Website Audit Checklists:

The Definitive Guide

by Ian Cleary

Security Audit Checklist

The following chapter is about the Security Audit Checklist which is part of the full Website Audit Checklist definitive guide.

Security Audit

What measures have you put in place to ensure your website is secure?

The potential effects of treating website security as an afterthought:

Loss of data – if you don’t have good backups you could lose all your data.

Breach of data protection regulations – for example, with GDPR data protection in Europe it is your responsibility to ensure that the data is protected.

Loss of business – Imagine running an eCommerce site around Christmas time and your site being down for a couple of days.

Loss of SEO ranking – If your website is down for a long period of time, Google will notice and this may affect your traffic.

Brand reputation – Our website was in Russian when I got in one morning. That wasn’t a great day, but it forced us to implement better security.

I hope I’ve convinced you of the importance of a secure website!

Website Security Framework

You want to make sure your website is secure and user data is protected.

There’s been a steady increase in the number of regulations concerning data protection and privacy so it’s important to get this right.

Here are some of the checks that you need to carry out.

Is the site exposed to credential brute force attacks?

This is where an attacker repeatedly guesses passwords in order to get into your admin area, control panel or SFTP server (i.e. where you upload or download files to your server).

I don’t have to tell you that a large majority of people create extremely weak passwords.

Did you know that 123456 is one of the most common passwords that people use!?

Here’s how long it takes to crack a password:



Use LastPass or a similar password manager. It generates strong passwords, stores them securely and fills them in for you automatically, so you can have hundreds of good passwords without having to remember any of them.


Is there an SSL certificate?

Having an SSL certificate on your website (which is what enables HTTPS) is a fundamental security practice because it encrypts sensitive information, like credit card details, in transit between your users and your server.

For many people who make purchases online, an SSL certificate also serves as a trust signal.


Make sure there is an SSL certificate for all relevant sub domains.
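A certificate only covers the names listed in it, and a wildcard entry covers exactly one label, so a certificate for *.example.com does not cover example.com itself or api.eu.example.com. The following added example (not part of the original article) checks a list of hostnames against a certificate's Subject Alternative Name entries using that rule; the SAN list and hostnames are constructed, and the fetch_san_names helper, which pulls the real list from a live server, is the only part that needs network access.

```python
import socket
import ssl


def hostname_matches(pattern, hostname):
    """RFC 6125-style name match: a leading '*' covers exactly one left-most label,
    so '*.example.com' matches 'www.example.com' but not 'example.com' or
    'a.b.example.com'. DNS names are compared case-insensitively."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")[1:]
    h_labels = hostname.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def uncovered_hosts(san_names, hosts):
    """Return the hosts that no name in the certificate's SAN list covers."""
    return [h for h in hosts if not any(hostname_matches(n, h) for n in san_names)]


def fetch_san_names(host, port=443, timeout=5):
    """Connect to a live server and return the DNS names in its leaf certificate.
    This is the only function here that needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed example: the SAN entries a certificate might carry, and the
# hostnames the site actually serves (none of these are real deployments).
EXAMPLE_SAN = ["example.com", "*.example.com"]
EXAMPLE_HOSTS = [
    "example.com",
    "www.example.com",
    "shop.example.com",
    "api.eu.example.com",  # two labels under the wildcard: not covered
    "example.org",         # different domain entirely: not covered
]

if __name__ == "__main__":
    for h in uncovered_hosts(EXAMPLE_SAN, EXAMPLE_HOSTS):
        print("no certificate coverage for", h)
```

Run it against the real list by replacing EXAMPLE_SAN with fetch_san_names("your-domain") and EXAMPLE_HOSTS with every subdomain your site answers on; anything printed needs its own certificate or an extra SAN entry.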

Are there regular backups?

Backups are an important part of security because if you get hacked and your latest data gets compromised, you can always revert to a previous backup.

Ideally, you’ll set up automated backups with your website hosting provider. You can also use one of the popular WordPress plugins to save and back up your site.

Whichever method you choose, if you want your website to be secure you need to back it up on a regular basis.

Is there a WAF (web application firewall) sitting in front of your website?

When requests come in to access your website, you’ll want them to pass through a firewall that inspects them before they reach your site. This firewall will block requests that match known attack patterns.

Whether you’re aware of this or not, attempts to hack your website happen on a daily basis so you need to protect yourself.

Depending on your hosting there may be a WAF already as part of the package. For example, if you use cloud hosting there will be a WAF.

If you don’t have a WAF as part of your hosting, you may use a solution such as Sucuri, which is a very reputable provider of software that protects you from hacking and malware.

Is the website exposed to malware attacks?

Malware is code that is designed to attack a system.

One type of malware is a virus that moves from machine to machine and can cause all sorts of damage.

But there’s other malware that can attack you in order to:

  • Steal credit card information
  • Show unwanted ads and direct people to spam sites
  • Inject spam on a page, etc.

Is the site exposed to SQL injection?

SQL is a language that is used to interact with databases.

For example:

SELECT first_name, last_name FROM contact_table;

This selects the first name and last name of every row in the contact table.

SQL injection is when an attacker supplies input that changes that SQL statement.

For example:

A search is done on your website, converted to SQL and sent to the database. If the web page inserts the search text directly into the SQL, the vulnerability is on the web page: the attacker’s input becomes part of the statement, and extra conditions can be added so that more information is returned from the database than intended.

The hackers can then steal this information.
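The following added example (not code from the original article) shows the search described above in both forms against a constructed in-memory SQLite table: a query built by pasting the search text into the SQL, and the same query written with a parameter placeholder. The table, names and search term are made up for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the site's contact table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contact_table (first_name TEXT, last_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO contact_table VALUES (?, ?, ?)", [
        ("Ada", "Lovelace", "ada@example.com"),
        ("Alan", "Turing", "alan@example.com"),
        ("Grace", "Hopper", "grace@example.com"),
    ])
    return conn


def search_vulnerable(conn, term):
    # The search text is pasted straight into the SQL, so the text can change the statement.
    sql = f"SELECT first_name, last_name FROM contact_table WHERE last_name = '{term}'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # The statement is fixed; the driver passes the term as data, never as SQL.
    sql = "SELECT first_name, last_name FROM contact_table WHERE last_name = ?"
    return conn.execute(sql, (term,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    normal = "Turing"
    # Constructed input containing a quote: in the vulnerable version it closes the
    # string and adds a condition that is always true, so every row comes back.
    crafted = "x' OR '1'='1"
    print("safe, normal term:      ", search_safe(conn, normal))
    print("vulnerable, crafted term:", search_vulnerable(conn, crafted))
    print("safe, crafted term:     ", search_safe(conn, crafted))
```

With the parameterised query the crafted term is just a surname nobody has, and nothing is returned. The fix is the same in PHP (prepared statements in PDO or $wpdb->prepare in WordPress): never build the statement from user text.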

Is the website exposed to cross site scripting?

Cross-site scripting refers to injecting client-side scripts into a page, which are typically executed when the page loads.

This can completely change what gets displayed on the web page, and the injected script runs in every visitor’s browser.
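The usual cause is page content, such as a comment or a search term, being written into the HTML without escaping. The following added example (not from the original article) renders a constructed comment both ways and shows that escaping turns the injected tag into harmless text; the comment text and the tiny template are made up for the example.

```python
import html

# Constructed comment as a visitor might submit it; the tag is here only to show
# what escaping does to it when the page is rendered.
SAMPLE_COMMENT = '<script>alert("xss")</script>Nice post!'


def render_comment_unsafe(author, text):
    """Raw interpolation: any markup in the text becomes part of the page."""
    return f"<p><b>{author}</b>: {text}</p>"


def render_comment_safe(author, text):
    """html.escape converts < > & " ' to entities, so the browser shows the text
    literally instead of parsing it as markup. This is the escaping for HTML
    body text; attribute values, URLs and JavaScript contexts need their own rules."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"


def has_raw_script_tag(rendered):
    """Check helper: does the rendered HTML still contain an unescaped <script tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe("visitor", SAMPLE_COMMENT))
    print("safe:  ", render_comment_safe("visitor", SAMPLE_COMMENT))
```

Template engines used by most frameworks escape by default; the risk is usually a spot where someone turned that off, or a plugin that builds HTML by hand, which is why the audit should include a look at where user-supplied text reaches the page.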

Are there outdated plugins on the website?

Plugins get updated all the time and mostly those updates are related to bug fixes.

An important kind of bug fix is one that closes a vulnerability in the plugin that could compromise your website’s security.

Is the website exposed to DoS/DDoS attacks?

DoS is denial of service where one machine attacks another.

DDoS is distributed denial of service where many machines attack one machine!

The purpose?

As the name suggests, it’s to deny service, which means that during a DDoS (or DoS) attack it’s unlikely that anyone will be able to access your website.

Who has access and what level of access?

On more than one occasion I have given access to my website to an Agency/Developer to perform a particular action but forgot to remove their access afterwards.

So you need to audit roles/permissions on your website to see who still has access and remove access where it’s no longer necessary.
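The following added example (not from the original article) does that audit over a constructed user export: it flags administrator accounts that are not on your expected list and accounts that have not logged in for a long time. The user records, the expected-admin list and the 90-day threshold are assumptions for the example; a real run would read the export from your CMS.

```python
from datetime import date, timedelta

# Constructed user export, like one pulled from a CMS users page (not real accounts).
USERS = [
    {"login": "ian",        "role": "administrator", "last_login": date(2024, 3, 9)},
    {"login": "agency-dev", "role": "administrator", "last_login": date(2023, 6, 1)},
    {"login": "editor1",    "role": "editor",        "last_login": date(2024, 2, 20)},
    {"login": "old-intern", "role": "author",        "last_login": None},
]

# Assumption for the example: the only person who should hold admin rights.
EXPECTED_ADMINS = {"ian"}


def audit_access(users, expected_admins, today, stale_after=timedelta(days=90)):
    """Return (login, reason) findings for accounts that need attention:
    unexpected administrators, accounts that never logged in, and accounts
    idle for longer than `stale_after`."""
    findings = []
    for u in users:
        if u["role"] == "administrator" and u["login"] not in expected_admins:
            findings.append((u["login"], "unexpected administrator"))
        last = u["last_login"]
        if last is None:
            findings.append((u["login"], "never logged in"))
        elif today - last > stale_after:
            findings.append((u["login"], f"no login for {(today - last).days} days"))
    return findings


if __name__ == "__main__":
    for login, reason in audit_access(USERS, EXPECTED_ADMINS, date(2024, 3, 10)):
        print(f"{login}: {reason}")
```

The agency account shows up twice, as an admin nobody expected and as an account idle for the better part of a year, which is exactly the leftover access described above; the fix is to remove it or downgrade it to the lowest role that still does the job.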

Is the website secure from bots filling out forms?

This one is really annoying because you get constant spammy emails!

Securing your website from bots that attempt to complete your forms with bogus data or try to attack your login page is essential.

Mike Stelzner, Founder, Social Media Examiner

Is the checkout process secure?

Your checkout process has to be protected with a valid SSL certificate, but it also has to follow the latest security and data-protection requirements, such as GDPR in the EU.

During checkout, your customers are sharing their personal information (address, email, credit card info, etc.) so you need to make sure the data is secured.

Your website has to adhere to the Payment Card Industry Data Security Standard (PCI DSS), which ensures that you are processing and storing users’ credit card information in a secure manner.