Project Dashboard
Working board — mainly for Adrian, but you're welcome to browse.
Status
Brand Discovery
Complete — deep research dossier compiled
Service Architecture
Draft — awaiting Sarah's review
Brand Voice Guide
Draft — awaiting Sarah's review
Visual Design System
Boardroom Journal aesthetic applied — awaiting feedback
Photography
Pending — professional portraits and brand assets needed
Security Assessment
Complete — passive recon of sarahcann.com finished. 11 issues identified.
Public Site Build
Not started — migration from Divi/WordPress to Boardroom Journal removes the WordPress-specific findings (REST API user enumeration, login page, directory listing, version disclosure) by architecture. The security headers, the DMARC cleanup (DNS, not the site) and removal of the stale backup and .htpasswd files still have to be done explicitly.
Live Site Security Assessment
Passive reconnaissance of sarahcann.com — 9 April 2026. No exploitation attempted. Full details in the recon and recommendations documents.
Critical — Fix Before Engagement
- WP REST API user enumeration — Admin username lcmosley (ID 1) exposed at /wp-json/wp/v2/users. This is the first step in a credential brute-force against wp-login.php or XML-RPC. Fix: return 401 from the users endpoint for unauthenticated requests (a rest_endpoints or rest_authentication_errors filter, or a WAF rule on /wp-json/wp/v2/users). Do not disable the whole REST API; the block editor and most plugins depend on it. Also confirm the same username is not leaked by the /?author=1 redirect.
- Zero security headers — No HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, or Permissions-Policy. The hub already sends all of these. Fix: add Cloudflare Transform Rules (response header modification) mirroring the hub's _headers file. Deploy the CSP in report-only mode first: Divi's inline CSS and scripts will otherwise be blocked by a policy copied from the static hub.
- Directory listing enabled — wp-content/uploads/, /plugins/, /themes/, /backup/, and /backups/ are all browseable. Fix: Options -Indexes in .htaccess. That only hides the index; files remain fetchable by name, so move /backup/ and /backups/ out of the web root entirely and treat anything they contained as already downloadable by anyone.
- WordPress version disclosure — WP 6.9.4 leaked via ?ver=6.9.4 on the dashicons CSS. Fix: remove_action('wp_head', 'wp_generator') removes only the meta generator tag; strip the ver query string from enqueued assets with the style_loader_src and script_loader_src filters, and check that /readme.html and the feed generator tag do not leak the version as well.
- Dual DMARC record — RFC 7489 (section 6.6.3) has receivers treat a domain with more than one DMARC record as having none, so the policy is currently not applied at all. Fix: remove the duplicate and keep a single record with rua reporting; move it to p=reject once the reports confirm that every legitimate sender (including any third-party platform such as Kartra, if it sends on the domain's behalf) passes SPF or DKIM alignment.
High Priority — During Engagement
- SimpleBot vs "AI Bots" service — The live site lists "AI Bots" as a service, but the deployed chatbot (SimpleBot botId 55113) is a mid-tier system with curated knowledge base and guardrails. Opportunity: replace with a proper LLM-powered assistant that understands Sarah's methodology.
- CTA fragmentation — Some links go to Kartra, some to Typeform quiz, some to internal pages. No single primary action. Fix: consolidate all CTAs to one primary action (free strategy session or diagnostic).
- Inconsistent messaging — Homepage says "local market" and "community-centric" but about page positions Sarah as a premium B2B consultancy with institutional clients. Two conflicting narratives.
- BREACH vulnerability — Responses carrying user data are served with Content-Encoding: deflate. BREACH applies when a secret (a CSRF nonce or session token) is compressed in the same body as attacker-controlled reflected input. Fix: disable HTTP compression for those responses (or site-wide, in the Apache deflate config or at Cloudflare) rather than setting a header by hand; random-length padding only slows the attack and is not a fix on its own.
- CORS wildcard on favicon — Access-Control-Allow-Origin: * on favicon.ico. On a public static asset this is harmless by itself; it matters only if the same rule applies to /wp-json/ or authenticated pages, so check those before prioritising it. Fix: scope the rule to static assets or remove the wildcard header.
- .htpasswd accessible — Served from the web root. The password hashes in it should be treated as compromised: rotate them, then move the file outside the document root and add the deny rule (Apache's standard <FilesMatch "^\.ht"> block with Require all denied) to the host config.
Strategic — Migration Sprint
- Divi bloat & accessibility — The Boardroom Journal static site (this hub) eliminates page builder overhead, WordPress attack surface, and accessibility gaps. Est. 3–5× LCP improvement.
- Missing case studies — Tourism Tasmania, Tennis Australia, and QUT deserve quantified results pages. The hub already has the content; migration makes this natural.
- No content strategy — The live site has no blog or insights section. The migration is the opportunity to build one with SEO-optimised thought leadership.
Hub vs Live Site
Security headers
Live: None · Hub: Full CSP, HSTS, X-Frame-Options, Permissions-Policy
Visual identity
Live: Divi default blue · Hub: Boardroom Journal (ink + gold)
Page builder
Live: Divi (bloated inline CSS) · Hub: Zero-build vanilla HTML/CSS/JS
WordPress exposure
Live: Users, API, login, directory listing · Hub: Not applicable (static)
CTA clarity
Live: Fragmented (Kartra + Typeform + internal) · Hub: Single path (welcome → diagnostic)
Performance
Live: ~3–5s LCP (Divi) · Hub: <1s LCP (static)