
Website Security Checklist: 20 Steps to Protect Your Site

March 7, 2025·10 min read·GradeMysite Team

Websites are attacked every 39 seconds on average. Most attacks don't target well-known businesses — they use automated bots that scan millions of sites looking for known vulnerabilities. This 20-step checklist covers the essentials that protect sites of all sizes.

SSL & HTTPS (Steps 1–3)

✅ 1. Install a valid SSL certificate

HTTPS is non-negotiable. It encrypts data between your server and visitors, prevents eavesdropping on sensitive information, and is a Google ranking factor. Let's Encrypt provides free SSL certificates that most hosting providers install automatically. There is no excuse for running HTTP in 2025. Read our SSL certificate guide for full details.

✅ 2. Redirect all HTTP to HTTPS

Having SSL installed isn't enough if your site is still accessible on HTTP. Set up a permanent 301 redirect from all HTTP URLs to their HTTPS equivalents. Also set up a redirect from non-www to www (or vice versa) — pick one canonical URL structure and stick to it.

✅ 3. Set up HSTS (HTTP Strict Transport Security)

HSTS tells browsers to always connect to your site over HTTPS, even if someone types http://. Add this header: Strict-Transport-Security: max-age=31536000; includeSubDomains. Browsers only honour the header when it arrives in an HTTPS response, so the redirect from step 2 must already be in place, and once a browser has seen it the policy applies for the full max-age, so confirm every subdomain really serves HTTPS before adding includeSubDomains.


Security Headers (Steps 4–7)

✅ 4. Set Content-Security-Policy (CSP)

CSP is your most powerful defence against cross-site scripting (XSS) attacks. It tells browsers which scripts, styles, and resources are allowed to load on your pages. A strict CSP can prevent attackers from injecting malicious scripts even if they find an XSS vulnerability.

✅ 5. Set X-Frame-Options

Prevents your site from being embedded in an <iframe> on another site — protecting against clickjacking attacks. Use: X-Frame-Options: SAMEORIGIN

✅ 6. Set X-Content-Type-Options

Prevents browsers from MIME-sniffing responses away from the declared content type — a technique attackers use to execute malicious files. Header: X-Content-Type-Options: nosniff

✅ 7. Set Referrer-Policy

Controls how much referrer information is sent when users navigate from your site to another. Recommended: Referrer-Policy: strict-origin-when-cross-origin
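As an added example (not code from the original checklist), a small Python audit that checks one response's headers against steps 3 through 7. The sample responses are constructed; the CSP check only asks whether scripts are restricted, which is the part of CSP that matters most for XSS.

```python
import re

# Minimum HSTS max-age the checklist recommends (one year in seconds).
HSTS_MIN_MAX_AGE = 31536000
# Referrer-Policy values that never send the full URL to another origin.
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}

def audit_security_headers(headers):
    """Return findings for one response's headers (dict name -> value)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("HSTS missing (step 3)")
    elif int(m.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append("HSTS max-age below one year (step 3)")
    elif "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains (step 3)")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing (step 4)")
    else:
        # Split "name value value; name value" into {name: full directive}.
        directives = {d.split()[0]: d for d in (p.strip() for p in csp.split(";")) if d}
        # script-src decides which scripts may run; default-src is its fallback.
        script = directives.get("script-src") or directives.get("default-src", "")
        if not script or "'unsafe-inline'" in script or "*" in script.split():
            findings.append("CSP does not restrict scripts (step 4)")
    if h.get("x-frame-options", "").upper() not in {"SAMEORIGIN", "DENY"}:
        findings.append("X-Frame-Options not SAMEORIGIN or DENY (step 5)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not nosniff (step 6)")
    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or leaks full URLs (step 7)")
    return findings

# Constructed sample responses, not captured from any real site.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```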

Authentication & Access (Steps 8–11)

✅ 8. Enforce strong passwords

Brute-force attacks are still one of the most common attack vectors. Enforce minimum password requirements: 12+ characters, mix of letters, numbers, and symbols. Better still, recommend a password manager in your registration flow.

✅ 9. Enable two-factor authentication (2FA)

2FA prevents attackers from logging in even if they have the correct password. Enable it for your CMS admin, hosting control panel, domain registrar, and any other critical accounts. Use authenticator apps (Google Authenticator, Authy) rather than SMS where possible.

✅ 10. Limit admin access

Apply the principle of least privilege — give users only the minimum access they need. Review admin user accounts regularly and remove former staff/contractor accounts promptly. Consider restricting admin panel access to specific IP addresses if you have a fixed IP.

✅ 11. Protect your login page

Don't use default admin URLs (like /wp-admin for WordPress). Implement rate limiting on login attempts to prevent brute force attacks. Consider adding CAPTCHA for suspicious login behaviour.
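Step 11's rate limiting, as an added example rather than code from the checklist: a sliding-window limiter for a login endpoint keyed by both client IP and account name. The limit, window and lockout values are assumptions for the example, not recommendations from the page.

```python
import time
from collections import defaultdict, deque

class LoginRateLimiter:
    """Sliding-window limiter for login attempts, keyed both by client IP and
    by account name, so one address cannot spray many accounts and one account
    cannot be hammered from many addresses. Policy values are assumed for this
    example: `limit` failures per key within `window` seconds, then a lockout
    of `lockout` seconds. `clock` is injectable for testing."""

    def __init__(self, limit=5, window=300, lockout=900, clock=time.time):
        self.limit, self.window, self.lockout, self.clock = limit, window, lockout, clock
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> unix time the lockout ends

    @staticmethod
    def _keys(ip, username):
        return (f"ip:{ip}", f"user:{username.strip().lower()}")

    def check(self, ip, username):
        """Call before verifying the password. Returns (allowed, retry_after_s)."""
        now = self.clock()
        for key in self._keys(ip, username):
            until = self.locked_until.get(key, 0)
            if until > now:
                return False, int(until - now)
        return True, 0

    def record_failure(self, ip, username):
        """Call after a failed password check; locks a key once it hits the limit."""
        now = self.clock()
        for key in self._keys(ip, username):
            q = self.failures[key]
            while q and now - q[0] > self.window:  # drop failures outside the window
                q.popleft()
            q.append(now)
            if len(q) >= self.limit:
                self.locked_until[key] = now + self.lockout
                q.clear()

    def record_success(self, ip, username):
        """A correct login clears the account's counter but not the IP's, so a
        lucky guess after a burst does not refill an attacker's budget."""
        self.failures.pop(self._keys(ip, username)[1], None)
```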

Software & Updates (Steps 12–14)

✅ 12. Keep your CMS and plugins updated

Outdated WordPress plugins are the #1 cause of WordPress site hacks. Enable automatic updates for your core CMS, plugins, and themes. Remove plugins and themes you don't use — they're still attack surfaces even when inactive.

✅ 13. Use a Web Application Firewall (WAF)

A WAF filters malicious traffic before it reaches your site. Cloudflare offers a free WAF with basic rules. For WordPress, Wordfence or Sucuri provide more granular protection. A WAF can block SQL injection, XSS, and other common attack types automatically.

✅ 14. Remove sensitive files and directories

Make sure files like .git/, .env, composer.json, and error logs aren't publicly accessible. These often contain credentials and configuration details attackers can exploit. Test with your browser — if you can access yourdomain.com/.git/config, so can attackers.

Backups & Recovery (Steps 15–16)

✅ 15. Implement automated backups

Back up your site daily, including the database. Store backups in a separate location from your hosting (not just on the same server). Test your backups periodically — a backup that can't be restored is useless.

✅ 16. Have a recovery plan

Know what you'd do if your site were hacked today. Have contact information for your hosting provider, a process for restoring from backup, and a communication plan for notifying users if their data is affected.

Monitoring & Incident Response (Steps 17–20)

✅ 17. Set up uptime monitoring

Use a free service like UptimeRobot to alert you immediately if your site goes down. DDoS attacks and server issues often manifest as unexpected downtime.

✅ 18. Monitor for malware

Google Search Console will alert you if it detects malware on your site (which would trigger Chrome warnings for your visitors). Tools like Sucuri Site Check can scan your site for known malware signatures.

✅ 19. Review server and access logs

Regularly reviewing your server logs can reveal attack patterns, unauthorised access attempts, and unusual traffic spikes. Most hosting control panels provide access to raw log files.
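An added example, not from the original post, of what step 19's log review looks like in code: a parser for Apache/nginx combined-format access logs that flags brute-force login bursts (step 11) and probing for the sensitive files from step 14. The log lines are constructed; the login paths and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format, with named groups for the fields used below.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
LOGIN_PATHS = {"/wp-login.php", "/login", "/admin/login"}        # assumed for this site
SENSITIVE_PATHS = ("/.env", "/.git/", "/composer.json", "/wp-config.php.bak")

def parse_line(line):
    """Return the line's fields as a dict, or None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def review_access_log(lines, login_threshold=10):
    """Summarise brute-force login bursts and sensitive-file probing in the log."""
    login_posts = Counter()           # ip -> number of POSTs to a login path
    probes = defaultdict(set)         # ip -> sensitive paths it requested
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].split("?")[0] in LOGIN_PATHS:
            login_posts[rec["ip"]] += 1
        if rec["path"].startswith(SENSITIVE_PATHS):
            probes[rec["ip"]].add(rec["path"])
    return {
        "brute_force_ips": sorted(ip for ip, n in login_posts.items() if n >= login_threshold),
        "probing_ips": {ip: sorted(paths) for ip, paths in probes.items()},
    }

# Constructed sample lines, not real traffic: a 12-request login burst, two
# probes for sensitive files (the .git/config one returned 200), one normal hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Mar/2025:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" '
    '200 1523 "-" "python-requests/2.31"' % s for s in range(12)
] + [
    '198.51.100.4 - - [07/Mar/2025:10:01:00 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [07/Mar/2025:10:01:01 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [07/Mar/2025:10:02:00 +0000] "GET /blog/ HTTP/1.1" 200 8812 "https://example.com/" "Mozilla/5.0"',
]
```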

✅ 20. Check SSL certificate expiry

An expired SSL certificate will display browser warnings that deter all visitors. Set up automatic renewal (Let's Encrypt certificates are valid for 90 days and auto-renew with most hosts) and set a calendar reminder to verify renewal 30 days before expiry.
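An added example (not the checklist's own code) for step 20: fetch a site's certificate with Python's standard library and classify how close it is to expiry against the 30-day reminder the step recommends. `example.com` in the usage line is a placeholder hostname.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # the checklist's "verify renewal 30 days before expiry"

def parse_cert_time(value):
    """Accept the OpenSSL string form that getpeercert() returns, e.g.
    'Mar  7 12:00:00 2026 GMT', or an aware datetime; return an aware UTC datetime."""
    if isinstance(value, datetime):
        return value
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def cert_not_after(hostname, port=443, timeout=5.0):
    """Connect to `hostname` and return the leaf certificate's notAfter.
    A default context is used on purpose: an untrusted chain or a name mismatch
    raises ssl.SSLCertVerificationError instead of being silently accepted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return parse_cert_time(tls.getpeercert()["notAfter"])

def expiry_status(not_after, now=None, warn_days=WARN_DAYS):
    """Classify as 'expired', 'renew-soon' (within warn_days) or 'ok', together
    with the whole days left. `now` is injectable (string or datetime) for tests."""
    not_after = parse_cert_time(not_after)
    now = parse_cert_time(now) if now else datetime.now(timezone.utc)
    seconds_left = (not_after - now).total_seconds()
    days_left = int(seconds_left // 86400)
    if seconds_left <= 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "renew-soon", days_left
    return "ok", days_left

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder hostname
    state, days = expiry_status(cert_not_after(host))
    print(f"{host}: {state}, {days} days left")
```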

Run our free website audit to check your security score. Also see our SSL certificate guide and website audit guide.
