Comprehensive technical, UX, security, legal, and commercial assessment of xeltran-strategics.co.uk. The findings indicate the site is currently operating below industry minimum standards for a property services business.
Performance across 7 critical dimensions assessed against industry benchmarks for UK real estate consultancies.
CriticalRed (#c00) triggers alarm in Western UX. For real estate, it undermines trust.
HighEarlier evidence showed empty result states; current category/search behavior needs browser retest before calling it site-wide broken.
HighHigh-res PDF scans displayed as full-width images destroy mobile performance.
CriticalNo reCAPTCHA, no privacy policy, no calendar booking, no value proposition.
MediumNo breadcrumbs, no pricing, no floor plans, no mortgage calculator.
Repeated testimonial design weakens credibility without client photos, video clips, or verifiable case context.
Verified asset complexity and planning targets. Exact Lighthouse/PageSpeed numbers still need lab capture before publication.
Scenario model for discussion only. Actual uplift requires analytics, lead value, and CRM tracking after launch.
| Scenario | Monthly Visitors | Visitor → Lead | Lead → Client | Avg. Fee | Monthly Revenue |
|---|---|---|---|---|---|
| Current (Broken Site) | 400 | 0.5% | 12% | £5,500 | £1,300 |
| Conservative (Rebuilt) | 1,000 | 1.0% | 14% | £5,500 | £7,700 |
| Expected (Rebuilt) | 1,500 | 1.5% | 18% | £6,000 | £19,900 |
| Optimistic (Rebuilt + Growth) | 2,500 | 2.0% | 22% | £7,000 | £77,000 |
The old £223,000 uplift figure should not be treated as a forecast until traffic, conversion rate, close rate, and average fee assumptions are validated with analytics and CRM data.
Threat surface assessment based on observable WordPress patterns, exposed paths, and standard threat modeling for real estate sites handling sensitive client financial data.
| Risk Vector | Severity | Finding | Business Impact |
|---|---|---|---|
| Author Slug Exposure | High | Email-derived author slug is publicly accessible. | Credential-targeting and professionalism risk; not proof of compromise. |
| Missing WAF / Headers | High | No evidence of Cloudflare, Sucuri, or custom CSP/HSTS headers. | XSS, clickjacking, and injection attacks possible. |
| No reCAPTCHA | High | Contact form has no visible spam protection or CSRF tokens. | Spam flooding. Form abuse. Data quality degradation. |
| WordPress Plugin Surface | Medium | Exact plugin count is unknown; Divi, Yoast, TrustBox, and gallery indicators are visible. | Authenticated plugin inventory is required to score this precisely. |
| XML-RPC Exposure | Medium | XML-RPC was not verified in this pass. | Check during technical discovery before assigning high severity. |
| File Upload Exposure | Medium | `/wp-content/uploads/` reveals directory structure. | Information disclosure. Metadata leakage. |
| Third-Party Widget Risk | Medium | Trustpilot widget loads external JS. XSS risk if compromised. | Session hijacking. Defacement. Malware distribution. |
| Broken Social Link | Medium | Facebook link points to wrong profile entirely. | Brand confusion. Potential impersonation. Lost trust. |
Regulatory gaps expose the business to ICO investigation, consumer complaints, and potential fines.
Three pathways forward. The recommended option balances speed, quality, and long-term ROI.
Pricing based on UK agency market benchmarks for 2025-2026.