sperrytreecare.com — Site Audit Report

Workstream 1A · Security Hardening & Technical Assessment
Prepared: March 31, 2026
Prepared by: BOSSTORQUE
For: Rob Miron & Michele Hatfield
Due: April 10, 2026
⚠ Action Required — Two Approvals Needed Before Work Begins
Software Purchase Approval — $301/yr Pending Your Approval
Elementor Pro has been purchased as an immediate priority to address the critical security issue, charged to the Sperry Tree Care card on file with BOSSTORQUE. The remaining two licenses require your approval before staging and security work can begin.
| Software | Plan | Cost | Status |
|---|---|---|---|
| Elementor Pro | Advanced Solo (1 site) | $84/yr | ✓ Purchased — BOSSTORQUE |
| Wordfence | Premium | $149/yr | ⚠ Approval Required |
| WP Staging Pro | Business (3 sites) | ~$152/yr | ⚠ Approval Required |
| Pending Approval Total | | ~$301/yr | |

Billed annually to your card. All prices in USD.
Grade: D+ (at time of audit). Needs Immediate Attention.

✓ Critical Issue Resolved

The site is live and functional — HTTPS is working and both admin accounts have 2FA active. That's a solid baseline. The audit found one critical threat (a pirated plugin that's a known malware vector), an end-of-life PHP version with no security patches, and unnecessary complexity from 29 active plugins. Update as of April 1, 2026: The critical issue is fully resolved — Elementor Pro 4.0.0 (licensed) is now active, PRO Elements (nulled plugin) has been deactivated and permanently deleted. WS1A work continues.

Executive Summary

sperrytreecare.com is a functioning site with a sound technical baseline — HTTPS is active, both admin accounts use 2FA, and the database is current. At time of audit, the most serious issue was a nulled (pirated) Elementor plugin operating as the site's page builder: a known malware vector with no security updates. That issue has been resolved — licensed Elementor Pro 4.0.0 is now active and the nulled plugin has been permanently deleted.

The remaining high-priority items are: PHP 8.1 is still serving the site despite PHP 8.3 being installed on the server (a configuration change, not an upgrade); Wordfence is running on the free tier with a 30-day delay on threat intelligence; and a WordPress error-disclosure flag is live on production. Three medium items — plugin bloat, a reCAPTCHA conflict, and no automated site backups — are addressed by the WS1A staging and cleanup work already underway.

Two software approvals are pending before staging work can begin: Wordfence Premium ($149/yr) and WP Staging Pro (~$152/yr). Elementor Pro ($84/yr) has already been purchased and is live. The WS1A roadmap below sequences all remaining work through April 10.

Findings: 1 Critical · 3 High Priority · 7 Medium Priority · 5 Already Solid
[Resolved] ✓ Licensed Elementor Pro Active — PRO Elements Removed
The nulled "PRO Elements" plugin (v3.35.0 by PROElements.org) has been deactivated and permanently deleted from the live site. Elementor Pro 4.0.0 (licensed, Advanced Solo $84/yr) is now active and confirmed rendering all pages correctly. The site is clean of this malware vector as of April 1, 2026.
Completed April 1, 2026: Elementor Pro 4.0.0 installed and activated. PRO Elements deactivated, then deleted. Front end verified loading correctly post-swap. Next: run a Wordfence full malware scan to confirm no residual injected code from prior nulled plugin exposure.
[High] PHP 8.1 Active — 8.3 Installed, Configuration Update Pending
The WordPress environment reports PHP 8.1.2, which is end-of-life as of December 31, 2025 (security support ended; active support had ended November 25, 2023). However: in February 2026, IT completed a major server upgrade (852 packages updated) and confirmed PHP 8.3 is now installed on the server. The remaining step is reconfiguring the web server's PHP-FPM pool to point to the 8.3 interpreter — the site is still being served through the old 8.1 pool. The heavy lifting is done; this is a configuration change, not an upgrade.
✓ Independently verified April 1, 2026 — WordPress Site Health confirms: "Your site is running on an older version of PHP (8.1.2-1ubuntu2.23), which should be updated. The minimum recommended version of PHP is 8.3." This is a live check run directly against the production environment, not audit-time data.
Recommended Action: Update the nginx/PHP-FPM configuration to route sperrytreecare.com to the PHP 8.3 pool (single config file edit + nginx reload). Test on staging first to confirm no plugin regressions. Resolves the EOL exposure without any new server work.
[High] External Admin Account — Creative Pollen Agency Still Active
A second Administrator account (sperryadmin, martin@creativepollen.com) exists with full admin rights. Last login: March 2, 2026. 2,929 posts authored. No indication the agency relationship is still active.
Recommended Action: Confirm with Rob and Michele whether Creative Pollen is still engaged. If not, demote to Editor or remove entirely. At minimum, reset the password now.
[High] WP_DEBUG_DISPLAY Enabled on Production
This constant is enabled on the live site. If any plugin or theme generates a PHP error, the raw message — including internal file paths, code structure, and database hints — is displayed to site visitors. Direct information-disclosure vulnerability.
Recommended Action: Add define('WP_DEBUG_DISPLAY', false); to wp-config.php. One-line fix, no compatibility risk.
[High] Wordfence Free — 30-Day Delay on Threat Intelligence
Wordfence v8.1.4 Free is installed. The free tier receives firewall rules and malware signatures 30 days after Premium subscribers. New threats go unblocked on this site for a full month after discovery.
Recommended Action: Upgrade to Wordfence Premium ($149/yr) — included in SOW WS1A. After upgrade, run a full malware scan, then configure Extended Protection firewall mode and login hardening.
[Medium] WP_MEMORY_LIMIT Set to 40MB
WordPress memory is capped at 40MB in wp-config.php while the server's PHP limit is 256MB. Elementor editing, UpdraftPlus backups, and image processing can crash or time out at 40MB unnecessarily.
Recommended Action: Update wp-config.php: define('WP_MEMORY_LIMIT', '256M'); — raises the ceiling to match the PHP limit. No compatibility risk.
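Added example (not part of the audit report or BOSSTORQUE's process): a small POSIX shell audit for the wp-config.php settings flagged in the two findings above. The sample file is constructed to mirror the findings; the WP-CLI function at the end applies the fix on staging and assumes WP-CLI is installed (it is for live use and is not exercised by the sample).

```sh
#!/bin/sh
# Added example (not part of the audit report): audit a wp-config.php for the
# production settings this report flags (WP_DEBUG_DISPLAY, WP_DEBUG,
# WP_MEMORY_LIMIT). The sample config below is constructed to mirror the
# findings; point audit_wp_config at the real file on staging.

# Print the value of define('NAME', value); with quotes and spaces stripped.
# Prints nothing if the constant is not defined in the file.
wp_define_value() {  # $1 = wp-config.php, $2 = constant name
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*\([^)]*\));.*/\1/p" "$1" \
    | head -n 1 | tr -d "'\" "
}

# Report each setting that differs from a safe production value.
# Return value is the number of findings (0 = clean), so it works in scripts.
audit_wp_config() {  # $1 = wp-config.php
  f="$1"; findings=0
  v=$(wp_define_value "$f" WP_DEBUG_DISPLAY)
  if [ "$v" != "false" ]; then
    echo "FIX: WP_DEBUG_DISPLAY is '${v:-unset}'; raw PHP errors reach visitors. Set false."
    findings=$((findings + 1))
  fi
  v=$(wp_define_value "$f" WP_DEBUG)
  if [ "$v" = "true" ]; then
    echo "FIX: WP_DEBUG is true on production. Set false."
    findings=$((findings + 1))
  fi
  v=$(wp_define_value "$f" WP_MEMORY_LIMIT)
  case "$v" in
    *G|*g) ;;   # a gigabyte or more is never too low
    *M|*m)
      if [ "${v%[Mm]}" -lt 256 ]; then
        echo "FIX: WP_MEMORY_LIMIT is $v; set 256M to match the PHP limit."
        findings=$((findings + 1))
      fi ;;
    *)
      echo "FIX: WP_MEMORY_LIMIT is '${v:-unset}'; set 256M."
      findings=$((findings + 1)) ;;
  esac
  return "$findings"
}

# Constructed sample matching the report's findings (not the real file).
write_sample_config() {  # $1 = output path
  cat > "$1" <<'EOF'
<?php
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', true );
define( 'WP_MEMORY_LIMIT', '40M' );
define( 'WP_ENVIRONMENT_TYPE', 'production' );
EOF
}

# The same file with the report's recommended values.
write_hardened_config() {  # $1 = output path
  cat > "$1" <<'EOF'
<?php
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_MEMORY_LIMIT', '256M' );
define( 'WP_ENVIRONMENT_TYPE', 'production' );
EOF
}

# Applying the fixes on staging with WP-CLI (assumes wp is installed; live use
# only, not run here). --raw writes the boolean unquoted.
apply_fixes_wpcli() {  # $1 = WordPress root
  wp --path="$1" config set WP_DEBUG_DISPLAY false --raw
  wp --path="$1" config set WP_MEMORY_LIMIT 256M
  wp --path="$1" config list WP_DEBUG WP_DEBUG_DISPLAY WP_MEMORY_LIMIT
}
```

Run audit_wp_config against the staging copy before and after the edit; a non-zero return is the list of settings still open. The same check belongs in the pre-push QA (step 9 of the action plan) so the production file is confirmed rather than assumed.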
[Medium] 29 Active Plugins — Significant Redundancy
Well above the 15–20 recommended for a site this size. Redundancies: 3 form plugins (CF7, Ninja Forms, WPForms Lite), 2 CSS editors, 2 automation bridges, and 6+ Elementor addon bundles. Each plugin is a performance drag and an attack surface.
Recommended Action: Audit on staging: consolidate to one form plugin, one CSS tool, one automation bridge, and the minimum Elementor addons actually used in live page layouts. Target: 15–18 active plugins.
[Medium] Contact Form 7 Breaking Ninja Forms reCAPTCHA
WordPress is displaying a persistent red admin alert: CF7 breaks reCAPTCHA for all other plugins. Ninja Forms reCAPTCHA has been non-functional while CF7 is installed. Forms may be receiving unfiltered spam.
Recommended Action: Deactivate and delete CF7 plus companions (Redirection for CF7, Flamingo) as part of form plugin consolidation. Resolves the reCAPTCHA conflict and removes 3 plugins in one step.
[Medium] 8 Inactive Themes Installed
Eight default WordPress themes are installed but inactive. Inactive themes can contain exploitable vulnerabilities even when not in use and contribute to the 697MB installation size.
Recommended Action: Delete all inactive themes except one fallback (keep Twenty Twenty-Four). No impact on the live site.
[Medium] UpdraftPlus Not Configured — No Automated Backups
UpdraftPlus is installed but has no backup schedule. There is currently no automated off-site WordPress backup. Server-level backups exist (full machine images), but these aren't site-level backups — they don't support rolling back a specific WordPress version without taking the entire server offline.
Recommended Action: WP Staging Pro (approved for purchase above) includes scheduled backups to Google Drive, making UpdraftPlus redundant once installed. Deactivate and remove UpdraftPlus as part of the plugin cleanup — reduces active plugin count by one and consolidates backup management into a single tool.
[Medium] File Upload Limit — 2MB Maximum
Server upload_max_filesize is 2MB. Extremely restrictive for uploading service photos, before/after documentation, and PDFs. Also limits UpdraftPlus restore operations.
Recommended Action: Increase to 32MB in the server's PHP config (server-level change). Resolved automatically when the site moves to managed cloud hosting in Q3 — standard cloud plans include configurable upload limits. No immediate separate action required for WS1A.
[Good] HTTPS Active and Functioning
SSL/TLS properly configured. Site serves fully over HTTPS. No mixed-content issues detected.
[Good] 2FA Active on Both Admin Accounts
Both Administrator accounts (BT_admin and sperryadmin) show 2FA Active. Strong baseline for login security.
[Good] Elementor Auto-Update Already Disabled
Elementor v3.35.7 is not set to auto-update. The 4.0.0 major release (with compatibility warnings for 5 installed addons) will not auto-deploy on the live site.
[Good] WP_DEBUG Disabled, Production Environment Set
Debug mode is off and environment type is correctly set to production. WP_DEBUG_DISPLAY needs fixing (above), but the core debug flag is correct.
[Good] MariaDB 10.6 — Current and Supported
Database is running MariaDB 10.6.23, within its Long Term Support window. No database-level concerns found.
| Component | Current Value | Status |
|---|---|---|
| WordPress Version | 6.9.4 | |
| PHP Version | 8.1.2 active / 8.3 installed | FPM Config Update Needed |
| Web Server | nginx 1.18.0 | |
| Database | MariaDB 10.6.23 | Supported |
| Active Theme | GeneratePress 3.6.0 (3.6.1 available) | |
| Active Plugins | 29 | Bloated |
| Inactive Themes | 8 | Remove |
| HTTPS | Yes | Good |
| WP_DEBUG | Disabled | Good |
| WP_DEBUG_DISPLAY | Enabled | Fix Required |
| WP Memory Limit | 40MB | Too Low |
| PHP Memory Limit | 256MB | Good |
| Upload Max File Size | 2MB | Too Low |
| WP Cache | Disabled | Consider Caching |
| Admin Accounts | 2 (BT_admin + sperryadmin/Creative Pollen) | |
| 2FA Status | Active on both accounts | Good |
| Total Installation Size | 697 MB | |
| Hosting | Self-hosted, physical server, Eugene OR | |
| Server OS | Linux 5.15.0 x86_64 | |
PRO Elements v3.35.0 — PROElements.org — DELETED April 1, 2026
Was a nulled/pirated Elementor Pro substitute. Deactivated and permanently deleted. Replaced by licensed Elementor Pro 4.0.0.
✓ Resolved — Elementor Pro 4.0.0 (licensed) now active
Elementor (core) — Version post-Pro-swap to be confirmed
Elementor Pro 4.0.0 (licensed) is now active as of April 1, 2026. Core Elementor version should be verified on the live site — Elementor Pro 4.0.0 requires a compatible core version. If core is still at 3.35.7, update to 4.0.0 on staging first and confirm no addon regressions before pushing to live.
→ Verify core Elementor version; update on staging if still at 3.35.7
Contact Form 7 v6.1.5 + Redirection for CF7 + Flamingo
CF7 is actively breaking Ninja Forms reCAPTCHA. Three plugins for a form tool that may not own any live forms.
→ Deactivate and delete all three after confirming which form plugin owns live forms
ElementsKit / Essential Addons / Happy Addons / Royal Addons / UAE / Unlimited Elements
Six Elementor addon bundles running simultaneously. Most sites need one or two. Each adds load, complexity, and attack surface.
→ Audit which widgets are used in live pages; delete unused bundles
WPForms Lite v1.9.9.4 + Ninja Forms v3.14.2
Two form plugins active alongside CF7. Consolidate to the one powering live forms.
→ Determine which is in use, remove the other
Simple CSS v1.1.1 + Simple Custom CSS and JS v3.52
Two CSS editing plugins. One is redundant.
→ Remove whichever is not in active use
WP Webhooks v3.4.0 + Zapier for WordPress v1.5.3
Two automation bridge plugins. Likely only one is connected to live workflows.
→ Remove whichever is not connected to live automations
Wordfence / UpdraftPlus / The SEO Framework / ShortPixel / GP Premium / Kit / GenerateBlocks / WPCode Lite
Core operational plugins. Keep all. Upgrade Wordfence to Premium. Configure UpdraftPlus. Apply minor version updates.
→ Keep and configure per WS1A scope
| Component | Current Setup | Cloud Migration Path |
|---|---|---|
| Web hosting | Self-managed Linux server, Eugene OR (nginx 1.18.0) | Managed cloud hosting (WP Engine, Kinsta, or equivalent) — Q3 site rebuild |
| PHP version | 8.3 installed on server (Feb 2026); PHP-FPM pool for this site still points to 8.1.2 — config update pending | Near-term: update PHP-FPM config to use 8.3 pool. Long-term: resolved automatically on cloud hosting |
| File upload limit | 2MB (server php.ini / nginx config) | Resolved automatically — standard cloud plans include configurable limits |
| DNS management | Managed at server level; registrar nameservers point to server | Transfer to Cloudflare — BOSSTORQUE manages directly (see below) |
| Email server | Self-hosted SOGO webmail + RoundCube (open source groupware); Dovecot IMAP; ActiveSync for mobile/Outlook; free Let's Encrypt SSL renewed manually every 3 months | Google Workspace — recommended Phase 2 (see below) |
| File/collaboration | Server-based (scope TBD) | Google Workspace Drive — recommended Phase 2 |
| SSL certificates | Free Let's Encrypt, manually renewed every 3 months | Auto-renewing SSL included standard with cloud hosting |
🔒 DNS Management Access — Action Requested

Sperry's DNS is currently managed at the server level, which means any DNS change — email authentication records (SPF/DKIM/DMARC), domain verification, URL redirects, new subdomains — requires coordinating through IT. That's a bottleneck for routine marketing and security work that should be self-service.

The standard approach for any professionally managed site is to move DNS to Cloudflare, which provides a web-based control panel where Sperry and BOSSTORQUE both have direct access — independent of any hosting arrangement. Cloudflare DNS is free, significantly faster than self-hosted DNS, and adds DDoS protection at no cost. Once nameservers are updated at the domain registrar (a one-time change), BOSSTORQUE can manage all DNS records directly going forward.

Requested: Authorization to transfer sperrytreecare.com DNS to a Cloudflare account. BOSSTORQUE will set up the Cloudflare account, document and import all existing DNS records, and coordinate the nameserver cutover to ensure zero downtime.
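Added example (not part of the audit report or BOSSTORQUE's tooling): a record parity check for the import and cutover described above. The idea is to export every record the server currently publishes, ask the Cloudflare zone for the same names, and refuse to change nameservers until the two answer sets match. The record sets here are constructed samples (203.0.113.10 is a documentation address; the SPF and DMARC values are placeholders), and the nameserver names are assumptions; only fetch_records needs network access (dig).

```sh
#!/bin/sh
# Added example (not part of the audit report): confirm that the Cloudflare
# zone answers with every record the current server publishes before the
# registrar nameservers are changed. Record sets below are constructed
# samples (203.0.113.10 is a documentation address); nameserver names are
# assumptions. Only fetch_records needs network access (dig).

# Normalise "name type value" lines so two exports compare regardless of
# field spacing, type case, or trailing dots on names. Values keep their case
# (a DKIM key that differs in case is a real difference).
normalise_records() {
  awk 'NF >= 3 { $1 = tolower($1); $2 = toupper($2); print }' \
    | sed 's/\.\([[:space:]]\)/\1/g; s/\.$//' | sort -u
}

# Print records in the source export that the target export lacks.
# Returns 0 when the target covers every source record, 1 otherwise.
missing_records() {  # $1 = source export, $2 = target export
  tmp=$(mktemp -d)
  normalise_records < "$1" > "$tmp/src"
  normalise_records < "$2" > "$tmp/dst"
  missing=$(comm -23 "$tmp/src" "$tmp/dst")
  rm -rf "$tmp"
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# Live use only: ask one nameserver for every (name, type) in a record list
# and print what it returns in the same "name type value" shape.
fetch_records() {  # $1 = record list, $2 = nameserver to query
  while read -r name type _; do
    dig +short "@$2" "$name" "$type" < /dev/null | while read -r value; do
      printf '%s %s %s\n' "$name" "$type" "$value"
    done
  done < "$1"
}

# Constructed exports: what the server publishes today, and a Cloudflare draft
# import that dropped the DMARC record. SPF/DMARC values are placeholders.
write_samples() {  # $1 = directory
  cat > "$1/server.txt" <<'EOF'
sperrytreecare.com. A 203.0.113.10
www.sperrytreecare.com. CNAME sperrytreecare.com.
sperrytreecare.com. MX 10 mail.sperrytreecare.com.
mail.sperrytreecare.com. A 203.0.113.10
sperrytreecare.com. TXT "v=spf1 mx -all"
_dmarc.sperrytreecare.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc@sperrytreecare.com"
EOF
  cat > "$1/cloudflare.txt" <<'EOF'
sperrytreecare.com   a     203.0.113.10
www.sperrytreecare.com   cname   sperrytreecare.com
sperrytreecare.com   mx    10 mail.sperrytreecare.com
mail.sperrytreecare.com  a   203.0.113.10
sperrytreecare.com   txt   "v=spf1 mx -all"
EOF
}

# Cutover checklist (live use only). ns1.sperrytreecare.com stands for the
# current server's nameserver and <assigned>.ns.cloudflare.com for the
# nameservers Cloudflare assigns to the zone; both are assumed names.
cutover_check() {  # $1 = record list exported from the server
  fetch_records "$1" ns1.sperrytreecare.com > /tmp/server-answers.txt
  fetch_records "$1" "<assigned>.ns.cloudflare.com" > /tmp/cloudflare-answers.txt
  missing_records /tmp/server-answers.txt /tmp/cloudflare-answers.txt || return 1
  # After the registrar change, confirm public resolvers see the new NS set:
  dig +short NS sperrytreecare.com @1.1.1.1
}
```

missing_records prints exactly the records that would disappear at cutover, which is the list to fix in the Cloudflare zone before touching the registrar. A DMARC record at p=none, as in the sample, only asks receivers for reports; tightening it to quarantine or reject is a later step once the reports show all legitimate senders are covered by SPF/DKIM.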
Phase 2 Recommendation — Email & File Server Migration

Once the website is on cloud hosting and the web server dependency is retired, the self-managed email server (SOGO/Dovecot) and file storage become the remaining items still running on the physical server. We recommend migrating to Google Workspace in Phase 2: professional email at sperrytreecare.com, shared Drive storage, Calendar, and Meet — replacing SOGO webmail, RoundCube, and server-based file storage in a single move. Typical cost is $12–18/user/month. BOSSTORQUE will prepare a full scope and cost analysis when the timing is right — no action needed now.

The PHP situation is a symptom of a bigger issue — and the decision to fix it has already been made.

Sperry's website currently runs on a self-managed physical server in Eugene, OR. When the server was recently rebuilt, PHP was not updated — it remains at version 8.1.2, which reached full end-of-life on December 31, 2025 (active support had ended November 25, 2023). This means no security patches are available for any PHP vulnerability discovered after that date. On a managed cloud hosting platform, PHP version management is handled by the provider automatically — this gap simply doesn't exist.

Server-level backups (full machine images) are currently the only backup in place. These are valuable for physical server recovery, but they are not WordPress site backups — they don't allow rolling back to a specific version of the site without taking the entire server offline. WP Staging Pro bridges that gap now. On cloud hosting, automated site-level backups are a standard included feature.

In the Q2 strategy meeting on March 25, 2026, Rob stated directly: "The servers are going to be gone. It's not a matter of if, it's a matter of when. The website's going to be on the cloud — that's not a big deal." That alignment is already in place. The WS1A work protects the site through this transition and positions the Q3 rebuild to land cleanly on cloud infrastructure when the time comes.

Scope clarification: moving sperrytreecare.com to cloud hosting does not require changing the physical server, office file storage, or the existing IT relationship. The server continues handling everything it handles today. The website is simply removed from that responsibility — it gets its own dedicated, professionally managed web infrastructure. The PHP issue and the backup gap are both solved at the hosting layer without touching anything else on the server.

Recommended path: Complete WS1A security hardening on the current server. Transfer DNS management to Cloudflare (BOSSTORQUE-managed) to unlock email authentication and independent DNS control. Proceed with Q3 new site build on cloud hosting — already scoped, already aligned. PHP version and upload limit issues resolve automatically at the hosting layer. Once the new site is live, the website's dependency on the physical server is fully retired.

Most of the WS1A work is done entirely through WordPress admin — no server access needed. Two items are different: they require changes to server configuration files. These can't be made through WordPress and will need to be coordinated with whoever manages the server.

1 — Switch PHP-FPM Pool to PHP 8.3
PHP 8.3 is already installed on the server from the February 2026 upgrade — the website just needs to be pointed at it. This is a single line change in the PHP-FPM pool config file (something like /etc/php/8.3/fpm/pool.d/sperrytreecare.conf) followed by an nginx reload. No PHP installation needed — it's already there.
2 — Increase Upload File Size Limit
The server's php.ini has upload_max_filesize = 2M and post_max_size = 8M. Recommend increasing both to 32M and 64M respectively. Two line changes + PHP-FPM restart. Note: this resolves automatically when the site moves to cloud hosting in Q3.
Both of these are low-risk, targeted changes. Neither touches the WordPress installation or affects any other site on the server. BOSSTORQUE will provide exact file paths and values once server access is coordinated.
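Added example (not part of the audit report, and not the exact file paths and values BOSSTORQUE will supply): the two server-side edits as a scripted, validate-then-reload procedure. On an Ubuntu layout the line that routes a site to a PHP-FPM pool is the vhost's fastcgi_pass, so the example edits that and assumes the 8.3 pool listens on /run/php/php8.3-fpm.sock; file paths, socket names and the vhost and php.ini contents are assumptions (constructed samples), and apply_live is the only part meant to run on the server.

```sh
#!/bin/sh
# Added example (not from the audit report). Models the two server-side
# changes: re-pointing the site's nginx vhost at the PHP 8.3 FPM socket and
# raising the php.ini upload limits. Socket names and file paths are
# assumptions (Debian/Ubuntu defaults); verify them on the server first.

# Print the fastcgi_pass target currently in an nginx vhost file.
nginx_fastcgi_target() {  # $1 = vhost file
  sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Rewrite fastcgi_pass from one PHP-FPM socket to another, keeping a backup.
# $1 = vhost file, $2 = old socket, $3 = new socket. Returns 1 if nothing changed.
switch_fastcgi_pool() {
  cp "$1" "$1.bak"
  sed "s#fastcgi_pass[[:space:]]*unix:$2;#fastcgi_pass unix:$3;#" "$1.bak" > "$1"
  [ "$(nginx_fastcgi_target "$1")" = "unix:$3" ]
}

# Read a php.ini directive value (first match).
php_ini_value() {  # $1 = ini file, $2 = directive
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Set upload_max_filesize and post_max_size. post_max_size must be at least
# the upload size, or PHP drops the request before the file is saved.
set_upload_limits() {  # $1 = ini file, $2 = upload size, $3 = post size
  cp "$1" "$1.bak"
  sed -e "s/^[[:space:]]*upload_max_filesize[[:space:]]*=.*/upload_max_filesize = $2/" \
      -e "s/^[[:space:]]*post_max_size[[:space:]]*=.*/post_max_size = $3/" "$1.bak" > "$1"
  [ "$(php_ini_value "$1" upload_max_filesize)" = "$2" ] &&
  [ "$(php_ini_value "$1" post_max_size)" = "$3" ]
}

# Constructed sample files mirroring the report's findings (not the real configs).
write_samples() {  # $1 = directory
  cat > "$1/sperrytreecare.conf" <<'EOF'
server {
    server_name sperrytreecare.com;
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }
}
EOF
  cat > "$1/php.ini" <<'EOF'
upload_max_filesize = 2M
post_max_size = 8M
memory_limit = 256M
EOF
}

# The live procedure (run as root on the server; not executed here): edit,
# validate both configs, and only then restart/reload. nginx -t and
# php-fpm8.3 -t fail closed, so a typo never takes the site down.
apply_live() {
  switch_fastcgi_pool /etc/nginx/sites-available/sperrytreecare.conf \
    /run/php/php8.1-fpm.sock /run/php/php8.3-fpm.sock || return 1
  set_upload_limits /etc/php/8.3/fpm/php.ini 32M 64M || return 1
  php-fpm8.3 -t && nginx -t || return 1
  systemctl restart php8.3-fpm && systemctl reload nginx
  # Then confirm in WordPress > Tools > Site Health that PHP 8.3 is reported.
}
```

Keep the .bak files until Site Health reports 8.3 and an upload over 2MB succeeds; reverting is a copy back plus the same reload. Editing the php.ini under /etc/php/8.3/fpm rather than the 8.1 one matters because the limits follow the interpreter that serves the site.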
| # | Action | Where | Risk | Owner |
|---|---|---|---|---|
| 1 | ✓ DONE (Apr 1) — Activated licensed Elementor Pro Advanced Solo ($84/yr) on the live site — replaced PRO Elements cleanly with no page disruption | Live site | None | BOSSTORQUE |
| 2 | Manual UpdraftPlus backup → save to Google Drive | Live site | None | BOSSTORQUE |
| 3 | Install WP Staging Pro, create full staging clone at password-protected subdirectory | Live site (plugin) | Very low | BOSSTORQUE |
| 4 | ✓ DONE (Apr 1) — Deactivated and deleted PRO Elements on live site; confirmed Elementor Pro (licensed) renders all pages correctly | Live site | None | BOSSTORQUE |
| 5 | On staging: Audit which Elementor addons are in active use; remove unused plugins | Staging only | None | BOSSTORQUE |
| 6 | On staging: Fix wp-config.php — WP_DEBUG_DISPLAY off, WP_MEMORY_LIMIT 256M | Staging only | None | BOSSTORQUE |
| 7 | On staging: Upgrade Wordfence to Premium, run full malware scan, configure firewall + login hardening | Staging only | None | BOSSTORQUE |
| 8 | On staging: Test Elementor 4.0.0 update with surviving addons — verify all pages render correctly | Staging only | Low (staging) | BOSSTORQUE |
| 9 | Full staging QA — all pages, forms, and Elementor-built layouts | Staging only | None | BOSSTORQUE |
| 10 | Push confirmed staging changes to live site | Live site | Low — backup exists | BOSSTORQUE |
| 11 | Post-push UpdraftPlus backup → Google Drive | Live site | None | BOSSTORQUE |
| 12 | Review sperryadmin (Creative Pollen) account with Rob & Michele — revoke or downgrade | WP Admin | None | Rob / Michele |
| 13 | Configure automated weekly backup schedule in UpdraftPlus | Live site | None | BOSSTORQUE |
| 14 | Verify GA4 tracking and install Meta Pixel + estimate request conversion events | Live site | Low | BOSSTORQUE |
| 15 | Initiate DNS transfer to Cloudflare — set up Cloudflare account, document and import all existing DNS records, coordinate nameserver cutover for zero-downtime transition; configure SPF/DKIM/DMARC email authentication records | Cloudflare / Registrar | Low — fully reversible | BOSSTORQUE |
| 16 | Switch PHP-FPM pool for sperrytreecare.com to PHP 8.3 interpreter — PHP 8.3 already installed on server; requires updating pool config file + nginx reload. BOSSTORQUE will provide exact file path and config values. | Server config | Very low | Contract IT |
| 17 | Increase upload file size limit — update upload_max_filesize to 32M and post_max_size to 64M in server php.ini. Two line changes + PHP-FPM restart. Resolves automatically at Q3 cloud migration. | Server config | Very low | Contract IT |
| Item | Status |
|---|---|
| GA4 tracking tag | Not yet verified. Will check WPCode snippets and page source. |
| Meta Pixel | Not yet installed per audit. WS1A deliverable. |
| Estimate request conversion events | Pending GA4 and Pixel being live. |
| Security response headers | External check completed. Full HSTS/CSP review pending Wordfence Premium config. |
| Creative Pollen relationship status | Needs confirmation from Rob or Michele before action on sperryadmin account. |
| Elementor Pro features in use | Resolved Apr 1, 2026 — Clean swap completed on live site. PRO Elements deleted, Elementor Pro 4.0.0 licensed and active. All pages confirmed rendering correctly. |