Auditing 30 Years of Legacy Web Infrastructure: What I Found
A real audit of a 30-year-old business with sprawling sites, domains, and forgotten cloud services. The waste I uncovered, what I'm fixing, and how to run an audit yourself.

This article is about a real engagement I'm in the middle of: auditing the web infrastructure of a business that's been operating for 30 years. Multiple websites, domains, logins, cloud services, hosting plans — and almost zero documentation. The previous tech people set things up in different places over the years and moved on without writing anything down.
I'm sharing what I've found because almost every business over a decade old looks like this. The waste is real, the fixes are usually quick, and most owners have no idea what they're actually paying for every month.
The $160/month going to two images
The first big find was simple. I was going through their AWS account, looking at what services were active and what each one was costing. One line item kept showing up: an AWS Storage Gateway running quietly month after month, $160/month for years.
I dug in to see what was actually using it. Two images. That's it. Two small image files that the company didn't even reference on any live site anymore. Some old workflow had been set up by someone long gone, and the gateway just kept running.
Annualized, that's $1,920 a year going to host two images that could sit in a basic S3 bucket for pennies — or get moved to a regular server they're already paying for.
Shut it down in about 10 minutes once I understood what it was. That single fix paid for a lot of my time.
The context: 30 years of bolted-on decisions
Here's what 30 years of unmanaged growth looks like:
- Multiple hosting providers — some bought for one site, never canceled when that site moved
- Domains scattered across registrars — GoDaddy, Network Solutions, Namecheap, even a few sitting at company emails of people who left
- Cloud accounts at AWS, sometimes Azure or GCP — each set up for “one project” that grew into vague catch-all infrastructure
- Logins stored in browsers, in spreadsheets, in “that one email from 2014”
- SaaS subscriptions auto-billing for tools nobody uses anymore
- Legacy WordPress sites — some still serving real traffic, others zombie installs
- Email systems spread across Google Workspace, Microsoft 365, and the host's default mail
No single person knows where everything is. The previous tech people each knew their slice. When they moved on, they took the knowledge with them.
The discovery process
There's no clever software for this. You sit down with the owner and you start asking:
- “Which sites do we actually have running?”
- “Who's the domain registered through?”
- “Where does the email come from?”
- “What's this $80 line item on the credit card?”
- “Who has the AWS root login?”
Half the answers are “I don't know — Mike used to handle that.” Mike left in 2019.
So you trace it. Pull the billing statements. Cross-reference DNS records. Log into anything you can get into. Reset passwords on anything you can't.
Almost every day uncovers something nobody remembered existed. A staging site that's been live for 6 years. A subdomain pointing to a server that was decommissioned. A backup service still pulling from a database that no longer exists.
More waste I've found
Servers running at 10% CPU
They had a couple of dedicated servers sized for “peak load” that someone projected for them years ago. Looking at actual usage: 10% CPU on average, gigabytes of unused RAM, plenty of free disk.
You don't need a 16-core server to do what they're doing. Right-sized to a properly-sized VPS, the monthly cost drops dramatically — and the site actually runs faster because the smaller server is on better hardware.
A dev server they don't need
There's a dev server they've been paying for that nobody's logged into in months. It existed because at some point they had a developer who wanted a staging environment. The developer left. The dev server keeps billing.
For their needs, a local Docker setup or an on-demand VPS spun up when work is happening would replace this entirely. Save the monthly fee, keep the capability when actually needed.
Legacy WordPress sites with malware
Multiple WordPress sites are running on outdated cores, unmaintained plugins, and forgotten themes. Some have malware injected — redirect scripts in functions.php, spam pages indexed in Google, fake admin accounts. Cleaning these up is steady work:
- Audit every plugin and theme
- Remove anything not actively used
- Update what stays
- Scan for backdoors and shells
- Lock down admin access
- Set up monitoring so the next compromise gets caught fast
For sites that aren't serving the business anymore, the right answer is often to archive them as static HTML and shut down the database/WordPress install entirely. Removes the attack surface, keeps the content.
