If you ever needed to edit, change, update or extend an existing WordPress installation, you probably know those problems. 10+ (or even 30+) available updates, some custom plugins and a fucked up child theme or no child theme at all and multiple changes in the main theme from themeforest. Thats because everyone with minimal PHP skills can write something for WP or is able to create a child theme and paste some stackoverflow snippets into functions.php.
Probably the siteowner is completely desperate and you are the only choice he has, because any other programmer would not even take a look into such a setup. So how would you handle this situation?
The only rational way is to look what changes have been made by others and then try to fix that mess, but before you diff all plugins and the main theme with their sources and save a lot of .patch files, just install WordFence! WordFence has some great features to compare the installed plugins with the WP repo and to build diffs, but the generated log files are even more important. Those logs are crucial for any further work, because every touched plugin is no longer able to be updated without the loss of old changes and in most cases it is a damn high effort to refactor the code and to clean it up. Before you make an offer (probably you are the only one to make an offer anyway) you should take care of every touched plugin and check the generated diffs from WordFence.
But the customer only wants some minor update and will not pay for refactoring and clean up!
Of course you could just put more shit-crap-code on top of the shit, but don’t answer your phone next time that customer calls. In my opinion it is no option to extend such setups without a clean and stable basic system. Once you’ve touched anything, that customer will make you responsible for his shitpage, so think twice. You should send them the generated log files and sensitize them for safety, because otherwise the setup will some day crash the hell out of everyone who is involved.
How can I justify myself?
Edited plugins and parent themes don’t appear by accident. Probably many other (cheaper, faster, or more eloquent) programmers/agencies already worked with that setup, so why don’t they clean up what they caused? Your customer probably wasn’t happy with them or those guys have given up, because stackoverflow and github gist don’t have answers to your customers request. Also a programmer that already touched those update relevant files will never be able to clean up the system anyway. So you don’t need to justify yourself, because you are probably the only choice your customer has.