Most website buyers do a thorough job on the traffic and the money and then more or less wave at the technology. “It's a WordPress site,” they say, the way you'd say “it's a car” — as if that settles anything. It doesn't. It's a car covers both a reliable sedan and a project that's been on blocks in the yard since 2019, and the difference is entirely under the hood where you didn't look.
The tech stack answers two questions that decide whether you've bought an asset or a liability: what is it built on, and who can keep it running once the person who built it is gone? Get those wrong and the cheap, simple site you bought turns into a money pit the first time something needs to change.
Here's what to actually look at, even if you're not technical:
- The foundation. WordPress, a custom build, a hosted platform? Custom isn't automatically bad and WordPress isn't automatically safe — but a custom build that only the now-departed developer understood is a specific kind of trap. If the answer to “who can maintain this” is “the guy who's leaving,” that's a finding.
- The dependency pile. On WordPress, that's the plugins and theme. You're looking for abandoned plugins (not updated in years), outdated ones, and — the real landmine — nulled (pirated) plugins, which carry security holes and legal exposure you'd inherit. A site running thirty plugins, several abandoned, is held together with tape.
- Custom code nobody documented. The snippets, the custom functions, the “don't touch this” bits. Code with no documentation is a future emergency with no manual.
- Hosting and infrastructure. Where does it live, how fragile is the setup, is there a staging environment, are there real backups that have actually been tested? “We have backups” and “we have backups that restore” are different sentences.
- Security and currency. Is the underlying software current or years behind? Old PHP, old core, no SSL hygiene, no security layer — each is a clock ticking.
- Single points of failure. The one integration everything depends on, the one API key, the one server, the one person.
The reason this is the part buyers skip is the same reason it's the part that hurts them: you can't see it from the outside, and reading it properly takes someone who's lived in these systems. The traffic and the financials at least come as numbers. The tech debt comes as a vibe of “seems fine” right up until you try to change one thing and four others break.
This is, honestly, the exact place a non-technical buyer should bring in someone technical — it's the whole reason pre-purchase tech audits exist. But if you're doing a first pass yourself, start with two questions and watch how the seller answers them: can I see the full list of plugins and integrations, and if something breaks next month, who fixes it? Hesitation on either one is the tell.