Full QA Audit — Min-IT Software (min-it.net)

Homepage source emits <meta name="generator" content="Elementor 3.13.3"> and the WordPress readme.html (still publicly reachable — see B3) confirms core version 6.2.2, released May 2023. WordPress security support follows the latest major branch; 6.2.x no longer receives automatic security back-ports.

Known public CVEs affecting versions ≤ 6.2.x include authenticated SQL injection paths, XSS vectors through block-editor content, and REST-API information disclosure. None require exotic skill to exploit.

Fix: schedule a staged core upgrade: full DB + files backup → staging restore → wp core update to the current stable (6.6+) → smoke-test Elementor templates → promote to production in a maintenance window. Do not auto-update from a 3-year-old branch without a staging pass; Elementor Pro 3.13.3 is very likely incompatible with current WordPress.

Generator tag confirms Elementor 3.13.3 (mid-2023 build). Elementor Pro had a critical unauthenticated privilege-escalation disclosed in 2023 (CVE-2023-48777 class) and several authenticated-contributor RCE paths across the 3.13.x–3.18.x range.

Fix: update Elementor and Elementor Pro together to latest stable after the core upgrade above. Both plugins licence-gate updates; verify the licence is current before the maintenance window so you don't get stuck on a broken intermediate version.

Live at scan time: GET https://www.min-it.net/wp-json/wp/v2/users returns HTTP 200 with a JSON payload exposing user id=5, slug=haydnadmin, name=haydnadmin. Combined with /wp-login.php returning 200 and no rate-limit evidence, this hands an attacker half of a brute-force credential pair.

Fix: block unauthenticated user enumeration in functions.php:

add_filter('rest_endpoints', function($endpoints){
  if (isset($endpoints['/wp/v2/users'])) unset($endpoints['/wp/v2/users']);
  if (isset($endpoints['/wp/v2/users/(?P<id>[\\d]+)'])) unset($endpoints['/wp/v2/users/(?P<id>[\\d]+)']);
  return $endpoints;
});

Then rename the admin user from haydnadmin to something non-guessable, rotate its password, and enable 2FA (WP 2FA, miniOrange, or Wordfence Login Security).

Live check: HEAD https://www.min-it.net/wp-admin/install.php → 200 OK. Although the site is already installed (the page shows "Already Installed"), the endpoint itself should be blocked. If the database is ever corrupted or truncated, an attacker reaching install.php can take over the site as the new admin.

Fix: nginx rules (this site runs nginx):

location = /wp-admin/install.php { deny all; return 403; }
location = /wp-admin/upgrade.php { deny all; return 403; }

Live: HEAD https://www.min-it.net/readme.html → 200 OK. This file is shipped with every WordPress release and prominently states the exact core version, giving an attacker a free CVE-matching handle.

Fix (nginx):

location ~* ^/(readme|license|wp-config-sample)\.(html|txt|php)$ { deny all; return 404; }

Note: readme.html is recreated on every core update; add the deletion (or a blocker rule that survives updates) to your post-update runbook.

Live: HEAD /wp-login.php → 200 with no WAF, no CAPTCHA, and no Cloudflare in front (headers do not show cf-ray). Combined with B3 above, a targeted dictionary attack against user haydnadmin is trivial to run.

Fix: install Wordfence or Limit Login Attempts Reloaded (rate-limit + lockout), add 2FA, and optionally rename the login URL via WPS Hide Login to remove casual probing. Best: put Cloudflare in front of the site with a WAF rule on /wp-login.php + /wp-admin/*.

Live response headers contain Strict-Transport-Security ✓ and X-Content-Type-Options: nosniff ✓ but are missing:

• Content-Security-Policy (not set — no XSS mitigation layer)
• Referrer-Policy (not set — recommend strict-origin-when-cross-origin)
• Permissions-Policy (not set — recommend minimal allow-list)
• X-Frame-Options (not set — recommend SAMEORIGIN, though CSP frame-ancestors is preferred)

Fix (nginx server block):

add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# CSP: start in Report-Only mode, then tighten
add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline' https://*.googletagmanager.com https://www.google-analytics.com; img-src * data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com;" always;

HTTP http://www.min-it.net/ 301-redirects to HTTPS, and the HTTPS response carries Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. TLS is terminated by nginx and the redirect chain is a single hop.

GET /?author=1 returns HTTP 404 — the classic WordPress username-reveal URL is closed. (The REST API path in B3 is still the open door.)

