The Horror
Picture this: It’s the 2010s, but the code feels like the 1990s. I was handed the keys to a custom e-commerce site for a small manufacturing business. The tech stack? A chaotic mix of legacy Perl scripts and static HTML. The navigation bar was hard-coded into 20+ separate files.
But the real kicker? The checkout process captured raw credit card numbers and saved them to a flat text file for office staff to manually type into a terminal. No encryption. No tokenization. Just pure, unadulterated liability.
The Mission
My directive was clear but constrained: “Modernize the site, improve security, but don’t disrupt how we do business.” I wasn’t the architect; I was the mechanic trying to change the tires while the car was doing 60 mph.
The Fixes (The Wins)
I took a pragmatic, three-phase approach to stop the bleeding:
- **The PHP Facelift:** I ripped out the hard-coded navigation and built a simple vanilla PHP template system. Updating a menu item went from 45 minutes of copy-pasting to 30 seconds of editing a single file. The site became more consistent and easier to maintain without breaking existing pages.
- **The Security Patch:** I integrated the PayPal API to offload payment processing. This was the critical win—we finally stopped handling raw credit card data, instantly improving security and reducing PCI liability.
- **The Logic:** I bridged the UPS API into the Perl cart to automate shipping costs based on weight, eliminating manual lookup errors and reducing operational bottlenecks.
The Heartbreak (The Phantom Test Suite)
The legacy checkout code was brittle, and I was constantly worried about regressions. On my own time, I built a small regression test suite using Codeception (PHP) with Selenium to perform end-to-end tests of the checkout flow. Selenium automated browser interactions, while Codeception provided a PHP-based framework to organize and run the tests, giving me confidence that the checkout process continued to work as expected.
When I proposed formalizing the suite, the business didn’t see a clear return on investment. Time spent on non-customer-facing work was hard to justify, so no resources were allocated to maintain or expand it. The suite never became part of the official workflow.
Even so, I continued running it locally before my own deployments. It quietly caught potential regressions and saved me from breaking things, even if the work never appeared on a roadmap or report.
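As an added illustration (not the author's suite), here is the shape such a Codeception acceptance test could take, with one case guarding the shipping integration and one guarding the security win: no page in the checkout flow may ask for a card number, and the hand-off must leave the shop for PayPal. It assumes Codeception's WebDriver and Asserts modules are enabled, and the `.pl` paths, field names and selectors are hypothetical.

```php
<?php
// Added example, not the original site's code. Paths, field names and
// selectors below are hypothetical; the SKU is a constructed sample.
class CheckoutCest
{
    private string $productUrl = '/product.pl?sku=TEST-WIDGET';

    // Every test starts with a constructed cart: two units of one item.
    public function _before(AcceptanceTester $I): void
    {
        $I->amOnPage($this->productUrl);
        $I->fillField('qty', '2');
        $I->click('Add to cart');
        $I->seeInCurrentUrl('/cart.pl');
    }

    // Regression guard for the UPS integration: a calculated rate must be
    // shown instead of the old manual-lookup placeholder.
    public function cartShowsCalculatedShipping(AcceptanceTester $I): void
    {
        $I->seeElement('#shipping-cost');
        $I->see('Shipping', '#cart-summary');
        $I->dontSee('Call for shipping');
    }

    // Security regression guard: after offloading payments to PayPal the
    // shop itself must never render a card-number field, and the payment
    // step must hand the browser off to a paypal.com host.
    public function checkoutNeverCollectsCardData(AcceptanceTester $I): void
    {
        $I->click('Checkout');
        $I->seeInCurrentUrl('/checkout.pl');
        $I->dontSeeElement('input[name="card_number"]');
        $I->dontSeeElement('input[autocomplete="cc-number"]');
        $I->dontSeeInPageSource('card_number');
        $I->dontSee('Card number');

        $I->click('Pay with PayPal');
        // WebDriver's URL helpers compare only the path, so read the
        // hostname through the browser to verify the redirect target.
        $host = $I->executeJS('return document.location.hostname;');
        $I->assertStringEndsWith('paypal.com', $host);
    }
}
```

Run before a deployment with `vendor/bin/codecept run acceptance CheckoutCest`; a failure in the second case means raw card data is being collected again.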