Benson Theatre — Rebuild Gap Audit

A second-pass audit (2026-05-08) of everything we've documented for the rebuild, looking for what we'd hit at launch but didn't plan for. Triggered by Eric noticing GA4 was nowhere in the spec.

Legend: ✅ covered already · ⚠️ partial / needs depth · ❌ missing

1. Analytics & measurement — ❌ MAJOR GAP (Eric flagged this)

Found on live site: GTM-WNGJGS6 (Google Tag Manager container) — owned by Shape Society. We don't have access. Whatever's inside the container (GA4? FB Pixel? Other?) is invisible to us. There's a google-site-verification=EdhCV7Zm05LpmrF9MNaCgA6i4B5h_ACWRsNSvJq7sG0 TXT record in DNS proving Google Search Console is verified somewhere — but we don't know who has access.

Item	Status	Action
GA4 property	❌ Unknown	Try to recover Shape Society's GA4 access (low odds) OR roll a fresh GA4 property under a Benson Theatre Google Workspace account post-Workspace-recovery. Either way, we lose continuity with historical data unless we get the existing one.
Google Tag Manager	❌ Unknown	Same — recover GTM-WNGJGS6 from Shape Society OR roll fresh on rebuild. Decision lives with hosting/identity — better to start fresh and own it ourselves.
Google Search Console	⚠️ Token in DNS	Verification exists but we don't know which account. Either claim ownership via DNS TXT (we control DNS now) or add a new verification. Need to do this anyway to submit fresh sitemap post-launch for SEO recovery from spam compromise.
Conversion / event tracking	❌ Missing	Donations clicked, ticket-buy-button clicked, volunteer form submitted, membership tier clicked, newsletter signed up — these need to be defined as GA4 events.
Cookie consent banner	❌ Missing	If we install GA4 + analytics cookies, technically need consent UI under various states' privacy laws (CCPA, etc.) and Google Consent Mode v2. Decision needed.
Bing Webmaster Tools	❌ Missing	Optional, low priority.

2. Email infrastructure — ❌ MAJOR GAP

DNS audit findings (verified 2026-05-08 via dig):

SPF:    NOT SET ❌
DKIM:   NOT SET (google._domainkey returns empty) ❌
DMARC:  v=DMARC1; p=none;  (monitor only, no enforcement) ⚠️

Implication: every email leaving bensontheatre.org today — Gravity Forms notifications, the quarterly newsletter, transactional confirmations, anything Workspace sends on the domain's behalf — is unauthenticated. Recipient mail servers (Gmail, Outlook, etc.) are flagging or spam-filtering this email. Real outreach from this domain is half-broken right now.

Also weird: there's an MS=ms29607555 Microsoft 365 verification token in DNS, which is left over from a prior Microsoft 365 setup. Workspace is the live system — that token should be cleaned up.

Item	Status	Action
SPF	❌ MISSING	Add `v=spf1 include:_spf.google.com ~all` TXT record at GoDaddy DNS. Critical for deliverability.
DKIM	❌ MISSING	Enable DKIM in admin.google.com → publish the generated public key to DNS as a TXT record at `google._domainkey.bensontheatre.org`. Cannot do until Workspace super admin recovered.
DMARC	⚠️ p=none	Once SPF + DKIM are in place and observing, tighten to `p=quarantine` then `p=reject`. Add `rua=mailto:` for aggregate report visibility.
MX records	✅ Correct	Already pointing at aspmx.l.google.com
Stale Microsoft TXT	⚠️ Stale	Drop the `MS=ms29607555` token at GoDaddy. Old/orphaned.
Transactional email path	❌ Undecided	Gravity Forms notifications — go through wp_mail (host-relayed, fragile) or via SMTP plugin to SendGrid/Brevo? Recommended: SendGrid via G&M's account (we already use it for other clients) or Brevo SMTP.

