2,400+ sites audited since January 2025

Most websites have at least one critical security issue. Does yours?

We check 40+ security parameters and deliver a clear, plain-English report to your inbox in 24 hours. No software. No account. No subscription.

The average UK small business breach costs £3,400 to recover from. ICO GDPR fines reach £17.5 million. This audit costs £99.
One-time payment · Delivered in 24 hours · No subscription, ever
94%
of audited sites have at least one critical finding
Based on 2,400+ reports, Jan 2025–May 2026
£3,400
average cost of a UK small business breach
National Cyber Security Centre, 2024
24 hrs
from order to full report in your inbox
Guaranteed delivery SLA
£17.5M
maximum ICO fine under UK GDPR
Information Commissioner's Office

Check your website security right now

Enter your domain and get an instant score across 9 security checks — no signup, no software, completely free.

We only read publicly available data. Nothing is stored.
HTTPS & certificate
Is your connection secure and certificate valid?
Security headers
Are the key browser protections in place?
Cookie compliance
Does your site ask before setting tracking cookies?
Email spoofing
Can attackers impersonate your domain?
Platform fingerprinting
Is your CMS visible to attackers in your page code?
Privacy policy
Does your site have a findable privacy policy?
See exactly what you're getting

Your report, before you pay for it

Every finding comes with a plain-English explanation of the business risk. Hover over any section to see what we'd tell you.

