A free checklist

The 12-point website security checklist.

Twelve checks you can run against your own business website this afternoon — the same standards we hold our own builds to. No jargon, no upsell. Answer each one honestly; every 'no' is a place to start.

01
Your site loads over HTTPS, everywhere
Every page — not just the checkout — should show the padlock and redirect plain http:// to https://. If any page serves over http, passwords and form data cross the wire in the clear.
02
The HTTPS certificate renews itself
A certificate that expires takes the whole site down with a scary browser warning. Confirm it auto-renews (most modern hosts do) rather than living on a calendar reminder someone will eventually miss.
03
Software and plugins are on supported, current versions
Out-of-date CMS cores, themes, and plugins are the single most common way small-business sites get compromised. Anything no longer receiving security updates is an open door — replace or remove it.

04
Admin accounts use strong, unique passwords and 2FA
Reused or weak admin passwords are guessed in bulk by bots every day. Every login that can change the site should have a unique password and two-factor authentication turned on.
05
Logins are rate-limited or behind a gate
An exposed admin login with unlimited attempts invites brute-force attacks. Limit failed attempts, add a challenge, or restrict the admin path so it isn't a free-for-all.
06
Secrets are not stored in the site's code or repo
API keys, database passwords, and payment credentials belong in environment variables, never committed to the codebase or pasted into a theme file. If a secret ever shipped in code, rotate it.
07
Form inputs are validated on the server, not just the browser
Browser-side checks are for convenience; they can be bypassed in seconds. Every form that writes to a database or sends mail must validate and sanitize input on the server too.
08
Security headers are set
A Content-Security-Policy, HTTP Strict-Transport-Security, and sensible referrer and frame policies cost nothing and shut down whole classes of attack. Most sites ship with none of them.
09
Backups run automatically and have been test-restored
A backup you've never restored is a guess. Confirm backups run on a schedule, live somewhere off the server, and that someone has actually restored one to prove it works.
10
Dependencies are scanned for known vulnerabilities
The libraries your site is built on have published, fixed security flaws all the time. An automated scan (it's free) tells you when one of yours has a known issue so you can patch before it's exploited.
11
Customer and contact data is access-controlled
Form submissions, customer records, and uploaded files should be reachable only by people who need them — enforced by the database, not just hidden behind a URL nobody's supposed to find.
12
Someone is actually responsible for security after launch
Security is not a launch-day task; it's a standing one. If no named person or retainer owns patching, monitoring, and renewals, the answer to 'who handles this?' is nobody — until something breaks.

9 more checks

Get the full checklist.

Enter your email and we’ll send the complete 12-point checklist to keep. No spam, no automated drip — and you can read the rest right here.

We hold our own builds to this standard and keep them there with affordable monthly care — patches, monitoring, and a senior engineer on the line when something has to move.

How we build & maintain sites Talk to a senior engineer

The 12-point website security checklist.

Your site loads over HTTPS, everywhere

The HTTPS certificate renews itself

Software and plugins are on supported, current versions

Get the full checklist.