I’m bringing a multi-layer system back online—a native PHP-MySQL web backend that drives a Node.js WebSocket service and a client-management console. Before launch, the entire codebase needs a deep security sweep, but the web backend is my first target. I suspect hidden backdoors and unpatched vulnerabilities; I need them located, removed, and the fixes thoroughly documented. There’s no existing audit playbook, so I rely on you to propose and carry out a full methodology that mixes code review, penetration testing, patching, and verification. The environment is classic XAMPP (Apache, PHP, MySQL/MariaDB) with a standalone Node.js layer handling real-time connections, so hands-on experience with that exact stack is essential. Deliverables • A concise audit plan outlining scope, tools, and timeline • Cleaned source with every backdoor removed and all vulnerabilities patched • Fresh deployment on a standard server, fully tested for stability • Final report detailing findings, remediation steps, and hardening recommendations The work is accepted once the redeployed server runs 72 hours without error, WebSocket sessions stay stable, and your security tests return no critical issues. Include your preferred analysis and pen-testing tools plus an estimated timeframe when you respond so we can lock in the schedule and get this platform secure again.