protectpatch-report-acmecorp.com.pdf
Ref #PP-20482 · 26 Apr 2026 · Page 1 of 4
ProtectPatch · Confidential security report
acmecorp.com
Full audit · 8 categories · 19 issues found · Generated 26 Apr 2026
32/100 · High risk
Industry avg: 61/100
Overall security score
Calculated across all 8 categories, weighted by severity. A score of 32/100 is well below the industry average of 61/100. The two critical findings alone account for a 40-point deduction — fixing them would bring the score above 70.
32/100 — High risk
Executive summary — acmecorp.com presents a high-risk security posture, scoring well below the industry average. Two critical vulnerabilities require immediate remediation: an expired SSL certificate and a publicly accessible .env file exposing live database credentials. A further 12 medium-risk issues were identified.
Executive summary
Written for non-technical business owners. Summarises the most urgent findings in plain English so you can make decisions quickly. Every report leads with this section — no technical knowledge required.
2 Critical
Critical findings (2)
Immediate threats requiring action within 24 hours. Expired SSL certificate and publicly exposed .env file containing live database credentials.
Fix immediately
5 High risk
High risk findings (5)
Serious vulnerabilities to address within 1–2 weeks. Includes missing HTTP security headers, outdated WordPress core and unenforced HTTPS redirect.
Fix within 2 weeks
9 Medium risk
Medium risk findings (9)
Real vulnerabilities increasing attack surface. Includes DNS misconfigurations, GDPR compliance gaps and exposed sitemap paths. Address within 30–60 days.
Fix within 60 days
3 Low / pass
Low risk and passing (3)
Categories that passed checks or have only minor findings. Form security, cookie flags and basic privacy compliance all came back clean.
No action needed
Section 1 — SSL & HTTPS
Certificate status
Expired 14 days ago
SSL certificate expired
Visitors see a browser security warning before reaching your site. Renew via your hosting control panel — most providers offer Let's Encrypt at no cost with automatic renewal.
Critical — fix today
Protocol version
TLS 1.1 detected
Outdated TLS protocol
TLS 1.1 was deprecated in 2021. Disable it in your server config or Cloudflare SSL settings and enforce TLS 1.2 minimum, TLS 1.3 preferred.
High — fix soon
HTTPS redirect
Not enforced
HTTPS redirect missing
Your site is reachable over plain HTTP — traffic can be intercepted. Add a 301 redirect in .htaccess or enable Force HTTPS in your hosting panel. Takes under 5 minutes.
High — quick win
Mixed content
3 pages affected
Mixed content on 3 pages
3 pages load HTTP resources over an HTTPS connection, breaking the security guarantee. Check your source for URLs starting with http:// and update to https://.
High — review source
HSTS header
Missing
HSTS header missing
HSTS tells browsers to always use HTTPS. Without it, users can be silently downgraded to HTTP by attackers. Add: Strict-Transport-Security: max-age=31536000; includeSubDomains
Medium
Issuer
Let's Encrypt
Certificate issuer — passing
Let's Encrypt is a trusted, widely-used certificate authority. Once you renew the expired certificate, this remains a passing check. Enable auto-renewal so it never expires again.
Pass
Section 2 — category overview
SSL certificate & HTTPS
Expired cert · TLS 1.1 · HTTPS redirect missing · 3 mixed content pages
Critical
SSL & HTTPS — 4 issues found
Expired certificate, TLS 1.1 in use, HTTPS redirect not enforced and mixed content on 3 pages. Fixing the certificate alone moves this from Critical to Medium.
4 issues · Critical
Exposed files & sensitive paths
.env publicly accessible · /backup/ open · phpinfo.php · wp-config.php readable
Critical
Exposed files — most dangerous
A .env file containing your live database password and API keys is readable by anyone. Delete the file and rotate all credentials immediately.
Delete file now
HTTP security headers
CSP absent · X-Frame-Options missing · Referrer-Policy weak · Permissions-Policy not set
High
HTTP headers — 4 missing
Missing headers leave you open to clickjacking, cross-site scripting and information leakage. All 4 can be added in Cloudflare or your server config in under an hour.
4 headers missing
DNS & email security
SPF record permissive (+all) · DMARC policy absent · DKIM selector not found
Medium
DNS & email — spoofing risk
SPF uses +all allowing any server to send email as your domain. Without DMARC, attackers can send phishing emails appearing to come from your address.
Email spoofing risk
GDPR & privacy compliance
GA loads before consent · No cookie categorisation · Privacy policy gaps
Medium
GDPR — 3 compliance gaps
Google Analytics fires before cookie consent — a direct UK GDPR violation. ICO fines for serious breaches can reach £17.5 million.
Legal exposure
Form & cookie security
All forms submit over HTTPS · Cookies marked Secure · HttpOnly & SameSite set
Pass
Form & cookie security — passing
All forms submit over HTTPS, cookies have Secure, HttpOnly and SameSite=Strict set correctly. No action required here.
No action needed
Additional observations
API key in JS source · Dev subdomain exposed · Staff emails in HTML · Sitemap reveals hidden paths
Medium
Additional observations — 4 found
Unrestricted Google Maps API key in JS source, dev subdomain publicly accessible with debug mode on, staff emails in HTML comments, sitemap revealing unlinked internal paths.
4 analyst findings
Section 3 — priority fixes
Renew SSL certificate immediately
Expired cert causes browser security warnings. Renew via hosting panel — Let's Encrypt is free with auto-renewal.
→ Quick win · Hosting panel
How to fix — SSL renewal
1. Log in to your hosting control panel. 2. Find SSL/TLS section. 3. Click Renew. 4. Enable auto-renew. If using Let's Encrypt it renews for free. Estimated time: 5 minutes.
5 min · Free
Remove exposed .env & config files
Live database credentials are publicly readable. Delete files, rotate all credentials, add deny rules in .htaccess.
→ Urgent · Developer required
How to fix — remove .env
1. Delete /public/.env via FTP immediately. 2. Change your database password. 3. Regenerate all API keys. 4. Add to .htaccess: <Files ".env"> deny from all </Files>
Do this first
Implement all security headers
CSP, X-Frame-Options, Referrer-Policy and Permissions-Policy all missing. Configurable in Cloudflare in under an hour.
→ Medium effort · Cloudflare
How to fix — security headers
Cloudflare: Rules → Transform Rules → Response Headers. Or add directly to nginx.conf or .htaccess. Use securityheaders.com to verify after adding.
30–60 min
Update WordPress core & all plugins
WordPress 5.8 — 3 versions behind. WooCommerce, Yoast and Contact Form 7 all have active CVEs.
→ Quick win · WordPress admin
How to fix — WordPress updates
1. Back up your site. 2. WP Admin → Dashboard → Updates. 3. Update core first, then plugins, then themes. 4. Test after each major update.
10 min · WP Admin
ProtectPatch · Confidential · acmecorp.com · AI-assisted passive analysis. Not a penetration test.
Get my security report — £99
Secured by Stripe · No subscription · Report within 24 hours
Simple process

Three steps. 24 hours. Complete clarity.

No software to install. No server access. No credentials. Just enter your domain, pay once, and receive your report.

01
Enter your domain
Type your website address. We handle everything from there — no plugins, no server access, no credentials required from you.
02
We audit 40+ parameters
Our analysis checks SSL, security headers, exposed files, GDPR compliance, WordPress vulnerabilities, and 35+ additional parameters.
03
Report in your inbox
Within 24 hours you receive a clear PDF with every finding explained in plain English — and exactly what to do about each one.
What you're protecting

40+ checks. All explained as business risk.

