Website Security Checklist

HTTPS and SSL

• Valid SSL certificate installed and not expired
• HTTP redirects to HTTPS automatically (301 redirect)
• Strict-Transport-Security header enabled with a reasonable max-age
• No mixed content warnings (all resources loaded over HTTPS)
• Certificate chain is complete (intermediate certs included)

Security Headers

• Content-Security-Policy set — restricts script and resource sources to prevent XSS
• X-Frame-Options set to DENY or SAMEORIGIN — prevents clickjacking
• X-Content-Type-Options: nosniff — stops MIME type sniffing
• Referrer-Policy set (recommend strict-origin-when-cross-origin)
• Permissions-Policy disables unused browser features

DNS Configuration

• DNSSEC enabled on your domain for integrity verification
• A/AAAA records point to the correct servers
• MX records configured correctly for email delivery
• SPF, DKIM, and DMARC records set up for email authentication
• No open DNS resolvers exposed on your infrastructure

Authentication and Access

• All accounts use strong, unique passwords (12+ characters)
• Multi-factor authentication (MFA) enabled on all admin accounts
• No default credentials left on any service or device
• Admin panels and sensitive endpoints not publicly exposed if possible
• Session management uses secure, HttpOnly, SameSite cookies

Software and Code

• CMS, plugins, themes, and dependencies up to date
• Unused plugins, themes, and extensions removed
• Server and application version numbers hidden from response headers and error pages
• Debug mode disabled in production
• Error pages don't leak stack traces or database information

Server Configuration

• Directory listing disabled on web server
• File upload restrictions in place (allowed extensions, size limits)
• Unnecessary ports closed or firewalled
• SSH uses key-based authentication, not passwords
• Database not accessible from the public internet

Backups

• Automated backups running on a regular schedule
• Backups stored offsite or in a separate location from the server
• Restore process tested and documented
• Database dumps included in backups

Monitoring

• Uptime monitoring active with alerts for downtime
• SSL certificate expiry alerts configured (at least 30 days before)
• Server logs reviewed periodically for suspicious activity
• Failed login attempts monitored and rate-limited

Audit Your Site Now

Run through these checks using our free tools. Start with an SSL check, inspect your security headers, verify your DNS records, and scan your ports.