3. Legal / compliance pages — ❌ MAJOR GAP

What the live site has under /policies/: a COVID-19 health screening protocol from 2020-2022. That's it. No privacy policy, no terms of use, no cookie policy, no real refund/cancellation policy beyond one sentence about ticket refunds within 24 hours.

Page	Status	Action
Privacy policy	❌ MISSING	Required for any site that takes form submissions, payments, or runs analytics. Use Termly or iubenda generator + nonprofit-specific clauses, OR have Jim's attorney review a template.
Terms of use / Service	❌ MISSING	Required when accepting payments (PayPal donations, memberships). Light version OK for nonprofit.
Cookie policy	❌ MISSING	Pairs with cookie consent banner if we install GA4 + tracking.
Refund / cancellation policy	⚠️ One sentence buried in COVID policy	Pull out into a dedicated "Tickets & Refunds" section since Benson redirects ticketing to 3rd parties (Purplepass etc.) — clarify which org handles refunds.
Donation refund policy	❌ MISSING	Standard nonprofit boilerplate.
501(c)(3) tax-deductible language on donate page	❌ MISSING	Donors need this for tax substantiation. "Benson Theatre is a 501(c)(3) nonprofit (EIN: ___). Your contribution is tax-deductible to the extent allowed by law."
EIN displayed publicly	❌ MISSING	We have the IRS letter; EIN should be on Donate + footer + About. Donor transparency.
Accessibility statement	⚠️ Empty page	Page exists but is content-blank. Real Section 504 / ADA AA statement needed.
ADA / Section 504 compliance plan	❌ MISSING	Build accessibility into the theme + audit at QA. The current shell page doesn't satisfy.

4. Page templates I haven't speced — ❌ GAPS

Template	Status	Notes
404 page	❌ MISSING	Custom 404 with brand voice + helpful nav. Critical for spam-URL kills (every spam URL hits this).
Search results page	⚠️ Built-in WP default	Per BUILD-SPEC, we're using built-in WP search. The search results template still needs design — most themes leave it ugly.
Gravity Forms confirmation pages	❌ MISSING	After volunteer form submits, after student membership signs up, after contact form sends — design the thank-you state.
Donate thank-you page	⚠️ PayPal redirects there	PayPal can be configured to return to a specific URL post-donation. Decide if we add `/thank-you-for-donating/` page.
Calendar empty state	❌ MISSING	What does /calendar show when there are no upcoming events? Same for /tickets-and-events.
Past events archive	❌ UNDECIDED	What happens to events after they happen? Auto-hide, archive page, or keep visible forever? Common venue ask: "Past Shows" gallery.
Press kit / media kit	❌ MISSING	Press requests usually need: logos (color/white/black), high-res photos of the venue, boilerplate "About Benson Theatre" copy, press contact email. Common ask.

5. Schema.org / structured data — ❌ MISSING

For SEO recovery from the spam compromise, structured data is one of the highest-leverage moves we can make. Yoast handles some defaults but needs configuration.

Schema	Status	Where
Organization (NonprofitOrganization specifically)	❌ MISSING	Add to homepage / About: name, EIN, mission, address, phone, social URLs, logo. Helps Google's Knowledge Graph.
Event	❌ MISSING	Per-event schema with date, location, offers, performer. Enables rich event results in Google Search ("Events in Omaha"). Critical for venue.
BreadcrumbList	❌ MISSING	Yoast generates if configured.
LocalBusiness or PerformingArtsTheater	❌ MISSING	More specific than Organization for a venue.
Article / NewsArticle	⚠️ Partial via Yoast	News + press posts.

