Vantyris · Security hygiene report
VT-2026 · v1.0.0 · Page 01 / 12
Bright Smile Dental
bright-smile-dental.example · Scan date 2026-05-22 14:04 UTC · Verified standard scan
Overall posture
Action required.
Two High findings need attention this week. Two Medium findings should be closed within the month. Five healthy findings, including solid TLS and HSTS work.
Executive summary
Your domain has solid TLS and DNS basics. Two things matter this week: nobody can prove an email claiming to be from your clinic is genuine, and there's an admin panel exposed to the open internet on port 8080. Both are fixable in under two hours by your web host.
The fixes are concrete and named below. Forward this report (or its PDF) to whoever maintains your site.
Findings, in order of severity
- 01 · Missing DMARC policy · Severity: High
Your booking-system domain has no DMARC record. Anyone can send email that looks like it came from your clinic, and the recipient's mail server has no way to know it's fake. This is the single most common path for phishing attacks against small businesses.
How to fix
Ask your domain registrar (or your web host's DNS panel) to add a TXT record at _dmarc.bright-smile-dental.example with value: v=DMARC1; p=quarantine; rua=mailto:dmarc@bright-smile-dental.example.
Owner: your DNS administrator · Time-to-fix: ~ 30 min
Technical evidence: DNS lookup of _dmarc.bright-smile-dental.example returned NXDOMAIN.
- 02 · Public admin panel on port 8080 · Severity: High
A WordPress admin panel is reachable from the public internet on port 8080. Anyone can attempt to log in or look for known exploits in old versions. Most production sites firewall this off.
How to fix
Ask your web host to firewall port 8080 to allow only your office IP, or restrict access with HTTP Basic Auth at the host level. If you don't recognise the service, ask the host whether it's needed.
Owner: your web host · Time-to-fix: ~ 1 hr
Technical evidence: Open port 8080 (HTTP) responding with WordPress login page at /wp-admin.
- 03 · Missing Content-Security-Policy · Severity: Medium
Your site has no Content-Security-Policy header. CSP is the standard browser defence against cross-site scripting; without it, if a vulnerability is ever found in your site code, an attacker can run scripts in your visitors' browsers more easily.
How to fix
Add a CSP header at your host (Cloudflare → Transform Rules → Modify Response Headers, or via your hosting panel). Start with Content-Security-Policy-Report-Only mode for a week, then enforce.
Owner: your developer · Time-to-fix: ~ 1 hr + 1 week monitoring
Technical evidence: GET / returned no Content-Security-Policy response header.
- 04 · SSL Labs grade B, TLS 1.0 still enabled · Severity: Medium
Your TLS configuration is mostly modern, but TLS 1.0 (a 1999-era protocol) is still enabled. It has been formally deprecated and removed from all major browsers; keeping it on is a small reduction in your security score and a tiny risk surface.
How to fix
At your hosting panel (or Cloudflare's TLS settings → Minimum TLS Version), set the minimum TLS version to 1.2. Modern clients will not notice.
Owner: your web host · Time-to-fix: ~ 5 min
Technical evidence: SSL Labs assessment returned grade B with the note 'This server supports TLS 1.0.'
What's healthy
- TLS 1.3 supported with strong cipher suites
- HSTS header present (max-age = 1 year)
- DNS resolution stable across multiple regions
- No exposed database services on common ports (3306, 5432, 27017)
- Cookies set with the Secure and HttpOnly attributes