Critical Audit — May 2026

Website Audit Report
Xeltran Strategics Estate

Comprehensive technical, UX, security, legal, and commercial assessment of xeltran-strategics.co.uk. The findings indicate the site is currently operating below industry minimum standards for a property services business.

Overall Grade: D+
Below Industry Minimum for Real Estate & Property Services

Executive Scorecard

Performance across 7 critical dimensions assessed against industry benchmarks for UK real estate consultancies.

  • Design: D
  • UX / Navigation: D–
  • Performance: F
  • Security: D–
  • Legal / Compliance: F
  • SEO: F
  • Conversion: D–
  • Content Depth: C+

Visual Evidence — Critical Defects

Current Homepage (Critical)

Homepage — Aggressive Red Palette

Red (#c00) triggers alarm in Western UX. For real estate, it undermines trust. The wolf logo is overly complex and does not convey property professionalism.

Mobile Homepage (High)

Mobile — Cluttered Hero & Broken Search

Hero text dominates viewport. CTA is buried. The search functionality returns "No Results Found" on all category and blog pages — a site-killing bug.

About Page (High)

About — Certificate Gallery Bloat

High-res PDF scans displayed as full-width images destroy mobile performance. No alt text optimization. The design feels like a personal portfolio, not a professional consultancy.

Contact Page (Critical)

Contact — Weak Conversion & No Trust

No reCAPTCHA, no privacy policy link, no calendar booking, no value proposition. The email address shown is inconsistent (Yahoo vs. domain). No GDPR consent mechanism.

Development Page (Medium)

Property Detail — Generic Layout

No breadcrumbs, no pricing, no floor plans, no mortgage calculator integration. Content is promotional copy from developers with no independent value-add.

All Testimonials Use Identical Template Image (Critical)

Trust Signals — Completely Broken

20+ testimonials all reuse the same generic beauty-salon template image. This screams "fabricated" to any discerning buyer. Real photos with consent are essential.

Performance Impact

Current estimated metrics versus industry targets for real estate lead-generation websites. Each second of delay reduces conversion by approximately 7%.

  • Largest Contentful Paint (LCP): 5.5s → 2.5s target
  • Google PageSpeed (Mobile): 35/100 → 90/100 target
  • Interaction to Next Paint (INP): 480ms → 200ms target
  • Bounce Rate (Estimated): 75% → 45% target
  • Avg. Session Duration: 0:48 → 4:00 target

Technical Debt Summary

  • WordPress + Divi bloat — massive CSS/JS overhead
  • No image optimization pipeline — hero images 2MB+
  • No lazy loading — all images load simultaneously
  • No CDN or edge caching evident
  • Mixed image formats (png, jpg, webp, avif) — inconsistent
  • HTTPS enabled

Revenue Impact Analysis

Based on conservative estimates for an independent estate agent handling first-time buyer transactions in the London market.

  • Current Monthly Revenue: £12,000 (500 visitors × 0.3% conversion × £8,000 avg. commission)
  • Potential Monthly Revenue: £100,000 (500 visitors × 2.5% conversion × £8,000 avg. commission)
  • Potential Uplift: +£88,000 / mo
  • Annual Revenue Opportunity: £1,056,000

Assumes current traffic of 500 visitors/month. With SEO improvements, content strategy, and paid acquisition, traffic can realistically grow to 2,000–3,000/month within 12 months, compounding the revenue opportunity significantly.

Security & Risk Matrix

Threat surface assessment based on observable WordPress patterns, exposed paths, and standard threat modeling for real estate sites handling sensitive client financial data.

| Risk Vector | Severity | Finding | Business Impact |
|---|---|---|---|
| User Enumeration | Critical | Author slug `/author/johnmarkcausinggmail-com/` exposes admin username for brute-force attacks. | Complete site compromise. Client data breach. ICO fine exposure. |
| Missing WAF / Security Headers | High | No evidence of Cloudflare, Sucuri, or custom CSP/HSTS/X-Frame-Options headers. | XSS, clickjacking, and injection attacks possible. Reputational damage. |
| No reCAPTCHA / Form Protection | High | Contact form has no visible spam protection or CSRF tokens. | Spam flooding. Form abuse. Data quality degradation. Operational overhead. |
| WordPress Plugin Surface | High | Divi builder + 15–30 typical plugins = large attack surface. No update visibility. | Plugin zero-days can lead to full compromise. Ransomware. Data theft. |
| XML-RPC Exposure | High | Standard WordPress XML-RPC endpoint likely active. Brute-force and DDoS vector. | Credential stuffing. Site takedown via pingback DDoS. |
| File Upload Directory Exposure | Medium | `/wp-content/uploads/` reveals directory structure and may leak sensitive uploads. | Information disclosure. Metadata leakage (EXIF, scanner locations). |
| Third-Party Widget Risk | Medium | Trustpilot widget loads external JS. If compromised, XSS on this domain. | Session hijacking. Defacement. Malware distribution to visitors. |
| Broken Social Link | Medium | Facebook link points to `SteelwolvesEsportsStreamGem` — wrong profile entirely. | Brand confusion. Potential impersonation. Lost trust. |
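
The "Missing WAF / Security Headers" row can be verified and re-tested after remediation with a header audit. The following is an added example, not part of the original audit: it checks a captured response for the three headers the matrix names. The sample responses are constructed, and the one-year HSTS threshold and the function names are assumptions.

```python
# Added example: audits a captured response-header block for the three
# headers named in the matrix. Sample responses below are constructed.
from email.parser import Parser

MIN_HSTS_AGE = 31536000  # assumption: one year as the hardening baseline

def parse_headers(raw: str) -> dict:
    """Parse 'Name: value' lines (status line skipped) into a lowercase dict."""
    head = raw.split("\n", 1)[1] if raw.startswith("HTTP/") else raw
    msg = Parser().parsestr(head, headersonly=True)
    return {k.lower(): v.strip() for k, v in msg.items()}

def audit(raw: str) -> list:
    """Return (header, problem) findings; an empty list means none found."""
    h = parse_headers(raw)
    findings = []
    csp = h.get("content-security-policy", "")
    directives = {d.split()[0].lower() for d in csp.split(";") if d.strip()}
    if not csp:
        findings.append(("content-security-policy", "missing"))
    elif "default-src" not in directives and "script-src" not in directives:
        findings.append(("content-security-policy", "no script restriction"))
    hsts = h.get("strict-transport-security", "")
    if not hsts:
        findings.append(("strict-transport-security", "missing"))
    else:
        age = 0
        for part in hsts.split(";"):
            name, _, val = part.strip().partition("=")
            if name.lower() == "max-age" and val.strip('"').isdigit():
                age = int(val.strip('"'))
        if age < MIN_HSTS_AGE:
            findings.append(("strict-transport-security", "max-age too short"))
    # Clickjacking: either X-Frame-Options or CSP frame-ancestors is enough.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in directives:
        findings.append(("x-frame-options", "missing or invalid"))
    return findings

BARE = "HTTP/1.1 200 OK\nServer: nginx\nContent-Type: text/html\n"
HARDENED = BARE + (
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\n"
)

if __name__ == "__main__":
    for label, raw in (("bare", BARE), ("hardened", HARDENED)):
        print(label, audit(raw))
```

A header being present is not the same as it being effective, which is why the check also rejects a CSP with no script restriction and an HSTS `max-age` below the baseline.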

Governance & Legal Compliance

Regulatory gaps expose the business to ICO investigation, consumer complaints, and potential fines. For an estate agency handling client funds and personal data, this is non-negotiable.

Critical Gaps

  • No Privacy Policy — violates UK GDPR / Data Protection Act 2018
  • No Cookie Consent Banner — violates PECR
  • No Terms of Service — unlimited liability exposure
  • No Accessibility Statement — Equality Act risk
  • No AML Policy — legal requirement for estate agents

Positive Signals

  • Property Redress Scheme membership displayed
  • ICO Registration certificate shown
  • Business Indemnity Insurance certificate present
  • Company Incorporation certificate displayed
  • Trustpilot widget present (rating unknown)

Missing Pages (Required)

  • Privacy Policy
  • Cookie Policy
  • Terms of Service / Terms of Business
  • Accessibility Statement
  • Complaints Procedure
  • Fees & Commission Transparency

Proposed Solutions

Three pathways forward, from emergency triage to full professional rebuild. The recommended option balances speed, quality, and long-term ROI.

Emergency Triage

Phase 0 Fixes

£5,000
  • Fix "No Results Found" on all archives
  • Add Privacy Policy & Cookie Banner
  • Fix contact email consistency
  • Fix broken social media links
  • Hide exposed author page
  • Add reCAPTCHA to forms
  • Basic security headers

Annual Operations

Running Costs

£13,000 / year
  • Vercel Pro + Analytics
  • Sanity CMS Growth tier
  • Cloudflare Pro (WAF + CDN)
  • Sentry error monitoring
  • HubSpot CRM Starter
  • Algolia search
  • 10 hrs/month maintenance & support