TrustYourWebsite

Security

SSL certificates, vulnerable libraries, security headers, and protecting your visitors.

Website security is both a technical necessity and a legal obligation. Under GDPR Article 32, businesses must implement 'appropriate technical measures' to protect personal data. An expired SSL certificate, outdated WordPress plugins, or missing security headers can expose your visitors' data, and expose your business to fines. Data breaches must be reported to your data protection authority (DPA) within 72 hours, and affected individuals must be notified if the breach poses a serious threat to their rights.

Key facts

  • The Dutch AP fined a company €400,000 for inadequate security measures after a data breach
  • 46% of all websites have at least one high-severity vulnerability (Acunetix 2024)
  • WordPress plugins account for 97% of WordPress security vulnerabilities
  • Missing security headers like Content-Security-Policy leave sites vulnerable to XSS attacks
  • GDPR Article 32 requires encryption of personal data in transit, which means SSL/TLS is not optional

What we check

  • ✓ SSL/TLS certificate validity and configuration
  • ✓ Security headers (CSP, HSTS, X-Frame-Options, etc.)
  • ✓ Known vulnerable JavaScript libraries
  • ✓ Mixed content (HTTP resources on HTTPS pages)
  • ✓ SPF, DKIM, and DMARC email authentication records

Website security: good vs. bad examples

Needs fixing

Expired or missing SSL certificate

Visitors see a "Not Secure" warning in their browser because the SSL certificate has expired or was never installed. GDPR Article 32 requires encryption of personal data in transit. Without SSL/TLS, form submissions and login credentials are sent in plain text.

Outdated WordPress with known vulnerabilities

Running WordPress 5.x, or plugins with known security flaws that have published CVE entries. Attackers scan for these automatically. An exploited vulnerability that leaks customer data triggers a mandatory breach notification within 72 hours.

No security headers configured

Missing Content-Security-Policy, X-Frame-Options and HSTS headers. Without these, your site is vulnerable to cross-site scripting (XSS), clickjacking and protocol downgrade attacks. Most hosting providers do not set these by default.

Mixed content on HTTPS pages

An HTTPS website that loads images, scripts or stylesheets over HTTP. Browsers flag this as insecure and may block the resources entirely. It also breaks the encryption chain for any data transmitted on the page.

Compliant

Valid SSL with automatic renewal

A valid SSL/TLS certificate (e.g. Let's Encrypt) with automatic renewal configured. The browser shows a padlock icon. An HSTS header ensures browsers always connect via HTTPS, even if someone types http://.

Regular updates and patch management

WordPress core, themes and plugins updated within 48 hours of security releases. Automatic updates enabled for minor versions. Unused plugins removed entirely rather than just deactivated.

Security headers properly configured

Content-Security-Policy blocks inline scripts and restricts resource origins. X-Frame-Options prevents clickjacking. HSTS is set with a long max-age and includeSubDomains. Referrer-Policy is set to strict-origin-when-cross-origin.

All resources loaded over HTTPS

Every image, script, stylesheet and font is loaded via HTTPS, with no mixed content warnings. External resources are verified for HTTPS support before embedding. A Content-Security-Policy upgrade-insecure-requests directive serves as a fallback.
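The "no security headers" and "security headers properly configured" descriptions above, along with the mixed-content fallback, can be expressed as a concrete check. The following is an added example written for this page, not TrustYourWebsite's scanner code: it audits a dictionary of response headers the way a header scan would, flagging missing HSTS, a short or subdomain-less max-age, a missing or script-permissive CSP, no clickjacking protection, and a leaky Referrer-Policy. The two header sets are constructed samples mirroring the "needs fixing" and "compliant" descriptions; the six-month HSTS threshold is an assumption of this example, not a value from the page.

```python
"""Audit HTTP response headers the way a website security scan does.

Constructed example: the two header sets below mirror the "needs fixing" and
"compliant" descriptions; nothing is fetched over the network.
"""
import re

# Constructed sample: a site with no security headers at all.
HEADERS_WEAK = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx",
}

# Constructed sample: headers matching the "compliant" description.
HEADERS_GOOD = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; object-src 'none'; "
        "upgrade-insecure-requests"
    ),
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Assumed threshold for a "long" HSTS max-age: six months in seconds.
HSTS_MIN_AGE = 15552000


def _get(headers, name):
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value):
    """Split a CSP header into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS missing: browsers may still connect over http://")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < HSTS_MIN_AGE:
            findings.append("HSTS max-age too short")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = _get(headers, "Content-Security-Policy")
    policy = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append("CSP missing: no defence against XSS")
    else:
        # script-src falls back to default-src when absent.
        scripts = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP allows inline or wildcard scripts")
        if "upgrade-insecure-requests" not in policy:
            findings.append("CSP lacks upgrade-insecure-requests (mixed-content fallback)")

    # Either X-Frame-Options or the newer CSP frame-ancestors stops framing.
    xfo = _get(headers, "X-Frame-Options")
    if xfo is None and "frame-ancestors" not in policy:
        findings.append("Clickjacking: no X-Frame-Options or CSP frame-ancestors")
    elif xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unsupported value {xfo!r}")

    referrer = _get(headers, "Referrer-Policy")
    if referrer is None:
        findings.append("Referrer-Policy missing")
    elif referrer.lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy leaks full URLs to other origins")

    return findings


if __name__ == "__main__":
    for label, headers in (("weak", HEADERS_WEAK), ("good", HEADERS_GOOD)):
        print(f"{label}: {audit_headers(headers) or ['no findings']}")
```

Run against a real site, the same function takes the headers returned by any HTTP client; the checks are deliberately conservative, so a site that passes here still benefits from a full CSP review.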

Related guides

How to Check If a Website Is Trustworthy (2026 Guide)

How to check if a website is trustworthy. 10 things to look for: SSL, privacy policy, business details, cookie consent, and more.

My Website Says 'Not Secure': Here's How to Fix It

Your browser shows 'Not Secure' for your website? Here is what it means and how to fix it step by step.

Website Security Checklist: 10 Things to Check Today

A practical security checklist for small business websites. 10 things you can check and fix today without technical expertise.

GDPR Requires a Secure Website: What You Need to Know

GDPR Article 32 requires you to protect personal data with appropriate security. Here is what that means for your website.

Outdated WordPress Plugins Are a Security Risk

Outdated WordPress plugins are the top attack vector for small business sites. Learn how to check, update and review your plugins.

SPF, DKIM and DMARC: Email Security in Plain Language

SPF, DKIM and DMARC explained simply. Learn what they do, why you need them and how to set them up for your domain.

Website Hacked? Here's What to Do Right Now

Your website has been hacked or shows signs of malware. Here are the steps to take right now to contain the damage and get back online.

What Does a Website Security Scan Check?

What a website security scan actually checks: SSL, headers, vulnerable libraries, outdated CMS, and more. Learn what the results mean and how to fix issues.

Why Your Business Emails End Up in Spam (And How to Fix It)

Business emails landing in spam? You're probably missing SPF, DKIM, or DMARC records. Here's what they are and how to set them up.

Don't Let Your Domain Expire: The Hidden Business Risk

An expired domain can tank your SEO, break your email and let someone else take your business name. Here is how to prevent it.

SSL Certificate: What It Is, Why You Need It

An SSL certificate encrypts data between your website and visitors. Here is what it does, why you need one and how to get one for free.