Measured live at scan time. HTML document is 99,053 bytes before a single asset loads — an Elementor red flag. Full rendered page ≈ 1.78 MB with:

• 24 external scripts + 6 inline script blocks
• 22 external stylesheets (Elementor emits per-widget CSS files)
• 11 inline <style> blocks in <head>
• Only 1 preconnect hint, 0 preload, 0 DNS-prefetch

Lighthouse calls this profile "render-blocking resources" — mobile users on 4G will see blank-screen time well past the 2.5s LCP threshold.

Fix: install a proven WP performance stack: WP Rocket (paid) or LiteSpeed Cache + Autoptimize + ShortPixel (free). Turn on: CSS concat + minify, JS defer, asset unused-CSS removal (per-page), lazy-load iframes, WebP delivery. Elementor's own "Improved Asset Loading" + "Improved CSS Loading" flags in Elementor → Settings → Experiments knock >200 KB off the homepage for free.

Repeated live cURL timing shows server response starting around 1,300 ms consistently. Google's "good" TTFB threshold is 800 ms. Since the headers do not include cf-ray or cf-cache-status, the site is not behind Cloudflare — every request hits the origin PHP stack directly.

Fix: (1) put Cloudflare in front (free plan is enough for this traffic); (2) enable a WordPress page cache — WP Rocket, W3 Total Cache, or LiteSpeed Cache — so repeat hits serve static HTML, not PHP; (3) confirm PHP version ≥ 8.1 on the host (< 7.4 can cost 2-4× latency).

Counted in the live HTML: 22 <link rel="stylesheet"> + 24 external <script> + 1 font request, none deferred. Every one of these blocks first paint.

Fix: add defer to non-critical scripts, combine Elementor's per-widget CSS (Elementor Performance settings), inline critical CSS for above-the-fold, and lazy-load third-party scripts (GTM, GA) via Flying Scripts or WP Rocket's delay-JS.

Scan detected 0 WebP references; the homepage hero image and product screenshots are PNG/JPG. Modern browser support for WebP is > 97% and for AVIF ≈ 92%.

Fix: ShortPixel or Imagify can regenerate the entire media library to WebP with automatic <picture> fallback tags — typically 40-70% size reduction with no visible quality loss.

Scan counted 1 <link rel="preconnect"> and 0 <link rel="preload">. Preloading the hero image and the primary web font saves 200-400 ms of LCP for free.

<link rel="preload" as="image" href="/wp-content/uploads/.../hero.webp" fetchpriority="high">
<link rel="preload" as="font" href="/wp-content/.../font.woff2" type="font/woff2" crossorigin>
<link rel="preconnect" href="https://www.googletagmanager.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>

Response headers show Server: nginx with no cf-ray, no x-cache, no via, no age. Every asset — including static images and fonts — is being served from origin on every request. Australia-based visitors will still get acceptable latency, but international visitors pay the full round trip.

Fix: move DNS behind Cloudflare (free tier), enable proxy on the A record, turn on "Auto Minify" and "Brotli" under Speed → Optimization. Also solves I1 caching and provides a WAF for I1 security above.

Origin nginx correctly serves Brotli-compressed HTML and CSS to browsers that advertise Accept-Encoding: br. 70-80% wire-size reduction over uncompressed.

Live homepage markup:

<link rel="canonical" href="http://www.min-it.net/" />

sitemap_index.xml entries:

<loc>http://www.min-it.net/post-sitemap.xml</loc>
<loc>http://www.min-it.net/page-sitemap.xml</loc>

Google treats http:// and https:// as different URLs. Because the site 301-redirects HTTP → HTTPS, the canonical and sitemap URLs are telling Google "the real URL is the one that immediately redirects elsewhere" — which splits authority and leaks PageRank to the redirect hop.

Fix: in Settings → General, change both "WordPress Address (URL)" and "Site Address (URL)" to https://www.min-it.net, then in Yoast → Tools → Import/Export regenerate the sitemap. Follow with a search-replace (WP-CLI): wp search-replace 'http://www.min-it.net' 'https://www.min-it.net' --precise --skip-columns=guid. Take a DB backup first.

Scan: meta_description: null, meta_desc_len: 0. Google will fall back to auto-generated snippet text from page body — which currently starts with a phone number (see C1 below) and isn't persuasive.

Fix: in Yoast SEO panel on the homepage, write a 140-160 character description, e.g.: "Seriously compliant loan-management software for Australian lenders, originators and lessors. Min-IT: 30+ years of lending platform expertise. Get a demo."

Google SERP shows up to ~60 characters — the current title is wasting ~47 characters of on-brand ranking real-estate. "Home - Min-IT" also ranks poorly because "Home" is the generic primary keyword.

