1 / 14
Navigate
Racing Force Group

Infrastructure
Migration Analysis

Website Infrastructure Analysis & Hetzner Cloud Migration Proposal

Date:  June 11, 2026
Status:  Draft — For Internal Review
Prepared by:  Amar Bešlija
Executive Summary

Current State Assessment

Racing Force Group operates a portfolio of 6 WordPress-based e-commerce websites, with critical infrastructure concerns requiring immediate attention.

6
WordPress Sites
1
Domain Offline
0
Access Credentials
5
E-Commerce Stores

Key Findings

  • 01 Infrastructure fragmentation across multiple hosting providers with no centralized management
  • 02 Critical security vulnerabilities from outdated WordPress core, plugins, and exposed endpoints
  • 03 Performance bottlenecks: no caching on 4 of 5 e-commerce sites, heavy plugin stacks
  • 04 zeronoise.com domain is completely offline with unknown root cause

Critical Blockers

  • No login credentials for current server infrastructure
  • No access to Cloudflare account and DNS management
  • No access to domain registrar accounts
  • Proposing full migration to Hetzner Cloud infrastructure with fresh architecture
Digital Estate Overview

Domain Inventory

Complete inventory of all 8 domains across the Racing Force Group digital portfolio.

1
racingforce.com
Corporate Website
Live No e-commerce
2
ompracing.com
OMP EU Store
Live WooCommerce
3
us.ompracing.com
OMP USA Store
Live WooCommerce
4
bellracing.com
Bell Racing Store
Live WooCommerce
5
us.bellracing.com
Bell Racing USA Store
Live WooCommerce
6
racingspirit.com
Racing Spirit
Live WooCommerce
7
zeronoise.com
Zeronoise — OFFLINE
Offline N/A
8
hps.eu
HPS Defense
Live WooCommerce
Technology Stack

Version Matrix Analysis

Per-site plugin and core version inventory. Outdated versions highlighted in red/orange, current versions in green.

Site WordPress Elementor WooCommerce WP Rocket Slider Rev
racingforce.com 6.5.8 3.24.2 N/A No 6.7.34
ompracing.com 6.5.8 3.26.0 9.0.4 No 6.7.40
bellracing.com 6.5.8 3.24.2 9.0.4 No 6.6.20
racingspirit.com 6.7.5 4.0.8 9.7.3 No 6.7.35
zeronoise.com N/A N/A N/A N/A N/A
hps.eu 6.5.7 3.24.2 9.0.3 ✓ 3.17.3.1 6.6.20

Racing Spirit is the only site running current versions of all components. hps.eu is the only site with a caching plugin (WP Rocket) installed.

Risk Assessment

Critical Issues Overview

9 identified issues ranked by severity, from production outages to missing monitoring.

#1
CRITICAL Zeronoise.com Completely Offline
Domain returns no response. Root cause unknown. Brand presence entirely unavailable.
#2
CRITICAL — BLOCKER No Access Credentials
No login credentials for servers, Cloudflare, or domain registrars. Cannot perform any infrastructure changes.
#3
HIGH Outdated WordPress Core (6.5.x vs 6.7.x)
5 of 6 sites run WordPress 6.5.x, missing critical security patches from 6.6 and 6.7 releases.
#4
HIGH Outdated Elementor Pro (CVE-2024-8494)
Known information exposure vulnerability. Elementor versions ≤ 3.25.10 are affected across 4 sites.
#5
HIGH No Caching on 4 of 5 E-Commerce Sites
Only hps.eu has WP Rocket. Remaining stores serve uncached PHP responses, causing slow page loads.
#6
MEDIUM No Web Application Firewall (WAF)
No WAF protecting any site. All WordPress installations exposed to direct attacks without filtering.
#7
MEDIUM Exposed WordPress REST API & Endpoints
REST API and xmlrpc.php publicly accessible, enabling user enumeration and brute force attacks.
#8
MEDIUM Heavy Plugin Stack
15–20 active plugins per site creates maintenance overhead, increases attack surface, and degrades performance.
#9
MEDIUM No Monitoring or Alerting
Zero uptime monitoring, performance tracking, or security alerting in place. Issues go undetected.
Security Analysis

Vulnerability Assessment

Known vulnerabilities affecting the current technology stack components.

