BOSSTORQUE
Sperry Tree Care · SOW BT-STC-Q2-2026

WS1 Security Hardening Checklist

Phase A Delivery — WordPress Security Infrastructure & Analytics Foundation
Delivery Date: April 8, 2026
SOW Deadline: April 10, 2026
Prepared by: Jason Johnson, BOSSTORQUE
Status: ✅ Complete (2 items pending client action)
7
Items Complete
2
Pending Client Action
2/2
Admins with 2FA
9/9
Plugins Updated

⚠️ Action Required — Client

🔑
Wordfence Premium License Key
Real-time threat intelligence and advanced firewall rules require a Premium license. Purchase at wordfence.com and provide the key to BOSSTORQUE to activate. Currently running on the Free tier.
📱
Meta Pixel ID — Required Before April 14
Meta Pixel base code cannot be installed without the Pixel ID from your Meta Business Manager account. Meta ads go live April 14 — this must be provided to BOSSTORQUE by April 12 at the latest. The conversion event code is already written and ready to activate.

🛡️ Wordfence Security

WordPress Firewall & Login Protection
Wordfence Installed & Active
Plugin installed, activated, and firewall set to Learning Mode → Extended Protection. Web Application Firewall (WAF) monitoring all traffic.
Complete
Firewall Configuration
Firewall rules active. Brute force protection enabled. Rate limiting configured. Login page protection on.
Complete
Blocked Usernames
Common attack targets blocked at login: admin, administrator. Attempts using these usernames are rejected before password is checked.
Complete
⚠️
Real-Time Threat Intelligence Feed
Requires Wordfence Premium license. Free tier uses threat data that is 30 days delayed. Client action required: purchase license at wordfence.com.
Pending License Key
Full Site Malware & Vulnerability Scan
Complete site scan executed April 8, 2026. Scan checked all core files, themes, plugins, and database entries against known malware signatures. No critical findings.
Complete — Clean

🔐 Two-Factor Authentication

All Admin Accounts
2FA Active — Jason Johnson (Administrator)
Two-factor authentication confirmed active. Login requires authenticator app code in addition to password.
Active
2FA Active — sperryadmin (Administrator)
Two-factor authentication confirmed active. Both admin accounts verified protected.
Active
2FA Coverage: 100%
2 of 2 administrator accounts have 2FA active. 0 accounts with 2FA inactive. Verified via Wordfence Users dashboard filter.
2/2 Admins Protected

🔌 Plugin Audit

Updates, Cleanup & Compatibility
All Plugins Updated
9 active plugins verified at latest versions as of April 8, 2026. WordPress Updates dashboard confirms: "Your plugins are all up to date." Includes Wordfence, Elementor Pro, WPForms, CF7, UpdraftPlus, and all others.
9/9 Current
Security Risk Eliminated — WPCode Snippet 2331
Discovered and deactivated an Elementor Pro installer snippet that ran when ?bt_install_pro URL parameter was present. Dead code from initial setup — now an unnecessary attack surface. Deactivated April 8, 2026.
Deactivated

💾 Automated Backups

Daily Full-Site + Off-Site Storage
Daily Backup Schedule Configured
UpdraftPlus configured for daily automated backups — both files and database on the same daily schedule. Next scheduled run: April 9, 2026 at 12:27 AM.
Daily — Files + Database
Off-Site Storage — Google Drive
Google Drive configured as the remote backup destination. All backup sets are copied off-server automatically. Local copies also retained on web server (2.9 GB currently stored).
Google Drive Active
Last Backup — Successful
Most recent backup completed successfully on April 8, 2026 at 7:19 PM. Log confirms: "The backup succeeded and is now complete." 7 backup sets currently on file.
Apr 8, 2026 — Clean
⚠️
Restore Test — Recommended
A formal restore test (confirming a backup can be successfully restored to a staging environment) has not yet been performed. Recommend scheduling this within 30 days. UpdraftPlus one-click restore is available from the dashboard.
Recommended — 30-Day Window

📊 Analytics Foundation

GA4 Event Tracking · Meta Pixel · Conversion Events
GA4 — Verified Active
GA4 property G-3XMLK5G96X confirmed loading site-wide via Google Tag Manager. Tracking page views, sessions, and user behavior across all pages.
Active
GA4 Estimate Request Conversion Event
Custom generate_lead event installed via Custom CSS & JS plugin (post ID 2347). Fires on every successful Contact Form 7 submission using the wpcf7mailsent event. Loads in page footer. Verified published and active.
Live — Footer Load
⚠️
Meta Pixel — Base Code Not Yet Installed
Meta Pixel base code cannot be installed without the Pixel ID from Sperry Tree Care's Meta Business Manager. The conversion event tracking code (fbq('track', 'Lead')) is written and ready — it will be activated immediately upon receiving the Pixel ID. Meta ads go live April 14 — Pixel ID needed by April 12.
Client Action Required — By Apr 12
BOSSTORQUE · SOW BT-STC-Q2-2026 · WS1 Security Hardening · Delivered April 8, 2026
Questions? Contact Jason Johnson — jason@bosstorque.ai