
RECONNAISSANCE — FREE, PASSIVE, ONE-PAGE DOSSIER

The website is the reconnaissance surface.

Enter a Canadian municipal URL. The routine reads only what an attacker can read — the WordPress fingerprint, the plugin inventory, the exposed admin paths, the security headers, the TLS posture, and the email-spoofing risk — and returns a printed dossier.

Public surface only. No authentication, no probing, no path enumeration. Identical to what any logged-out browser sees.

The routine takes approximately 30–60 seconds. The dossier renders below when complete.

What You're Actually Keeping

WordPress vs Fit For Gov

Your current WordPress site is accumulating 8 categories of risk. Below is what each one costs you — and what you keep when you switch.

| Risk Category | Your WordPress Site | Fit For Gov |
|---|---|---|
| Credential Exposure | 11 admin accounts enumerable via /wp-json/users — each one a brute-force target | No API attack surface. Users managed server-side. No enumeration. |
| DDoS Participation | /xmlrpc.php enabled — your server is actively amplifying attacks on third parties right now | No legacy protocols. You are not liable for reflected traffic. |
| Breach Entry Points | 3 browsable directories (/wp-admin, /wp-includes, /wp-content/uploads) exposing structure and files | Static deployment. No directory traversal. No enumeration vectors. |
| Login Targeting | /wp-login.php subject to 24/7 botnet attacks. One weak password = full breach. | No admin UI exposed. Authentication integrated with corporate SSO or Cognito. |
| Data Disclosure | Staff photos, meeting notes, budget PDFs in /uploads are indexed by search engines and enumerable | All uploads behind authentication and CDN with headers. EXIF stripped. |
| Compliance Risk | AODA/WCAG violations, no HTTPS, mixed content, unpatched plugins = $100K+/year potential liability | WCAG AA by design. HTTPS only. No third-party plugin dependencies. |
| Incident Response | Plugin updates break things. No rollback. Hosting provider handles security, or they don't. | Deployment via Git. Full revision history. Rollback to any commit in 60 seconds. |
| Sovereignty | Hosted by third-party providers. Your data, backups, and recovery are not in your control. | Deployed to Vercel or your own infrastructure. You own the keys. |

Note: The left column isn't speculative. These are findings from your site scan. The right column is not marketing—it's the actual architecture difference.

Your Financial Exposure

Breach Cost Calculator

Enter your municipality size and annual IT budget to see the financial risk of staying on WordPress.

Municipality size: 50,000 residents (adjustable range: 10,000 to 500,000 residents)

Annual IT budget: $100K (adjustable range: $50K to $1M annually)

Annual Breach Probability: 98.8%
Chance of admin account compromise this year

Expected Annual Cost (if breach occurs): $13,950K
Notification, remediation, legal liability + reputational impact

Annual WordPress Maintenance: $20K
~20% of IT budget spent on plugin updates, patching, backups

The Math: You're paying $20K annually to maintain WordPress security. If a breach happens (which has a 98.8% chance this year), you're paying an additional $13,950K in direct costs plus unquantifiable reputational damage.

A Fit For Gov migration costs $1,500–$25,000 once. The difference in annual risk is often paid back within 3 years.

Methodology: Breach probability is calculated using daily attack frequency (8 attempts/day on unprotected /wp-login.php) and password compromise rate (0.15% annually assuming typical municipal password practices). Cost factors follow NIST Cybersecurity Framework and Ponemon Institute breach cost studies. This is a conservative estimate — actual breaches in municipal systems often cost 2-3x more due to regulatory escalation.

§ I — SCOPE (01 / 04)

What the routine reads

  • § I — Public homepage and response headers
  • § II — Core version disclosures
  • § III — Enqueued plugin and theme inventory
  • § IV — Standard WordPress public endpoints
  • § V — TLS posture and HTTPS enforcement
  • § VI — Email authentication: SPF, DMARC, DKIM, MTA-STS

What the routine never does

  • × Authenticate against the site or any service
  • × Probe known leak paths (.env, .git/, backups)
  • × Enumerate hidden directories or fuzz parameters
  • × Send any traffic that resembles attack traffic to a WAF
  • × Save or share the dossier without the requester's consent

§ II — METHODOLOGY (02 / 04)

Every request the routine makes is one a normal browser, RSS reader, or feed consumer makes when the operator chooses to publish that file. The routine identifies itself with a user-agent that names the practice and links to this page; nothing about the traffic is concealed.

Findings are produced from real public data: the homepage HTML, the response headers, the WordPress readme.html and license.txt when present, the public REST endpoint at /wp-json/wp/v2/users, /xmlrpc.php, /robots.txt, the directory-listing surface on /wp-content/uploads/ and /wp-includes/, and DNS records for SPF, DMARC, DKIM (default selector), and MTA-STS.
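The email-authentication part of that check, as an added example that is not the practice's own code: it grades SPF, DMARC and MTA-STS records that have already been fetched from DNS. The record strings are constructed, and the three-tier low/medium/high scoring is this example's assumption, not the dossier's scoring.

```python
import re

# Constructed records; not looked up from any real domain.
SAMPLE_RECORDS = {
    "spf": "v=spf1 include:_spf.example.net ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.ca",
    "mta_sts": None,  # no _mta-sts.<domain> TXT record published
}

def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC, MTA-STS) into a dict with lower-cased keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def spf_qualifier(spf):
    """Qualifier on the terminal 'all': '-' fail, '~' softfail, '?' neutral, '+' pass; None if absent."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf.lower())
    return (m.group(1) or "+") if m else None

def spoofing_risk(spf=None, dmarc=None, mta_sts=None):
    """Return (label, reasons); label is 'low', 'medium' or 'high'. Tiers are this example's assumption."""
    reasons = []
    q = spf_qualifier(spf)
    if q is None:
        reasons.append("no SPF record: any host may send as this domain")
    elif q in ("+", "?"):
        reasons.append(f"SPF '{q}all' rejects nothing")
    tags = parse_tags(dmarc) if dmarc and dmarc.lower().startswith("v=dmarc1") else {}
    policy = tags.get("p", "").lower()
    if not tags:
        reasons.append("no DMARC record: receivers cannot enforce alignment")
    elif policy == "none":
        reasons.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif tags.get("pct", "100") != "100":
        reasons.append(f"DMARC pct={tags['pct']}: policy applied to a sample only")
    if not (mta_sts and mta_sts.lower().startswith("v=stsv1")):
        reasons.append("no MTA-STS: TLS on mail delivered to this domain can be downgraded")
    if policy == "reject" and q == "-" and not reasons:
        return "low", reasons
    if policy in ("reject", "quarantine") and q in ("-", "~"):
        return "medium", reasons
    return "high", reasons
```

Calling `spoofing_risk(**SAMPLE_RECORDS)` on the constructed records returns "high" with two reasons (p=none and the missing MTA-STS policy).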

Plugin and theme detection comes from <script> and <link> URLs the page itself enqueues. Cross-reference is against a curated registry of high-value WordPress targets with citations to Patchstack and WPScan; we do not claim a detected install is vulnerable to a specific CVE without an authoritative match.
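The enqueued-asset inventory described above, as an added example that is not the practice's own code: it pulls plugin and theme slugs, their ?ver= version disclosures and the WordPress generator meta tag out of a homepage fragment. The HTML, the example.ca host and every slug and version in it are constructed; the only assumption about the site is the standard /wp-content/plugins/ and /wp-content/themes/ asset layout.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample homepage fragment; not captured from any real site.
SAMPLE_HTML = """
<meta name="generator" content="WordPress 6.5.2">
<link rel="stylesheet" href="https://example.ca/wp-content/themes/civic-base/style.css?ver=2.4.1">
<script src="https://example.ca/wp-content/plugins/example-forms/js/index.js?ver=5.9.8"></script>
<script src="https://example.ca/wp-content/plugins/example-slider/js/lazy.js"></script>
<script src="https://example.ca/wp-content/plugins/example-slider/js/slider.min.js?ver=1.0"></script>
<script src="https://example.ca/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
"""

ASSET_RE = re.compile(r"/wp-content/(plugins|themes)/([^/]+)/")  # enqueued plugin/theme assets

class AssetCollector(HTMLParser):
    """Collect every <script src> and <link href>, plus the generator meta tag."""
    def __init__(self):
        super().__init__()
        self.urls = []
        self.generator = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.urls.append(a["href"])
        elif tag == "meta" and a.get("name") == "generator":
            self.generator = a.get("content")

def inventory(html):
    """Return {'plugins': {slug: ver}, 'themes': {slug: ver}, 'core': generator string or None}."""
    collector = AssetCollector()
    collector.feed(html)
    found = {"plugins": {}, "themes": {}, "core": collector.generator}
    for url in collector.urls:
        parsed = urlparse(url)
        match = ASSET_RE.search(parsed.path)
        if not match:
            continue  # core files under /wp-includes/ and external CDNs are not plugin assets
        kind, slug = match.groups()
        version = parse_qs(parsed.query).get("ver", [None])[0]
        # A versioned asset wins over an unversioned one for the same slug.
        if version or slug not in found[kind]:
            found[kind][slug] = version
    return found
```

The inventory is only a list of what the page discloses; matching a slug and version against Patchstack or WPScan advisories is the separate cross-reference step the text describes.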

NEXT STEP

Call first. Email second. Forms third.

If the dossier surfaces something your municipality should act on, the call is fifteen minutes. The principal answers the phone.