Technical Audit Digest
Epic 1: Technical Foundation Audit Digest
Consolidated summary of all infrastructure, tracking, security, and configuration findings for buythesametoken.com. Completed as part of Epic 1 of the ALC Media Web Project Plan.
Executive Scorecard
12 audit tasks completed across infrastructure, analytics, checkout, shipping, and security.
Priority Issues Found
Issues requiring action, ordered by severity.
Missing SPF Record
No SPF TXT record in DNS. Emails from Google Workspace, Shopify, and Klaviyo may land in spam. Spoofing risk.
Fix: Add v=spf1 include:_spf.google.com include:shops.shopify.com include:spf.klaviyomail.com ~all
Ineffective DMARC Policy
DMARC set to p=none. Monitors without blocking. No report addresses.
Fix: Update to p=quarantine with rua/ruf. Escalate to p=reject after 30-60 days.
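A check for the two email-authentication findings above, as an added example (not part of the audit or the auditor's tooling): it audits TXT record strings for a missing SPF record and a monitor-only DMARC policy without report addresses. The record strings are constructed, the example.com report mailboxes are placeholders, and fetching the records from DNS is left out.

```python
# Added example (not from the audit): checks TXT records for the SPF/DMARC findings.
# Record strings are constructed; report mailboxes are placeholders.
REQUIRED_INCLUDES = ["_spf.google.com", "shops.shopify.com", "spf.klaviyomail.com"]

CURRENT = {"root": ["google-site-verification=PLACEHOLDER"],
           "_dmarc": ["v=DMARC1; p=none"]}
FIXED = {"root": ["google-site-verification=PLACEHOLDER",
                  "v=spf1 include:_spf.google.com include:shops.shopify.com "
                  "include:spf.klaviyomail.com ~all"],
         "_dmarc": ["v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@example.com; "
                    "ruf=mailto:dmarc-ruf@example.com"]}


def audit_spf(txt_records, required_includes=REQUIRED_INCLUDES):
    """Return findings for the SPF record among a name's TXT records."""
    spf = [r.split() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (receivers treat this as an error)"]
    terms = [t.lower() for t in spf[0]]
    findings = [f"missing include:{d}" for d in required_includes
                if f"include:{d}" not in terms]
    if terms[-1] not in ("~all", "-all"):
        findings.append("record does not end in ~all or -all")
    return findings


def audit_dmarc(txt_records):
    """Return findings for the TXT records published at _dmarc.<domain>."""
    records = [r for r in txt_records
               if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not records:
        return ["no DMARC record"]
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    if tags.get("p", "").lower() == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    for tag in ("rua", "ruf"):
        if not tags.get(tag, "").lower().startswith("mailto:"):
            findings.append(f"no {tag} report address")
    return findings


if __name__ == "__main__":
    for label, zone in (("current", CURRENT), ("fixed", FIXED)):
        print(label, audit_spf(zone["root"]), audit_dmarc(zone["_dmarc"]))
```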
Apple Pay Not Enabled
Shop Pay, PayPal, Google Pay active. Apple Pay missing. Critical for iOS mobile conversion.
GDPR: Pre-Checked Opt-In
Marketing opt-in pre-checked at checkout. Violates GDPR/PECR for UK/EU visitors.
Consent Mode Misconfigured
No "denied" default before tags load. Shopify consent API returns true for marketing before user interaction.
38-49% Conversion Gap
Shopify: 576 orders / £45K vs GA4: 356 purchases / £23K.
Free Shipping Bug: Zone 1
Threshold "Orders £150-£250". Orders above £250 lose free shipping.
Empty Shipping Profiles
"Small Parcels" and "S/M Parcel for Ark Nova" configured but zero products assigned.
7 Google Tag Scripts/Page
Seven gtag.js scripts loading per page. Two Merchant Center IDs returning 503s.
Duplicate Smile.io Scripts
Legacy script tag AND modern app embed loading simultaneously.
Misleading Shipping Label
"Royal Mail Non-tracked International Priority" shows "2-12 weeks".
"Sell When Out of Stock" Global
ON at product level via Essential Preorder. Must audit per-product.
Complete Task-by-Task Findings
All 13 tasks in the Technical Foundation Audit epic.
| # | Task | Status | Key Findings |
|---|---|---|---|
| 1 | Confirm domain registrar ownership | Done | Registered to Christopher Scillitoe via Shopify/Tucows. Auto-renewal ON ($16, Apr 12). WHOIS privacy enabled. Action: verify payment method. |
| 2 | Audit hosting provider setup | Done | Shopify managed + Cloudflare CDN. HTTP/3, HSTS active. No intervention required. |
| 3 | Verify DNS configuration | Done | Google Cloud DNS. A/MX records correct. Issues: Missing SPF, DMARC p=none. |
| 4 | Audit SSL certificate | Done | Let's Encrypt, auto-renewed. Full chain valid. HSTS active. No mixed content. All clear. |
| 5 | Review Shopify plan | Done | Grow plan ($948/yr, 1.7%+£0.25). Adequate. Advanced ($299/mo) worth revisiting at scale. |
| 6 | Audit installed apps | Done | 20 apps, ~£385+/mo. 5 flagged: Christmas Calendar, SendWILL, Messaging, Pinterest, Instafeed. |
| 7 | Audit third-party scripts | Done | 15 script groups. Smile.io dual loading. FastBundle 4 scripts. Common Ninja 2 SDKs. |
| 8 | Verify GA4 tracking | Done | Revenue tracking works. Gaps: item_list_name and coupon parameter missing. |
| 9 | Verify conversion tracking | Done | 38-49% gap vs Shopify. Consent Mode defaults wrong. Pinterest Tag broken. |
| 10 | Review checkout settings | Done | Apple Pay missing. Opt-in pre-checked (GDPR). Phone required. No trust badges. |
| 11 | Audit shipping & inventory | Done | Free shipping cap bug. Empty profiles. Misleading labels. "Sell when OOS" on globally. |
| 12 | Secure admin access | Done | Permissions aligned. Remove inactive users. Quarterly reviews recommended. |
| 13 | Technical Audit Digest | This Doc | This document. |
What Comes Next
Store Intelligence & CRO Roadmap
Strategic Plan: Store Intelligence Report & CRO Roadmap
A data-driven response to the concerns raised about conversion rate performance, a clear diagnosis of what is actually happening, and a restructured execution plan designed to deliver the fastest possible revenue impact.
The Problem
In our recent conversation, the team raised a serious concern: the store's conversion rate has dropped sharply. Over the past 7 days, Shopify shows a conversion rate of 0.19%. Over the past 30 days, 0.61%. These numbers are dramatically lower than the historical 1.6-2.3% range the store has maintained. The concern is understandable: if the store is converting at a fraction of what it used to, that directly impacts revenue, cash flow, and the ability to sustain operations.
We took this concern seriously and performed an immediate deep dive into the store's Shopify analytics. We pulled data across multiple time windows, compared against prior periods and year-over-year benchmarks, analyzed traffic sources by device and geography, and examined every stage of the conversion funnel.
What we found changes the picture significantly. The conversion rate drop is real in the numbers, but it is not caused by the website converting worse. It is caused by a massive influx of non-human (bot) traffic that is artificially inflating session counts and making every percentage metric look worse than reality. Orders and revenue are actually up year-over-year.
This report presents the full evidence, explains what is happening and why, and lays out a restructured execution plan that directly addresses the team's priorities: increase conversion rate, increase revenue, and do it as fast as possible.
What this document covers
Part 1: Store Intelligence. A forensic analysis of the conversion rate drop, with four independent pieces of evidence showing the root cause is bot traffic, not site degradation.
Part 2: The Restructured Plan. We heard the team's concerns about cash flow and the urgency to see results. In response, we have reshuffled the original project plan. Instead of following the planned sequence (Performance Optimization first, then CRO Execution), we are pulling forward the highest-impact CRO tasks, combining them with critical infrastructure fixes from the audit, and adding a new Phase 0 to eliminate the bot traffic problem. Every task is sequenced by expected revenue impact, not by category.
Current Performance Snapshot
Last 30 days (Mar 21 to Apr 20, 2026) compared to the prior 30 days and the same period last year.
The headline number is alarming. The underlying business is not.
Orders are up 13-15% against both the prior period and last year. Total sales are up 15-25%. The conversion rate looks terrible because sessions have been inflated by non-human traffic.
Diagnosis: What Is Happening
The conversion rate collapse is caused by bot/synthetic traffic inflating session counts. Here is the evidence.
The gap tells the story
Sessions spiked dramatically from mid-March while orders remained flat at 100-195/week. If this traffic were real, orders would scale proportionally. They did not.
Traffic Sources Point to Data Centers
| Source | City | Sessions (30d) | Prior 30d | Signal |
|---|---|---|---|---|
| Direct / None | Unknown | 41,313 | 1,617 | Likely bots (+2,454%) |
| Direct / None | Ashburn, VA | 3,134 | 3,898 | AWS data center |
| Direct / None | Seoul | 1,181 | - | Cloud hub (new) |
| Direct / None | Council Bluffs | 236 | 209 | Google/Meta DC |
| Social / Instagram | Various | 1,101 | 703 | Legitimate (+57%) |
| Search / Google | Various | 372 | 310 | Legitimate (+20%) |
Bottom Line
If we filter out the estimated ~45,000 bot sessions, the real conversion rate is approximately 1.7-1.9%, consistent with historical performance. The store is not converting worse. It is being measured against corrupted data.
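The triage behind that estimate, written out as an added example (not the report's own analysis code): it applies simple rules to the rows of the traffic-source table and totals the sessions they flag. The rows are the table's figures; the rule set, the 500% spike threshold and all function names are assumptions made for illustration.

```python
# Added example, not from the report. Rows are the report's table; the
# rules and the spike threshold are assumptions chosen for illustration.
ROWS = [  # (source, city, sessions_30d, prior_30d; None = no prior data)
    ("Direct / None", "Unknown", 41313, 1617),
    ("Direct / None", "Ashburn, VA", 3134, 3898),
    ("Direct / None", "Seoul", 1181, None),
    ("Direct / None", "Council Bluffs", 236, 209),
    ("Social / Instagram", "Various", 1101, 703),
    ("Search / Google", "Various", 372, 310),
]
# Cities the table's Signal column marks as data centers or cloud hubs.
DATA_CENTER_CITIES = {"Ashburn, VA", "Seoul", "Council Bluffs"}
SPIKE_PCT = 500.0  # assumed threshold for an unexplained period-over-period jump


def growth_pct(current, prior):
    """Period-over-period growth in percent, or None when there is no baseline."""
    if not prior:
        return None
    return round((current - prior) / prior * 100, 1)


def suspicion_reasons(source, city, current, prior):
    """Reasons a row looks non-human; an empty list means no rule fired."""
    if not source.startswith("Direct"):
        return []  # this rule set only examines unattributed (direct) traffic
    reasons = []
    if city == "Unknown":
        reasons.append("no resolvable location")
    if city in DATA_CENTER_CITIES:
        reasons.append("data-center city")
    growth = growth_pct(current, prior)
    if growth is None:
        reasons.append("new source with no baseline")
    elif growth >= SPIKE_PCT:
        reasons.append(f"spike of {growth}%")
    return reasons


def triage(rows):
    """Split sessions into suspect and unflagged totals and list flagged rows."""
    result = {"suspect_sessions": 0, "legit_sessions": 0, "flagged": []}
    for source, city, current, prior in rows:
        reasons = suspicion_reasons(source, city, current, prior)
        if reasons:
            result["suspect_sessions"] += current
            result["flagged"].append((city, reasons))
        else:
            result["legit_sessions"] += current
    return result
```

The four flagged rows total 45,864 sessions, in line with the ~45,000 bot sessions estimated above.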
One Area That Does Need Attention: AOV
Average order value has declined 8% (30d) and 23% (7d) year-over-year. This is independent of bot traffic. Possible causes: product mix shift, increased discounting, or loss of higher-ticket items. CRO execution can address this through upsell tactics, bundle promotion, and strategic pricing presentation.
The Restructured Execution Plan
We have reshuffled the original project timeline to respond directly to the team's priorities. The original plan sequenced Performance Optimization (Epic 2) before CRO Execution (Epic 3). We are now pulling the highest-impact tasks from both epics, re-ordering everything by expected revenue impact, and adding a new Phase 0 that did not exist in the original plan.
The goal is simple: deliver the fastest possible conversion rate improvement with the resources we have. Every task below is sequenced by how quickly it can generate measurable revenue lift, not by which epic it originally belonged to. Infrastructure fixes that directly affect conversion (Apple Pay, checkout friction, shipping bugs) are pulled into Phase 0 alongside the bot traffic fix. CRO quick wins that the original plan scheduled for weeks 5-8 are brought forward to weeks 2-5. Tasks that are important but slower to show results (positioning, About page, performance optimization) stay in later phases.
Immediate
Critical fixes and bot filtering so we can measure CRO results accurately.
Jun 3 - Jun 27
Highest-ROI, lowest-effort changes targeting the homepage and product page buy box.
Jul 1 - Jul 26
Jul 29 - Aug 27
Expected Impact
Projections based on ~20,000 legitimate sessions/month and current AOV of £65.55.
How we arrived at these scenarios
These projections are based on the store's real (bot-filtered) traffic of approximately 20,000 legitimate sessions per month and the current AOV of £65.55. The math is straightforward: additional orders = (new conversion rate - current rate) x monthly sessions. Additional revenue = additional orders x AOV.
Conservative (+0.3%): This level of lift is consistently achievable through homepage headline and CTA optimization alone. Industry benchmarks show that rewriting a headline to be customer-benefit-focused and redesigning a CTA for higher contrast typically yields a 0.2-0.5% conversion rate improvement on ecommerce sites. Phase 1 covers these changes.
Moderate (+0.6%): This compounds the Phase 1 wins with social proof deployment (testimonials on product and collection pages) and market differentiation (the "Why Choose Us" section). Adding visible reviews and satisfaction framing to product pages is one of the highest-ROI CRO interventions available, with documented lifts of 0.2-0.4% on its own. Combined with Phase 1, a total 0.6% lift across the full 12-week plan is realistic.
Optimistic (+1.1%): This assumes all three phases deliver at the upper end of their expected ranges, including checkout friction reduction (Apple Pay, hidden discount field, trust badges, urgency messaging). Reaching 3.0% would put the store above its historical average and requires sustained execution across all phases plus some organic traffic quality improvement.
Our Approach: Why We Restructured the Plan
The original Web Project Plan had three epics in sequence: Technical Foundation Audit (complete), Performance Optimization, then CRO Execution. That sequence made sense when we built it. Performance optimization improves page speed, which reduces bounce rate. CRO execution improves what visitors see and do, which increases purchases. The logical order was to make the site faster first, then make it more persuasive.
But the situation has changed. The team has told us directly that cash flow is tight and that results need to come faster. We listened. And when we dug into the data, we found that the conversion rate alarm is largely a false signal caused by bot traffic. That means the real opportunity is not about fixing a broken site. It is about making a working site convert even better, and doing it quickly enough to impact revenue within weeks, not months.
That is why we restructured the plan. We pulled the highest-impact CRO tasks forward. We combined them with critical audit fixes that directly affect checkout conversion (Apple Pay, GDPR compliance, shipping friction). We added Phase 0 to clean up the bot traffic so we can measure results accurately. And we moved performance optimization to a later phase, because while it matters, it does not generate the same immediate revenue lift as CRO changes do.
The CRO report we delivered in January scored the store's "Decision" stage at 14/25 and "Action" stage at 17/25. Those are the two weakest points in the conversion funnel. Every task in Phases 1, 2, and 3 targets one of those two stages. The changes we are making are not speculative. They are proven, high-ROI interventions that are widely used by top-performing ecommerce stores: headline rewrites, CTA redesigns, bestseller badges, scarcity messaging, testimonial deployment, and checkout friction reduction.
Performance optimization is not being dropped. It will run as the next phase after CRO execution completes. The 17 tasks originally planned for Epic 2 (image compression, script cleanup, lazy loading, font optimization) remain in the project plan and will be executed on the same timeline structure.
Next Steps
1. Review and approve the restructured plan as outlined above.
2. ALC executes Phase 0 (bot filtering + critical fixes) in Week 1. This is already in motion.
3. Phase 1 begins immediately after, with weekly progress updates shared with the team.
4. We schedule a check-in at the end of Phase 1 (Week 5) to review initial conversion rate impact and adjust Phase 2 priorities based on what we learn.
5. Performance Optimization begins after CRO Execution completes, using the same 12-week structure.