Forgotten cloud add-ons
CloudWatch dashboards from a discontinued project. Reserved instances that don't match current workload. NAT gateways billing $30+/month for traffic that could go through a much cheaper egress option. Snapshots of EC2 volumes from 2019 just sitting there at full storage cost.
These are individually small but they add up. Half a dozen of them quietly billing for years is real money.
Why this happens
Cloud and hosting providers have no incentive to tell you you're overpaying. The business model is: turn on services, bill monthly, hope you don't notice.
When you call to cancel something, they make you jump through hoops. When you ask whether you really need a service, the answer is always “yes, here's why.” When a new sales rep contacts you, they pitch *more* services, not fewer.
This is true even at companies you'd expect more from:
- AWS quietly charges for snapshots and unattached volumes for years
- Shared hosts auto-renew at 3-4x the intro price
- Managed WordPress hosts push you into larger plans before you actually need them
- SaaS vendors raise prices on existing customers more aggressively than new ones
The only way to keep your spend honest is to audit it. Regularly.
The audit playbook (do this yourself)
Whether you do this yourself or hire someone, here's the order I work through it:
1. Inventory everything you're paying for
- Pull the last 3 months of credit card statements and bank transfers. Categorize every recurring charge:
- Hosting
- Domains
- Cloud (AWS, Azure, GCP)
- SaaS (Slack, Notion, Mailchimp, etc.)
- Security tools
- Backup services
- Anything else
You will be surprised. Most businesses have 30-50% more line items than they think.
2. Match each charge to an actual use
For every line: what does this service do, who uses it, and is it still load-bearing? If nobody can explain why a charge exists, that's the first thing to investigate.
3. Find access and document it
Get the root credentials, billing access, and ownership records into a real password manager. 1Password, Bitwarden, Dashlane — anything but “in Mike's old email.”
This is the most boring part and the most important. Without access, you can't audit. With it, you can move fast.
4. Cut what you don't need
The forgotten gateways, dev servers nobody uses, old monitoring tools, expired domains pointing nowhere — kill them. Take notes on what you killed in case something breaks (it won't, but reassure yourself).
5. Right-size what stays
For things you do need, are you on the right plan? Servers oversized 5 years ago for a peak that never happens shouldn't still be sized for that peak.
6. Compare prices
Hosting and cloud prices have changed a lot. A 4 vCPU / 8 GB VPS that cost $80/mo five years ago is $24/mo now at the same providers. New providers like Hetzner, Vultr, OVHcloud are dramatically cheaper than what you're probably on.
Don't migrate just for sport — but if there's a 3x cost difference for the same specs, the migration pays back fast.
7. Set up real monitoring
Set up alerts for unexpected cost increases. AWS Budgets is free. So is just checking the bill once a month.
8. Document everything you learned
Wiki, Notion page, shared doc — anything. So the next person who touches this doesn't start from scratch.
What audits typically save
In my experience, a properly-done infrastructure audit on a 10+ year old business usually finds:
- $100-$500/month in pure waste (forgotten services billing nothing)
- 20-50% reduction in remaining infrastructure cost through right-sizing
- 1-3 security issues worth fixing (malware, exposed credentials, outdated systems)
- Several lost domains that can be recovered before they expire
- Many forgotten accounts with reused passwords that need rotation
Annualized, that's thousands of dollars in savings AND major security improvement. And once the audit is done, you have actual documentation to work from going forward.
The lesson for everyone
If you've been in business more than 5 years, you have waste. Probably more than you think. The longer you go without auditing, the more you accumulate.
This isn't about being cheap. It's about being honest with where your money is going. Hosting providers and cloud vendors aren't going to tell you. Your accountant sees the line items but doesn't know what they do. The only person who can find it is someone willing to dig in.
If you're a small or medium business owner reading this and thinking “I have no idea what I'm paying for half this stuff,” that's the signal to audit. Either do it yourself with the playbook above, or get someone to do it.
Need an audit?
I do this kind of work regularly — full infrastructure audits for businesses with sprawling, undocumented systems. Domains, hosting, cloud, SaaS, logins, security, the works. Usually pays for itself in the first month from the waste alone. Send me a message and tell me what you're working with.
Need Help With Your Website?
I fix these problems every day. Send me a message and I'll take a look.
Get Help Now