The Bunnings portal has been running on a 13-year-old codebase and a PHP version that stopped receiving security patches in 2022. We’ve migrated it to the latest PHP, rebuilt the test safety net, refreshed the interface, and added the monitoring and lead-capture your team never had — without changing a single workflow your staff depend on.
It still worked day-to-day — but underneath, it was a decade-old codebase sitting three and a half years past its security expiry date. That’s a quiet risk that grows every month it’s left alone.
PHP 7.4 reached end-of-life on 28 November 2022. Since then it has received no official security fixes, including for critical (CVSS 9.8) vulnerabilities disclosed since that affect it. PHP powers 71.1% of all websites with a known server-side language (W3Techs, Jun 2026), so the ecosystem, talent pool and PHP 8.x improvements are all squarely on our side.
The template engine (Smarty 3.1.8) dated to 2012 and was completely broken on any modern PHP. The PDF, email and image libraries were all 2014–2015 vintage. Nothing had been meaningfully updated in a decade.
The portal had no automated tests at all. Any change — including the unavoidable security upgrade — risked silently breaking the quote builder that Bunnings staff rely on every day.
When the portal’s hosting plan fell back to a default PHP 8.2 virtual host, the 13-year-old codebase crashed immediately and returned 503s. Nothing was broken in isolation; the code was simply too old to run on any modern infrastructure. That gap is permanent until the code itself is modernised.
Support ended November 2022. Any hosting migration, server update, or provider change that bumps the PHP version causes an immediate outage. There is no patch. The only fix is the migration we’ve now done.
Smarty 3.1.8 used syntax and APIs that PHP 8 removed entirely. The template engine produced fatal errors on any modern PHP. We’ve replaced it with the current Smarty 5.8, which is actively maintained.
On shared hosting, a provider infrastructure change can silently change the PHP version serving your site. On a managed VPS the PHP version changes only when you change it, so the unplanned-upgrade 503s cannot recur. You still need to apply PHP patch releases deliberately, and the test suite now makes that a safe, routine step. This is the environment the modernised code is ready for.
PHP 8.4 is now the runtime, Smarty 5 is the template engine, and the full test suite has verified every quote flow and content page works identically to before. On a managed server where you control the PHP version, the conditions that caused the 503s no longer exist in the modernised stack.
It helps to see the gap laid out. The platform was built in the Bootstrap-3 era and barely touched since — until now.
PHP, Smarty 3, Bootstrap 3, jQuery 2 — the standard stack of the day. Libraries hand-copied in; no dependency management.
Official security support ends. The portal keeps running on it regardless — for the next three and a half years.
We take receipt of the full code and stand up a proper deployment pipeline. Still on PHP 7.4 at this point.
Test suite written, migrated to PHP 8.4, verified on 8.5, UI refreshed, lead-capture wired up.
When this portal was built, the iPhone 5 was the newest phone and the web ran on jQuery. The PHP line it shipped on has since been superseded by two further major versions, PHP 7 and PHP 8, and PHP 7.4, the version it was running on at handover, has itself been retired.
Building the test suite meant reading nine years of data. A clear pattern emerged — and it has nothing to do with PHP versions. The portal has been capturing leads reliably since 2017, but it was never built to support a workflow for following them up. Three findings from the live data, with the SQL on file:
62 contact-form enquiries addressed to bunenquiries@gliderol.com.au were queued by the portal but never dispatched. The oldest has been waiting 424 days. The send mechanism has been silently failing for over a year, with nothing in the system to alert anyone.
The contact-enquiry table has had “actioned” and “read” flag columns in its schema since launch — neither has been written to once in nine years. There’s no record of what was followed up, and no way for anyone to tell.
Every quote submitted through the portal — 1,701 in total — sits at its initial “Quote Sent” state. Zero status updates, zero notes, zero follow-up records. Customers got their PDF, but Gliderol has no visibility into what happened next.
This isn’t a people problem — it’s a system one. The portal was built in 2013 to take orders and email PDFs. It was never built to support a lead-management workflow. The cost is invisible by design: enquiries come in, the database fills up, and nobody knows what got missed.
From go-live, this stops being invisible. The analytics layer included in the refreshed portal — usage funnel, session monitoring, error and uptime alerts — is exactly the fix. Every enquiry, every quote step, every failed email, every drop-off lands in one place that someone can actually watch. The hour we spend going live also turns nine years of “we don’t really know” into “we can see it”.
An illustrative model only — the assumptions below are deliberately conservative and meant to be challenged. We’d love to plug in your real average door value, quote volume, and what share of follow-ups actually close when someone gets back to the customer promptly.
Australian market pricing in 2026 puts a mid-range residential roller door with automatic opener at roughly $1,800–$3,500 installed; a double sectional door runs $2,500–$5,500. The Bunnings/Gliderol channel sits in the accessible mid-market. The model below uses a conservative $2,000 — well below the mid-range.
Sources: What’s the Damage — Garage Door Cost Australia 2026 (whatsthedamage.com.au); B&D AU Price Guide (bnd.com.au); Bunnings Garage Door Installation service page (bunnings.com.au). These are supply+install, which is the typical Bunnings Special Orders transaction.
Real portal data shows 36–169 quotes/year across 2017–2024 (2017=169, 2018=81, 2019=137, 2020=159, 2021=108, 2022=77, 2023=36, 2024=39; mean 100.75). The model uses 100/year, the rounded-down average.
Note: the 2026 portal data (833 total) is heavily contaminated by dev and QA test traffic and cannot be used for volume modelling. The 2025 figure of 62 may also include some test entries. The 36–169 range from 2017–2024 is the defensible baseline.
The model doesn’t apply a speculative conversion-rate uplift. It asks a narrower question: what’s the value of the enquiries that currently fall through entirely — the 62 undelivered emails, the leads with no follow-up trail, the quotes where no one at Gliderol had a copy?
For reference: Harvard Business Review’s foundational study (Oldroyd et al., The Short Life of Online Sales Leads, HBR.org 2011, analysed 1.25M leads) found firms responding to enquiries within an hour were 7× more likely to qualify the lead than those who waited another hour. The gap widens sharply past 24 hours. A warm Bunnings lead — someone at the Special Orders desk asking for a quote — is about as warm as a lead gets.
| | Conservative | Mid | Upper bound (speculative) |
|---|---|---|---|
| Quotes/year | 100 | 130 | 250 (estimate, pending clean data; see note below on 2025–26 volume signals) |
| Average door value | $2,000 | $2,500 | $2,500 |
| Conversion on leads that currently fall through without visibility | 5% | 10% | 10% |
| Value per year | $10,000 | $32,500 | $62,500 |
Plus the 62 enquiries already in the queue. A 10% conversion rate on 62 warm leads at a conservative $2,000 average is roughly $12,400 in pipeline that currently can’t be actioned because the emails never arrived. Even a handful of those customers still being receptive when contacted is meaningful.
On the 2026 volume signal: the raw 2026 count of 833 is mostly dev/QA test traffic from our build work and cannot be used as-is. However, the 2025 figure of 62 (vs 39 in 2024 and 36 in 2023) does suggest organic portal activity has been recovering after a mid-cycle dip — the 250/year figure in the third column is a speculative upper bound, not a modelled figure. We flag this explicitly so it can be pressure-tested with Gliderol’s own sales data.
All three columns are illustrative, not guaranteed. The $8,500 + GST one-time investment recovers itself in the conservative scenario within a single calendar year — in any reasonable scenario, the ratio is heavily in favour. The numbers are meant to be a starting point for a conversation, not a commitment.
The risk in upgrading old software isn’t the upgrade — it’s not knowing what you’ve broken. So we did it in the order that removes that risk entirely.
This is what separates a careful modernisation from a risky one. By capturing the portal’s exact behaviour in automated tests first, we could upgrade everything underneath with confidence — and prove, not hope, that the quote your staff generate today is identical to the one they’ll generate tomorrow.
The new interface replaces the 2013 Bootstrap 3 skin with a clean, co-branded design purpose-built for the Bunnings Special Orders context. Every form field, every button ID, every AJAX endpoint is preserved — only the visual layer changes. If a staff member can use it today, they can use the new version without being told a thing.
Screenshots captured from the live demo environment. The refreshed portal runs alongside the current live site behind a ?ui=refresh switch — zero impact on Bunnings staff until you approve go-live.
When we audited the database schema, we found that every time a staff member submits a quote request, the customer’s name, email address, phone number, door configuration, and quote date are written to a database table called tbl_cart. That data has been accumulating since the portal launched — but there was no admin view to see it, no way to action it, and no copy sent to Gliderol when the quote email was sent to the customer.
In plain terms: every quote request is a warm lead. They were silently vanishing into a database row that no one ever looked at.
Because the portal has been live for over a decade without a formal security review, we ran one on the migrated code before proposing go-live. Here’s what we found and what we did about it.
phpinfo() exposure, admin debug disclosure, XSS in email, and missing HTTP security headers: all remediated in place.
composer audit returned no security vulnerability advisories against any installed dependency.
safeReferer() function added: it validates that the Referer header's host matches the portal's own host before the value is used as a redirect target, backed by 8 unit tests. This closes an open-redirect path that could otherwise bounce a staff member from a legitimate portal link to a phishing site.
Vulnerability exploitation is now the #1 initial breach vector in confirmed incidents, overtaking stolen credentials for the first time in Verizon’s 19-year DBIR history (2026). It accounts for 31% of initial access events, up 55% year-on-year.
The median time organisations take to patch a known vulnerability is now 43 days — while mass exploitation of new CVEs typically begins within 5 days of disclosure. For a system on EOL software, patching is impossible. The gap is permanent.
Sources: Verizon DBIR 2026 (31% / 43-day figures); Verizon DBIR 2024 (5-day exploitation window). The global average cost of a data breach reached USD 4.88M in 2024 (IBM Cost of a Data Breach Report 2024).
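The safeReferer() guard listed above is described on this page but its source is not reproduced here. What follows is an added example written for this write-up, not the portal's own code, showing how such a check is normally built in PHP 8: parse the Referer, accept only http/https, require an exact case-insensitive host match against a host you supply, and fall back to a fixed on-site path otherwise. The portal hostname and the sample Referer values are assumed, constructed inputs. It is slightly stricter than the text describes in one respect: it returns a path-relative target rebuilt from the parsed value rather than echoing the Referer back, so the Location header can never carry a foreign host even if parse_url() and a browser disagree about where a host ends.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not the portal's own safeReferer() source.
 * Returns a redirect target guaranteed to stay on $portalHost: the Referer's
 * path and query if its host matches exactly, otherwise $fallback.
 */
function safeReferer(?string $referer, string $portalHost, string $fallback = '/'): string
{
    // The Referer is client-supplied and frequently absent (Referrer-Policy,
    // privacy extensions, direct navigation), so a safe default is mandatory.
    if ($referer === null || trim($referer) === '') {
        return $fallback;
    }

    $parts = parse_url(trim($referer));
    if ($parts === false || !isset($parts['host'])) {
        return $fallback;                       // malformed or relative value
    }

    // Only web schemes; "javascript:" or "data:" must never reach a Location header.
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $fallback;
    }

    // Exact, case-insensitive host comparison. A substring or suffix check
    // would accept "portal.example.com.au.evil.net" or "evil.net/portal.example.com.au".
    if (strtolower($parts['host']) !== strtolower($portalHost)) {
        return $fallback;
    }

    // "https://evil@portal.example.com.au/" has a matching host but carries
    // userinfo. It is harmless once we rebuild the path below, but refuse it
    // anyway: a legitimate same-site link never contains credentials.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }

    // Rebuild a path-relative target. Refuse paths beginning "//", which a
    // browser would treat as a protocol-relative URL pointing at another host.
    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/' || str_starts_with($path, '//')) {
        return $fallback;
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Constructed inputs for illustration; the portal host is an assumed value.
$portal = 'portal.example.com.au';
$cases = [
    'https://portal.example.com.au/quote.php?step=2',  // same host: /quote.php?step=2
    'https://PORTAL.example.com.au/admin/',            // host compare is case-insensitive: /admin/
    'https://portal.example.com.au.evil.net/',         // suffix trick: fallback
    'https://evil.net/portal.example.com.au',          // host hidden in the path: fallback
    'https://portal.example.com.au@evil.net/',         // parses as host evil.net: fallback
    'https://portal.example.com.au//evil.net/',        // protocol-relative path: fallback
    'javascript:alert(1)',                             // non-web scheme, no host: fallback
    null,                                              // header absent: fallback
];
foreach ($cases as $ref) {
    printf("%-48s -> %s\n", var_export($ref, true), safeReferer($ref, $portal));
}

// Typical call site (assumed):
// header('Location: ' . safeReferer($_SERVER['HTTP_REFERER'] ?? null, $portal));
```

Two caveats a practitioner should keep in mind. First, the Referer is under the client's control, so this guard constrains where a redirect may go; it is not evidence of where the user actually came from and must not be used as an authorisation signal. Second, because browsers strip or truncate the header under common Referrer-Policy settings, the fallback path is the normal case for a meaningful share of requests, which is why it must be a sensible on-site page rather than an error.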
Benchmarked inside a local Docker environment (warm OPcache, loopback connections — not end-user network times). These measure pure PHP + Apache + MariaDB execution; real-world TTFB will be higher once TLS and network are added.
Median server response — Home, product pages, contact-us (range 88–91 ms across pages). OPcache bytecode hit rate: 99.3%.
Median for the pricing/estimates page in steady-state — live pricing queries from the database. Tail spike to ~1 s observed under transient load; targeted for a query-optimisation pass before go-live.
Real-world WooCommerce throughput uplift on the same hardware (PHP 7.4 → 8.5: 44.20 → 71.02 req/s). Source: Kinsta PHP Benchmarks, 2025/26.
The current live environment runs on shared hosting with no CDN layer and no full-page cache. The modernised code is ready to run on any managed VPS environment — full-page cache on static routes, edge delivery across Australia, and a controlled PHP version you own. Hosting will sit in dormakaba’s existing hosting arrangement alongside your other brands. We will benchmark the current live environment against the new environment side-by-side once provisioned, and report real TTFB numbers before final go-live sign-off.
Benchmark method: 50 sequential curl requests per page (first 5 discarded as warm-up); loopback, no TLS; PHP 8.5.5, Apache 2.4, MariaDB 10.5. The OPcache JIT (available since PHP 8.0) is not enabled; switching it on can add a further 10–30% on compute-heavy paths, but it should be measured rather than assumed, since it helps CPU-bound code far more than database-bound pages such as pricing.
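The benchmark method above (50 sequential requests, first 5 discarded, median reported) is straightforward to reproduce, and it is worth reproducing side-by-side once the new environment is provisioned. Below is an added example written for this write-up, not the project's own benchmark script, using PHP's curl extension. It assumes the modernised portal is served on a loopback vhost at http://127.0.0.1:8080 and uses assumed page paths, so it needs that server running and is not an offline test. It records time-to-first-byte (CURLINFO_STARTTRANSFER_TIME) rather than total transfer time, and reports p95 and max alongside the median so a tail spike like the ~1 s one observed on the pricing page is visible instead of disappearing into the median.

```php
<?php
declare(strict_types=1);
// Added example, not the project's benchmark script. Reproduces the stated
// method: N sequential GETs per page, first $warmup discarded, median reported.

/** Time $n sequential GETs of $url; return TTFB and total timings in milliseconds. */
function timeRequests(string $url, int $n): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,    // consume the body, keep only the timing
        CURLOPT_FOLLOWLOCATION => false,   // a redirect would distort the number
        CURLOPT_TIMEOUT        => 10,
    ]);
    $ttfb = [];
    $total = [];
    for ($i = 0; $i < $n; $i++) {
        if (curl_exec($ch) === false) {
            throw new RuntimeException("request $i to $url failed: " . curl_error($ch));
        }
        // STARTTRANSFER_TIME is time-to-first-byte; TOTAL_TIME includes the body.
        $ttfb[]  = curl_getinfo($ch, CURLINFO_STARTTRANSFER_TIME) * 1000;
        $total[] = curl_getinfo($ch, CURLINFO_TOTAL_TIME) * 1000;
    }
    return ['ttfb' => $ttfb, 'total' => $total];
}

/** Median of a list of floats (sorted copy, average of the middle pair when even). */
function median(array $xs): float
{
    sort($xs);
    $n = count($xs);
    return $n % 2 === 1 ? $xs[intdiv($n, 2)] : ($xs[$n / 2 - 1] + $xs[$n / 2]) / 2;
}

/** Summarise a sample after dropping the first $warmup requests (OPcache fill, cold caches). */
function summarise(array $ms, int $warmup): array
{
    $steady = array_slice($ms, $warmup);
    sort($steady);
    $last = count($steady) - 1;
    return [
        'n'      => count($steady),
        'median' => round(median($steady), 1),
        'p95'    => round($steady[(int) floor(0.95 * $last)], 1),
        'max'    => round($steady[$last], 1),
    ];
}

$base  = 'http://127.0.0.1:8080';            // assumed loopback vhost for the modernised code
$pages = ['/', '/contact-us', '/estimates'];  // assumed paths; adjust to the real routes
foreach ($pages as $path) {
    $t = timeRequests($base . $path, 50);
    $s = summarise($t['ttfb'], 5);
    printf("%-14s n=%d  median=%6.1f ms  p95=%6.1f ms  max=%6.1f ms\n",
        $path, $s['n'], $s['median'], $s['p95'], $s['max']);
}
```

Run it against the legacy host and the new host with the same page list and the same request count, and compare the medians for throughput and the p95/max columns for the tail; the pricing-page query-optimisation pass planned for Phase 7 should show up in the latter two before it moves the median.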
Every layer brought to a current, supported version — with the latest security patches applied throughout.
| Layer | Before | | After |
|---|---|---|---|
| PHP runtime | 7.4.33 · EOL Nov 2022 | → | 8.4, verified on 8.5 |
| Template engine | Smarty 3.1.8 · 2012 | → | Smarty 5.8 · current |
| Security patches | None since 2022 | → | Fully patched, dead code removed |
| Automated tests | 0 | → | 206 tests · 490 individual checks |
| Interface | Bootstrap 3 · 2013 skin | → | Refreshed, co-branded, responsive |
| Quote wizard | Long single-page form | → | 4-step guided wizard with live estimate sidebar |
| Quote lead capture | Sent to customer; Gliderol had no copy or view | → | BCC to Gliderol + admin orders view with status tracking |
| Dependency management | Hand-copied libraries | → | Managed via Composer |
| Monitoring & analytics | None (no visibility into errors, uptime or usage) | → | PostHog product analytics, Sentry error monitoring, GA4; uptime alerts; consent-gated, ready to activate |
| Open-redirect guard | None | → | safeReferer() function — 8 unit tests |
Scale of the work: 393 PHP files · 94,620 lines of PHP code (application code excl. bundled libraries) reviewed and brought current, plus 72 Smarty templates, 116 JS modules, and 39 CSS/SCSS stylesheets — 901,229 lines of code across 3,241 files in total (incl. bundled libraries, SQL seed data and e2e tooling reviewed for compatibility). The quote builder and PDF engine your team depends on: fully intact.
The 206-test suite is the insurance policy. The tests already pass on PHP 8.5, so the move to 8.5 is verified in advance rather than a future migration, and the codebase has a regression safety net the original 13-year-old build never had.
The full test suite was run on PHP 8.5.5 and passes today. Moving to 8.5 when you choose to needs no migration work; the portal is already there.
Every third-party library is now tracked via Composer. Updating a library takes one command and a test run. Before, it meant finding the right old zip, copying it into the right folder, and hoping nothing broke.
Before this project, there was no automated way to know if a change broke something. Now there is. This is the permanent benefit — every future update, whether it’s a content change, a security patch, or a new feature, can be verified before it goes live.
PHP 8.4 is the current release line: active support runs to December 2026 and security fixes to December 2028 (PHP has no LTS designation; each minor release gets a fixed support window). We’re also already green on PHP 8.5. Compare that to PHP 7.4, which reached end-of-life in November 2022: the portal is now six years further into the supported lifecycle than it was before this migration. The next EOL event is December 2028, not three years ago.
Running current, patched PHP closes off known critical vulnerabilities and the compliance exposure that comes with running retired software on a customer-facing portal.
Because every flow is under test and verified, the cutover is low-risk and reversible. The new version runs alongside the live portal until you say go — if anything looks wrong, we can roll back in minutes.
On a current stack with a test suite and managed dependencies, future updates are quick and safe — no more decade-long drift, and no repeat of this situation at the next end-of-life date.
The refreshed interface is fully responsive — every Bunnings team member can build and send a quote on a tablet at the customer’s car, not just whoever is on the back-office machine. No behaviour change for staff; no new training. If you want to go further later, a native iOS/Android app (offline mode, push notifications for new enquiries, photo capture of the install site) becomes a clean follow-on project on these foundations — and a far simpler build than it would have been on the original 2013 codebase. That’s separate, scoped work; not part of this $8,500.
The refreshed portal ships with usage analytics, session monitoring, and error & uptime monitoring built in, included in the fixed price and consent-gated, so nothing is collected until the consent banner is enabled at go-live.
Teams with this kind of visibility spend 79% fewer hours dealing with outages and resolve problems measurably faster. (New Relic 2024 Observability Forecast, n = 1,700 technology professionals.)
All work is behind a ?ui=refresh feature switch — the existing live site is completely untouched until we cut over.
| Phase | What | Status |
|---|---|---|
| 1 — Safety net & migration | 206-test suite written from scratch; PHP 7.4 → 8.4 migration; Smarty 3 → 5; security audit (8 issues fixed); 5 latent PHP 8.4 deprecation warnings cleared | ✓ Complete |
| 2 — UI refresh shell | New co-branded design system; refreshed home page with photo hero; stat strip; all remaining front-end pages reskinned; responsive layout | ✓ Complete |
| 3 — Quote wizard | 4-step guided quote builder wizard with live-updating estimate sidebar; same AJAX backend and PDF generation untouched; colour swatch picker | ● In build |
| 4 — Lead capture & orders view | BCC on every emailed quote; new admin orders screen with status tracking (New / In Progress / Shipped / Completed); CSV export | ● In build |
| 5 — New environment | Deploy modernised code to dormakaba’s hosting environment; side-by-side benchmark legacy vs. new; DNS cutover coordinated with dormakaba’s hosting team | — Scheduled |
| 6 — Analytics activation | Consent banner enabled; PostHog + GA4 + Sentry activated in production; quote-funnel dashboards configured; uptime alerts set | — Scheduled |
| 7 — Polish & go-live | Query-optimisation pass on pricing page; final cross-browser QA; production cutover during an agreed maintenance window; 24-hour post-launch watch | — Awaiting approval |
An agency would charge $28,000–$35,000 for this scope. We’re proposing $8,500 — a fixed price for a complete, refreshed portal that’s already built, tested, and ready to go live.
Everything described here is built, tested and waiting. The go-live is a short, scheduled window — typically a weeknight or Saturday morning — and requires no action from your team during cutover. If you’re happy with what you’ve read, reply with a thumbs up and I’ll send the invoice and propose two or three timing options.