We don't just flag technical issues — we explain what each one could cost you in plain English your whole team will understand.

Stops customer data being intercepted in transit
SSL/TLS configuration, HSTS policy, mixed content analysis
Finds exposed files before attackers do
.env files, config directories, backup files, admin panel exposure
Prevents the "Not Secure" warning destroying your traffic
Certificate validity, expiry warnings, issuer and chain verification
Reduces your ICO GDPR fine exposure
Cookie consent compliance, privacy policy checks, data transfer analysis
Stops Google blacklisting your site as dangerous
Malware scan, Google Safe Browsing status, blocklist verification
Closes the doors bots knock on 24 hours a day
WordPress hardening checks, login page exposure, brute-force vectors
Stops attackers impersonating your email domain
SPF, DKIM and DMARC records — email spoofing and phishing prevention
Flags anything our analysts spot beyond the checklist
API keys in source, dev subdomains, staff data exposure, SRI missing
Real customers, real findings

What founders discovered in their reports

These aren't general endorsements — they're accounts of what the audit actually found.

★★★★★

We had a .env file exposing our live database password for 11 months. We had absolutely no idea until ProtectPatch flagged it. I dread to think what could have happened.

James T.
Founder, e-commerce — 12k customers
★★★★★

Our SSL certificate was 6 days from expiry. We'd have lost all our organic traffic overnight and had no idea it was coming. The report paid for itself fifty times over.

Sarah R.
Director, SaaS product — London
★★★★★

Three critical findings — none spotted by my developer in two years of working on the site. Plain-English explanations meant I actually understood what to prioritise.

Marcus K.
MD, professional services firm
Simple, transparent pricing

No subscription. No upsell. Just the report.

Choose the number of domains. All plans include the full 8-category audit with risk ratings and PDF delivery within 24 hours.

Starter
1 domain
£99
£99.00 per domain
 
Full security audit
8 categories
PDF within 24hrs
Risk-rated findings
Fix recommendations
Save £19
2 domains
£179
£89.50 per domain
10% saving
Full security audit
8 categories each
All PDFs 24hrs
Risk-rated findings
Fix recommendations
Save £116
5 domains
£379
£75.80 per domain
23% saving
Full security audit
8 categories each
All PDFs 24hrs
Risk-rated findings
Fix recommendations
Save £291
10 domains
£699
£69.90 per domain
29% saving
Full security audit
8 categories each
All PDFs 24hrs
Risk-rated findings
Fix recommendations
All tiers include the same comprehensive report. More domains = bigger saving per audit.
Secured by Stripe · GDPR compliant
Who we are

Built by people who've seen what breaches actually cost

The ProtectPatch Team
Security analysts & developers

We spent years in security consulting and incident response before building ProtectPatch. We watched small businesses lose customers, face regulatory investigation, and in some cases close entirely — all because of security issues a £99 audit would have caught. ProtectPatch exists because the gap between "we should probably check our security" and "we know exactly where we stand" should cost £99 and 24 hours — not £5,000 and three weeks.

Contact us · Mon–Fri, 9am–6pm GMT
Common questions

Everything you need to decide

Is this the same as a penetration test?
No. A penetration test involves a tester actively attempting to exploit vulnerabilities — it typically costs £2,000–£10,000 and takes weeks. ProtectPatch is an automated security audit: we check 40+ known vulnerability parameters against your live site and deliver findings in 24 hours. Think of it as a thorough inspection before the expensive investigation.
Will this slow my site or cause any disruption?
No. Our audit is entirely passive — we make no changes to your site, install nothing, and require no server access. The scanning process is indistinguishable from normal visitor traffic.
What if I don't understand the technical findings?
Every finding includes a plain-English explanation of the business risk and a specific recommendation for how to fix it. You don't need a developer to understand the report — though you may need one to implement some fixes.
Can I get a refund if I'm not satisfied?
Yes. If we find no critical or high-severity issues in your audit, we will refund you in full. We also consider refunds within 48 hours of delivery if the report doesn't meet expectations — contact us here.
Do you offer volume pricing for agencies?
Yes — our 5 and 10 domain tiers offer significant per-domain savings. For larger volumes or ongoing arrangements, contact us and we can discuss a custom structure.
How long does the report take?
We aim to deliver all reports within 24 hours of payment confirmation. In practice, most arrive significantly faster. For multi-domain orders, all reports are delivered within the same 24-hour window.

Not ready to buy yet?

Get our free 5-point website security checklist — the things every business owner should check before anything else. No spam. Unsubscribe any time.