Component Version Vulnerability CVE Severity
WordPress Core 6.5.x Cross-Site Scripting (XSS) Multiple Medium-High
Elementor Pro ≤ 3.25.10 Information Exposure CVE-2024-8494 Medium-High
Slider Revolution 6.6.x Historical Remote Code Execution Various High
WooCommerce 9.0.x Various security patches missed N/A Medium
ElementsKit Various Authentication Bypass N/A Medium
WordPress REST API Open User Enumeration N/A Low-Medium
XML-RPC Open Brute Force Amplification N/A Medium
⚠ Attack Surface Summary
6 WordPress installations running 15–20 plugins each — approximately 100–120 active plugin instances in production. There is no Web Application Firewall (WAF), no Intrusion Detection System (IDS), and no automated security scanning. The entire infrastructure operates without credential access, making incident response impossible in the current state.
Performance Analysis

Page Weight & Load Time Estimates

Estimated front-end performance metrics based on external analysis of each production site.

Site CSS Requests JS Load Caching Est. Load Time
racingforce.com ~60+ Heavy (RevSlider) None 4–6s
ompracing.com ~70+ Heavy (RevSlider + Woo) None 5–8s
bellracing.com ~60+ Heavy (RevSlider + Woo) None 5–8s
racingspirit.com ~80+ Heavy (RevSlider + Woo) None 5–8s
hps.eu ~40+ Moderate WP Rocket ✓ 2–4s
zeronoise.com N/A N/A N/A OFFLINE

Performance Bottlenecks Identified

No page caching on 4 of 5 sites
60–80+ CSS file requests per page
Slider Revolution loading on every page
External FontAwesome CDN dependency
Render-blocking Google Fonts
No Redis object cache
No image optimization (WebP/AVIF)
CDN not optimized for EU audiences
BLOCKER

Access & Credential Gap

This is the single most critical blocker preventing any infrastructure work from proceeding.

This is the #1 BLOCKER for the entire project Without credentials, no migration, security hardening, or performance optimization can begin.
Service / Platform Required Access Status Priority
Server Hosting SSH root, hosting control panel Missing CRITICAL
Cloudflare Account admin, DNS edit, API tokens Missing CRITICAL
Domain Registrar Registrar login, EPP/transfer codes Missing CRITICAL
WordPress Admin Super admin for all 6 installations Missing CRITICAL
Database MySQL credentials per site Missing HIGH
SSL Certificates Certificate management / renewal Missing HIGH
Email Provider login, mailbox management Missing HIGH
Payment Gateways Stripe / PayPal / Gestpay dashboards Missing HIGH
Google Services GA, GTM, Search Console access Missing MEDIUM
Third-party APIs Doofinder, Store Locator, SaaS keys Missing MEDIUM

Credential Recovery Plan

1
Identify and contact the former developer/agency who managed the infrastructure
2
Request formal handover of all credentials in a secure, encrypted format
3
If unavailable, initiate account recovery with each provider using company documentation
4
Reset all passwords and rotate API keys immediately upon gaining access
5
Enable 2FA on every account and store credentials in a password manager (1Password / Bitwarden)
6
Document all access points and create a credential registry for the organization
Proposed Architecture

Hetzner Cloud Infrastructure

Proposed server architecture on Hetzner Cloud with Cloudflare CDN, centralized database, and object storage.