Fix: rewrite via Yoast to something like "Min-IT Software — Loan Management & Compliance for Australian Lenders" (60 chars). This aligns to the H1 and existing body copy.

Scanned H2s: ["07 3038 3044", "07 3038 3044", "Regardless of size, most lenders…", "Features", "PRAISE", "Trader Login"]. Headings are a ranking signal and a screen-reader landmark; encoding phone numbers as H2s wastes both.

Fix: in Elementor, change the phone-number widgets from "H2" to a plain span or paragraph. Replace them with descriptive H2s: "Lending software built for compliance", "Trusted by Australian lenders since 1994" etc.

Yoast is emitting WebPage, BreadcrumbList, WebSite, Organization schema — good. The Organization block however has no sameAs links to LinkedIn, Facebook or similar, and no logo URL.

Fix: fill in Yoast → Settings → Site basics → Organization with logo + all social profiles.

Scan detected og:locale, og:type, og:title, og:description, og:url, og:site_name, plus Twitter summary_large_image. Yoast is generating these. OG description currently uses auto-fallback (first 300 characters of body) — improves once I1 is fixed.

Live robots.txt:

User-agent: *
Disallow:

Sitemap: http://www.min-it.net/sitemap_index.xml

Structure is correct. Caveat: sitemap line uses http:// (see B1 above) — fix that at the same time.

Scan counted exactly 1 H1 on the homepage: "SERIOUSLY COMPLIANT SOFTWARE". Good on structure — see content section for the caps-lock issue.

Scripts, styles and images on the homepage all resolve over HTTPS. The issue is confined to the meta-level URLs (canonical + sitemap — see B1), not the asset layer.

Extracted heading sequence: H1 "SERIOUSLY COMPLIANT SOFTWARE" → H2 "07 3038 3044" (×2) → H2 "Regardless of size…". Screen-reader users navigating by headings (H key in NVDA/JAWS) will land on a phone number before they hit anything describing what the site does.

Fix: same as SEO-I3 — demote the phone-number H2s to non-heading elements. No code change to templates needed; it's an Elementor widget setting.

Hard-coded: <h1>SERIOUSLY COMPLIANT SOFTWARE</h1>. When content is genuinely uppercase in the DOM, some screen readers pronounce it letter-by-letter as an acronym. Visual uppercase should be done with CSS text-transform: uppercase on normally-cased content.

Fix: edit the Elementor heading to "Seriously Compliant Software"; apply text-transform:uppercase; letter-spacing:.04em; in the widget's Typography tab.

DOM scan: no <a class="skip-link">, no visible <main role="main">, navigation is not wrapped in <nav>. Keyboard-only users hitting Tab from the address bar will step through the entire header before reaching primary content on every page load.

Fix: the Hello Elementor child theme allows you to inject a skip link. Add to functions.php:

add_action('wp_body_open', function(){
  echo '<a href="#content" class="skip-link screen-reader-text">Skip to content</a>';
});

Then ensure your primary Elementor section has ID content.

Static HTML inspection can't reliably compute computed-style contrast (especially with Elementor's inline CSS). Run WAVE (wave.webaim.org) or axe DevTools on the live page and check every low-contrast warning against WCAG 2.2 AA (4.5:1 for normal text, 3:1 for large text and UI).

Scan confirmed lang="en-AU" on the root element. Screen readers will use the correct Australian English voice/pronunciation profile.

<meta name="viewport" content="width=device-width, initial-scale=1"> — allows mobile zoom and scales correctly across devices.

Live footer text: © Copyright 2020 All rights Reserved. For a vendor selling compliance software to regulated Australian lenders, a visibly stale copyright date is a credibility problem — it's the first thing a due-diligence prospect Googles for.

Fix: in Elementor footer template, replace the hard-coded "2020" with a PHP shortcode or JS:

<span>© Copyright <script>document.write(new Date().getFullYear())</script> All rights reserved.</span>

Or use Elementor's dynamic [year] shortcode widget.

Sitemap evidence:

• page-sitemap.xml: earliest lastmod 2020-10-12, latest 2025-07-02 — only 2 pages touched in 2024-2025, rest are 2020-2022.
• post-sitemap.xml: latest blog lastmod 2024-10-22.
• Linked Terms & Conditions PDF filename is MinItTermsAndConditions.pdf uploaded in /wp-content/uploads/2020/01/.

A compliance-software vendor with a 5-year-old content footprint looks either out of business or disengaged from its market. Prospects doing vendor due-diligence will notice.

