# KCPC Security & Performance Audit Report
**Company:** Kuwait Company for Process Plant Construction & Contracting K.P.S.C (KCPC)  
**Website:** https://kcpc.com.kw  
**Audit date:** 2026-06-22  
**Auditor:** Automated redesign workflow scan  
**Scope:** Homepage + key public pages (company/about-us, services, projects, contact-us, investor-relations)

---

## 1. Executive Summary

The current kcpc.com.kw site is a WordPress + PHP 7.4 installation using a legacy construction theme and a large plugin stack. It runs over HTTPS but only negotiates TLS 1.2 and ships virtually no modern HTTP security headers. The page is heavy (~171 KB HTML) and loads numerous render-blocking stylesheets and scripts from multiple plugins, which hurts mobile performance and Core Web Vitals. Several WordPress-specific attack surfaces are exposed, including XML-RPC and the REST API.

**Overall risk rating: MEDIUM-HIGH** — functional, but aging software and missing hardening controls create avoidable security and performance debt.

---

## 2. TLS / HTTPS

| Signal | Finding | Risk |
|--------|---------|------|
| Certificate issuer | Let's Encrypt (CN = YR2) | Low |
| Validity | 2026-06-05 → 2026-09-03 (~73 days remaining at audit date) | Low |
| TLS version | TLS 1.2 only | Medium |
| TLS 1.3 support | Not detected | Medium |
| HSTS header | Missing | Medium |
| Mixed content | Canonical uses `http://`; some asset URLs use `http://` | Medium |

**Recommendation:** Enable TLS 1.3, add a `Strict-Transport-Security` header, and canonicalise all URLs to HTTPS.

---

## 3. HTTP Security Headers

The server exposes `Server: Apache` and `X-Powered-By: PHP/7.4.33`, but none of the following protective headers were observed:

- `Strict-Transport-Security` (HSTS)
- `Content-Security-Policy`
- `X-Frame-Options`
- `X-Content-Type-Options`
- `Referrer-Policy`
- `Permissions-Policy`

**Recommendation:** Add a minimal hardening set, e.g.
```
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
```

---

## 4. CMS / Application Stack

| Component | Version | Note |
|-----------|---------|------|
| Server | Apache | Banner exposed |
| PHP | 7.4.33 | End-of-life since January 2023 |
| CMS | WordPress | Detected via REST API, Yoast SEO, themes |
| Page builder | WPBakery / js_composer 8.7.2 | Heavy frontend output |
| Slider | Revolution Slider | Plugin detected |
| Grid | Essential Grid 3.1.10 | Plugin detected |
| Forms | Contact Form 7 6.1.6 | Plugin detected |
| E-commerce | WooCommerce 10.8.1 | Plugin detected (possibly unused) |
| Mega menu | EasyMega | Plugin detected |
| Theme | Construction child theme | Legacy styling |

**Risk:** PHP 7.4 no longer receives security patches. A large plugin surface increases the chance of unpatched vulnerabilities. WooCommerce appears to be installed although the site does not sell online, which adds unnecessary attack surface.

**Recommendation:** Migrate to PHP 8.1+ / supported WordPress stack, or move to a static/generated site to remove the dynamic CMS attack surface entirely.

---

## 5. WordPress-Specific Exposures

| Endpoint | Status | Risk |
|----------|--------|------|
| `/xmlrpc.php` | Exposed | Brute-force / amplification vector |
| `/wp-json/wp/v2/pages/...` | Exposed | Content/user enumeration |
| `/wp-json/oembed/...` | Exposed | Information disclosure |
| `wp-json` link in header | Present | Confirms API is public |

**Recommendation:** If a dynamic CMS is kept, disable XML-RPC via server block or plugin and restrict unauthenticated REST API access to required endpoints.

---

## 6. Performance Observations

| Metric | Observation |
|--------|-------------|
| HTML transfer | ~171 KB uncompressed homepage |
| Stylesheets | 10+ external CSS files (plugins, theme, WooCommerce, Google Fonts) |
| Scripts | Multiple inline and external JS blocks from plugins |
| Fonts | Several Google Fonts loaded separately (Open Sans, Raleway, Droid Serif, Montserrat) |
| Images | Many unoptimised PNG/JPEG; no modern formats (WebP/AVIF) observed |
| Caching headers | No explicit `Cache-Control` / `Expires` headers observed in response |
| Render-blocking | WPBakery, WooCommerce, Essential Grid, and Revolution Slider CSS block first paint |

**Estimated Core Web Vitals impact:** Likely poor LCP and CLS on mobile because of large CSS/JS payload, no resource hints, and non-deferred scripts.

**Recommendation:** Inline critical CSS, defer non-critical JS, compress and convert images to WebP/AVIF, and add resource hints (`preconnect`, `dns-prefetch`). A static rebuild would eliminate most of this overhead automatically.

---

## 7. Information Disclosure

- Server (`Apache`) and PHP version (`7.4.33`) are disclosed in response headers.
- A PDF (`/wp-content/uploads/2026/03/KCPC.pdf`) is directly linked/accessible.
- `/wp-content/uploads/2024/10/KCPC-Company-Profile.pdf` is downloadable by anyone.
- WordPress plugin versions are visible in query-string cache-busters.

**Recommendation:** Suppress server banners, move confidential documents behind authentication or at least hide their directory index, and remove version strings from plugin URLs where possible.
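The hardening recommended in sections 2, 3, 5, 6 and 7, collected into one Apache 2.4 virtual-host fragment as an added example rather than KCPC's own configuration; `www.example.com`, `DocumentRoot` and the certificate paths are placeholders, and it assumes mod_ssl and mod_headers are loaded.

```apache
# Added hardening example for an Apache 2.4 host with mod_ssl and mod_headers.
# Hostname, DocumentRoot and certificate paths are placeholders.

# Section 7: suppress the Apache banner (server-level directives, not .htaccess).
ServerTokens Prod
ServerSignature Off

# Section 2: send every plain-HTTP request to the HTTPS canonical host.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
    # Section 2: TLS 1.2 and 1.3 only (TLS 1.3 needs httpd 2.4.37+ on OpenSSL 1.1.1+).
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Section 3: the minimal header set from the report; "always" also covers
    # error responses. "preload" commits every subdomain to HTTPS for as long as
    # browsers ship the preload list, so confirm that before keeping it.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

    # Section 7: strip the PHP banner (the proper fix is expose_php = Off in php.ini).
    Header unset X-Powered-By

    # Section 5: a brochure site does not need XML-RPC; deny it outright.
    # Restricting the REST API is done inside WordPress (the
    # rest_authentication_errors filter), not at the web server.
    <Files "xmlrpc.php">
        Require all denied
    </Files>

    # Section 6: long-lived caching for static assets. "immutable" is only safe
    # when the filename or ?ver= query string changes on every deploy.
    <FilesMatch "\.(css|js|woff2?|png|jpe?g|webp|avif|svg)$">
        Header set Cache-Control "public, max-age=31536000, immutable"
    </FilesMatch>
</VirtualHost>
```

After reloading, the same `curl -I -L` check from section 9 should show the five headers present and `X-Powered-By` absent.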

---

## 8. Quick-Win Action Plan

1. **Immediate (this week)**
   - Add the six missing security headers, starting with HSTS.
   - Force HTTPS canonical URLs and fix mixed-content references.
   - Block or restrict `/xmlrpc.php`.
   - Hide `X-Powered-By` and `Server` banners.
2. **Short term (next 2–4 weeks)**
   - Upgrade PHP to 8.1+ and patch WordPress/plugins.
   - Audit and remove unused plugins (WooCommerce if not needed).
   - Convert hero/service images to WebP/AVIF and lazy-load below-fold assets.
3. **Medium term (next redesign cycle)**
   - Rebuild as a lean static/HTML-first site or headless Jamstack architecture.
   - Serve assets from a CDN with immutable caching.
   - Implement CSP with a nonce/hash-based script-src policy.

---

## 9. Audit Methodology

Commands and checks used:
- `curl -I -L` over HTTPS to capture response headers.
- `openssl s_client` to inspect certificate subject, issuer, dates, and TLS negotiation.
- Homepage download and static analysis of HTML source (plugins, versions, asset URLs).
- Manual review of public sitemap links extracted from the homepage.

No intrusive testing, authenticated scanning, or vulnerability exploitation was performed.

---

*Report generated as part of the KCPC website redesign workflow.*
