Security
SSL certificates, vulnerable libraries, security headers, and protecting your visitors.
Website security is both a technical necessity and a legal obligation. Under GDPR Article 32, businesses must implement "appropriate technical and organisational measures" to protect personal data, and the article names encryption of personal data explicitly among those measures. An expired TLS certificate, outdated WordPress plugins, or missing security headers can expose your visitors' data, and expose your business to fines. A personal data breach must be reported to your supervisory authority (DPA) without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33); affected individuals must be notified when the breach is likely to result in a high risk to their rights and freedoms (Article 34).
Key facts
- The Dutch AP fined a company €400,000 for inadequate security measures after a data breach
- 46% of all websites have at least one high-severity vulnerability (Acunetix 2024)
- WordPress plugins account for 97% of WordPress security vulnerabilities
- A missing Content-Security-Policy removes a defence-in-depth layer against XSS: any injected script runs unrestricted
- GDPR Article 32 names encryption of personal data among the appropriate technical measures; in practice that means TLS for every page that handles personal data, not just the login form
What we check
- SSL/TLS certificate validity and configuration
- Security headers (CSP, HSTS, X-Frame-Options, etc.)
- Known vulnerable JavaScript libraries
- Mixed content (HTTP resources on HTTPS pages)
- SPF, DKIM, and DMARC email authentication records
Website security: good vs. bad examples
Expired or missing SSL certificate
Visitors see a "Not Secure" warning in their browser because the TLS certificate has expired, does not cover the hostname, or was never installed. GDPR Article 32 names encryption of personal data among the required measures. Without TLS, form submissions, session cookies and login credentials travel in plain text and can be read or altered by anyone on the network path.
Valid SSL with automatic renewal
A valid TLS certificate (e.g. Let's Encrypt, 90-day lifetime, renewed automatically well before expiry) with monitoring that alerts if renewal silently fails. The browser shows a padlock icon. A Strict-Transport-Security (HSTS) header makes the browser connect via HTTPS even if someone types http://, with one caveat: HSTS is learned from a previous HTTPS response, so the very first visit is still protected only by the server's redirect unless the domain is on the browser preload list.
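The expiry and hostname checks described above, as an added example (not the scanner's own code). It works on the dictionary Python's `ssl` module returns from `getpeercert()`; the certificate below is constructed for illustration, the 30-day warning threshold is an assumption chosen to match Let's Encrypt's renewal window, and `fetch_peer_cert` is a live helper that is not exercised offline.

```python
"""Check a server certificate for expiry and hostname coverage (added example)."""
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Dec 15 00:00:00 2025 GMT",
    "notAfter": "Mar 15 00:00:00 2026 GMT",
}
# Fixed "now" so the example is deterministic; a real check uses datetime.now(timezone.utc).
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
WARN_DAYS = 30  # assumption: alert inside Let's Encrypt's renewal window


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Live fetch (requires network). An expired or mismatched certificate makes the
    default context raise ssl.SSLCertVerificationError, which is itself the finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def days_until_expiry(cert, now=None):
    """Days left before notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                     tz=timezone.utc)
    return (expires - now).days


def hostname_covered(cert, hostname):
    """True if a DNS SAN matches the hostname, honouring single-label wildcards only
    (RFC 6125: *.example.com matches www.example.com but not example.com)."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def check_certificate(cert, hostname, now=None, warn_days=WARN_DAYS):
    """Return a list of findings; an empty list means the certificate is healthy."""
    findings = []
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append(f"certificate expired {-days} days ago")
    elif days < warn_days:
        findings.append(f"certificate expires in {days} days; renewal may have failed")
    if not hostname_covered(cert, hostname):
        findings.append(f"certificate does not cover {hostname}")
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed certificate.
    print(check_certificate(SAMPLE_CERT, "www.example.com", NOW))
    print(check_certificate(SAMPLE_CERT, "example.com", NOW))
```

Run this on a schedule against each hostname and alert on any non-empty result: an expiring certificate is almost always a renewal job that has stopped working, and catching it inside the renewal window avoids the "Not Secure" interstitial entirely.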
Outdated WordPress with known vulnerabilities
Running an old WordPress branch such as 5.x, or plugins with known security flaws that have published CVE entries. Attackers scan for these automatically, often within hours of a disclosure. An exploited vulnerability that leaks personal data is a reportable breach, which starts the 72-hour notification clock.
Regular updates and patch management
WordPress core, themes and plugins updated within 48 hours of security releases. Automatic updates enabled for minor (security and maintenance) releases. Unused plugins removed entirely rather than just deactivated: a deactivated plugin's files remain on disk and some can still be reached directly over HTTP.
No security headers configured
Missing Content-Security-Policy, X-Frame-Options (or CSP frame-ancestors) and HSTS headers. Without them the site has no defence-in-depth against cross-site scripting (XSS), can be framed for clickjacking, and a visitor's first http:// request can be stripped to plain HTTP by an on-path attacker. Most hosting providers do not set these by default; they must be configured in the web server or application.
Security headers properly configured
Content-Security-Policy restricts script and resource origins and blocks inline scripts (allowing them only via nonces or hashes, never 'unsafe-inline'). Framing is restricted with CSP frame-ancestors, with X-Frame-Options kept for older browsers. HSTS with a long max-age (at least one year) and includeSubDomains, so every subdomain is covered and the policy does not expire between visits. Referrer-Policy set to strict-origin-when-cross-origin so full URLs are not leaked to third parties.
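An audit of the headers named in the two entries above, as an added example (not the scanner's own code). It parses CSP and HSTS values from an already-captured response; the three header sets are constructed to show a missing, a weak and a correct configuration, and the one-year HSTS threshold is an assumption.

```python
"""Audit HTTP response headers against the hardening targets above (added example)."""

HSTS_MIN_AGE = 31536000  # assumption: one year in seconds
SAFE_REFERRER = {"strict-origin-when-cross-origin", "no-referrer", "same-origin", "strict-origin"}

# Constructed sample responses; not captured from any real site.
BAD_HEADERS = {"Content-Type": "text/html", "Server": "nginx"}
WEAK_HEADERS = {
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "unsafe-url",
}
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; "
                               "frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def parse_csp(value):
    """Return {directive: [sources]} from a Content-Security-Policy header value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                max_age = int(part.split("=", 1)[1].strip('"'))
            except ValueError:
                max_age = None
        elif part == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_headers(headers):
    """Return a list of findings for one response; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp else {}
    if not policy:
        findings.append("CSP missing: injected scripts run unrestricted")
    else:
        # script-src falls back to default-src when absent.
        script = policy.get("script-src", policy.get("default-src", []))
        if not script:
            findings.append("CSP sets neither script-src nor default-src")
        # A nonce or hash makes browsers ignore 'unsafe-inline' (kept for legacy browsers).
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append("CSP script-src allows 'unsafe-inline': inline XSS payloads still execute")
        if "*" in script:
            findings.append("CSP script-src allows any origin (*)")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: first http:// visit can be downgraded")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age below {HSTS_MIN_AGE}s")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains")

    frame_ok = h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN") \
        or "frame-ancestors" in policy
    if not frame_ok:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        findings.append("Referrer-Policy missing or permissive")
    return findings


if __name__ == "__main__":
    for name, hdrs in ("bad", BAD_HEADERS), ("weak", WEAK_HEADERS), ("good", GOOD_HEADERS):
        print(name, audit_headers(hdrs))
```

The "weak" set shows why presence alone is not enough: every header exists, yet the CSP still permits inline script, the HSTS policy lapses after five minutes and excludes subdomains, and the Referrer-Policy leaks full URLs. Feed the function whatever your HTTP client returns as a headers mapping.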
Mixed content on HTTPS pages
An HTTPS website that loads images, scripts or stylesheets over HTTP. Browsers flag the page as insecure; scripts, stylesheets and frames ("active" mixed content) are blocked outright, while images and media ("passive" mixed content) are upgraded or shown with a warning. The danger is not only the warning: an HTTP script can be replaced by anyone on the network path and then runs with the full privileges of the HTTPS page, undoing the protection TLS gave the rest of it.
All resources loaded over HTTPS
Every image, script, stylesheet and font loaded via HTTPS. No mixed content warnings. External resources verified for HTTPS support before embedding. A Content-Security-Policy upgrade-insecure-requests directive as a safety net: it rewrites any remaining http:// subresource URL to https:// before the request is made, which only helps if the third-party host actually serves HTTPS.
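The mixed-content check from the two entries above, as an added example (not the scanner's own code). It walks a page's HTML with the standard-library parser, classifies each http:// subresource as active or passive, and reports whether the response's CSP carries the upgrade-insecure-requests safety net. The HTML and CSP value are constructed for illustration and the page is assumed to have been served over HTTPS.

```python
"""Find and classify mixed content in an HTTPS page's HTML (added example)."""
from html.parser import HTMLParser

# Tag -> attribute carrying the URL. Active content can run code or restyle the page
# and is blocked by browsers; passive content is upgraded or shown with a warning.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

# Constructed sample page; the hostnames are placeholders.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
<script src="http://analytics.example.net/track.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<img src="//images.example.com/hero.jpg">
<iframe src="https://player.example.org/embed"></iframe>
</body></html>"""


class MixedContentFinder(HTMLParser):
    """Collects (tag, url, severity) for every subresource requested over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names for us
        url, severity = None, None
        if tag in ACTIVE:
            url, severity = a.get(ACTIVE[tag]), "active"
        elif tag in PASSIVE:
            url, severity = a.get(PASSIVE[tag]), "passive"
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            url, severity = a.get("href"), "active"  # CSS is active: it can load fonts/images and restyle forms
        # Protocol-relative URLs (//host/path) inherit https: from the page and are fine.
        if url and url.strip().lower().startswith("http://"):
            self.findings.append((tag, url, severity))


def find_mixed_content(html, csp=None):
    """Return the findings and whether a CSP upgrade-insecure-requests directive
    would rewrite them to https:// before the request is sent."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    directives = {p.strip().split()[0].lower() for p in (csp or "").split(";") if p.strip()}
    return {
        "findings": finder.findings,
        "active": [f for f in finder.findings if f[2] == "active"],
        "upgraded_by_csp": "upgrade-insecure-requests" in directives,
    }


if __name__ == "__main__":
    result = find_mixed_content(SAMPLE_HTML, "default-src 'self'; upgrade-insecure-requests")
    for tag, url, severity in result["findings"]:
        print(f"{severity:7} <{tag}> {url}")
    print("rescued by upgrade-insecure-requests:", result["upgraded_by_csp"])
```

On the sample page the scanner reports the HTTP stylesheet and tracking script as active (the browser would block them and the page would break or lose its CSS) and the logo as passive. The protocol-relative image is not flagged. Treat `upgraded_by_csp` as mitigation, not a fix: the right remedy is still to change the URLs to https://.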
Guides are coming soon.
Check your website now
Scan your website for Security issues and 30+ other checks.
Scan your website free