TrustBeacon Auditor Findings Guide
Version: 0.1.0

Purpose

This file explains the types of findings used by TrustBeacon Auditor. The goal is to make each result understandable to a normal website owner, not only to a developer or server administrator.

Finding Fields

Each finding should contain the following fields:

Category
The broad area being checked. Examples: Email Security, DNS Security, HTTPS, HTTP Headers, WordPress Configuration.

Check
The specific item tested. Examples: SPF Record, DKIM Record, DMARC Record, Strict-Transport-Security Header.

Status
The result of the check. Recommended values:

PASS
The check appears to be properly configured.

WARNING
The check found something incomplete, weak, missing, uncertain, or worth reviewing.

FAIL
The check found a clear problem that should be corrected.

INFO
The check provides useful information but does not directly affect the score.

NOT EVALUATED
The plugin could not evaluate the item in the current hosting/PHP environment.

Score
The number of points awarded for the check. A full pass normally receives the maximum points for that check. A warning receives partial or reduced points. A fail receives zero or very low points.

Message
A plain-English explanation of what the plugin found.

Recommendation
A practical suggestion for what the website owner should do next.

Business Impact
A non-technical explanation of why the finding matters. This should answer the question: Why should a small business owner care?

Recommended Finding Style

Good finding messages should be:

* Clear
* Short
* Non-alarming unless the issue is serious
* Written for small business owners
* Honest about uncertainty
* Specific enough to be actionable

Example Finding

Category: Email Security
Check: SPF Record
Status: PASS
Score: 10
Message: This domain has an SPF record.
Recommendation: Keep the SPF record updated whenever you change email providers.
Business Impact: SPF helps prevent spammers from sending fake email that appears to come from your domain.

Important Finding Categories

1. HTTPS and SSL

Checks whether the website is available over HTTPS and whether secure access appears to be active.

Business reason:
Visitors expect secure websites. Browsers may warn users when a site is not secure. HTTPS also affects trust, forms, logins, payments, and search confidence.

2. HTTP Security Headers

Checks for headers that help browsers protect visitors.

Common headers include:

* Strict-Transport-Security
* Content-Security-Policy
* X-Frame-Options
* Referrer-Policy
* Permissions-Policy
* X-Content-Type-Options

Business reason:
Security headers help reduce risks such as clickjacking, content injection, unsafe browser behavior, and information leakage.

3. Email Security

Checks whether the domain has email authentication records.

Common checks include:

* SPF
* DKIM
* DMARC

Business reason:
Email authentication helps protect the domain from spoofing and improves the chance that real email is trusted by receiving mail systems.

4. DNS Security

Checks DNS-related trust signals where supported.

Examples:

* DNSSEC availability
* DNSKEY support, if available in the hosting environment
* Nameserver visibility

Business reason:
DNS is the address book of the Internet. Weak or missing DNS protections can make a domain harder to trust or easier to abuse.

5. WordPress Configuration

Checks basic WordPress signals that may affect trust, exposure, or maintainability.

Examples:

* Public WordPress version exposure
* XML-RPC exposure
* Plugin/theme update awareness
* Basic site configuration risks

Business reason:
Poor WordPress configuration can increase attack surface and make the website appear neglected.

Status Message Guidance

PASS messages should confirm the good condition without exaggeration.

Example:
This domain has a DMARC record.

WARNING messages should explain the concern without panic.

Example:
A DMARC record was found, but the policy may not provide strong protection.

FAIL messages should identify a clear missing or broken item.

Example:
No SPF record was found for this domain.

NOT EVALUATED messages should be honest about technical limitations.

Example:
DNSSEC could not be fully evaluated in this hosting environment. Additional review is recommended.

Recommended Business Impact Phrases

Email Security:
This helps protect your domain from being used in fake or spoofed email.

HTTPS:
Visitors and browsers expect secure connections, especially on forms, logins, and payment pages.

Security Headers:
These headers help browsers protect visitors from common web-based attacks.

DNS Security:
DNS records help other systems decide whether your domain is properly configured and trustworthy.

WordPress Configuration:
Basic hardening reduces unnecessary exposure and helps show that the site is maintained.

Avoid These Claims

Do not say:

* This site is secure.
* This site is safe from hackers.
* This site is compliant.
* This site is certified.
* This plugin guarantees protection.

Prefer:

* This check passed.
* This setting appears to be configured.
* This issue should be reviewed.
* This result is informational.
* Additional review is recommended.
