Project Board

Live Site Security Assessment

Passive reconnaissance of sarahcann.com — 9 April 2026. No exploitation attempted.

Critical — Fix Before Engagement

• WP REST API user enumeration — Admin username lcmosley exposed. Fix: block the endpoint.
• Zero security headers — No HSTS, CSP, X-Frame-Options. Fix: add Cloudflare Transform Rules.
• Directory listing enabled — wp-content/uploads/ browseable. Fix: Options -Indexes.
• WordPress version disclosure — WP 6.9.4 leaked. Fix: remove version strings.
• Dual DMARC record — Conflicting policies. Fix: remove duplicate.

High Priority — During Engagement

• SimpleBot vs "AI Bots" service — Opportunity to replace with a proper LLM-powered assistant.
• CTA fragmentation — Consolidate to one primary action.
• Inconsistent messaging — "Local market" vs premium B2B positioning.
• BREACH vulnerability — Fix: add random padding.
• CORS wildcard on favicon — Fix: remove wildcard.

Strategic — Migration Sprint

• Divi bloat & accessibility — Boardroom Journal static site eliminates page builder overhead.
• Missing case studies — Tourism Tasmania, Tennis Australia, QUT deserve quantified results.
• No content strategy — Migration is the opportunity to build SEO-optimised thought leadership.