Edge Layer
☁ Cloudflare (CDN + WAF + DNS)
Global CDN, DDoS Protection, WAF Rules, SSL Termination
WordPress Application Servers
racingforce.com
8 vCPU · 16GB RAM
160GB NVMe
CX32
OMP Racing
8 vCPU · 16GB RAM
160GB NVMe
CX32
Bell Racing
8 vCPU · 16GB RAM
160GB NVMe
CX32
Racing Spirit
8 vCPU · 16GB RAM
160GB NVMe
CX32
Zeronoise
8 vCPU · 16GB RAM
160GB NVMe
CX32
HPS
8 vCPU · 16GB RAM
160GB NVMe
CX32
Data & Storage Layer
🗃 MySQL Server
8 vCPU · 16GB RAM
160GB NVMe
CX32 · Centralized DB
⚡ Redis Server
4 vCPU · 8GB RAM
CX22 · Object Cache
📦 Object Storage
Hetzner S3 · Pay-per-use
Media & Backups
Infrastructure

Server Specifications

Detailed server specifications for the proposed Hetzner Cloud infrastructure.

Important: These are starter specifications. Instances can be scaled up or down based on actual usage. Hetzner allows live resizing for most configurations.
Server Hetzner Type Specs (Starter) Site(s)
WP Server — racingforce.com CX32 8 vCPU, 16GB RAM, 160GB NVMe racingforce.com
WP Server — OMP Racing CX32 8 vCPU, 16GB RAM, 160GB NVMe ompracing.com + us.ompracing.com
WP Server — Bell Racing CX32 8 vCPU, 16GB RAM, 160GB NVMe bellracing.com + us.bellracing.com
WP Server — Racing Spirit CX32 8 vCPU, 16GB RAM, 160GB NVMe racingspirit.com
WP Server — Zeronoise CX32 8 vCPU, 16GB RAM, 160GB NVMe zeronoise.com (rebuild)
WP Server — HPS CX32 8 vCPU, 16GB RAM, 160GB NVMe hps.eu
MySQL Server CX32 8 vCPU, 16GB RAM, 160GB NVMe Centralized DB
Redis Server CX22 4 vCPU, 8GB RAM Object cache
Object Storage Hetzner S3 Pay-per-use Media, backups
Backup Storage Storage Box 100–500GB Offsite backups
Software Architecture

Software Stack

Standardized software stack deployed across all WordPress application servers.

Component Technology Purpose
Operating System Ubuntu 24.04 LTS Long-term support, stability
Web Server Nginx High-performance reverse proxy
PHP 8.3 Latest stable, WordPress compatible
WordPress Latest 6.7.x CMS core, patched and current
Caching Redis + WP Rocket Object cache + page cache
SSL Let's Encrypt + Cloudflare End-to-end encryption
Backup UpdraftPlus → S3 Automated off-site backups
Monitoring Prometheus + Grafana Metrics, dashboards, alerting
Security Fail2Ban + Wordfence + Cloudflare WAF Multi-layered protection

Why This Architecture?

🔒
Full Control
Root access to all servers, no shared hosting limitations
🇪🇺
EU Data Sovereignty
GDPR-compliant, data stays in EU data centers
📈
Scalability
Live-resize instances based on demand
Performance
NVMe storage, Redis caching, Nginx
🛡
Security
WAF, Fail2Ban, automated patching
💻
Centralized Mgmt
One provider for all infrastructure
💾
Automated Backups
Daily backups to S3 + offsite storage
Migration Plan

Migration Phases

Six-phase migration roadmap from credential recovery through ongoing maintenance.

