Outdated Webserver Software Found, but is there more?
« on: November 09, 2014, 02:14:16 PM »
See: https://www.virustotal.com/nl/url/3f6a8da10a5c598e10de44e2a154e48eaf886f128945307980809359057faab8/analysis/1415536120/
Bitdefender flags.
Quttera gives blacklisted external links and domains: http://quttera.com/detailed_report/bobwolfgramagency.com
Outdated Webserver Software found: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips DAV/2 mod_bwlimited/1.4
Two IDS alerts recently ->
2014-11-07 13:38:44   3   urlQuery Client   69.171.237.20   SURICATA TLS invalid handshake message
2014-11-07 13:38:44   3   69.171.237.20   urlQuery Client   SURICATA TLS invalid handshake message
see: https://www.virustotal.com/nl/ip-address/69.171.237.20/information/

Security Headers for htxp://bobwolfgramagency.com
Using user-agent for Chrome 31.0-MacOSX

Result   | Category                | Name                              | Actual Value                                      | Recommendation
Missing  | Framing                 | X-Frame-Options                   |                                                   | Use 'sameorigin'
Missing  | Transport               | Strict-Transport-Security         |                                                   | Use 'max-age=31536000; includeSubDomains'
Missing  | Content                 | X-Content-Type-Options            |                                                   | Use 'nosniff'
Correct  | Content                 | Content-Type                      | text/html; charset=UTF-8                          | Use 'text/html;charset=utf-8'
Missing  | XSS                     | X-XSS-Protection                  |                                                   | Use '1; mode=block'
Missing  | Caching                 | Cache-Control                     |                                                   | Use 'no-cache, no-store, must-revalidate'
Missing  | Caching                 | Pragma                            |                                                   | Use 'no-cache'
Missing  | Caching                 | Expires                           |                                                   | Use '-1'
Missing  | Access Control          | X-Permitted-Cross-Domain-Policies |                                                   | Use 'master-only'
Missing  | Content Security Policy | Content-Security-Policy           |                                                   | Try Content-Security-Policy-Report-Only to start. Include default-src 'self', avoid 'unsafe-inline' and 'unsafe-eval'
Warning  | Server Information      | Server                            | Apache/2.2.25 (Unix).../2 mod_bwlimited/1.4       | Avoid version numbers
Warning  | Server Information      | X-Powered-By                      | PHP/5.3.26                                        | Avoid header
Warning  | Server Information      | X-Pingback                        | htxp://bobwolfgramagency.com/xmlrpc.php           | Avoid header and disable XML-RPC
See: http://www.site-scan.com/eng/show_headers.php?REQUEST=GET&URL=htxp://bobwolfgramagency.com&MODIFIED=0

XSS vuln. Results from scanning URL: htxp://bobwolfgramagency.com/wp-content/plugins/mailchimp/js/scrollTo.js?ver=1.4.2
Number of sources found: 43
Number of sinks found: 19
Results from scanning URL: htxp://bobwolfgramagency.com/wp-content/themes/genesis/lib/js/menu/superfish.args.min.js?ver=2.1.2
Number of sources found: 14
Number of sinks found: 17
Theme script should be checked for iFrame vulnerability.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
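An added example, not part of polonus's post nor code from any of the scanners he cites: a small Python audit that takes a response-header mapping and reproduces the Missing / Warning / Correct verdicts of the report above, adding the value checks the table only implies (HSTS max-age and includeSubDomains, CSP 'unsafe-inline'/'unsafe-eval', valid X-Frame-Options values, version strings in Server). The two header sets are constructed from the post's table rather than fetched; the baseline values are the table's recommendation column treated as a generic minimum, and the remediation hints name standard Apache (ServerTokens Prod) and PHP (expose_php) settings.

```python
import re

# Baseline taken from the recommendation column of the report above.
# Assumption: a generic minimum; tune per site before enforcing.
RECOMMENDED = {
    "x-frame-options": "sameorigin",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "cache-control": "no-cache, no-store, must-revalidate",
    "pragma": "no-cache",
    "expires": "-1",
    "x-permitted-cross-domain-policies": "master-only",
    "content-security-policy": "default-src 'self'",
}
MIN_HSTS_AGE = 31536000  # one year, as the report recommends


def _check_value(name, value):
    """Return None if a present header's value is acceptable, else a warning."""
    v = value.strip().lower()
    if name == "x-frame-options" and v not in ("deny", "sameorigin"):
        return "use 'deny' or 'sameorigin'"
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            return f"max-age should be at least {MIN_HSTS_AGE}"
        if "includesubdomains" not in v:
            return "add includeSubDomains"
    if name == "x-content-type-options" and v != "nosniff":
        return "use 'nosniff'"
    if name == "content-security-policy":
        if "default-src" not in v:
            return "include default-src 'self'"
        if "'unsafe-inline'" in v or "'unsafe-eval'" in v:
            return "avoid 'unsafe-inline' and 'unsafe-eval'"
    return None


def audit_headers(headers):
    """Audit a header mapping; return (result, header, detail) tuples.

    result is 'Missing', 'Warning' or 'Correct', matching the report's columns.
    Names are compared case-insensitively, as HTTP header names are."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, rec in RECOMMENDED.items():
        if name not in h:
            findings.append(("Missing", name, f"use '{rec}'"))
        else:
            problem = _check_value(name, h[name])
            findings.append(("Warning" if problem else "Correct", name, problem or h[name]))
    # Disclosure headers: the fix is removal or trimming, not a value.
    server = h.get("server")
    if server is not None:
        if re.search(r"/\d", server):  # "Apache/2.2.25", "OpenSSL/1.0.0-fips" ...
            findings.append(("Warning", "server", "avoid version numbers (ServerTokens Prod)"))
        else:
            findings.append(("Correct", "server", server))
    if "x-powered-by" in h:
        findings.append(("Warning", "x-powered-by", "avoid header (expose_php = Off)"))
    if "x-pingback" in h:
        findings.append(("Warning", "x-pingback", "avoid header and disable XML-RPC"))
    return findings


def summarize(findings):
    """Count verdicts, e.g. {'Missing': 9, 'Warning': 3}."""
    counts = {}
    for result, _, _ in findings:
        counts[result] = counts.get(result, 0) + 1
    return counts


# Constructed from the headers the report shows; not a live fetch.
OBSERVED_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Server": "Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips DAV/2 mod_bwlimited/1.4",
    "X-Powered-By": "PHP/5.3.26",
    "X-Pingback": "htxp://bobwolfgramagency.com/xmlrpc.php",
}

# Constructed: what the same site would send after applying the recommendations.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "-1",
    "X-Permitted-Cross-Domain-Policies": "master-only",
    "Content-Security-Policy": "default-src 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("observed", OBSERVED_HEADERS), ("hardened", HARDENED_HEADERS)):
        findings = audit_headers(hdrs)
        print(f"== {label}: {summarize(findings)}")
        for result, name, detail in findings:
            print(f"{result:8} {name:34} {detail}")
```

Feed it the dict from `requests.head(url).headers` (or any case-insensitive mapping) to audit a real host; the value checks are what distinguish a header that is merely present from one that is actually effective, which a presence-only scan like the one quoted does not tell you.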