6. Brand image / favicon set — ⚠️ PARTIAL

We have icon.png on the existing site and the logo SVGs. Need:

Asset	Status
favicon.ico (multi-size)	❌ Generate from logo
32x32 / 192x192 PNG	⚠️ Existing site has `icon.png` — needs proper resize set
Apple Touch Icon (180x180)	⚠️ Existing site has it
Android Chrome icon	❌ Add to web manifest
`site.webmanifest`	❌ MISSING
`theme-color` meta tag	❌ MISSING
Open Graph default image	⚠️ Currently uses Benson Theatre Sign photo — fine but should be intentional
Twitter Card image	⚠️ Same as OG

7. Calendar / event features (venue-standard) — ❌ GAPS

Feature	Status	Notes
iCal subscribe-to-calendar feed	❌ MISSING	Standard for venues. Lets patrons subscribe in Apple/Google Calendar. Events Manager Pro supports this natively — just need to enable + link.
"Add to Calendar" button per event	❌ MISSING	Single-click add to Google/Apple/Outlook from event single page. AddEvent.com or self-hosted.
Past events archive view	❌ UNDECIDED	See above.
Event RSS feed	⚠️ WP default	Available via /event/feed/ if CPT registered properly.
Event search / filter	❌ MISSING	Filter by category, date, free vs ticketed. Events Manager Pro supports.

8. Nonprofit transparency — ❌ GAPS

Things 501(c)(3)s typically display:

Item	Status
Annual report / 990 link	❌ MISSING
Board of Directors page	❌ Probably under /staff-leadership but confirm
Major donor / sponsor wall	❌ Likely missing — Candid + NAM badges hint at more
Impact statistics	⚠️ Donate page mentions "5,000 community members" but stats are stale (early 2022 launch claim)
Mission statement (prominent)	✅ On home + About
EIN	❌ Should be in footer at minimum
Charity Navigator / Candid public link	❌ Have the Candid Platinum badge — link it to their public profile

9. Forms — ⚠️ PARTIALLY SPECCED

BUILD-SPEC has volunteer + student-membership + contact + booking forms. Possibly more:

Form	Status	Notes
Volunteer application	✅ Specced	Replace Google Form
Student membership signup	✅ Specced	Replace Google Form
General contact	✅ Specced	New (didn't exist on old site)
Booking inquiry	✅ Specced	On /booking-information
Press inquiry	❌ MISSING	Press kit page should have a press contact form
Newsletter signup	⚠️ Deferred	Pending Jim's clarification on current newsletter
Donation in-honor / in-memory of	❌ MISSING	Common nonprofit ask — "this gift is in honor of [name]" with an option to email the honoree
Group ticket / group sales inquiry	❌ MISSING	Venues commonly accept group sales requests
Rental quote request	❌ MISSING / mailto only	/booking-information currently a `mailto:booking@`. A Gravity Form with date / event size / catering / tech needs would qualify leads better.
Event submission (for community partners)	❌ MISSING	Community partners propose events to Benson Theatre. Could be a Gravity Form workflow.

10. Performance, monitoring, ops — ❌ GAPS

Item	Status
Core Web Vitals targets	❌ Not stated
Performance baseline (current site)	❌ Not measured
Uptime monitoring (UptimeRobot / BetterStack)	❌ MISSING
Broken link monitoring post-launch	❌ MISSING
404 monitoring (which old URLs are still being hit)	❌ MISSING — Redirection plugin tracks this
Pre-launch QA checklist	⚠️ `/testing` skill exists but not adapted to this project
DNS TTL drop before cutover	❌ Not in launch plan — should drop A record TTL to 300s 24-48hrs before cutover
Staging environment	❌ Not planned beyond Local
Backup/restore drill	❌ Not planned
Plugin licenses inventory (who owns Gravity Forms key, ACF Pro, ACFE, Imagify, Admin Columns Pro)	❌ MISSING
Rollback plan if launch goes wrong	❌ MISSING — on Flywheel, host-native restore is path

11. Content gaps surfaced by deeper sitemap audit

Pages we have but didn't dig into deeply:

Page	What's there	Action
`/policies`	COVID-only	Rewrite as proper Policies page covering: privacy, terms, cookies, refunds, code of conduct, photo/recording, accessibility commitment. Link from footer.
`/accessibility`	Empty shell	Write a real accessibility statement: AA conformance target, accommodations available (ramps, elevator already mentioned on /the-main-auditorium), how to request accommodations, contact for issues.
`/parking`	Useful but short	Confirm content is current.
`/the-cliff-judy-radcliff-green-room-campaign`	H1 mismatched	Likely a wrapped campaign — KILL or ARCHIVE per Jim.
`/what-is-benson-social`	Unknown	Need to confirm program with Jim.
`/community-partners`	Title only	Need the actual partner list.

