Vantyris · Case study

CS-001 · Published 2026-05-23

A dental practice closed a publicly exposed admin panel and locked down its email spoofing surface in a single afternoon.

A privately owned dental practice · Greater Manchester, England · 12 staff across one location · clinic sector

Score after remediation: 58 to 88

Findings closed: 4 of 4

Time to first fix: about 1 hour

Time to all fixes: about 6 hours, same day

What made them run a scan

A patient asked the practice manager whether her appointment data was safe, after a press article about a clinic-chain breach. The manager wanted a defensible answer for the next person who asked. She found Vantyris by searching for "small business security check" and ran a verified scan on the practice's main domain.

What Vantyris found

  1. Missing DMARC policy on the booking-system domain · high

     The booking subdomain had no DMARC TXT record. Any sender on the public internet could send email claiming to be from that subdomain, and a recipient's mail server had no policy to apply when that mail failed authentication.

  2. WordPress admin reachable on port 8080 from any IP · high

     A development WordPress instance had been left exposed on port 8080 after a site refresh in 2024. Its login page had been indexed by search engines.

  3. Missing Content-Security-Policy and X-Frame-Options headers · medium

     The main site set HSTS correctly but returned neither a CSP nor an X-Frame-Options header, leaving the booking flow open to being framed by third-party sites (clickjacking).

  4. TLS 1.3 with strong cipher suites; HSTS preloaded · healthy

     The TLS configuration scored an A on SSL Labs and HSTS was set with a 1-year max-age. No work was needed on the transport layer.

What they fixed and how

The practice manager forwarded the PDF to the web host (a UK shared-hosting provider). The host firewalled port 8080 within one hour of the ticket and added DMARC, CSP, and X-Frame-Options at the Cloudflare layer the same afternoon. A re-scan that evening confirmed every High and Medium finding closed. Total elapsed time from first scan to all-fixes confirmed: about 6 hours, of which the practice manager spent about 25 minutes (the scan, the ticket, and the re-scan).
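As an added illustration (not Vantyris's scanner or the host's configuration), the following Python grades the two inputs a re-scan of findings 01 and 03 would look at: the TXT records published at `_dmarc.<domain>` and the main site's response headers. The severity mapping, the `example.invalid` addresses and the before/after samples are this example's own assumptions.

```python
# Added example (not Vantyris code): grade a DMARC record and framing headers as a
# re-scan of findings 01 and 03 would. The severity mapping is this example's assumption.

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if the string is not one."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def dmarc_finding(txt_records):
    """Grade the list of TXT strings published at _dmarc.<domain>."""
    policies = [t for t in map(parse_dmarc, txt_records) if t]
    if not policies:
        return ("high", "no DMARC record: receivers have no policy to apply")
    if len(policies) > 1:
        # RFC 7489 s6.6.3: more than one DMARC record is treated as no record at all.
        return ("high", "multiple DMARC records: receivers discard them all")
    p = policies[0].get("p", "").lower()
    if p == "reject":
        return ("healthy", "p=reject")
    if p in ("quarantine", "none"):
        return ("medium", f"p={p}: spoofed mail is not rejected outright")
    return ("high", "DMARC record present but p= tag missing or invalid")

def framing_finding(headers):
    """Grade clickjacking protection from HTTP response headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # frame-ancestors is the current control and takes precedence over X-Frame-Options.
            return ("healthy", f"CSP frame-ancestors {value.strip()}")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return ("healthy", f"X-Frame-Options {xfo}")
    # ALLOW-FROM is obsolete and ignored by current browsers, so it counts for nothing.
    return ("medium", "no CSP frame-ancestors and no X-Frame-Options: framing allowed")

# Constructed sample data standing in for the booking subdomain before and after the fix.
BEFORE_TXT = []  # nothing published at _dmarc.<booking subdomain>
AFTER_TXT = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid"]
BEFORE_HEADERS = {"Strict-Transport-Security": "max-age=31536000"}
AFTER_HEADERS = {**BEFORE_HEADERS, "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                 "X-Frame-Options": "DENY"}

if __name__ == "__main__":
    for label, txt, hdrs in (("before", BEFORE_TXT, BEFORE_HEADERS), ("after", AFTER_TXT, AFTER_HEADERS)):
        print(label, dmarc_finding(txt), framing_finding(hdrs))
```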

In the customer's words

I am a practice manager, not an IT person. The report told me exactly what to ask the web host to do, and they did it the same afternoon. I forwarded the PDF to a patient who asked, and that was the end of the conversation.

Practice manager, dental practice in Greater Manchester

What's next

The practice has set the same scan to repeat monthly. Two follow-up scans have confirmed the fixes have held. The manager has the PDF on file for the next patient enquiry and for the practice's annual CQC self-assessment evidence pack.

Vantyris · Shield Trust Holdings · Anonymised per customer release · Reviewed 2026-05-23

Want one of these?

Run a verified scan, fix what matters, send the PDF to whoever asked. From EUR 10.

Anonymised by sector and region. Customer names, domains, and exact identifiers withheld unless explicitly released. We do not pay for participation. See our privacy policy.