Fix: publish at minimum a "What's new in 2026" product update post + refresh the homepage copy; review the Terms & Conditions PDF with legal for any regulation changes (NCCPA, ASIC RG 209/266 updates).

The H1 is a brand tagline, not a topic sentence. "Compliant software" generates millions of low-relevance results; none include loan, lending, originator, NCCPA or any of the product's actual positioning terms that appear lower in the page body.

Fix: promote the existing subhead concept into the H1, e.g. "Loan management software for Australian lenders, originators & lessors". Keep the tagline as an eyebrow label above it if you want to preserve the brand voice.

Posts sitemap shows the most recent blog entry is from late 2024. For an SEO programme targeting "NCCPA compliance", "responsible lending software", etc., a quarterly cadence on topical regulation / product release notes would provide consistent indexable surface area.

Scanned for lorem ipsum, TBD, coming soon, [insert…] markers — none found. All visible copy is production content.

H1 is "SERIOUSLY COMPLIANT SOFTWARE" with a "GET STARTED NOW" button — but "Get Started" is generic and doesn't map to an obvious funnel outcome (demo? trial? quote?). For a considered-purchase B2B product with a long sales cycle, a dual-CTA pattern works better: "Book a 20-min demo" as the primary + "Download brochure" as the secondary.

Fix: rewrite hero CTAs, track each as separate GA4 events, A/B test where possible.

Page has a "PRAISE" section with anonymous quotes but no named customers, logos, loan-volume numbers, or years-in-market stat. For a regulated-industry buyer, credibility signals (real lender logos, licence numbers, years operating) are a significant conversion lever.

Fix: secure permission from 3-5 existing lender clients to display logos + attributed quote. Add a stats strip: "Since 1994 · $X billion processed · N active originators".

WCAG 2.2 AA requires 24×24 px minimum touch targets; industry best-practice is 44×44. Hello Elementor defaults can render nav links at ~32 px height on mobile. Spot-check the mobile menu and footer links on real devices.

A 404 is a conversion opportunity. Build a branded Elementor 404 template with: a clear apology headline, the search bar, and 3-5 "popular pages" links (Features, Contact, Demo).

Viewport meta is correct and Elementor's default column stacks at < 768 px. No horizontal scroll artefacts detected in the homepage markup.

Scan counted 1 PNG, 0 JPG, 0 WebP on the homepage HTML — but when rendered through Elementor the page pulls several additional PNG product screenshots via background-images (which the scanner doesn't count). Swapping these for WebP with the plugins in Performance-R1 typically saves 300-800 KB on this page alone.

Elementor-rendered hero backgrounds are typically discovered late in the render pipeline (CSS parse → background-image request). Explicitly preloading the hero image as described in Performance-R2 shifts LCP start from ~1.2s to ~0.2s after HTML parse begins.

No ShortPixel, Imagify, Smush or EWWW plugin markers in the HTML. Content editors uploading original camera-sized images today get those bytes delivered to every visitor with no recompression.

Fix: install ShortPixel or EWWW, run the bulk-optimise against existing media, and enable the "optimise on upload" toggle.

Of the images directly in the homepage markup, 0 were missing an alt attribute and 0 were missing width/height. (Background-images used by Elementor sections don't take alt, which is correct decorative behaviour.)

Yoast is populating og:image and the site serves a favicon. Social previews will render in Slack / LinkedIn / Facebook.

The /contact page shows a Contact Form 7 / Elementor Forms instance with name/email/phone/message fields. No g-recaptcha, no cf-turnstile, no honeypot field in the markup. Combined with the compliance-software topic (valuable lead for spammers), expect form-spam volume to keep growing.

Fix: add Cloudflare Turnstile (free, invisible) or hCaptcha. Both drop into Elementor Forms / CF7 with a plugin.

No WP Mail SMTP / FluentSMTP / Post SMTP markers. WordPress's native wp_mail() falls back to PHP's mail(), which is notoriously unreliable for deliverability (usually lands in spam or bounces silently, so you never know you lost the lead).

Fix: install WP Mail SMTP or FluentSMTP, point it at a transactional provider (Amazon SES, Postmark, SendGrid, Mailgun), add SPF + DKIM + DMARC DNS records, then test end-to-end from the contact form.

Inputs missing autocomplete="email", autocomplete="tel", autocomplete="name", autocomplete="organization". These let Safari / Chrome pre-fill on mobile and measurably lift form-completion rate.

No evidence of HubSpot / Pipedrive / Zoho / ActiveCampaign tracking snippets in the page markup. Lead-capture without CRM pipeline means sales response time depends on someone manually checking an inbox.

