Shopware Audit
Full report within 5 days, costed action plan.
We tear down the code, Store and custom plugin state, cache performance, security, and SEO of your Shopware 6 instance. PDF report, costed action plan, 1h debrief. Fixes by us or by you.
How we can help
Code audit
Custom Storefront / Admin plugins, Symfony services, custom entities, code quality.
Security audit
Admin ACL, hardening, API exposure, Auth, Sales Channel permissions audit.
Performance audit
HTTP / ESI / Varnish cache, Redis, Messenger workers, DAL queries, Vite bundling.
Database audit
MySQL indexes, poorly defined custom entities, Doctrine migrations, n+1 queries.
Plugin audit
Complete inventory: Store plugins, custom plugins, versions, CVEs, conflicts, abandonware.
Configuration audit
Flow Builder, Rules, divergent Sales Channels, Messenger queues, active subscriptions.
Technical SEO audit
Sitemap, multi-Sales Channel hreflang, product JSON-LD, robots, mobile speed.
Action plan
Prioritization, costing in person-days and euros, top 3 to launch first.
How we work
01. 30-min brief
Understand the context, current stack, technical team, and business stakes.
02. Access & analysis
SSH / DB / admin read access. Static, dynamic, and manual analysis.
03. Drafting
Structured PDF report, screenshots, action plan costed in person-days.
04. 1h debrief
Findings presentation, Q&A, joint prioritization based on your budget.
Ready when you are.
No pitch — just an honest assessment of your project in 20 minutes.
Frequently asked questions
Is the audit neutral?
Yes. The audit is a standalone deliverable — you pay for the report, that's it. You can then have the fixes done by your internal team, by us (separate fixed quote on the fixes), or by another provider. The report is the same in all cases.
What do you need to start?
SSH read access on the instance, database read access, Shopware admin read access (admin account with reduced ACL is fine). NDA signed before any access if needed. If the instance is on Shopware PaaS, we can work on a structural dump.
Do you also audit the target version (6.7)?
Yes, by default. The diagnosis quantifies the migration effort to the target version (mostly 6.7 in 2026): plugin compatibility, breaking changes (Vue 2 → Vue 3 admin, payment handlers, async payment), recommended tests. The migration itself is a separate deliverable, costed separately.
Do you audit Shopware Store plugins?
Yes. The plugin inventory is systematic: installed version, version available on the Store, abandonware, known CVEs, code quality (for plugins outside the Store), conflicts with other plugins. We also flag paid plugins whose subscription has expired, which means they no longer receive security patches.
What performance impact can we expect?
It depends on your starting point. On a poorly cached instance, TTFB can drop from 800ms to 80ms with properly configured Varnish + Redis. LCP can drop from 3-4s to 1.2-1.5s with a Storefront audit (Twig, JS plugins, lazy loading). The report quantifies the expected gain item by item.
Do you look at Flow Builder and Rules?
Yes. It's an often under-audited but critical point in 2026: divergent Sales Channel configurations, orphan Rules, Flow Builder events not triggered, blocked Messenger queues. These are the kinds of silent problems that lose orders for months without anyone noticing.
Do you look at payment gateways?
Yes. The audit covers Stripe, PayPal, Mollie, Klarna, and Shopware native gateways: SCA configuration, webhooks, payment statuses, async handling (since 6.7), deferred capture. This is also where the biggest risks of silent order loss hide.