One of the warning signs that you might be working with a WordPress installation that’s hacked the core for some terrible reason is heavy customization of the dashboard area, and other /wp-admin/ customizations, most notably when the customization provides no additional functionality.
It’s not an absolute rule, of course, but it does seem more common – especially among agencies / developers that brand and style WordPress in such a way as to present clients with a product they claim is proprietary.
The reason why I opened a new tab and created this post is that I’m working with one such website right now. I have no particular desire to shame anyone, email the agency, or even write to the client. It’ll be – politely – in my notes long before the project deadline, of course.
Sadly, this particular site is for a pretty large company – with some developers on staff – but none that work with web technologies, so there’s no way they’d know, either.
Although there are valid use-cases for everything below, here are a few points to look out for:
- Excessive removal of core features, using functions such as
- Heavy styling of the dashboard, especially for areas in which there is no functional reason for the appearance to need altering.
- Any admin-footer branding indicating that the site is powered by “Joe Blow CMS” or the like
- Removal of the WordPress generator meta tag
- Excessive removal or editing of roles and capabilities
- Heavy usage of vanilla PHP or other practices that indicate an unfamiliarity with native WordPress code.
See a few of those? Run a diff / compare on everything – not just /wp-admin. Use whatever is in your toolbox – you can do it with git, svn, or your favorite syntax editor.
Just run the damn diff. Because not finding this out early may cost you a great deal of time, and cause your customer a great deal of worry.
If you’re in unfamiliar territory, remember the diff!