Acorn Acupuncture
Full Site Audit · acorn-acupuncture.net

Every Finding. With Evidence.

Each issue below was verified directly against the live homepage source on acorn-acupuncture.net — not assumed. We've quoted the exact lines of HTML so nothing here is guesswork.

32 total findings: 8 Critical, 10 High, 3 Medium, 5 Working well

Plain English version

What this audit means in simple terms

If we strip away the technical language, the story is simple: the site has good content but it is being held back by an old platform, weak mobile experience, poor search setup, and no proper booking path.

The current site is old enough to be risky

The website is running on very old WordPress software and an abandoned theme. That means it is harder to maintain, easier to break, and more exposed to hacks than it should be.

Google is not getting the basic signals it needs

Key SEO basics are missing, including page titles, descriptions, schema, and a proper sitemap. In plain English: the site is making it unnecessarily hard for Google to understand and rank it.

The mobile experience is poor

The site is not properly set up for phones. On mobile, pages can feel squeezed, dated, and harder to use — which is a major problem because most local treatment searches now happen on mobile.

There is no real online booking journey

Right now the site mainly asks people to fill in a contact form and wait. For a clinic, that creates friction and quietly loses bookings from people who want to act immediately.

There are still good foundations worth keeping

The site does have strong written content, live HTTPS, transparent pricing, and two active Google Business Profiles. So this is not a case of starting from nothing — it is a case of fixing the delivery system around good expertise.

What this means commercially

The website is likely costing visibility, trust, and bookings. A cheaper WordPress path can stabilise and improve it, while the React path replaces the weak points completely and adds proper booking, dashboard, and patient-flow tools.

WordPress Core & Theme

4 findings

Every CSS asset on the live homepage is requested with ?ver=5.8.13. WordPress 5.8.13 reached end-of-life over two years ago. The theme is older still.

WordPress 5.8.13 — 9 major versions out of date

CRITICAL

Every stylesheet on the homepage carries ?ver=5.8.13 in its query string. WordPress 5.8.x stopped receiving security patches in late 2023. Current version is 6.7+.

Evidence — from live site source

<link rel="stylesheet" href=".../style.min.css?ver=5.8.13">

Impact

Multiple known CVEs are unpatched. Bots actively scan for sites on this version.

How we fix it

Backup, then update WordPress core to 6.7+. Test the site after upgrade.

Theme 'bangkokpress-v1-15' — abandoned since 2017

CRITICAL

Live theme path is /wp-content/themes/bangkokpress-v1-15/. The version suffix and asset directory haven't changed since 2017. Last upload directory is /uploads/2017/03/.

Evidence — from live site source

href=".../themes/bangkokpress-v1-15/stylesheet/superfish.css?ver=5.8.13"

Impact

No security patches will ever ship for this theme. Unmaintained themes are the #1 WordPress attack vector.

How we fix it

Replace with a free, actively maintained theme (Kadence, Astra, or GeneratePress).

WordPress version exposed in public HTML

HIGH

Every asset URL leaks the WP version (?ver=5.8.13). Attackers don't need to guess what to exploit.

Evidence — from live site source

?ver=5.8.13 appears 6+ times on the homepage

Impact

Drive-by exploit kits target known-vulnerable versions automatically.

How we fix it

Strip version query strings (functions.php filter) and remove the WP generator meta tag.

Internet Explorer 6/7/8 conditional comments still in HTML

LOW

The <html> tag contains <!--[if lt IE 7]>...<![endif]--> conditional blocks. IE was discontinued in 2022.

Evidence — from live site source

<!--[if IE 7 ]><html class="ie ie7" lang="en"> <![endif]-->

Impact

Confirms the template is from ~2014. No real harm, but a strong tell that nothing has been touched in a decade.

How we fix it

Removed automatically when the theme is replaced.

Security

6 findings

Several issues here are exploitable today, not theoretical. The contact form has zero spam protection and the sidebar leaks link equity to unrelated external sites on every page.

Sidebar contact form has no spam protection

CRITICAL

The sidebar contact form (Name / Email / Message / Submit) has no CAPTCHA, no honeypot field, no rate-limiting and no server-side validation. The recipient address (info@acorn-acupuncture.net) is a proper business email — but it's about to be flooded with spam.

Evidence — from live site source

Contact form fields observed: Name, Email, Message, Submit — no reCAPTCHA, no hidden honeypot input, no nonce field.

Impact

(1) Once a single bot finds the form, the inbox fills with hundreds of spam submissions a day. (2) The form sits in a sidebar widget — there's no dedicated /contact page, which hurts SEO and looks unprofessional. (3) No server-side validation means malformed submissions could be used in injection attempts.

How we fix it

Replace with a real form plugin (WPForms, Fluent Forms or Forminator). Enable reCAPTCHA v3 + honeypot. Add a dedicated /contact page with map, hours and the form prominent — not buried in a sidebar.

Mixed content — Google Fonts loaded over HTTP

CRITICAL

Site is HTTPS but loads at least one stylesheet over plain http:// — modern browsers block this and degrade the SSL padlock.

Evidence — from live site source

<link href="http://fonts.googleapis.com/css?family=Droid+Serif...">

Impact

Browser shows 'Not fully secure' warning. Fonts may fail to render. Trust signal lost.

How we fix it

Change protocol to https:// (one-line change in theme).

xmlrpc.php endpoint exposed

HIGH

WordPress XML-RPC interface is publicly reachable. Confirmed via <link rel="EditURI"> reference in homepage head.

Evidence — from live site source

<link rel="EditURI" type="application/rsd+xml" href=".../xmlrpc.php?rsd">

Impact

Common target for brute-force amplification (system.multicall) and DDoS pingback attacks.

How we fix it

Disable xmlrpc.php via .htaccess or a security plugin (Wordfence rule).

WP REST API user enumeration enabled

HIGH

/wp-json/wp/v2/users/ is publicly reachable, leaking author usernames. The HTML head also advertises the REST API root with a discovery link.

Evidence — from live site source

<link rel="https://api.w.org/" href=".../wp-json/">

Impact

Attackers harvest the admin username, then brute-force the password. The first half of the credential pair is gift-wrapped.

How we fix it

Block /wp-json/wp/v2/users via plugin or web.config rule.
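The version-string, generator-tag, EditURI/xmlrpc and REST-user fixes from this section, plus the Windows Live Writer manifest from Code Quality, as one added must-use plugin. This is example code written for this audit, not the site's existing theme code; the function names are ours.

```php
<?php
/**
 * Plugin Name: Acorn head cleanup and endpoint hardening (added example)
 * Place in wp-content/mu-plugins/ so it loads before the theme and survives
 * the theme replacement the audit recommends.
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. Stop the core version leaking as ?ver=5.8.13 on every asset URL.
//    Only assets stamped with the core version are touched; plugin/theme
//    assets that carry their own version keep it for cache-busting.
function acorn_strip_core_version( $src ) {
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'acorn_strip_core_version', PHP_INT_MAX );
add_filter( 'script_loader_src', 'acorn_strip_core_version', PHP_INT_MAX );

// 2. Drop the <head> links the audit flagged: the generator meta tag, the
//    EditURI (rsd_link) that advertises xmlrpc.php, the Windows Live Writer
//    manifest and the api.w.org REST discovery link.
remove_action( 'wp_head', 'wp_generator' );
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );
remove_action( 'wp_head', 'rest_output_link_wp_head' );

// 3. Turn XML-RPC off: no system.multicall credential stuffing, no pingback abuse.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', '__return_empty_array' );

// 4. Remove the public user-listing routes from the REST API for anonymous
//    requests only; logged-in editors (and the block editor) still get them.
function acorn_hide_user_routes( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
}
add_filter( 'rest_endpoints', 'acorn_hide_user_routes' );
```

Stripping ?ver= only removes the fingerprint from asset URLs; readme.html, the feed generator tag and known file hashes still identify 5.8.13, so this complements the core update rather than replacing it. Removing the discovery links and user routes does not disable the REST API itself.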

prettyPhoto — known XSS vulnerability (CVE-2013-6837)

HIGH

Theme loads prettyPhoto.css and the related JS. prettyPhoto has documented reflected-XSS vulnerabilities and has been unmaintained for 10+ years.

Evidence — from live site source

<link rel="stylesheet" href=".../prettyPhoto.css?ver=5.8.13">

Impact

Anyone can craft a URL that runs JavaScript on a visitor's browser via the lightbox.

How we fix it

Removed automatically when the theme is replaced.

Contact form has no CAPTCHA or nonce protection

HIGH

Form posts to admin-ajax.php with no visible nonce, no honeypot, no CAPTCHA. The only spam barrier is a 'checking' hidden input — trivially bypassed.

Evidence — from live site source

<form action=".../admin-ajax.php" id="contactForm" method="post">

Impact

Spam volume will grow once any bot finds the form.

How we fix it

Add reCAPTCHA v3 or hCaptcha. Add server-side nonce verification.
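A hardened admin-ajax.php handler covering both contact-form findings (nonce, honeypot, rate limit and server-side validation), as an added example rather than the theme's current form code. The action name acorn_contact, the field names and the honeypot field "website" are assumptions.

```php
<?php
// Added example, not the theme's existing admin-ajax.php handler. Assumes the
// sidebar form posts action=acorn_contact with fields name, email, message and
// a hidden honeypot named "website"; all function and field names are ours.

// Render inside the <form>: a nonce plus an empty honeypot humans never see.
function acorn_contact_form_fields() {
    wp_nonce_field( 'acorn_contact', 'acorn_nonce' );
    echo '<input type="text" name="website" value="" tabindex="-1" autocomplete="off" aria-hidden="true" style="position:absolute;left:-9999px">';
}

function acorn_handle_contact() {
    // 1. Nonce check: rejects cross-site posts and replayed bot submissions.
    check_ajax_referer( 'acorn_contact', 'acorn_nonce' );

    // 2. Honeypot: bots fill every field they find; a value here means "bot".
    if ( ! empty( $_POST['website'] ) ) {
        wp_send_json_error( 'Rejected.', 400 );
    }

    // 3. Rate limit: 3 submissions per IP per 10 minutes, counted in a transient.
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    $key  = 'acorn_contact_' . md5( $ip );
    $hits = (int) get_transient( $key );
    if ( $hits >= 3 ) {
        wp_send_json_error( 'Too many messages, please try again later.', 429 );
    }
    set_transient( $key, $hits + 1, 10 * MINUTE_IN_SECONDS );

    // 4. Server-side validation: sanitise, then reject anything malformed.
    $name    = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    if ( '' === $name || ! is_email( $email ) || strlen( $message ) < 10 || strlen( $message ) > 4000 ) {
        wp_send_json_error( 'Please check the name, email and message fields.', 422 );
    }

    // 5. Fixed recipient; the visitor's address only ever goes in Reply-To,
    //    where is_email() has already ruled out header injection.
    $sent = wp_mail(
        'info@acorn-acupuncture.net',
        'Website enquiry from ' . $name,
        "Name: {$name}\nEmail: {$email}\n\n{$message}",
        array( 'Reply-To: ' . $email )
    );
    if ( ! $sent ) {
        wp_send_json_error( 'Could not send right now, please phone the clinic.', 500 );
    }
    wp_send_json_success( 'Thanks, we will be in touch.' );
}
add_action( 'wp_ajax_acorn_contact', 'acorn_handle_contact' );        // logged-in users
add_action( 'wp_ajax_nopriv_acorn_contact', 'acorn_handle_contact' ); // public visitors
```

Nonces are rendered into the page and expire after 12 to 24 hours, so on a page-cached site the CAPTCHA the audit recommends stays the primary barrier and the nonce should be fetched via a separate AJAX call rather than baked into cached HTML.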

SEO & Discoverability

7 findings

On the homepage we crawled, the basic SEO primitives that Google's documentation calls 'required' are missing.

No <title> tag on the homepage

CRITICAL

The homepage HTML head contains no <title> element. Google falls back to whatever it chooses (usually 'Acorn Acupuncture' from the H1 if it exists).

Evidence — from live site source

(no <title>...</title> found in homepage head)

Impact

You forfeit the most important on-page ranking factor. Search snippets look unprofessional.

How we fix it

Install Rank Math or Yoast and write a hand-crafted title for every page.

No <meta name="description"> on any crawled page

CRITICAL

No description meta tag in homepage head. This is consistent across all pages we sampled.

Evidence — from live site source

(no <meta name="description"> found)

Impact

Google generates a snippet from page text — usually a sidebar or menu fragment. Click-through rate drops.

How we fix it

Write a 140–160 character description for each page.

No Open Graph or Twitter Card meta tags

HIGH

Sharing any page on Facebook, WhatsApp, LinkedIn, iMessage, or Slack will show the URL with no preview image and no description.

Evidence — from live site source

(no og:title, og:description, og:image found)

Impact

Every social share looks broken. Word-of-mouth marketing is silently failing.

How we fix it

Yoast / Rank Math sets these automatically. Add a default share image.

No structured data (JSON-LD)

HIGH

No schema.org markup — no LocalBusiness, no MedicalBusiness, no Person schema for Kate or Gráinne.

Evidence — from live site source

(no <script type="application/ld+json"> found)

Impact

Misses Google's local pack rich results, knowledge panel eligibility, and 'near me' boost for healthcare queries.

How we fix it

Add LocalBusiness + MedicalBusiness JSON-LD on the homepage and location pages.
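The homepage JSON-LD the fix calls for, as an added example rather than markup from the site. Street addresses and phone numbers are placeholders, and the "Acupuncturist" job title for Kate and Gráinne is an assumption to confirm with the clinic.

```php
<?php
// Added example, not the site's existing markup: LocalBusiness + MedicalBusiness
// JSON-LD for the two clinics. Addresses, phone numbers and the job title are
// placeholders/assumptions; replace them with the clinic's real details.
function acorn_local_business_schema() {
    if ( ! is_front_page() ) {
        return;
    }
    $clinics = array(
        array( 'id' => 'kilcoole',   'name' => 'Acorn Acupuncture Kilcoole',   'practitioner' => 'Kate',    'locality' => 'Kilcoole' ),
        array( 'id' => 'glencullen', 'name' => 'Acorn Acupuncture Glencullen', 'practitioner' => 'Gráinne', 'locality' => 'Glencullen, Dublin 18' ),
    );
    $graph = array();
    foreach ( $clinics as $clinic ) {
        $graph[] = array(
            '@type'     => array( 'LocalBusiness', 'MedicalBusiness' ),
            '@id'       => home_url( '/#' . $clinic['id'] ),
            'name'      => $clinic['name'],
            'url'       => home_url( '/' ),
            'telephone' => '+353 PHONE-PLACEHOLDER',
            'address'   => array(
                '@type'           => 'PostalAddress',
                'streetAddress'   => 'STREET-ADDRESS-PLACEHOLDER',
                'addressLocality' => $clinic['locality'],
                'addressCountry'  => 'IE',
            ),
            'employee'  => array(
                '@type'    => 'Person',
                'name'     => $clinic['practitioner'],
                'jobTitle' => 'Acupuncturist', // assumption, confirm with the clinic
            ),
        );
    }
    $data = array( '@context' => 'https://schema.org', '@graph' => $graph );
    // Keep the default slash escaping: a "</script>" inside any value becomes
    // "<\/script>" and cannot close the tag early if a value later comes from
    // user-editable settings. JSON_UNESCAPED_UNICODE keeps "Gráinne" readable.
    echo '<script type="application/ld+json">' . wp_json_encode( $data, JSON_UNESCAPED_UNICODE ) . '</script>' . "\n";
}
add_action( 'wp_head', 'acorn_local_business_schema' );
```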

URL typo: "menapause" instead of "menopause"

HIGH

The menopause page lives at /acupuncture-for-menapause-and-menstrual-problems/. The actual word is misspelled in the URL.

Evidence — from live site source

href=".../acupuncture/acupuncture-for-menapause-and-menstrual-problems/"

Impact

Nobody searches for 'menapause'. The page is invisible for one of its strongest commercial keywords.

How we fix it

Create the correct slug, 301 redirect the old one. Update internal links.

No XML sitemap submitted

MEDIUM

No sitemap discovery link in head, no /sitemap.xml at the expected path. Google has to find pages via internal links only.

Evidence — from live site source

(no rel="sitemap" reference found)

Impact

Slower discovery of new content. New blog posts may take weeks to index.

How we fix it

Generate sitemap (Rank Math does this automatically) and submit in Google Search Console.

Cufón font-replacement script in active use

LOW

The <html> tag has class 'cufon-active cufon-ready' and headings render through <canvas>. Cufón was deprecated in 2010 in favour of @font-face.

Evidence — from live site source

<html class="cufon-active cufon-ready">

Impact

Headings render as <canvas> — invisible to screen readers and harder for Google to parse.

How we fix it

Removed automatically when the theme is replaced.

Mobile & Responsiveness

2 findings

Google has used mobile-first indexing since 2019. The site fails the most basic mobile test.

No <meta name="viewport"> tag

CRITICAL

Mobile browsers render the site at desktop width, then zoom out. The site is not mobile-responsive.

Evidence — from live site source

(no <meta name="viewport"> found in homepage head)

Impact

Google flags the site as 'Not mobile-friendly' in Search Console. Mobile rankings are demoted. ~70% of healthcare searches happen on mobile.

How we fix it

Theme replacement adds this automatically. As a stop-gap, one line can be injected via the wp_head action hook.

Fixed 16-column grid layout

HIGH

Layout uses absolute pixel-width columns ('eight columns', 'sixteen columns') from a pre-2014 grid framework. No CSS media queries detected for breakpoints below 768px.

Evidence — from live site source

<div class="eight columns mb0">...</div>

Impact

On phones, content sits off-screen, requires horizontal scroll, taps miss targets.

How we fix it

New theme uses a modern responsive grid (Tailwind / CSS Grid).

UX & Conversion

4 findings

There is exactly one way for a visitor to take action: a sidebar contact form. Everything else is read-only.

Online booking does not exist

CRITICAL

Confirmed end-to-end: no booking widget, no calendar embed, no Calendly link, no third-party booking script in the page source. The only conversion path is the sidebar contact form.

Evidence — from live site source

(only <form action=".../admin-ajax.php"> found — basic message form)

Impact

Patients who want to book must wait for an email reply. In a category dominated by 'book now' competitors, this leaks bookings nightly.

How we fix it

Plan A: add Calendly link. Plan B: build native booking flow.

No call-to-action above the fold

HIGH

The header is logo + social icons + nav. There is no 'Book a treatment' button, no phone number CTA, no booking link.

Evidence — from live site source

(header markup contains logo + social icons only)

Impact

Every visitor has to read, scroll, find the form. High-intent visitors bounce.

How we fix it

Sticky header with phone number + 'Book' CTA.

Search box uses 'value' instead of placeholder

LOW

Search input has value='Search...' which the user must manually delete before typing. Placeholder pattern was standardised in HTML5 (2014).

Evidence — from live site source

<input type="text" id="gdl-search-input" value="Search..." data-default="Search...">

Impact

Friction on a small interaction. Tells you the markup is genuinely a decade old.

How we fix it

Use placeholder='Search...' attribute.

External 'Links' widget points to mixed-content HTTP sites

MEDIUM

Sidebar links to tcmci.com, danulodge.com, unqulife.ie, sims.ie — all linked over plain http://, none with rel="noopener".

Evidence — from live site source

<a href="http://www.tcmci.com/"><strong>www.TCMCI.com</strong></a>

Impact

Mixed-content warning. rel=noopener missing means the linked sites can manipulate the opener window.

How we fix it

Switch to https:// where available, add rel="noopener noreferrer" to all external links.

Code Quality & Maintenance

4 findings

The HTML and asset stack tell the story of a site that has been dormant for ~10 years.

easy-content-adder plugin loaded — last updated years ago

MEDIUM

Plugin path /wp-content/plugins/easy-content-adder/ is loaded on the homepage. Plugin has not had a release in several years.

Evidence — from live site source

href=".../plugins/easy-content-adder/includes/css/plugin-styles.css?ver=5.8.13"

Impact

Adds attack surface and asset weight for no clear benefit.

How we fix it

Audit what it's used for; replace with native blocks or remove.

Windows Live Writer manifest still in head

LOW

wlwmanifest.xml is referenced in <head>. Windows Live Writer was discontinued by Microsoft in 2017.

Evidence — from live site source

<link rel="wlwmanifest" type="application/wlwmanifest+xml" href=".../wlwmanifest.xml">

Impact

Pure dead weight. Symbol of broader staleness.

How we fix it

Remove wlwmanifest_link from the wp_head action in the theme.

Original developers ('MV', 'H8') link to defunct sites

LOW

Footer credits link to markovide.com and osmahisa.com — both appear to be abandoned. There is no live developer relationship.

Evidence — from live site source

<a href="http://www.markovide.com/">MV</a> & <a href="http://www.osmahisa.com/">H8</a>

Impact

Confirms there is no maintenance contract in place.

How we fix it

Replace footer credit with current maintainer.

Inconsistent language declaration

LOW

Conditional comments declare lang='en' while the active <html> tag declares lang='en-GB'.

Evidence — from live site source

<html lang="en-GB" class="cufon-active cufon-ready">

Impact

Minor — confuses some screen readers and locale-aware tools.

How we fix it

Standardise to lang='en-IE' (more accurate) or lang='en-GB'.

What's Working

5 findings

It's not all bad. These are foundations we keep and build on.

SSL certificate active and HTTPS enforced

GOOD

Site loads over HTTPS by default. Apart from one mixed-content stylesheet, the certificate setup is fine.

Evidence — from live site source

https:// scheme served on every internal asset

Impact

Strong baseline. Just need to fix the one mixed-content asset.

How we fix it

No action — already in place.

Canonical URL is set correctly

GOOD

Homepage declares <link rel='canonical' href='https://www.acorn-acupuncture.net/'>. Good for avoiding duplicate-content penalties.

Evidence — from live site source

<link rel="canonical" href="https://www.acorn-acupuncture.net/">

Impact

Prevents www / non-www split and trailing-slash duplicates.

How we fix it

No action — already in place.

Genuinely strong written content

GOOD

TCM philosophy, Kidney Essence, fertility and pregnancy pages are well-written and demonstrate expertise. This is exactly what Google's E-E-A-T guidelines reward in the YMYL (Your Money or Your Life) healthcare category.

Evidence — from live site source

Long-form, expert-written copy on /acupuncture/* pages

Impact

We don't need to write a new site — we need to give the existing copy a chance to rank.

How we fix it

No action — keep and migrate.

Transparent pricing page exists

GOOD

Public /costs/ page with clear treatment pricing — rare in private healthcare.

Evidence — from live site source

Costs page in main navigation

Impact

Builds trust. Reduces no-shows. Carry forward.

How we fix it

No action — keep and migrate.

Two Google Business Profiles already active

GOOD

Kate (Kilcoole) and Gráinne (Glencullen Dublin 18) both have verified GBP listings. They just aren't optimised.

Evidence — from live site source

External signal — verified via Google Maps

Impact

Skip the multi-week verification wait. Optimisation can start immediately.

How we fix it

No action — optimise existing listings in Plan A/B.

Now you've seen the diagnosis.

The two paths in our proposal — WordPress Path or React Path — close every finding above. Choose the one that fits your budget and ambition.