SEF Card WordPress Audit Fix Package Generated: 2026-06-30 Major fixes applied: 1. Added root .htaccess with Options -Indexes, security headers, cache headers, compression rules, sensitive file protection, and /sitemap.xml redirect to /wp-sitemap.xml. 2. Added robots.txt with sitemap references and safe WooCommerce utility-page exclusions. 3. Added PWA/branding files: manifest.webmanifest, site.webmanifest, favicon.svg, icon-192.png, icon-512.png, apple-touch-icon.png. 4. Added MU plugin: wp-content/mu-plugins/sef-audit-fixes.php - Security headers fallback from PHP - Cache-Control fallback - robots.txt filter and sitemap redirect fallback - Canonical/meta description/Open Graph/Twitter card fallbacks - Organization, WebSite, BreadcrumbList, Product, and ItemList JSON-LD fallbacks - Optional GTM and Meta Pixel support through wp-config constants SEF_GTM_ID and SEF_META_PIXEL_ID 5. Updated SEF theme: - Header phone/email are clickable tel:/mailto links - Search form label and nonce added - Primary nav aria-label added - Newsletter form label, nonce, email type, and required field added - Hero slider/dot buttons improved for accessibility - Footer plain-text phone/email/WhatsApp lines auto-link where possible - Fallback # links changed to real URLs 6. Fixed SEF Chat dbDelta schema format that caused “Key column KEY doesn't exist” SQL errors. 7. Updated SEF Security Guard defaults/migration to avoid self-blocking audit crawlers with an overly low rate limit and broad user-agent blocks. 8. Updated Security Guard 403 helper output with lang, viewport, robots, nav, and main landmarks. 9. Patched WP Total Audit noindex false positives for cart/checkout/account/add-to-cart/wp-admin utility URLs. 10. Patched wp-login.php undefined variable warnings seen in error_log. Manual/ID-dependent items: - GTM and Meta Pixel require real IDs. Define in wp-config.php: define('SEF_GTM_ID', 'GTM-XXXXXXX'); define('SEF_META_PIXEL_ID', '000000000000000'); - Thin content, multiple H1, and heading hierarchy issues need page/product content edits inside WordPress editor or page builder. - If the old Security Guard database table already contains blocked IP rows, clear blocked IPs once from plugin admin after upload.