
- Outdated, abandoned, or unsupported plugins/themes
- Plugins with known security vulnerabilities
- Plugins performing undocumented or unexpected actions
Flag any plugins that:
- Communicate with external servers
- Contain licence checks, kill-switches, or remote control functionality

3. File System & Code Inspection
Review core WordPress files, custom plugins, mu-plugins, and theme files for:
- Obfuscated code
- Encoded payloads (e.g. base64, eval, gzinflate)
- Backdoors, web shells, or remote execution logic
Identify:
- Files not belonging to standard WordPress or known plugins
- Recently modified or suspicious files
- Hard-coded credentials, API keys, or endpoints

4. External Connections & Remote Services
Identify all outbound connections, including:
- APIs
- Webhooks
- Remote licence servers
- Analytics or tracking services
Document:
- Purpose of each connection
- Whether connections are essential, optional, or undocumented
- Any risk of remote deactivation, control, or data exfiltration

5. Payment, Automation & Third-Party Integrations
Review integrations involving:
- Stripe (webhooks, API keys, endpoints)
- Authentication providers (e.g. Google login)
- Automation tools or background jobs
Confirm:
- Ownership and legitimacy of API keys
- No hidden redirects, interceptors, or unauthorised handlers

6. Security & Compliance Risk Assessment
Identify and categorise risks as:
- Critical (active security threat or unauthorised control)
- High (serious vulnerability or compliance risk)
- Medium (poor practice or potential future risk)
- Low (non-critical issues or technical debt)
Highlight any risks relating to:
- Remote access or control
- Data privacy
- Financial or payment interception
- Intellectual property ownership

7. Reporting & Documentation
Provide a written audit report including:
- Executive summary (plain English)
- Detailed findings with evidence
- Screenshots or file references where applicable
- Clear distinction between facts, risks, and assumptions
Include a declaration stating:
- The investigation was conducted independently
- No files were altered during the audit
- Findings are accurate to the best of your professional knowledge

8. Optional (If Requested Separately)
- Recommendations for remediation
- Proposed clean-up or rebuild strategy
- Risk-mitigation roadmap

Deliverables
- Security & Integrity Audit Report (PDF or DOC)
- Plugin & File Inventory List
- Risk Classification Summary
- Signed declaration of findings (digital signature acceptable)
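The file-system and external-connection steps of the scope (encoded payloads such as eval, base64 and gzinflate; files outside the known inventory; recently modified files; outbound calls and hard-coded keys) can be triaged with a read-only scan before the manual review that produces the evidence for the report. The script below is an added example written for this page; it is not part of the job posting or of any project's code. It builds a constructed three-file sample install in a temporary directory, scans it without writing anything, and maps each file onto the posting's Critical/High/Medium/Low scale. The pattern lists, the severity rules, the allowlist of "known" files and the sample file contents are all assumptions made for the illustration.

```python
"""Read-only triage scan of a WordPress install (added example, constructed sample data)."""
import os
import re
import tempfile
import time
from pathlib import Path
from typing import Optional

# Patterns that warrant manual review. A hit is a lead for the auditor, not a verdict:
# base64_decode and eval also occur in some legitimate plugins. (Assumed list.)
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "decompress": re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("),
    "command_exec": re.compile(r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\("),
    "remote_include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://"),
    # Stripe secret-key and AWS access-key prefixes: hard-coded credentials in source.
    "hardcoded_key": re.compile(r"\b(sk_(live|test)_[A-Za-z0-9]+|AKIA[0-9A-Z]{16})\b"),
}
# Calls that open outbound connections (scope section 4); URLs near them are recorded.
OUTBOUND = re.compile(r"\b(wp_remote_(get|post|request)|curl_init|fsockopen|file_get_contents)\s*\(")
URL = re.compile(r"https?://[A-Za-z0-9./_\-?=&%:]+")


def scan_file(path: Path) -> dict:
    """Read one file and collect pattern hits and outbound URLs. Never writes."""
    text = path.read_text(encoding="utf-8", errors="replace")
    flags = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
    urls = sorted(set(URL.findall(text))) if OUTBOUND.search(text) else []
    return {"flags": flags, "urls": urls}


def scan_tree(root: Path, known_files: set, recent_days: int = 30,
              now: Optional[float] = None) -> dict:
    """Walk the install read-only. Returns {relative posix path: finding}."""
    now = time.time() if now is None else now
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        finding = scan_file(path)
        finding["unknown"] = rel not in known_files          # not core / not a known plugin
        finding["recent"] = (now - path.stat().st_mtime) <= recent_days * 86400
        findings[rel] = finding
    return findings


def severity(finding: dict) -> str:
    """Heuristic mapping onto the posting's Critical/High/Medium/Low scale (assumed rules)."""
    if finding["flags"] and finding["unknown"]:
        return "Critical"   # suspicious code in a file nobody can account for
    if finding["flags"]:
        return "High"       # suspicious code inside a known component
    if finding["unknown"]:
        return "Medium"     # unexplained file, no suspicious code found yet
    if finding["urls"]:
        return "Low"        # known file with outbound calls: document purpose and necessity
    return "Info"


def build_sample_site(root: Path, now: float) -> set:
    """Constructed sample install (not a real site). Returns the allowlist of expected files."""
    old = now - 400 * 86400   # untouched for over a year
    files = {
        "wp-includes/functions.php": ("<?php function wp_hello() { return 'hi'; }\n", old),
        "wp-content/plugins/licence-plugin/licence-plugin.php": (
            "<?php $r = wp_remote_get('https://licence.example.com/v1/check?key=' . get_option('lp_key'));\n",
            old),
        # Dropped into uploads, modified today, not in the inventory. The base64 string is a
        # constructed placeholder that decodes to the word "constructed", not a real payload.
        "wp-content/uploads/.cache.php": ("<?php @eval(base64_decode('Y29uc3RydWN0ZWQ='));\n", now),
    }
    for rel, (body, mtime) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")
        os.utime(p, (mtime, mtime))
    return {"wp-includes/functions.php", "wp-content/plugins/licence-plugin/licence-plugin.php"}


def run_demo() -> dict:
    """Build the sample site, scan it, return {path: (severity, finding)}."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        known = build_sample_site(root, now)
        findings = scan_tree(root, known, recent_days=30, now=now)
    return {rel: (severity(f), f) for rel, f in findings.items()}


if __name__ == "__main__":
    for rel, (sev, f) in run_demo().items():
        print(f"{sev:8} {rel}  flags={f['flags']} urls={f['urls']} "
              f"unknown={f['unknown']} recent={f['recent']}")
```

On a real engagement the allowlist would come from the core checksum verification and the plugin inventory (WP-CLI's `wp core verify-checksums` and `wp plugin list`) rather than a hand-written set, and every hit still needs a human to read the file and record the evidence. Reading files can update access times on some filesystems; to keep the "no files were altered" declaration unambiguous, run the scan against a copy or a read-only mount and record file hashes before and after.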