Go through each section and mark whether you know the answer. If you cannot confidently say "yes, this is done" — that is a gap that needs addressing. Share with your developer and ask them to confirm each item in writing.

"Most small business website breaches are not sophisticated attacks. They are failures of basic hygiene — things that would have been caught and fixed with a structured checklist."

— National Cyber Security Centre (NCSC), UK Cyber Security Breaches Survey, 2025

Section 1: SSL & HTTPS

SSL & HTTPS (5 checks)
  • My SSL certificate is valid and does not expire within the next 60 days
  • Auto-renewal is configured on my SSL certificate
  • My website automatically redirects all HTTP traffic to HTTPS (301 redirect)
  • My server supports TLS 1.2 minimum — TLS 1.0 and 1.1 are disabled
  • My site has an HSTS header configured (Strict-Transport-Security)
Quick test for exposed files

Type yourdomain.com/.env in your browser. If you see text (not an error page), you have a critical vulnerability requiring immediate attention.

Section 2: Exposed Files & Sensitive Paths

Exposed Files (6 checks)
  • /.env is not publicly accessible (returns 403 or 404)
  • /wp-config.php is not publicly accessible (WordPress sites)
  • /backup/, /backups/, /bak/ directories are not browsable
  • phpinfo.php does not exist in the public web root
  • No .git directory is publicly accessible (exposes entire codebase)
  • No debug log files are accessible in the public directory

Section 3: HTTP Security Headers

Security Headers (5 checks)
  • Content-Security-Policy (CSP) header is configured
  • X-Frame-Options header is set to DENY or SAMEORIGIN (prevents clickjacking)
  • X-Content-Type-Options header is set to nosniff
  • Referrer-Policy header is configured
  • Permissions-Policy header is set
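As an added example (not part of the original checklist), a small Python script that checks the Section 1, 2 and 3 items that can be read straight from HTTP responses: the HTTP-to-HTTPS 301 redirect, HSTS, the five security headers, and whether /.env answers 403/404. It runs over constructed sample responses rather than making network requests, so it can be pointed at saved output from a tool such as curl -I; example.com and the header values in the samples are assumptions, not from the page.

```python
def check_http_redirect(status: int, headers: dict) -> list:
    # Section 1: a plain-HTTP request should answer 301 with an https:// Location.
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if status != 301:
        findings.append(f"HTTP returned {status}, expected a 301 redirect to HTTPS")
    if not h.get("location", "").lower().startswith("https://"):
        findings.append("Redirect Location is not an https:// URL")
    return findings

def check_security_headers(headers: dict) -> list:
    # Sections 1 and 3: HSTS plus the five security headers on the HTTPS response.
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "max-age=" not in h.get("strict-transport-security", ""):
        findings.append("Strict-Transport-Security (HSTS) missing or has no max-age")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name} missing")
    return findings

def check_sensitive_path(path: str, status: int) -> list:
    # Section 2: /.env and similar must answer 403 or 404; a 200 means it is readable.
    if status == 200:
        return [f"{path} is publicly readable (HTTP 200): critical, fix immediately"]
    return [] if status in (403, 404) else [f"{path} returned {status}; verify it serves nothing"]

def audit(http: tuple, https: dict, env_status: int) -> list:
    # Run all three checks over one site's captured responses; empty list means all passed.
    return (check_http_redirect(*http) + check_security_headers(https)
            + check_sensitive_path("/.env", env_status))

# Constructed sample responses (not captured from any real site).
WEAK_HTTP = (200, {"Content-Type": "text/html"})  # page served over HTTP, no redirect
WEAK_HTTPS = {"Content-Type": "text/html", "X-Frame-Options": "ALLOWALL"}
HARDENED_HTTP = (301, {"Location": "https://example.com/"})
HARDENED_HTTPS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}
```

Calling audit(WEAK_HTTP, WEAK_HTTPS, 200) reports nine findings, one per failed item; the hardened samples report none.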

Section 4: DNS & Email Security

DNS & Email (4 checks)
  • My domain has a valid SPF record that does not use +all
  • DKIM is configured for my primary email provider
  • A DMARC record is in place with p=quarantine or p=reject
  • No subdomain takeover vulnerabilities exist (abandoned CNAME records)

Section 5: GDPR & Privacy Compliance

GDPR & Privacy (5 checks)
  • A cookie consent mechanism is in place that blocks analytics until consent is given
  • Cookie categories are clearly described and individually controllable
  • Privacy policy lists all actual data processors (Google, Stripe, Mailchimp, etc.)
  • All forms that collect personal data include a clear privacy notice
  • Google Analytics or equivalent does not fire before consent is given

Section 6: CMS Security (WordPress)

WordPress Hardening (8 checks)
  • WordPress core is on the latest stable version
  • All plugins are updated to their latest versions
  • All themes are updated (including inactive themes)
  • No plugins have been abandoned by their developer (check last update date)
  • The default admin username has been changed from "admin"
  • Two-factor authentication is enabled on all admin accounts
  • Login attempts are rate-limited (Wordfence or equivalent)
  • WP_DEBUG is set to false in the production environment

Section 7: Google & Blacklisting

Google & Blacklisting (4 checks)
  • Google Search Console is set up and has no Security Issues notifications
  • Google Safe Browsing status is clean (check at transparencyreport.google.com/safe-browsing/search)
  • Google Analytics is installed and showing traffic (sudden drops can signal a blacklisting event)
  • A site:yourdomain.com query on Google shows no unexpected pages or spam content

Section 8: Additional Analyst Checks

Advanced Checks (3 checks)
  • No API keys are hardcoded in publicly accessible JavaScript files
  • Development or staging subdomains (dev., staging.) are password-protected or inaccessible
  • Staff email addresses are not exposed in HTML comments or page source code

Your checklist score

Score      Rating            What it means
36–40      Excellent         Strong baseline security. Run an annual audit to maintain it.
26–35      Good, gaps exist  Prioritise the SSL and exposed file sections first.
16–25      Significant risk  Several gaps represent critical vulnerabilities.
Below 15   High risk         Your site has multiple entry points that attackers will find.

94% of UK websites audited by ProtectPatch have at least one critical or high-severity finding (based on 2,400+ audits, Jan 2025–May 2026).