12. Migration / cutover deeper details — ⚠️ PARTIAL

Already covered: 301 redirects, sitemap submission, DNS cutover. Missing:

Item	Status
URL mapping spreadsheet (old → new, every URL)	⚠️ SITEMAP-MASTER covers KEEP/KILL/MERGE; need a separate redirect MAPPING after Final column is filled
Email continuity through cutover	⚠️ MX stays on Workspace — should be no email impact, but verify in pre-launch
Robots.txt	❌ Default WP suffices but verify spam-injected URL paths are explicitly disallowed
410 (Gone) for spam-injected paths	❌ Better than 301 for SEO recovery — tells Google "this was never legitimate"
Pre-launch DNS TTL drop	❌ See above
Pre-launch announcement / notice	❌ Should we soft-launch under a staging URL and ask Jim to test before flip?

13. Other I haven't speced

Multilingual? I'm assuming English-only. Confirm.
WordPress role assignments for Jim, Miranda, Eric — who's Administrator vs Editor vs Author?
Comments on blog posts — enable or disable? Default WP allows; nonprofits usually disable to avoid moderation overhead.
Author bylines on news/press posts — do they show? Whose names attach?
Search engine indexing pre-launch — keep noindex while developing, flip on at launch.
Privacy-respecting embeds — if we ever embed YouTube/Vimeo, use privacy-mode embeds (cookieless until clicked).

Priority bucket

Pre-launch must-do (10): 1. SPF + DKIM + DMARC (email auth) 2. GA4 property — fresh on G&M / Benson account, with conversion events 3. Google Search Console verification (ours, not Shape Society's) 4. Privacy policy + Terms + Cookie policy (proper) 5. Real accessibility statement 6. 501(c)(3) language + EIN on Donate page 7. 404 + Search results templates designed 8. Schema.org Organization + Event markup 9. Real /policies content (refunds, COH, photo/recording) 10. Pre-launch DNS TTL drop + redirect map QA

Strongly recommended (10): 11. iCal feed + "Add to Calendar" buttons 12. Press kit page 13. Cookie consent banner (paired with GA4 decision) 14. SendGrid SMTP for transactional email 15. Past events archive policy 16. Group sales / rental quote forms 17. Annual report / 990 link 18. EIN in footer 19. SEO conversion event tracking 20. Uptime monitoring

Nice-to-have (post-launch OK): 21. Press inquiry form 22. In-honor / in-memory donation flow 23. Community partner event submission flow 24. Newsletter archive (if newsletter exists) 25. Privacy-mode YouTube/Vimeo embeds

Open questions for Eric (asked separately + as Todoist cards)

GA4/GTM strategy: try to recover Shape Society's GTM/GA4 OR roll fresh GA4 (and skip GTM)?
Privacy/Terms: Termly/iubenda generator vs hand-written vs Jim's attorney?
Cookie consent banner: yes (CookieYes / Complianz) vs no (skip if cookieless analytics)?
iCal calendar feed + "Add to Calendar" — yes (standard) or skip?
Past events archive: hide / archive page / keep forever?

Open questions for Jim (added to Todoist 'Blocked' for May 11 session)

Where does the existing GA4 / GTM live? (Who has access?)
Do you have a privacy policy from any prior version of the site?
What's the EIN? (Per IRS letter — likely on file, just need to confirm)
Past events — keep visible, archive, or delete?
Is there a press kit / logo files we should reuse?
Major donors / sponsors — any wall or recognition we should display?
Most recent annual report or 990 — link to public version?
Should comments be enabled on news/press posts?
Group sales — currently any process? Want a form?
Rental quote — currently a mailto. Want a real qualifying form?