Fix: route form submissions through Zapier / Make / the CRM's native Elementor integration to create a CRM record on submit and fire a notification.

Scan detected 2 tel: links on the homepage. Mobile users can tap-to-call without copy-paste. Good.

Live scan detected:

• GTM-P8ZHH9BH (Google Tag Manager)
• UA-109905610-1 (Universal Analytics — sunset by Google in July 2023, no longer collects data)
• No cookie consent banner (Complianz / Cookiebot / CookieYes markers absent)

The UA snippet is collecting zero data — pure dead weight on every page load. The missing consent banner is a harder problem: under Australian Privacy Act 1988 amendments + the upcoming 2024-26 Privacy Act reform, and definitely under GDPR for any EU visitor, analytics/marketing cookies require explicit prior consent.

Fix: (1) remove all UA snippets from HFCM and functions.php; (2) route all tags through GTM only; (3) install Complianz (paid, best in class for AU/NZ/EU) or CookieYes to gate non-essential cookies.

Scan did not find a G-XXXXXXXXXX GA4 measurement ID anywhere on the page. Combined with the dead UA snippet, this site has no working analytics today — traffic, conversions, and referral sources are effectively unmeasured.

Fix: create a GA4 property in Google Analytics, deploy via the existing GTM container (don't hard-code), configure conversion events for: demo-form submit, contact-form submit, phone-link click, brochure-download click.

Footer links detected: Privacy Policy ✓, Terms & Conditions ✓ (as a 2020 PDF — see Content-I1). Missing: Cookie Policy. If you deploy any tracking at all (even just GTM), a Cookie Policy page explaining what's set and why is both legally required (GDPR if any EU visitors) and good practice for trust.

Fix: most cookie-consent plugins (Complianz, CookieYes) auto-generate a Cookie Policy page based on your scan results and keep it updated as you add/remove trackers.

Once GA4 is live (I1), configure custom events for:

• contact_form_submit — contact page
• demo_request — primary CTA
• phone_click — any tel: link
• brochure_download — T&C PDF and any product PDFs
• scroll_50 / scroll_90 — for engagement

All of these are one-tag-per-event in GTM with variable-based triggers.

Scan confirmed the GTM-P8ZHH9BH loader in <head> and the <noscript> iframe fallback in <body>, injected via the HFCM by 99 Robots plugin. That's the container — what's in the container is the work in I1/R1 above.

Public surface reveals no backup plugin markers (UpdraftPlus, BlogVault, ManageWP, Jetpack). Combined with the outdated core (Sec-B1) and exposed attack surface (Sec-B3/B4/B5), a compromise today means there is no confirmed clean restore point.

Fix before any other remediation starts:

1. Install UpdraftPlus or BlogVault.
2. Run a full files + DB backup; store offsite (S3, Dropbox, Google Drive).
3. Test-restore into a staging subdomain to prove the backup actually works.
4. Set recurring schedule: daily DB, weekly files, 30-day retention.

An untested backup is not a backup.

DNS inspection finds no staging.min-it.net, dev.min-it.net, or similar. The WordPress core + Elementor upgrades recommended in Sec-B1/B2 are high-risk on this age of codebase; they must be validated against the actual production data on a staging copy first.

Fix: most good hosts (SiteGround, Kinsta, WP Engine, Rocket.net) provide 1-click staging. If the current host doesn't, spin up a separate subdomain cloned with UpdraftPlus / Duplicator.

• Uptime monitor hitting the homepage every 1-5 min: UptimeRobot (free tier), Better Stack, Pingdom.
• Error monitoring: at minimum enable WordPress WP_DEBUG_LOG (write to file, not display) + set up Wordfence email alerts for 500s. For a paid tier, Sentry or Rollbar.
• Search Console coverage report reviewed monthly once SEO-B1 is fixed.

Before the first maintenance window, a one-pager shared with the team answering:

1. Who authorises a rollback? (named person + backup)
2. How is the previous state restored? (backup ID + exact commands)
3. How long does it take? (target < 30 min)
4. What communications go out, to whom, at what point?

After moving the canonical + sitemap to https://, confirm every indexed URL still resolves and 301s cleanly. Use Screaming Frog (free up to 500 URLs) or curl -LI on the top-20 pages from Search Console.

HTTPS terminates cleanly, HSTS preload set, no certificate-chain errors on scan. The origin (nginx) appears to be using Let's Encrypt or equivalent — verify renewal is scheduled (usually handled by cPanel AutoSSL or certbot cron).

Yoast SEO is injecting a Google Site Verification meta tag; the property is claimed in GSC. Ensure the current engagement owner has access — request transfer if not.