Australian Government · DFAT · International Development
Australia Awards Timor-Leste
Same-day SEO + security hardening for the DFAT-funded scholarship program serving Timorese students. Social-meta score 0 → 92, security score 25 → 85, schema 0 → 1, homepage payload −12%.

The context
Australia Awards Timor-Leste runs the Australian Government's scholarship, short-course, and alumni programs for Timorese citizens. The website is the front door — the first place a prospective student, a current scholar in Brisbane, or a returned alumni chapter goes for information.
The site worked and was indexed, but a quick baseline audit turned up a long list of small problems with a single theme: low-cost things that had been missed. No preview cards when the site was shared on Facebook, LinkedIn, or WhatsApp. No structured information for Google. Every audited page was missing a meta description. The login area was leaking the administrator's username publicly. The site had no modern security headers. And an unused chat widget was loading on every page, adding weight nobody benefited from.
What we shipped
1 · Security baseline at the server level
We added our standard server-level security headers and blocked the public endpoint that was leaking the admin username — a small change in the right place that kills a common reconnaissance step before any login form is ever shown.
2 · A single drop-in file for the SEO basics
Everything the site was missing for search engines and social media now lives in one small, self-contained file on the server. No new plugin in the admin, nothing for the AATL team to maintain. It adds:
- Proper preview cards on Facebook, LinkedIn, Twitter, and WhatsApp — with a branded fallback image so links never look broken
- A structured identity card for Google on the homepage that correctly identifies AATL as a program run under DFAT
- Breadcrumb trails in search results so Google can show the user where the page sits in the site
- Sensible default descriptions on every page that didn't have one written by hand
- A better homepage title that mentions scholarships, short courses, and alumni programs — not just the brand name
- WordPress fingerprints removed so the site no longer broadcasts the exact version of software it's running
- Hidden test pages and orphaned demos kept out of search results without breaking any links
- Polite hand-off — if the team ever installs Yoast or RankMath, our file stands down automatically. No conflicts to debug.
3 · Helping AI assistants cite the right source
AATL is exactly the kind of authoritative source AI assistants should be quoting when a student in Bobonaro asks ChatGPT or Claude about Australian scholarships. We published a curated map of the site's 25 most important pages in the format AI engines look for, and made the site's position on AI crawlers explicit: the real assistants — ChatGPT, Claude, Perplexity, Google, Apple, Amazon — can read it and cite it.
4 · A small speed win
An unused chatbot plugin was loading roughly 28 KB of styles, scripts, and fonts on every single page request. Turning it off shaved more than 12% off the homepage weight with zero visible change to the site — the kind of thing nobody asked for but every visitor on a hotel Wi-Fi or 4G in the districts feels.
Results
Verified externally the same day with independent scanners:
- Social preview cards: 0/100 → 92/100
- Security headers grade: 25/100 → 85/100
- Structured data on the homepage: none → full identity graph
- Breadcrumb trails: added to every sub-page
- Public admin-username leak: closed at the server
- Homepage page weight: 226 KB → 198 KB (−12.4%)
- AI-discovery file: 100/100
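A baseline check covering several of the items above (security headers, version fingerprint, preview-card tags, default description, structured data), as an added example that is not the project's own tooling or the scanners used for these scores. The header set is an assumption, since this page does not list which headers its baseline includes, and both sample responses are constructed.

```python
from html.parser import HTMLParser

# Assumed header set: the page does not say which headers its baseline includes.
EXPECTED_HEADERS = (
    "strict-transport-security", "content-security-policy",
    "x-content-type-options", "x-frame-options",
    "referrer-policy", "permissions-policy",
)

class HeadScan(HTMLParser):
    """Collects <meta> tags and counts JSON-LD <script> blocks."""
    def __init__(self):
        super().__init__()
        self.meta = {}    # lower-cased name/property -> content
        self.jsonld = 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta":
            key = (a.get("property") or a.get("name") or "").lower()
            if key:
                self.meta[key] = a.get("content", "")
        elif tag == "script" and a.get("type", "").lower() == "application/ld+json":
            self.jsonld += 1

def audit(headers, html):
    """Return a sorted list of findings for one HTTP response."""
    present = {name.lower() for name in headers}  # header names are case-insensitive
    findings = [f"missing header: {h}" for h in EXPECTED_HEADERS if h not in present]
    scan = HeadScan()
    scan.feed(html)
    if "generator" in scan.meta:  # CMS version broadcast in the page source
        findings.append(f"version fingerprint: {scan.meta['generator']}")
    for key in ("description", "og:title", "og:image", "twitter:card"):
        if not scan.meta.get(key):
            findings.append(f"missing meta: {key}")
    if scan.jsonld == 0:
        findings.append("missing JSON-LD structured data")
    return sorted(findings)

# Constructed sample responses, not captured from the real site.
BEFORE = ({"Server": "nginx", "X-Content-Type-Options": "nosniff"},
          '<html><head><title>Home</title>'
          '<meta name="generator" content="WordPress 0.0"></head></html>')
AFTER = ({h: "set" for h in EXPECTED_HEADERS},
         '<html><head><meta name="description" content="d">'
         '<meta property="og:title" content="t"><meta property="og:image" content="i">'
         '<meta name="twitter:card" content="summary">'
         '<script type="application/ld+json">{}</script></head></html>')
```

Running `audit(*BEFORE)` and `audit(*AFTER)` before and after a deployment gives a simple regression check on the same items.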
How it stays low-maintenance
Everything we added is reversible by deleting two files. Nothing was installed in the WordPress admin, no settings the AATL team has to learn or remember. If they decide to adopt a commercial SEO plugin later, ours stands down automatically — no conflict, no migration.
Stack
Security baseline
Nginx headers + WP hardening, no plugin bloat.
SEO baseline
OG, Twitter, JSON-LD, llms.txt — set once, no admin needed.
Payload trim
Disable unused plugins, kill third-party widgets.