Website Security Checklist: 10 Things to Check Today
1 April 2026
Most small business websites get hacked not because of sophisticated attacks but because of basics that were never set up. Default passwords, outdated plugins, missing security headers. These are things you can check in an afternoon.
Here are 10 checks. Each one has a clear pass/fail test so you know where you stand.
1. HTTPS on every page
What to check: Visit your website. Look at the address bar. Do you see a padlock icon and "https://" at the start of the URL?
Pass: Every page on your site loads over HTTPS with a valid certificate and no warnings.
Fail: Any page shows "Not Secure" or loads over plain HTTP.
How to fix: Most hosting providers offer free SSL certificates through Let's Encrypt. Activate it in your hosting control panel and set up a redirect from HTTP to HTTPS. We have a full guide on fixing the "Not Secure" warning.
2. Software updates
What to check: Log into your CMS (WordPress, Joomla or whatever you use). Are there pending updates for the core software, themes or plugins?
Pass: Core CMS, all themes and all plugins are on their latest versions. Automatic updates are turned on.
Fail: You have updates waiting. Or worse, you're running a CMS version that's more than 6 months old.
How to fix: Update everything. In WordPress, go to Dashboard > Updates. Click "Update All" for plugins and themes. Enable automatic updates for minor releases. Back up your site first. If a plugin hasn't been updated by its developer in over a year, replace it with an actively maintained alternative.
3. Admin URL and login protection
What to check: Go to yoursite.com/wp-admin or yoursite.com/administrator. Can you see the login page?
Pass: The default admin URL is changed or protected by an additional layer (IP restriction, .htaccess password, or a security plugin that limits login attempts).
Fail: Anyone on the internet can access your login page with no restrictions.
How to fix: Install a plugin like Limit Login Attempts Reloaded (WordPress) to block brute force attacks. For extra protection, restrict admin access to your IP address through your hosting panel or .htaccess file. You can also change the login URL with a plugin like WPS Hide Login.
4. Password strength
What to check: How strong are the passwords for your CMS admin account, hosting panel, FTP accounts and database?
Pass: Every account uses a unique password of at least 16 characters. Two-factor authentication (2FA) is enabled where available.
Fail: You're using the same password for multiple accounts, or any password is shorter than 12 characters, or you don't have 2FA enabled.
How to fix: Use a password manager (Bitwarden is free and open source). Generate unique passwords of 20+ characters for each account. Enable 2FA on your hosting panel, CMS admin and domain registrar. This single step prevents the majority of account compromises.
5. Backups
What to check: When was the last backup of your website? Where is it stored? Can you restore it?
Pass: Automated backups run at least weekly. Backups are stored off-site (not on the same server as your website). You've tested restoring from a backup at least once.
Fail: You don't have backups, backups are only on the same server, or you've never tested a restore.
How to fix: Most hosting providers include automated backups. Check your hosting panel to confirm they're enabled. For WordPress, UpdraftPlus (free version) backs up to Google Drive or Dropbox automatically. Set it to run daily if your site changes frequently, or weekly if it's mostly static. Test the restore process once so you know it works before you actually need it.
6. Security headers
What to check: Go to securityheaders.com and enter your website URL.
Pass: You get a grade of B or higher.
Fail: You get a D or F, which means your site is missing basic security headers.
How to fix: Security headers tell browsers how to handle your site's content. The most important ones are:
- X-Content-Type-Options: Prevents browsers from guessing file types. Add X-Content-Type-Options: nosniff.
- X-Frame-Options: Prevents your site from being embedded in iframes on other sites (clickjacking protection). Add X-Frame-Options: SAMEORIGIN.
- Content-Security-Policy: Controls which resources your page can load. Start with a basic policy and expand as needed.
- Strict-Transport-Security: Forces HTTPS for future visits. Add Strict-Transport-Security: max-age=31536000.
- Referrer-Policy: Controls how much information is shared when visitors click links. Add Referrer-Policy: strict-origin-when-cross-origin.
In WordPress, the HTTP Headers plugin or Really Simple SSL Pro can set these. On Apache servers, add them to your .htaccess file. On Nginx, add them to your server configuration.
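To turn the five headers above into the pass/fail test the checklist asks for, here is an added Python checker (example code, not from the article or from any plugin named here). It grades a dict of response headers; the sample headers are constructed, it accepts stricter-than-listed values such as X-Frame-Options: DENY or a longer HSTS max-age, and fetch_headers() is an optional helper for running it against a live site.

```python
"""Grade a site's response headers against the five headers listed above."""
import urllib.request

HSTS_MIN_AGE = 31536000  # one year, the max-age the checklist recommends


def _hsts_ok(value):
    """True when Strict-Transport-Security carries a max-age of at least a year."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number) >= HSTS_MIN_AGE
    return False


def check_security_headers(headers):
    """Return {header: passed} for a dict of response headers (any letter case)."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}

    def get(name):
        return lower.get(name, "")  # "" when the header is missing

    return {
        "X-Content-Type-Options": get("x-content-type-options").lower() == "nosniff",
        # SAMEORIGIN is what the article suggests; DENY is stricter and also passes.
        "X-Frame-Options": get("x-frame-options").upper() in ("SAMEORIGIN", "DENY"),
        # Any policy counts as the "basic policy" start; tightening it is a later job.
        "Content-Security-Policy": bool(get("content-security-policy")),
        "Strict-Transport-Security": _hsts_ok(get("strict-transport-security")),
        "Referrer-Policy": get("referrer-policy").lower()
        in ("strict-origin-when-cross-origin", "strict-origin", "no-referrer"),
    }


def fetch_headers(url):
    """Live variant: return the response headers of url (needs network access)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample: a site where only nosniff and HSTS were ever configured.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for header, ok in check_security_headers(SAMPLE_HEADERS).items():
        print(f"{'PASS' if ok else 'FAIL'}  {header}")
```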
7. Email authentication (SPF, DKIM, DMARC)
What to check: Does your domain have SPF, DKIM and DMARC records configured?
You can check this with free tools like MXToolbox. Enter your domain and look for SPF, DKIM and DMARC results.
Pass: All three records are present and valid. DMARC policy is set to at least p=quarantine.
Fail: One or more records are missing, or DMARC is set to p=none with no plan to increase it.
How to fix: These DNS records prevent others from sending emails that look like they come from your domain. Without them, spammers can send phishing emails as "you@yourdomain.com" and your real emails are more likely to land in spam folders.
Your email provider (Google Workspace, Microsoft 365, TransIP) has documentation for setting up SPF and DKIM. For DMARC, add a TXT record for _dmarc.yourdomain.com with the value v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com. Start with p=none if you want to monitor before enforcing.
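Here is an added Python evaluator for the DMARC record (example code, not from the article or from MXToolbox) that applies the pass/fail criteria above to the TXT value published at _dmarc.yourdomain.com; paste in what your DNS tool shows. The records below are constructed, and beyond the p= policy the check also flags a missing rua= address and a pct= value below 100, two settings that quietly weaken an otherwise enforcing record.

```python
"""Evaluate a _dmarc TXT record against the pass/fail criteria above."""

# Policies from weakest to strongest; the checklist wants at least quarantine.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=quarantine; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:  # skip empty trailing segments such as the one after a final ';'
            tags[name.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Return (passed, problems) for one record; an empty record never passes."""
    if not record or not record.strip():
        return False, ["no DMARC record published"]
    problems = []
    tags = parse_dmarc(record)
    # RFC 7489: v=DMARC1 must be the first tag or receivers ignore the record.
    if not record.strip().lower().startswith("v=dmarc1"):
        problems.append("record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        problems.append("p= tag missing or unknown")
    elif POLICY_RANK[policy] < POLICY_RANK["quarantine"]:
        problems.append("p=none only monitors; raise it to p=quarantine or p=reject")
    if not tags.get("rua", "").lower().startswith("mailto:"):
        problems.append("no rua= address, so you get no aggregate reports")
    # pct defaults to 100; anything lower polices only a sample of failing mail.
    if tags.get("pct", "100") != "100":
        problems.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return not problems, problems


# Constructed records: the article's suggested value and two weaker variants.
RECORDS = {
    "article": "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com",
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
    "partial": "v=DMARC1; p=reject; pct=10",
}

if __name__ == "__main__":
    for name, rec in RECORDS.items():
        ok, why = evaluate_dmarc(rec)
        print(f"{'PASS' if ok else 'FAIL'} {name}: {'; '.join(why) or 'ok'}")
```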
8. Exposed files and directories
What to check: Try accessing these URLs on your website:
yoursite.com/.env
yoursite.com/wp-config.php.bak
yoursite.com/.git/
yoursite.com/backup/
yoursite.com/debug.log
Pass: All of these return a 404 (not found) or 403 (forbidden) error.
Fail: Any of these return actual content. This means sensitive files are publicly accessible.
How to fix: Block access to sensitive files and directories. In .htaccess (Apache), add:
<FilesMatch "\.(env|bak|sql|log|ini|sh)$">
Require all denied
</FilesMatch>
Delete any backup files, database dumps or log files from your web root. They should never be in a publicly accessible directory. Also check that directory listing is disabled. Try accessing yoursite.com/wp-content/uploads/ directly. If you see a file listing instead of a 403, add Options -Indexes to your .htaccess.
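The FilesMatch rule above matches file names by extension, so it is worth checking which of the five probe URLs from "What to check" it actually covers. Here is an added Python script (example code, not from the article or from Apache) that emulates FilesMatch on those constructed paths; it does not parse a real .htaccess.

```python
"""Check which probe URLs the FilesMatch rule above would deny."""
import re
from urllib.parse import urlsplit

# The pattern from the .htaccess snippet above.
FILES_MATCH = re.compile(r"\.(env|bak|sql|log|ini|sh)$")

# The probe URLs from the "What to check" list, as paths on yoursite.com.
PROBE_PATHS = ["/.env", "/wp-config.php.bak", "/.git/", "/backup/", "/debug.log"]


def blocked_by_files_match(path, pattern=FILES_MATCH):
    """True when the rule denies this path: FilesMatch only sees the file name."""
    name = urlsplit(path).path.rsplit("/", 1)[-1]  # basename; "" for a directory
    return bool(name) and pattern.search(name) is not None


def coverage_report(paths=PROBE_PATHS, pattern=FILES_MATCH):
    """Split probe paths into those the rule covers and those it does not."""
    covered = [p for p in paths if blocked_by_files_match(p, pattern)]
    uncovered = [p for p in paths if p not in covered]
    return covered, uncovered


if __name__ == "__main__":
    covered, uncovered = coverage_report()
    print("denied by FilesMatch:", ", ".join(covered))
    # Directory URLs never match a FilesMatch rule; they need their own fix.
    print("still needs a rule  :", ", ".join(uncovered))
```

The two directory URLs never match FilesMatch, and neither does a file inside them without a listed extension (such as .git/config), so delete those directories from the web root or deny them with a separate rule.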
9. Form security
What to check: Submit your own contact form. Then check: does the form have CAPTCHA or spam protection? Is the form submission sent over HTTPS?
Pass: Forms have spam protection (reCAPTCHA, hCaptcha or a honeypot field). Form submissions are sent over HTTPS. Form data is validated on the server side, not just in the browser.
Fail: No spam protection on forms. Or the form action URL uses HTTP instead of HTTPS.
How to fix: Add Google reCAPTCHA v3 or hCaptcha to your forms. Both are free. In WordPress, most contact form plugins (Contact Form 7, WPForms, Gravity Forms) have built-in CAPTCHA support. Make sure your form's action URL uses HTTPS. If you're using a form that sends submissions to email, check that sensitive data isn't logged in plain text on your server.
10. Monitoring and alerts
What to check: Would you know if your website went down right now? Would you know if someone changed a page?
Pass: You have uptime monitoring that alerts you when the site goes down. You receive notifications when CMS users log in or when files change.
Fail: You'd only find out about problems when a customer tells you, or when you visit the site yourself.
How to fix: Set up free uptime monitoring with UptimeRobot (monitors every 5 minutes, sends email alerts). For WordPress, Wordfence (free version) sends alerts when someone logs in, when plugins are updated and when files are modified. These basic alerts mean you'll catch problems in minutes instead of days.
Your next step
Run through these 10 checks. Most small business websites fail on at least 4 of them. The good news is that every item on this list can be fixed without hiring a developer.
If you want a quick overview of where your website stands, run a free security scan. It checks HTTPS, headers, exposed files and more in 30 seconds.
Frequently asked questions
How often should I run through this checklist?
Once a quarter is a good minimum. Also run through it whenever you change hosting providers, add new plugins or redesign your site. Set a calendar reminder.
My web developer set up my site years ago. Should I be worried?
Probably. Web security standards change fast. A site that was secure in 2022 might have outdated software, expired certificates and missing headers today. Run the checks above and you'll know for sure.
I use Wix/Squarespace/Shopify. Does this apply to me?
Partially. Managed platforms handle some security automatically (HTTPS, software updates, backups). But you're still responsible for strong passwords, 2FA, email authentication and monitoring. Items 4, 7 and 10 apply to every website regardless of platform.
Can I automate these checks?
Yes. Tools like our website scanner automate most of these checks. For ongoing monitoring, set up UptimeRobot for uptime alerts and Wordfence (WordPress) or a similar tool for file change detection.
Scan your website's security for free at trustyourwebsite.nl/scan. You'll get a score and a prioritized list of what to fix.