See: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Ffreshmtl.ca%2F&ref_sel=GSP2&ua_sel=ff&fs=1
Insecure Trackers SSL: This website is insecure.
60% of the trackers on this site could be protecting you from NSA snooping. Tell freshmtl.ca to fix it.
Identifiers | All Trackers Insecure Identifiers
Unique IDs about your web browsing habits have been insecurely sent to third parties.
jckwds5890XXXXXb9b0 -freshmtl.ca jckwds-guest-user-id
Decoded obfuscated script there from line 1131 henceon: http://ddecode.com/hexdecoder/?results=bf9630090d109f5226ac6db7bf5e62b5
Excessive server info proliferation detected: Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
WordPress Version Outdated!
4.4.7
Version does not appear to be latest 4.7.2 - update now.
WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress sites front page.
woocommerce 2.5.0 latest release (2.6.13) Update required
https://woocommerce.com/
Warning User Enumeration is possible
The first two user ID’s were tested to determine if user enumeration is possible.
ID User Login
1 FreshMTL admin
2 None None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.
Retirable code: -http://freshmtl.ca
Detected libraries:
jquery-migrate - 1.2.1 : -http://freshmtl.ca/wp-includes/js/jquery/jquery-migrate.min.js
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery - 1.11.3 : (active1) -http://freshmtl.ca/wp-includes/js/jquery/jquery.js
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
2 vulnerable libraries detected
Mark: B because of stylesheet issues against “same origin policy”: https://sritest.io/#report/415014bf-4cf3-415c-a242-c58d4156a135
F-F-X-status and even more insecurity: https://observatory.mozilla.org/analyze.html?host=freshmtl.ca
Website twice came under WordPress Automatic Brute Force Attacks like WPBrute 2016-01-26 02:08:46 Brt Forc* mplfct*on ttcks g**nst WordPrss XMLRPC, with being so insecure in the infrastructure this does not surprise me one bit, site could be compromised from one moment upon the next,
polonus (volunteer website security analyst and website error-hunter)