Zero Creations

digital zen

WEBSITE AUDIT REPORT

YOUR COMPANY

yourwebsite.com

Welcome to your website audit review page. Below you can find an overview of our findings, the issues that require your attention, and recommendations and steps you can take to keep your site secure and stable in the future.

Overview
General assessment of your site security, health and performance.
Issues & Solutions
Low, medium and high-level issues that need resolving. Next steps and our recommendations on how to resolve problems found on your site.
Going Forward
Next steps and our recommendations on how to keep your site functional and secure.
Work Log
Everything we do is meticulously logged. See the complete log here.

OVERVIEW

General assessment of your site security, health and performance.

YOUR SERVER/HOSTING

A-

Grade

Server Grade in an audit assesses server hardware and software against website demands. It indicates if the server's processor speed, memory, storage, and network are optimal for performance and reliability. A high grade means the server meets or exceeds needs, while a low grade suggests upgrades are necessary for improved performance and scalability.

Server Resources:

CPU: Intel(R) Xeon(R) Gold 6126 CPU @ 2.60GHz (24 core(s))
Memory: 176.32GB
OS: Ubuntu 22.04.3 LTS
Admin: Plesk Obsidian v18.0.58_build1800240115.11

Hardware and software resources are sufficient for the requirements of the websites running on the server. Usage statistics are within normal parameters. Some security issues have been found. Some performance gains are possible through configuration tweaks.

Recommendation: ensure security issues are addressed. Perform minor server configuration tweaks.

For further details, please see under “Issues and Solutions”.

YOUR WEBSITE

C

Grade

Website Grade in an audit evaluates the overall performance and security of a website. It considers factors like load speed, mobile responsiveness, and security measures. A high grade indicates a well-optimized and secure site, while a lower grade highlights areas needing improvement for better site stability and security.

The following tests have been performed on your site:

  • GTMetrix multiple-location tests on the standard user flow (homepage->members area->Course Page->Lesson Page)
  • Lighthouse Mobile Responsiveness test
  • Query test on the standard user flow
  • Plugin performance test on the standard user flow + random page sample

The site is experiencing severe performance issues on un-cached, script-heavy sections. Performance tests have been run from the most prevalent traffic geolocations for the past month (UK, US/California, US/South, Canada/East).
Overall site performance varies: the homepage has the best average rating (85/100), while member area pages tend to do much more poorly (Courses – 68/100, Sample Course Page – 84/100, Sample Lesson Page – 54/100).

The query test doesn’t show anything critical. Some performance gains are possible via selective loading of plugins and scripts per page.

The plugin performance test singles out Gravity Forms as by far the most resource-intensive plugin.

Site security headers are not properly configured.

Recommendations: Configure a CDN for even delivery of static resources worldwide. Perform a selective plugin and component load configuration on a per-page basis. Configure security headers for site hardening against malicious actors.

For details and instructions (where applicable), see “Issues and Solutions”.

ISSUES AND SOLUTIONS

Please review the details of any outstanding issues here. Any third-party services and solutions listed in this section are recommended on a best-experience basis and are not affiliated with us.

SECURITY

Server admin page is accessible via unsecured HTTP protocol

Problem description

This poses a security risk as HTTP is unencrypted, making sensitive data like login credentials vulnerable to interception.

Solution

Enable HTTPS for admin pages. Implement SSL/TLS to encrypt the data, protecting it from being intercepted during transmission. Update server configuration to redirect all HTTP requests to HTTPS.

Instructions

This task is best left to the server admin, as incorrect configuration can cause problems in the functioning of the server and/or hosted websites. Consult your server admin (or, in the case of managed hosting, your hosting provider) on how to properly secure the Plesk admin page.

Server admin account uses "root" as username, password is too short

Problem description

Using “root” as a username with a short password for a server admin account is a significant security risk. The “root” username is commonly targeted in brute force attacks, and a short password can be relatively easily compromised.

Solution

To enhance security, change the username from “root” to something less predictable. Use a long, complex password that combines letters, numbers, and symbols; at least 14 characters are recommended.
Additionally, implementing two-factor authentication adds another layer of security.

Instructions

Consult your server admin or hosting help line on how to change the admin username to something more secure, as well as on the availability of two-factor authentication.

WordPress Security

Problem description

The WordPress debug log is publicly accessible, posing a security risk. It can reveal sensitive information to attackers, such as plugin paths, version details, and other site vulnerabilities. In addition, certain security options for your WordPress hosting are not enabled.

Solution

Move the debug log to a non-public directory or restrict access.

Instructions

In wp-config.php, update the WP_DEBUG_LOG path to a secure location. Implement .htaccess rules or server configuration to block public access to sensitive files and directories. Regularly monitor and clear the debug log to avoid storing unnecessary data. Alternatively, take advantage of the Security Options in the WordPress management toolset of your hosting admin (Plesk Admin->WordPress->Select Domain->Issues->Critical Security Measures).

Security headers (Strict-Transport-Security, Content-Security-Policy, etc.) are missing

Problem description

Missing security headers like Strict-Transport-Security and Content-Security-Policy leave a website vulnerable. These headers are crucial for preventing attacks like clickjacking, data interception, and XSS (Cross-Site Scripting).

Solution

Implement necessary security headers in the server configuration.

Instructions

The following security headers need to be configured: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy.

Manual

For Apache, use .htaccess to add headers with directives such as Header set Content-Security-Policy and Header set Strict-Transport-Security.

Via Plugin

  1. Install the HTTP Headers plugin from the WordPress Plugin Repository (HTTP Headers – WordPress plugin | WordPress.org)
  2. In the WP admin dashboard, select Settings->HTTP headers->Security
  3. Turn on and configure listed security headers
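Whichever route is taken, the result should be verified from the outside. The following Python script is an added example, not part of the original report: it checks a response's headers for the six headers listed above and flags weak values. The one-year HSTS minimum and the two sample responses are assumptions/constructed, not values from the audit.

```python
"""Check a response's security headers for the six the audit lists and flag
weak values. Added example, not part of the original report; the one-year
HSTS minimum and the sample responses below are assumptions/constructed."""
import re

REQUIRED = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
)
MIN_HSTS_MAX_AGE = 31536000  # one year, a common recommendation (assumption)


def check_security_headers(headers):
    """Return a list of (header, finding) tuples; empty means all six are
    present and sane. Lookup is case-insensitive since servers vary."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name in REQUIRED:
        value = lower.get(name.lower())
        if value is None:
            findings.append((name, "missing"))
        elif name == "Strict-Transport-Security":
            m = re.search(r"max-age=(\d+)", value, re.I)
            if not m:
                findings.append((name, "no max-age directive"))
            elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
                findings.append((name, f"max-age {m.group(1)} below one year"))
        elif name == "X-Content-Type-Options" and value.lower() != "nosniff":
            findings.append((name, f"expected 'nosniff', got {value!r}"))
        elif name == "X-Frame-Options" and value.upper() not in ("DENY", "SAMEORIGIN"):
            findings.append((name, f"expected DENY or SAMEORIGIN, got {value!r}"))
        elif name == "Content-Security-Policy" and "default-src" not in value.lower():
            findings.append((name, "no default-src fallback directive"))
    return findings


# Constructed samples: a response with only ordinary headers (the audited
# state) next to one carrying a hardened set of the six headers.
AUDITED_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Server": "Apache",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, resp in (("audited", AUDITED_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_security_headers(resp) or "all six headers present and sane")
```

To check a live site, pass it the headers of a real response, for example `dict(urllib.request.urlopen(url).headers)`.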

GDPR/CCPA policy not readily accessible on site

Problem description

Lack of easily accessible GDPR/CCPA compliance policies on a website can lead to non-compliance issues. These regulations mandate clear, transparent privacy policies for user access.

Solution

To resolve, ensure the website features a prominently placed privacy policy link, like in the footer. This policy should clearly detail data handling practices as per GDPR/CCPA standards. Incorporating a cookie consent banner and regularly updating the policy are also recommended to maintain compliance and reflect current data practices.

Instructions

GDPR/CCPA-compliant policies can be drafted with the help of online resources, or a dedicated third-party service such as Termly can be used. Since you have users from California, you need to include the sections relevant to the CCPA provisions.

Links to policy pages have to be visibly placed on every part of the site – using Elementor you can easily insert them in the site footer with a few clicks.

Cookie banner is best configured via a dedicated WordPress plugin, such as CookieYes.

No password policy configured (weak passwords allowed)

Problem description

Allowing weak passwords in WordPress is a security risk as it makes user accounts vulnerable to brute force attacks. Weak passwords can be easily guessed, compromising user accounts and potentially the entire site.

Solution

Implement a strong password policy.

Instructions

This is best accomplished using a security plugin for WordPress.

Using Wordfence, you can enforce strong passwords for all users by following these steps:

  1. Navigate to your Wordfence ‘options’ page in your WordPress dashboard.

  2. Scroll down to “Login Security Options”.

  3. Look for the option that says “Enforce strong passwords” and check the box beside it.

  4. Additionally, under “Scans to include”, check the box for “Check the strength of passwords”.

  5. Save your changes.

Site is not blacklisted

This is a positive indicator of the site’s reputation and email deliverability. Being clear from blacklists suggests that the site is not associated with spam or malicious activities, which is crucial for maintaining trust with users and email services.

SSL properly configured

SSL certificate valid until March 4th, 2024 / all pages served over HTTPS

SSL is properly configured on the site. This means the SSL certificate is valid, correctly installed, and provides secure connections via HTTPS. A properly configured SSL certificate is essential for encrypting data in transit, enhancing site security, and building trust with users. This also positively impacts SEO rankings and user confidence, especially during sensitive transactions.

No on-site vulnerabilities found (plugin, core, theme)

This indicates robust security measures and up-to-date software. Keeping these elements vulnerability-free is crucial to protect against potential exploits, ensuring the site remains secure from common attack vectors. Regular updates and security checks contribute to this positive result, enhancing overall website integrity and user trust.

No on-site malware found

A malware-free site is crucial for maintaining the safety and integrity of both the website and its users, ensuring a secure browsing experience. Regular scans and strong security protocols contribute to keeping the site clean from malware, which is vital for user trust and website reputation.

Server-side WAF active

An active WAF filters, monitors, and blocks malicious traffic or hacking attempts before they reach the web server, significantly enhancing the site’s security posture. Its presence is crucial for defending against common threats like SQL injection, cross-site scripting, and other exploitable vulnerabilities.

Server-side backup configured

Regular, automated server-side backups are crucial for protecting against data loss due to hardware failure, hacking, or accidental deletions. They provide a safety net, allowing for recovery in case of unexpected incidents.

PERFORMANCE

Page Load Time Analysis

Problem description

Pages with heavy script usage are showing poor performance ratings. This can lead to slow load times, negatively impacting user experience and SEO rankings. Page performance can be impacted by multiple factors. Performance tests indicate that pages which are not cached (typically those that are displayed for logged-in users) experience marked performance loss due to increased server response times and the number of chained critical requests.

Solution

This problem requires multiple measures in order to increase page performance.

Optimize Server Response Times: Review and enhance the server configuration. The process log indicates that the website in question is currently served as a PHP FastCGI application. Consider switching to PHP-FPM served by Apache for a potential increase in speed and performance.

Enable caching for logged-in users: Currently, the caching system is set up to serve only one set of cached assets and is not serving cached files to logged-in users at all. Enabling the user-specific caching option could help with site performance on a membership-focused site like yours.

Explore using Memcached in addition to current static asset caching: Memcached is a high-performance, distributed memory object caching system primarily used to speed up dynamic web applications by alleviating database load.

Selectively load assets on a per-need basis: WordPress can be configured to load or unload plugins, scripts and assets on a per-page basis. Since load time tests indicate that the BuddyBoss theme is responsible for the majority of the chained requests slowing down the site, explore whether it is possible to unload assets or scripts on pages which do not need them to function.

Instructions

Optimize Server Response Times

  1. Log into your Plesk server admin interface
  2. Select “Domains”->members.embodimentunlimited.com
  3. Select “PHP”
  4. From the “run PHP as” drop down list, select “FPM application served by Apache”. Leave all other settings as is.
  5. Click “Apply”

Enable caching for logged-in users

Your WP Rocket cache plugin automatically differentiates between static and dynamic content, but does not serve cached files to logged-in users. This negatively affects page performance for all pages which require the user to be logged into the system. To try and fix this, you can take advantage of the option to serve cached content to logged-in users on a per-user basis (separate caches for each user).

  1. In Your WordPress dashboard, select Settings->WP Rocket
  2. Under “Cache”, check the “Enable caching for logged in users” option
  3. Under “Advanced Rules”, make sure to include specific URLs that you never want to be cached. Anything where personal account data, including login credentials, is handled should be excluded from caching.

Explore using Memcached in addition to current static asset caching

Memcached can help reduce database load and in some cases speed up the site noticeably. However, setting this up is a technically involved process and therefore best left to qualified professionals. Site-side, you will need a caching plugin that supports Memcached (WP Rocket does not), such as W3 Total Cache.

In addition to that, your server needs to be configured to support the feature. Consult with your server admin or hosting on how to achieve this.

Selectively load assets on a per-need basis

Plugin performance tests as well as load tests revealed that there is room for optimization when it comes to loading scripts and assets on pages which do not need them. For example, the My Courses page still loads the Gravity Forms plugin, even though no forms are used on that page.

Using specialized plugin tools, unneeded plugins, scripts, components and assets can be selectively turned off, especially on membership area pages, to decrease loading times and improve page performance.

Server Log Analysis

Problem description

The following errors and issues have been found in the server log:

  1. Frequent 404 Errors (Not Found): A significant number of entries are 404 errors. These errors indicate that requested pages or resources are not found on the server. This could be due to broken links, pages that have been moved or deleted, or incorrect URLs being accessed. The paths mostly include various event categories and pages, suggesting that either these pages do not exist or the links pointing to them are outdated or incorrect.

  2. AhrefsBot Activity: Many of these 404 errors are associated with requests made by AhrefsBot, a web crawler from Ahrefs, a tool for SEO and link analysis. This suggests that your website is being crawled for SEO purposes. While this is normal, the high number of 404 errors encountered by the bot indicates that it’s trying to access a lot of non-existent pages, which might suggest issues with your site’s structure or outdated sitemap information.

  3. BuddyBoss API Errors: There are repeated 400 (Bad Request) and 403 (Forbidden) errors related to BuddyBoss API endpoints (/wp-json/buddyboss/v1/members/presence and /wp-json/buddyboss/v1/pusher/data). This suggests problems with the BuddyBoss plugin or integration, possibly related to authentication or permissions.

  4. 500 Internal Server Errors: There are several 500 errors, indicating server-side issues when accessing certain pages like /welcome-to-embodiment-portal and /apple-touch-icon-precomposed.png. These errors suggest that there’s a problem on the server itself, potentially due to issues in the website’s code, database errors, or server configuration issues.

  5. 503 Service Unavailable Error: The log shows 503 errors for the WordPress login page (/wp-login.php). This could be due to the server being unable to handle the request due to maintenance or overload, which might also indicate a brute force attack attempt to log into the WordPress admin.

  6. Potential Security Concerns: Requests to URLs like //wp-includes/wlwmanifest.xml and //?author=1 might indicate attempts to gather information about the WordPress installation, which could be a precursor to a more targeted attack. The repeated 401 error on accessing /wp-json/wp/v2/users/ also points towards unauthorized attempts to access user data.

  7. Other Crawlers/Bots: Besides AhrefsBot, there are requests from PetalBot and bingbot. This is normal for website indexing, but the fact that they’re also encountering 404 errors suggests that these indexing services are working with outdated or incorrect information.

  8. User Agents and Devices: Various user agents like Mozilla (compatible with different OS), okhttp, and AppleWebKit indicate a diverse range of devices and software accessing the site, from regular browsers to bots and API calls.
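The patterns above can be pulled out of the raw access log automatically rather than by reading it line by line. The following Python script is an added example, not part of the original report: it parses Apache combined-format lines, counts non-200 hits per path and 404s per crawler, and separately tallies requests to the reconnaissance paths named in item 6. The log lines in it are constructed to mirror the findings and use documentation IP ranges.

```python
"""Summarise an Apache combined-format access log along the lines of the
audit's log review. Added example, not part of the original report; the
log lines below are constructed."""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Paths the report flags as installation fingerprinting / user enumeration.
RECON_PATTERNS = (
    re.compile(r"/wp-includes/wlwmanifest\.xml"),
    re.compile(r"^/+\?author=\d+"),
    re.compile(r"^/wp-json/wp/v2/users/?"),
)
CRAWLERS = ("AhrefsBot", "PetalBot", "bingbot")


def parse_line(line):
    """Return the log fields as a dict, or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines):
    """Return counters a reviewer can act on; malformed lines are counted."""
    report = {
        "status_by_path": Counter(),  # (status, path) -> hits for non-200s
        "crawler_404s": Counter(),    # crawler name -> 404 hits
        "recon": Counter(),           # (ip, path, status) -> hits
        "unparsed": 0,
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        status, path, agent = rec["status"], rec["path"], rec["agent"]
        if status != "200":
            report["status_by_path"][(status, path)] += 1
        if status == "404":
            for bot in CRAWLERS:
                if bot in agent:
                    report["crawler_404s"][bot] += 1
        if any(p.search(path) for p in RECON_PATTERNS):
            report["recon"][(rec["ip"], path, status)] += 1
    return report


# Constructed sample mirroring the issues listed above (documentation IPs).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jan/2024:10:00:01 +0000] "GET /events/category/old-meetup/ HTTP/1.1" 404 1234 "-" "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"
203.0.113.10 - - [15/Jan/2024:10:00:02 +0000] "GET /events/2019/retreat/ HTTP/1.1" 404 1234 "-" "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"
198.51.100.7 - - [15/Jan/2024:10:00:05 +0000] "POST /wp-json/buddyboss/v1/members/presence HTTP/1.1" 403 87 "-" "okhttp/4.9.0"
192.0.2.44 - - [15/Jan/2024:10:01:00 +0000] "GET /welcome-to-embodiment-portal HTTP/1.1" 500 0 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36"
192.0.2.99 - - [15/Jan/2024:10:02:00 +0000] "GET //wp-includes/wlwmanifest.xml HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.99 - - [15/Jan/2024:10:02:01 +0000] "GET //?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
192.0.2.99 - - [15/Jan/2024:10:02:02 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
192.0.2.99 - - [15/Jan/2024:10:02:03 +0000] "POST /wp-login.php HTTP/1.1" 503 0 "-" "Mozilla/5.0"
this line is not in combined log format
"""

if __name__ == "__main__":
    r = analyse(SAMPLE_LOG.splitlines())
    print("crawler 404s:", dict(r["crawler_404s"]))
    print("recon requests:", dict(r["recon"]))
    print("non-200 by path:", dict(r["status_by_path"]))
```

Run it against the real log with `analyse(open("/path/to/access_log").readlines())`; a single source IP appearing repeatedly under "recon" is the case worth blocking at the firewall.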

Solution

Audit Your Website: Check for broken links and update your sitemap. Ensure that all linked pages exist and are accessible.

Review and Update BuddyBoss Integration: Investigate the errors related to BuddyBoss API calls and resolve any issues with permissions or configurations.

Investigate Server Errors: Look into the server-side errors (500 and 503) to identify and fix underlying issues.

Enhance Security Measures: Investigate the potential security concerns, such as unauthorized access attempts, and strengthen your website’s security.

SEO Optimization: Given the high number of 404 errors encountered by SEO bots, consider reviewing and updating your SEO strategy.

Monitor Server Load and Health: The 503 errors might indicate server overload, requiring better server management or an upgrade in resources.

Instructions

Check for broken links

  • Tools: Use tools like Screaming Frog SEO Spider, Ahrefs, or Google Search Console to scan your website for broken links.
  • Steps: Run a crawl of your website using these tools. They will identify URLs that return 404 errors. Update or remove these links from your website.

Review and Update BuddyBoss Integration

  • Tools: WordPress Debugging tools like WP_DEBUG for investigating API issues.
  • Steps: Enable WP_DEBUG in your WordPress wp-config.php file to log any errors. Review these logs for specific issues related to BuddyBoss API calls and consult BuddyBoss documentation or support for resolution.

Enhance Security Measures

  • Tools: Security plugins like Wordfence, Sucuri, or iThemes Security.
  • Steps: Install a security plugin and run a complete scan of your website (Wordfence has already been installed as part of the audit process and can be configured for protection against brute force attacks and malicious probing). Configure the firewall and regular scans, and monitor logs for suspicious activity. Ensure WordPress, plugins, and themes are up to date.

Database and Query Performance

Problem description

Query monitoring revealed that certain plugins used on the site are inefficiently coded, resulting in the same database query being executed multiple times per page load. On a random sample from the standard user flow, the biggest offenders are the WishList Member Legacy and LearnDash plugins.

The number of duplicate queries is not exceedingly high, but might benefit from query caching (Memcached).

Solution

Explore using Memcached in addition to current static asset caching.

Instructions

Memcached can help reduce database load and in some cases speed up the site noticeably. However, setting this up is a technically involved process and therefore best left to qualified professionals. Site-side, you will need a caching plugin that supports Memcached (WP Rocket does not), such as W3 Total Cache.

In addition to that, your server needs to be configured to support the feature. Consult with your server admin or hosting on how to achieve this.

Resource Optimization

JavaScript and CSS compression and minification are enabled.

Image optimization is enabled.

Lazy load of images is enabled.

JavaScript deferred loading is enabled.

GOING FORWARD

Next steps and our recommendations on how to keep your site secure and performing well.

Explore server-based caching options

Explore server-based caching options like Varnish or the Nginx FastCGI cache to improve website performance. These tools can significantly reduce server load and page load times by caching static and dynamic content, leading to a smoother and faster user experience. Implementing such caching solutions can be particularly beneficial for high-traffic sites.

Implement a regular schedule for database cleanups

Implement a regular schedule for database cleanups to maintain optimal performance. Regularly removing old, unnecessary data like spam comments, post revisions, and transient options helps in reducing database bloat, thereby improving response times and overall site efficiency. This maintenance task is crucial for keeping your WordPress site running smoothly and efficiently.

Consider setting up scheduled data backups to remote storage

Consider setting up scheduled data backups to remote storage to ensure data safety and business continuity. Regular, automated backups stored offsite (like in cloud services) protect against data loss due to server failure, hacking, or accidental deletions. This strategy is essential for disaster recovery and maintaining the integrity of your website’s data.

Set up site-side WAF and schedule regular anti-malware scans

Set up a site-side Web Application Firewall (WAF) using a plugin like Wordfence to enhance your website’s security. Schedule regular anti-malware scans through the plugin to detect and prevent malicious software and hacking attempts. This proactive approach not only secures your site from various online threats but also maintains the trust of your users by protecting their data.

Set up site monitoring

Set up site monitoring using tools like Uptime Robot or Jetpack Monitor. These services will continually check your website’s availability and performance, alerting you to any downtime or significant issues. Monitoring helps in quickly addressing problems, minimizing potential disruptions, and ensuring a consistent, reliable user experience.

-end of report-