Phase 0 Credential Recovery 🔴 BLOCKER
  • Contact former developer/agency for credential handover
  • Initiate account recovery with hosting providers
  • Recover Cloudflare account access
  • Recover domain registrar access for all 6 domains
  • Document and secure all credentials in password manager
Phase 1 Hetzner Infrastructure Setup
  • Create and configure Hetzner Cloud project
  • Provision 6 WP servers (CX32), MySQL, Redis
  • Configure Hetzner S3 object storage
  • Set up internal networking / firewall rules
  • Install Nginx, PHP 8.3, MySQL on all servers
  • Configure Redis for object caching
Phase 2 WordPress Migration, Staging & Hardening Key Phase
  • Migrate WordPress files and databases per site
  • Update all WordPress cores, plugins, and themes to latest
  • Configure WP Rocket caching on all sites
  • Install and configure Wordfence security
  • Disable XML-RPC, restrict REST API
  • ▶ Staging Environment for Future Development: Set up staging clones of each site for safe testing of updates, new features, and theme changes before deploying to production
  • Performance tuning: image optimization, CSS/JS minification
  • Configure automated backups to S3 via UpdraftPlus
Phase 3 Cloudflare Optimization
  • Configure Cloudflare DNS for all domains
  • Enable Cloudflare WAF with WordPress ruleset
  • Set up page rules for caching static assets
  • Configure SSL mode (Full Strict)
  • Enable Brotli compression
  • Set up Cloudflare analytics and monitoring
Phase 4 Testing & Go-Live
  • Comprehensive functional testing on all sites
  • E-commerce checkout flow verification
  • Performance benchmarking (target < 3s load time)
  • SSL certificate verification
  • DNS cutover with low TTL for quick rollback
  • Post-launch monitoring for 72 hours
Phase 5 Ongoing Maintenance
  • Weekly WordPress core and plugin updates
  • Monthly security audits
  • Prometheus/Grafana monitoring dashboards
  • Quarterly performance reviews
  • Backup verification and restore testing
Action Items

Recommended Next Steps

Prioritized action items organized by urgency and timeline.

🔴 Immediate
1
Request all credentials from former developer/agency with a formal handover document
2
Verify domain ownership with registrars; obtain EPP transfer codes for all 6 domains
3
Gain Cloudflare account access; verify DNS records match current configuration
4
Investigate zeronoise.com offline status; determine if domain can be recovered or needs rebuild
🟠 Short-Term
1
Create Hetzner Cloud account and set up the project with billing and access controls
2
Provision staging environment on Hetzner for initial migration testing
3
Define migration order: start with racingforce.com (simplest, no e-commerce)
4
Audit all active plugins across sites; identify and remove unused/insecure plugins
🔵 Medium-Term
1
Execute full site-by-site migration following the 6-phase plan
2
Rebuild zeronoise.com from scratch on fresh WordPress installation
3
Deploy Prometheus + Grafana monitoring across all servers
4
Verify backup integrity with test restores on staging environment
Appendix

Credential Checklist & Technology Summary

Complete credential checklist and technology summary for reference during the migration.

Credential Checklist

🌐 Server Hosting
SSH root access Control panel login
Cloudflare
Account email 2FA recovery API tokens
🌐 Domain Registrar
6 domains EPP codes WHOIS access
🔐 WordPress Admin
Admin credentials FTP/SFTP access
🗃 Database
MySQL per site phpMyAdmin
🔒 SSL Certificates
Private keys Renewal access
Email
Provider login Mailbox list DNS records
💳 Payment Gateways
Stripe PayPal Gestpay
📊 Google Services
Analytics Tag Manager Search Console
🔌 Third-party APIs
Doofinder Store Locator Other SaaS keys

Technology Summary (Appendix B)

Technology Usage
WordPressCMS (all 6 sites)
WooCommerceE-commerce (5 sites)
Elementor ProPage builder (all sites)
Slider RevolutionHero sliders (all sites)
WP RocketCaching (hps.eu only)
CloudflareCDN / DNS (all domains)
ElementsKitElementor addons
DoofinderSite search
Store LocatorDealer locator
FontAwesomeIcon library (CDN)
Google FontsTypography (render-blocking)
Stripe / PayPal / GestpayPayment processing
Google Analytics / GTMAnalytics & tracking
PHPServer-side (version varies)
MySQLDatabase (per site)